POAGuard: A Defense Mechanism Against Preemptive Table Overflow Attack in Software-Defined Networks

In Software-Defined Networks (SDN), the limited flow table capacity of switches makes them susceptible to flow table overflow attacks, which can lead to performance degradation or network corruption. Prior research has mainly focused on rate-based overflow attacks (ROA), which exhibit varying attack effects depending on the overflow rate. This study introduces a novel attack called the preemptive overflow attack (POA), which exploits flow entry eviction mechanism to preempt the flow entries of normal applications, resulting in amplified performance degradation. Notably, when using the widely deployed Least Frequently Used (LFU) eviction algorithm, POA achieves a significant impact while consuming fewer flow entries than existing ROA methods. Furthermore, the detection of POA remains challenging owing to the lack of distinctive flow features. To mitigate POA, we propose POAGuard as a defense mechanism. POAGuard incorporates a table segmentation method for table management, a score-based eviction algorithm that evicts suspicious flow entries, and a concept drift-based detection method that identifies and defends against POA. Extensive experiments are conducted to verify the effectiveness of POAGuard, and the results demonstrate that POAGuard can effectively defend against POA.