FTODefender: An efficient flow table overflow attacks defending system in SDN

Expert Systems with Applications (2024)

Abstract
Software-Defined Networking (SDN) is a promising architecture that decouples the control plane from the data plane. The mainstream southbound protocol for controller-to-switch communication in SDN is OpenFlow. In an OpenFlow-enabled network, SDN switches are connected to the logically centralized control plane, which issues control messages to direct packet forwarding and processing in the data plane. Because the physical flow tables of switches, typically implemented with ternary content addressable memory (TCAM), have finite capacity, attackers can carry out Denial-of-Service (DoS) attacks aimed at depleting the TCAM's resources and overflowing the flow table. In this paper, we propose FTODefender, a method that combines rule eviction with cutting off attack sources to detect Low-rate Flow Table Overflow (LFTO) attacks and mitigate them in time. FTODefender consists of two modules: Detector and Mitigator. Detector periodically examines the flow table and extracts four specific detection features. It then applies the trained CRITIC weights to these features to compute a detection score that determines whether an LFTO attack is under way. Mitigator computes features for each flow and uses a LightGBM-LR classification model to identify attack flows among all flows; it then evicts the malicious rules to mitigate the attack. Finally, Mitigator counts the occurrences of each source IP address in the eviction list, identifies attacker IPs using a predefined threshold, and issues a flow rule that drops all packets originating from those IPs, severing the attack sources. Simulations show the effectiveness of FTODefender in mitigating LFTO attacks, demonstrating that it is a practical defense against flow table overflow attacks.
Keywords
Criteria importance through intercriteria correlation, Low-rate flow table overflow attack, Light gradient boosting machine, Logistic regression, Software-defined networking