Network Anti-Spoofing With SDN Data Plane

Yehuda Afek, Anat Bremler-Barr, Lior Shafir
Conferences & Workshops
DDoS attack, NFV/SDN


Traditional DDoS anti-spoofing scrubbers require dedicated middleboxes thus adding CAPEX, latency and complexity in the network. This paper starts by showing that the current SDN match-and-action model is rich enough to implement a collection of anti-spoofing methods. Secondly we develop and utilize advance methods for dynamic resource sharing to distribute the required mitigation resources over a network of switches.
None of the earlier attempts to implement anti-spoofing in SDN actually directly exploited the match and action power of the switch data plane. They required additional functionalities on top of the match-and-action model, and are not implementable on an SDN switch as is. Our method builds on the premise that an SDN data path is a very fast and efficient engine to perform low level primitive operations at wire speed. The solution requires a number of flow-table rules and switch-controller messages proportional to the legitimate traffic. To scale when protecting multiple large servers the flow tables of multiple switches are harnessed in a distributed and dynamic network based solution.
We have fully implemented all our methods in either OpenFlow1.5 in Open-vSwitch and in P4. The system mitigates spoofed attacks on either the SDN infrastructure itself or on downstream servers.

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email
  title={Network anti-spoofing with SDN data plane},
  author={Afek, Yehuda and Bremler-Barr, Anat and Shafir, Lior},
  booktitle={IEEE INFOCOM 2017-IEEE Conference on Computer Communications},