Title | DoS attack mitigation in SDN networks using a deeply programmable packet-switching node based on a hybrid FPGA/CPU data plane architecture |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Kaljic, Enio, Maric, Almir, Njemcevic, Pamela |
Conference Name | 2019 XXVII International Conference on Information, Communication and Automation Technologies (ICAT) |
Keywords | 5G, architectural model, authorisation, composability, Computer architecture, computer network management, computer network security, data plane, DDoS, DDoS attack mitigation, deep network programmability, deeply programmable packet-switching node, denial-of-service attack, denial-of-service attacks, DoS, DoS attack mitigation, DoS attack redirection, DoS attacks mitigation, DoS traffic, DPN, field programmable gate arrays, Filtering, firewall, Firewalls (computing), FPGA, Hardware, Human Behavior, Internet, Metrics, packet switching, packet-switching nodes, pubcrawl, Resiliency, SDN, SDN network, Software, software defined networking, software-defined networking, Software-Defined Networks, switches price, telecommunication traffic |
Abstract | The application of the concept of software-defined networks (SDN) has, on the one hand, led to simpler and cheaper switches, and on the other hand, has created a significant number of problems related to the security of the SDN network. Several studies have noted that these problems stem from the lack of flexibility and programmability of the data plane, which is likely the first to suffer from potential denial-of-service (DoS) attacks. One possible way to overcome this problem is to increase the flexibility of the data plane by increasing the depth of programmability of the packet-switching nodes below the level of flow table management. Therefore, this paper investigates the opportunity of using the architecture of deeply programmable packet-switching nodes (DPPSN) in the implementation of a firewall. An architectural model of the firewall based on a hybrid FPGA/CPU data plane architecture is then proposed and implemented. The realized firewall supports three models of DoS attack mitigation: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to a honeypot. Experimental evaluation of the implemented firewall has shown that DoS traffic filtering at the input interface is the best strategy for DoS attack mitigation, which justifies the application of the concept of deep network programmability. |
DOI | 10.1109/ICAT47117.2019.8938862 |
Citation Key | kaljic_dos_2019 |