TY - JOUR
T1 - Detecting and mitigating DHCP attacks in OpenFlow-based SDN networks
T2 - a comprehensive approach
AU - Aldaoud, Manar
AU - Al-Abri, Dawood
AU - Al Maashri, Ahmed
AU - Kausar, Firdous
N1 - Publisher Copyright:
© 2023, The Author(s), under exclusive licence to Springer-Verlag France SAS, part of Springer Nature.
PY - 2023
Y1 - 2023
N2 - Software Defined Networking (SDN) provides centralized control and management of networks. This centralized view of network traffic can be leveraged to improve the network's overall security. This paper focuses on protecting SDN networks from DHCP attacks, which affect not only the DHCP service but also the SDN controller and the network as a whole. The paper proposes DHCPWatcher, a real-time and comprehensive approach to detecting and mitigating DHCP attacks in SDN networks. DHCPWatcher is a multi-stage detection mechanism that identifies DHCP attacks using anomaly, heuristic, and/or behavior analysis. When an attack is detected, a DROP action for the malicious DHCP traffic is installed in the forwarding device over the OpenFlow protocol. A multi-step mechanism is then activated to heal and restore the affected controller and DHCP service: spoofed hosts are removed from the controller, IP addresses that may have been maliciously leased during the attack are released, and those addresses are reassigned to their original clients. The Mininet emulator is used to evaluate DHCPWatcher against well-known DHCP attack tools with three different DHCP services. The results show that DHCPWatcher detects an attack from its first packet. It neutralizes the effects of the most aggressive of the tested attacks (Yersinia) within the first 30 s and does so much faster for the other tools, Hyena and DHCPwn. This fast neutralization reduces the load on controller resources such as CPU utilization and limits the impact on network latency and packet loss.
KW - DHCP Rogue Server
KW - DHCP Starvation Attack
KW - Network Security
KW - OpenFlow
KW - Software Defined Networking (SDN)
KW - Yersinia
UR - http://www.scopus.com/inward/record.url?scp=85148430364&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85148430364&partnerID=8YFLogxK
U2 - 10.1007/s11416-023-00468-z
DO - 10.1007/s11416-023-00468-z
M3 - Article
AN - SCOPUS:85148430364
SN - 2274-2042
JO - Journal in Computer Virology
JF - Journal in Computer Virology
ER -
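The abstract describes detection by anomaly/heuristic analysis of DHCP traffic, an OpenFlow DROP rule pushed to the switch, and a healing step that releases maliciously leased addresses. The following Python is an added illustration of that pipeline written for this page; it is not DHCPWatcher's code and the paper's actual heuristics, thresholds and controller integration are not known from the record. It assumes two simple heuristics (starvation: more than a threshold of distinct client MACs on one switch port within a window; rogue server: a DHCPOFFER/DHCPACK whose server identifier is not in a trusted list), emits the drop rule as `ovs-ofctl add-flow` match text, and records which leases a healing step would release. The DHCP payloads are constructed inline, not captured traffic.

```python
"""Illustrative DHCP-attack detection and healing plan (added example, not the paper's code)."""
import struct
from collections import defaultdict

DHCP_DISCOVER, DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie that ends the fixed BOOTP header


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_dhcp(op, chaddr, msg_type, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal BOOTP/DHCP payload (constructed sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)   # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4) + ip_bytes(yiaddr) + bytes(8)           # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(192)           # chaddr (16), sname (64), file (128)
    opts = bytes([53, 1, msg_type])                         # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + ip_bytes(server_id)        # option 54: server identifier
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Extract only what the heuristics need: op, client MAC, offered IP, options 53/54."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen]
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:          # 255 = end option
        if payload[i] == 0:                                 # 0 = pad, single byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    if 53 not in opts:
        raise ValueError("missing DHCP message type")
    server_id = ".".join(str(b) for b in opts[54]) if 54 in opts else None
    return {"op": op, "chaddr": chaddr, "yiaddr": yiaddr,
            "msg_type": opts[53][0], "server_id": server_id}


def drop_rule(in_port, from_server):
    """ovs-ofctl flow text dropping DHCP traffic entering the switch on one port (assumed rule shape)."""
    match = "udp,tp_src=67" if from_server else "udp,tp_dst=67"
    return f"priority=200,in_port={in_port},{match},actions=drop"


class DHCPWatcherLite:
    """Hypothetical detector: thresholds, trusted list and heuristics are assumptions, not the paper's."""

    def __init__(self, trusted_servers, max_macs_per_port=5, window=10.0):
        self.trusted = set(trusted_servers)
        self.max_macs = max_macs_per_port
        self.window = window
        self.seen = defaultdict(list)     # in_port -> [(ts, chaddr)] for recent client requests
        self.blocked = set()              # ports that already received a DROP rule
        self.suspect_macs = set()         # MACs seen on a port at the moment it was blocked
        self.rogue_leases = {}            # yiaddr -> chaddr offered/acked by an untrusted server
        self.to_release = {}              # yiaddr -> suspect chaddr that the real server leased to

    def observe(self, in_port, ts, payload):
        """Process one DHCP packet; return the OpenFlow rules to install (empty if benign)."""
        pkt = parse_dhcp(payload)
        rules = []
        if pkt["op"] == BOOTREQUEST:
            hist = self.seen[in_port]
            hist.append((ts, pkt["chaddr"]))
            hist[:] = [(t, m) for t, m in hist if ts - t <= self.window]   # slide the window
            macs = {m for _, m in hist}
            if len(macs) > self.max_macs and in_port not in self.blocked:  # starvation heuristic
                self.blocked.add(in_port)
                self.suspect_macs |= macs
                rules.append(drop_rule(in_port, from_server=False))
        elif pkt["op"] == BOOTREPLY:
            if pkt["server_id"] not in self.trusted:                       # rogue server heuristic
                self.rogue_leases[pkt["yiaddr"]] = pkt["chaddr"]
                if in_port not in self.blocked:
                    self.blocked.add(in_port)
                    rules.append(drop_rule(in_port, from_server=True))
            elif pkt["msg_type"] == DHCP_ACK and pkt["chaddr"] in self.suspect_macs:
                self.to_release[pkt["yiaddr"]] = pkt["chaddr"]             # leased before the cut-off
        return rules

    def healing_plan(self):
        """Addresses to release on the real server and rogue bindings to purge from the controller."""
        return {"release": sorted(self.to_release), "purge_rogue": sorted(self.rogue_leases)}


def simulate():
    """Constructed scenario: one honest client, a starvation flood, one leaked lease, one rogue offer."""
    w = DHCPWatcherLite(trusted_servers={"10.0.0.254"})
    rules = []
    rules += w.observe(1, 0.0, build_dhcp(BOOTREQUEST, b"\xaa\xbb\xcc\x00\x00\x01", DHCP_DISCOVER))
    for n in range(6):                                   # six spoofed MACs on port 3 within 2 s
        rules += w.observe(3, 0.3 * n, build_dhcp(BOOTREQUEST, b"\x02\x00\x00\x00\x00" + bytes([n]), DHCP_DISCOVER))
    rules += w.observe(4, 2.0, build_dhcp(BOOTREPLY, b"\x02\x00\x00\x00\x00\x00", DHCP_ACK,
                                          yiaddr="10.0.0.10", server_id="10.0.0.254"))
    rules += w.observe(2, 3.0, build_dhcp(BOOTREPLY, b"\xaa\xbb\xcc\x00\x00\x01", DHCP_OFFER,
                                          yiaddr="10.0.0.50", server_id="10.0.0.66"))
    return rules, w.healing_plan()


if __name__ == "__main__":
    for line in simulate()[0]:
        print("ovs-ofctl add-flow s1", repr(line))
    print(simulate()[1])
```

The rule strings follow `ovs-ofctl add-flow` match syntax and would be installed on the Mininet switch by the controller or a shell helper; a real deployment would also expire the rule and re-check the port rather than block it forever, and would tie the `release` list to the specific DHCP server's lease database, which is the service-specific part the abstract says the paper covers for three DHCP implementations.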