TY - JOUR
T1 - Detecting and mitigating DHCP attacks in OpenFlow-based SDN networks
T2 - a comprehensive approach
AU - Aldaoud, Manar
AU - Al-Abri, Dawood
AU - Al Maashri, Ahmed
AU - Kausar, Firdous
N1 - Funding Information:
We confirm that the research is not funded by any organization.
Publisher Copyright:
© 2023, The Author(s), under exclusive licence to Springer-Verlag France SAS, part of Springer Nature.
PY - 2023/2/21
Y1 - 2023/2/21
N2 - Software Defined Networking (SDN) is an approach that provides centralized control and management of networks. This centralized view of the network's traffic flow can be exploited to enhance the network's overall security. This paper focuses on protecting SDN networks from DHCP attacks, which not only impact the DHCP service but also extend to the SDN controller and the overall network. This paper proposes a real-time and comprehensive approach—DHCPWatcher—to detect and mitigate DHCP attacks in SDN networks. DHCPWatcher is a multi-stage detection mechanism that detects DHCP attacks using anomaly, heuristic, and/or behavior analysis. When an attack is detected, a DROP action for the malicious DHCP traffic is injected into the forwarding device using the OpenFlow protocol. Then, a multi-step mechanism is activated to heal and restore the affected controller and the DHCP service; it includes removing spoofed hosts from the controller, releasing IP addresses that may have been maliciously leased during the attack, and reassigning those IP addresses to their original clients. The Mininet emulator is used to evaluate DHCPWatcher against well-known DHCP attacks for three different DHCP services. The results show that DHCPWatcher effectively detects attacks from the first attack packet. It can also neutralize the impact of the most malicious attack—Yersinia—within the first 30 s, and takes much less time for the other attacks, such as Hyena and DHCPwn. This fast neutralization of attacks positively reflects on controller resources, such as CPU utilization, and on network performance in terms of latency and packet loss.
KW - DHCP Rogue Server
KW - DHCP Starvation Attack
KW - Network Security
KW - OpenFlow
KW - Software Defined Networking (SDN)
KW - Yersinia
UR - http://www.scopus.com/inward/record.url?scp=85148430364&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85148430364&partnerID=8YFLogxK
UR - https://www.mendeley.com/catalogue/cfed7ef7-de91-3cd3-8025-771c6b0dd114/
U2 - 10.1007/s11416-023-00468-z
DO - 10.1007/s11416-023-00468-z
M3 - Article
AN - SCOPUS:85148430364
SN - 2274-2042
VL - 19
SP - 597
EP - 614
JO - Journal of Computer Virology and Hacking Techniques
JF - Journal of Computer Virology and Hacking Techniques
IS - 4
M1 - 4
ER -