Graduation Year

2021

Document Type

Dissertation

Degree

Ph.D.

Degree Name

Doctor of Philosophy (Ph.D.)

Degree Granting Department

Engineering

Major Professor

Nasir Ghani, Ph.D.

Committee Member

Sylvia Thomas, Ph.D.

Committee Member

Zhuo Lu, Ph.D.

Committee Member

Sriram Chellappan, Ph.D.

Committee Member

Tao Zhang, Ph.D.

Keywords

Data Availability, Intelligent Networking, Packet Forwarding, Queuing Theory for Attack Mitigation, Virtualization

Abstract

Software defined networking (SDN) improves upon traditional networking protocol technologies by decoupling the data and control planes and moving all control provisioning decisions to a centralized SDN controller entity. This concept has matured over the last decade, having gained strong industry traction, and is now being widely deployed within enterprise and carrier networks to streamline network services provisioning and reduce costs. Overall, centralized control delivers much more cost-effective and flexible networking setups that can support a wide range of customized user-driven network management applications, e.g., traffic engineering, security, survivability, admission control, and policy control.

However, the separation of the data and control layers in an SDN network introduces many attack points for malicious users to exploit. Some key examples include (distributed) denial of service (DoS/DDoS), intrusion, and man-in-the-middle (MitM) attacks. DoS/DDoS attacks are of particular concern to network operators because they can effectively shut down vital communications between the SDN controller and its distributed data plane switching nodes/platforms. Moreover, the ongoing proliferation of lower cost Internet of Things (IoT) devices is further increasing the magnitude and scale of potential DoS attacks. For example, recent IoT-driven DDoS amplification attacks have generated malicious data flows at terabit-level speeds, a very sobering reality.

Given the increasing sophistication of DoS attacks and the vulnerability of SDN controllers, the effective modeling (characterization) and mitigation of DoS/DDoS attacks in SDN-based infrastructures is a vital concern. Although various studies have addressed this problem area, there is a further need to develop more formalized analytical models to characterize the impact of DoS/DDoS attacks on the SDN control plane. As a result, this dissertation develops and analyzes novel queuing theoretic models to address this concern for baseline (simplified) SDN controllers, as well as more advanced designs that implement traffic classification and separation to improve security. The impact of attack mitigation strategies in data plane switches is also addressed to evaluate traffic control at the network edge. Finally, an initial testbed setup is also built using the NSF Global Environment for Network Innovations (GENI) infrastructure to further study DoS/DDoS attacks on the SDN control plane. Overall, this work provides a strong basis for characterizing DoS/DDoS attacks on SDN infrastructures and can be used to develop appropriate mitigation strategies.
