Monday 22 December 2014

Launching DDOS Attacks on Software Defined Networks

Software Defined Networking (SDN) is a better approach to network management. Its architecture provides greater control over network assets. Control and forwarding are separated into a control plane and a data plane. Previously, both were integral parts of a single piece of hardware that shipped with proprietary control software from the vendor. Now the administrator takes over the control plane and devises fine-grained policies for multiple forwarding actions. The policies may also be dynamic. In practice, a switch from any vendor just performs the forwarding task and does not process the incoming traffic.
 
The switches look for a match for incoming traffic in their forwarding tables; if no match is found, the traffic is sent to the control plane for processing. The controller decides whether it should be forwarded or dropped. The control plane is thus an obvious advantage of SDN, but it can also be a single point of failure. This happens if the control plane is made unreachable by a DDoS attack. Compromising the path between the switch and the control plane can cause a DDoS. When the source addresses of incoming traffic are spoofed, the switch will forward the packets to the control plane for processing. A large number of such packets can consume the controller's resources and exhaust it.
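
The table-miss path described above, as an added example that is not part of the original post: a toy switch sends a packet-in to the controller for every source without a forwarding rule, and a sliding-window monitor on the controller side flags the packet-in surge that spoofed sources produce. The class and function names, the thresholds and the addresses are assumptions constructed for illustration.

```python
from collections import deque

class PacketInMonitor:
    """Sliding-window detector for packet-in (table-miss) floods, per switch."""

    def __init__(self, window_ms=1000, max_rate=100, min_new_src_ratio=0.8):
        self.window_ms = window_ms                  # window length (assumed value)
        self.max_rate = max_rate                    # packet-ins per window (assumed)
        self.min_new_src_ratio = min_new_src_ratio  # share of never-seen sources
        self.events = {}  # switch id -> deque of (timestamp_ms, source_was_new)
        self.seen = {}    # switch id -> source addresses seen so far

    def observe(self, switch_id, src, ts_ms):
        """Record one packet-in; return True if this switch looks flooded."""
        q = self.events.setdefault(switch_id, deque())
        seen = self.seen.setdefault(switch_id, set())
        q.append((ts_ms, src not in seen))
        seen.add(src)
        while q[0][0] <= ts_ms - self.window_ms:    # expire old events
            q.popleft()
        new_ratio = sum(new for _, new in q) / len(q)
        return len(q) > self.max_rate and new_ratio >= self.min_new_src_ratio

def simulate(packets, monitor, switch_id="s1"):
    """Run (timestamp_ms, src) packets through a toy switch.

    Returns (packet_in_count, time_of_first_alert_or_None)."""
    flow_table = set()   # sources that already have a forwarding rule
    packet_ins, alert_at = 0, None
    for ts_ms, src in packets:
        if src in flow_table:
            continue     # match: handled in the data plane, controller not involved
        packet_ins += 1  # table miss: the packet is sent to the controller
        if monitor.observe(switch_id, src, ts_ms) and alert_at is None:
            alert_at = ts_ms
        flow_table.add(src)  # controller installs a rule for this source
    return packet_ins, alert_at

# Constructed traffic: 20 hosts, 1000 packets in one second.
NORMAL = [(i, f"10.0.0.{i % 20 + 1}") for i in range(1000)]
# Constructed flood: 1000 packets in one second, each with a different source.
FLOOD = [(i, f"198.51.{i // 250}.{i % 250 + 1}") for i in range(1000)]

if __name__ == "__main__":
    print("normal:", simulate(NORMAL, PacketInMonitor()))
    print("flood: ", simulate(FLOOD, PacketInMonitor()))
```

With the same packet count, the 20 stable sources reach the controller only 20 times, while the all-distinct sources reach it on every packet. A controller could use the alert to rate-limit packet-in messages from the affected switch.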
 

3 comments:

  1. Thank you for the work you have put into this post, it helps clear up some questions I had.

  2. Thank you, I’ve just been searching for information about this topic for a while and yours is the greatest I’ve discovered till now. But, what in regards to the conclusion? Are you sure concerning the supply?

  3. You know your projects stand out of the herd. There is something special about them. It seems to me all of them are really brilliant! B2B Cyber Security
