Abstract
SDN (Software-Defined Networking) is a new networking technology that separates the data plane from the control plane; its main components are OpenFlow switches (OFSwitches) and a Controller. Traffic flows are monitored by the SDN controller. Initially, OFSwitches hold no security rules for packet handling: an OFSwitch sends an unmatched packet to the controller for examination, and the controller replies with control messages that admit the packet and installs the required flow entry. Host packets are forwarded to their destination on the basis of the destination host address alone; the source host address is not checked. An attacker takes advantage of this situation and generates packets with forged source addresses in order to conceal his identity and perform various source-address-spoofing attacks such as Denial of Service (DoS), man in the middle (MiM), Distributed DoS (DDoS), and so on. This paper proposes a design that proactively discovers hosts, builds a HostTable, configures flow entries during handshaking, and detects and prevents source-forged attacks in Hybrid SDN. We call it HyPASS: Design of Hybrid-SDN Prevention of Source Spoofing Attacks with Host Discovery and Address Validation. We implemented it in Python on Mininet and tested it with the RYU and POX controllers. In our experiments it identifies and drops 99.99% of packets carrying a forged source address.
• Proactive discovery of hosts connected to the network.
• Automatic identification of address-spoofed packets.
• Prevention of address-spoofing attacks in real time.
• We manage the HostLink table at the Controller level to store the Host MAC, SDN switch ID and Port ID.
• We load essential flow entries into the OpenFlow switch flow table before a host generates actual data packets.
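The following is an added example, not the paper's HyPASS code, that models the controller-side check the highlights describe: a HostLink table of (host MAC, switch ID, port ID) bindings filled during proactive discovery, a validation step that drops any packet whose source MAC does not match the switch and port it arrived on, and the proactive flow entries pushed at handshake time. The class and function names, the OpenFlow 1.3 match field names used in the flow-entry dictionaries, and the sample hosts and packets are all assumptions constructed for this illustration.

```python
# Added example: controller-side model of HostLink-table source-address validation.
# Not the paper's HyPASS code; names, hosts and packets below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HostLink:
    """One row of the controller's HostLink table: where a host is attached."""
    mac: str
    dpid: int   # OpenFlow datapath (switch) id
    port: int   # switch port the host is plugged into


class HostLinkTable:
    """Host MAC -> (switch, port) bindings learned during proactive host discovery."""

    def __init__(self) -> None:
        self._by_mac: Dict[str, HostLink] = {}

    def register(self, mac: str, dpid: int, port: int) -> bool:
        """Record a discovered host; refuse to silently rebind a MAC to another port."""
        mac = mac.lower()
        new = HostLink(mac, dpid, port)
        if mac in self._by_mac and self._by_mac[mac] != new:
            return False  # conflicting claim for an already-bound MAC: keep the first
        self._by_mac[mac] = new
        return True

    def lookup(self, mac: str) -> Optional[HostLink]:
        return self._by_mac.get(mac.lower())

    def entries(self) -> List[HostLink]:
        return list(self._by_mac.values())


def validate_packet(table: HostLinkTable, src_mac: str, dpid: int,
                    in_port: int) -> Tuple[str, str]:
    """Decide what the controller does with a packet-in: forward only if the
    source MAC is bound to the switch/port it arrived on, otherwise drop."""
    entry = table.lookup(src_mac)
    if entry is None:
        return "drop", "source MAC never discovered"
    if (entry.dpid, entry.port) != (dpid, in_port):
        return "drop", f"source MAC is bound to dpid {entry.dpid} port {entry.port}"
    return "forward", "source binding matches ingress"


def proactive_flow_entries(table: HostLinkTable) -> List[dict]:
    """Flow entries to install at handshake time, before hosts send data:
    one permit rule per (switch, in_port, eth_src) binding plus a priority-0
    table-miss drop on every switch. Field names follow OpenFlow 1.3; the
    'NORMAL' action stands in for whatever output action the deployment uses."""
    entries = []
    for h in table.entries():
        entries.append({"dpid": h.dpid, "priority": 100,
                        "match": {"in_port": h.port, "eth_src": h.mac},
                        "actions": ["NORMAL"]})
    for dpid in sorted({h.dpid for h in table.entries()}):
        entries.append({"dpid": dpid, "priority": 0, "match": {}, "actions": []})
    return entries


def process_packets(table: HostLinkTable,
                    packets: List[Tuple[str, int, int]]) -> Dict[str, int]:
    """Run the check over (src_mac, dpid, in_port) triples and tally the verdicts."""
    counts = {"forward": 0, "drop": 0}
    for src_mac, dpid, in_port in packets:
        verdict, _ = validate_packet(table, src_mac, dpid, in_port)
        counts[verdict] += 1
    return counts


def build_demo_table() -> HostLinkTable:
    """Constructed discovery result: h1 and h2 on switch 1, h3 on switch 2."""
    t = HostLinkTable()
    t.register("00:00:00:00:00:01", 1, 1)
    t.register("00:00:00:00:00:02", 1, 2)
    t.register("00:00:00:00:00:03", 2, 1)
    return t


# Constructed packet-in stream: two genuine packets, then three with forged sources.
DEMO_PACKETS = [
    ("00:00:00:00:00:01", 1, 1),  # h1 from its own port: forward
    ("00:00:00:00:00:02", 1, 2),  # h2 from its own port: forward
    ("00:00:00:00:00:03", 1, 1),  # h3's MAC arriving on h1's port: drop
    ("00:00:00:00:00:99", 2, 1),  # never-discovered MAC: drop
    ("00:00:00:00:00:01", 2, 1),  # h1's MAC arriving on another switch: drop
]

if __name__ == "__main__":
    table = build_demo_table()
    for entry in proactive_flow_entries(table):
        print("install", entry)
    print(process_packets(table, DEMO_PACKETS))
```

The table-miss drop is what makes the scheme fail closed: a packet from a MAC that discovery never saw cannot be forwarded by the switch on its own, and the controller only admits it after the binding check. A deployment would also need to handle legitimate host moves (the `register` refusal above is deliberately conservative) and the discovery traffic itself.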