A Low-Rate DoS Attack Mitigation Scheme Based on Port and Traffic State in SDN

• Published in: IEEE transactions on computers Vol. 74; no. 5; pp. 1758 - 1770
• Main Authors: Tang, Dan, Dai, Rui, Zuo, Chenguang, Chen, Jingwen, Li, Keqin, Qin, Zheng
• Format: Journal Article
• Language: English
• Published: IEEE 01.05.2025
• Subjects: Accuracy; Attack detection; attack mitigation; Computers; Electronic mail; Fractals; low-rate denial of service attacks; Monitoring; Prevention and mitigation; Software defined networking; Switches; Telecommunication traffic; Threat modeling
• ISSN: 0018-9340; 1557-9956
• DOI: 10.1109/TC.2025.3541143

Low-rate Denial of Service (DoS) attacks can significantly compromise network availability and are difficult to detect and mitigate due to their stealthy exploitation of flaws in congestion control mechanisms. Software-Defined Networking (SDN) is a revolutionary architecture that decouples network control from packet forwarding, emerging as a promising solution for defending against low-rate DoS attacks. In this paper, we propose Trident, a low-rate DoS attack mitigation scheme based on port and traffic state in SDN. Specifically, we design a multi-step strategy to monitor switch states. First, Trident identifies switches suspected of suffering from low-rate DoS attacks through port state detection. Then, it monitors the traffic state of switches with abnormal port states. Once a switch is identified as suffering from an attack, Trident analyzes the flow information to pinpoint the malicious flow. Finally, Trident issues rules to the switch's flow table to block the malicious flow, effectively mitigating the attack. We prototype Trident on the Mininet platform and conduct experiments using a real-world topology to evaluate its performance. The experiments show that Trident can accurately and robustly detect low-rate DoS attacks, respond quickly to mitigate them, and maintain low overhead.