3/2019 - 3
HPOFS: A High Performance and Secured OpenFlow Switch Architecture for FPGA
PHAM-QUOC, C., NGO, D.-M., THINH, T. N.
Author keywords
field programmable gate arrays, software defined networking, computer security, high performance computing, reconfigurable architectures
About this article
Date of Publication: 2019-08-31
Volume 19, Issue 3, Year 2019, On page(s): 19 - 28
ISSN: 1582-7445, e-ISSN: 1844-7600
Digital Object Identifier: 10.4316/AECE.2019.03003
Web of Science Accession Number: 000486574100003
SCOPUS ID: 85072163116
Abstract
Although Software Defined Networking offers many advantages, it suffers from many security issues due to centralized control. In this paper, we introduce HPOFS (High-Performance and Secured OpenFlow Switching Architecture) for FPGA, which is able not only to route packets from sources to destinations according to the OpenFlow protocol but also to protect the system against different attacks efficiently. Thanks to FPGA technology, the two processes can be scheduled in parallel; thus, the switch can work at very high throughput. We implement the first prototype version on a Xilinx xc5vtx240t FPGA device with three different security functions to protect the system against DDoS attack types: Hop-count filtering, port Ingress/Egress filtering, and a SYN Flood attack defender. While the first two protection techniques are adapted from our previous work, the SYN Flood defender core is designed and implemented with a pipeline model in this work. The core is able to protect the system against SYN Flood attacks at up to 30,000,000 packets per second with only 0.248 ms overhead. The full switch can provide throughput of up to 78.96 Gbps with only a 0.0012 percent drop rate.
Faculty of Electrical Engineering and Computer Science
Stefan cel Mare University of Suceava, Romania
All rights reserved: Advances in Electrical and Computer Engineering is a registered trademark of the Stefan cel Mare University of Suceava. No part of this publication may be reproduced, stored in a retrieval system, photocopied, recorded or archived, without the written permission from the Editor. When authors submit their papers for publication, they agree that the copyright for their article be transferred to the Faculty of Electrical Engineering and Computer Science, Stefan cel Mare University of Suceava, Romania, if and only if the articles are accepted for publication. The copyright covers the exclusive rights to reproduce and distribute the article, including reprints and translations.