P4 based Switch Centric Flow table Overflow Detection and Mitigation in Data Plane Devices
Authors: Lilima Jain, U. Venkanna
Venue: 2023 5th International Conference on Recent Advances in Information Technology (RAIT), published 2023-03-03
DOI: 10.1109/RAIT57693.2023.10126579 (https://doi.org/10.1109/RAIT57693.2023.10126579)
Citations: 0
Abstract
The flow table overflow attack on data plane devices is one of the prominent vulnerabilities in the Software Defined Networking (SDN) architecture. The flow table uses a limited-size TCAM to store flow rules in the data plane. Unfortunately, TCAM-based flow tables are prone to various attacks such as memory saturation attacks, DDoS attacks, cross-plane attacks, and flow table overflow attacks. These attacks lead to the starvation of benign requests and the saturation of network resources. However, existing solutions focus on controller-based attack mitigation using OpenFlow switches, which increases the communication overhead between the control plane and the data plane. This paper proposes a switch-centric, in-network framework for detecting and mitigating flow table overflow attacks. We introduce IP_SourceGuard, which keeps an audit of the flow rules by maintaining a threat value for each port and mitigates the attack traffic once that threat value exceeds the warning threshold. Further, IP_SourceGuard blocks the attacker's port so that it can no longer communicate with the network. The solution has been implemented on the BMv2 software switch, where it was determined to reduce the flow table utilization to 88%. From the results, we observe that our solution mitigates the flow table overflow attack in a real-time environment.
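The abstract only names the mechanism (a per-port threat value, a warning threshold, mitigation, then a port block). The following is an added P4_16 sketch for the BMv2 v1model target that shows what a switch-centric version of that loop looks like in the data plane; it is not the paper's IP_SourceGuard code. Everything specific is an assumption: the threat value is taken to be the number of flow-table misses (not-yet-seen flows) arriving on an ingress port, the two thresholds and register depth are arbitrary, and the exact-match `flow_table` stands in for whatever flow table the real system populates.

```p4
// Added example (not the paper's code): per-ingress-port flow-table-miss
// counting in a v1model P4_16 program. Above WARN_THRESHOLD, misses from the
// port are dropped instead of being allowed to consume a new flow entry; above
// BLOCK_THRESHOLD the port is latched as blocked. Thresholds, names and the
// choice of "misses per port" as the threat value are all assumptions.
#include <core.p4>
#include <v1model.p4>

const bit<32> MAX_PORTS       = 64;   // register depth: one slot per ingress port
const bit<32> WARN_THRESHOLD  = 50;   // assumed warning threshold
const bit<32> BLOCK_THRESHOLD = 200;  // assumed hard-block threshold

header ethernet_t { bit<48> dstAddr; bit<48> srcAddr; bit<16> etherType; }
header ipv4_t {
    bit<4> version; bit<4> ihl; bit<8> diffserv; bit<16> totalLen;
    bit<16> identification; bit<3> flags; bit<13> fragOffset;
    bit<8> ttl; bit<8> protocol; bit<16> hdrChecksum;
    bit<32> srcAddr; bit<32> dstAddr;
}
struct metadata { }
struct headers { ethernet_t ethernet; ipv4_t ipv4; }

parser MyParser(packet_in packet, out headers hdr, inout metadata meta,
                inout standard_metadata_t standard_metadata) {
    state start {
        packet.extract(hdr.ethernet);
        transition select(hdr.ethernet.etherType) {
            0x0800: parse_ipv4;
            default: accept;
        }
    }
    state parse_ipv4 { packet.extract(hdr.ipv4); transition accept; }
}

control MyVerifyChecksum(inout headers hdr, inout metadata meta) { apply { } }

control MyIngress(inout headers hdr, inout metadata meta,
                  inout standard_metadata_t standard_metadata) {
    register<bit<32>>(MAX_PORTS) threat_value;  // misses seen per ingress port
    register<bit<1>>(MAX_PORTS)  blocked;       // 1 = port latched as attacker

    action drop() { mark_to_drop(standard_metadata); }
    action forward(bit<9> port) { standard_metadata.egress_spec = port; }

    // Stand-in for the installed flow table: a miss is a not-yet-seen flow,
    // which is exactly the event an overflow attacker must generate in volume.
    table flow_table {
        key = { hdr.ipv4.srcAddr: exact; hdr.ipv4.dstAddr: exact;
                hdr.ipv4.protocol: exact; }
        actions = { NoAction; }
        default_action = NoAction();
        size = 1024;
    }
    table ipv4_lpm {
        key = { hdr.ipv4.dstAddr: lpm; }
        actions = { forward; drop; NoAction; }
        default_action = NoAction();
    }

    apply {
        if (!hdr.ipv4.isValid()) { drop(); return; }
        bit<32> idx = (bit<32>) standard_metadata.ingress_port;
        bit<1> is_blocked;
        blocked.read(is_blocked, idx);
        if (is_blocked == 1) { drop(); return; }          // already quarantined
        if (!flow_table.apply().hit) {
            bit<32> tv;
            threat_value.read(tv, idx);
            tv = tv + 1;
            threat_value.write(idx, tv);
            if (tv > BLOCK_THRESHOLD) {                   // latch the port
                blocked.write(idx, 1);
                drop(); return;
            }
            if (tv > WARN_THRESHOLD) { drop(); return; }  // mitigate: no new entry
            // Below the warning threshold the miss would be reported to the
            // control plane (digest or packet-in) so a rule can be installed.
        }
        ipv4_lpm.apply();
    }
}

control MyEgress(inout headers hdr, inout metadata meta,
                 inout standard_metadata_t standard_metadata) { apply { } }
control MyComputeChecksum(inout headers hdr, inout metadata meta) { apply { } }
control MyDeparser(packet_out packet, in headers hdr) {
    apply { packet.emit(hdr.ethernet); packet.emit(hdr.ipv4); }
}

V1Switch(MyParser(), MyVerifyChecksum(), MyIngress(), MyEgress(),
         MyComputeChecksum(), MyDeparser()) main;
```

Two caveats a practitioner would check before trusting a design like this. First, the counter never decays, so a busy but benign port eventually crosses the threshold; a real deployment needs a time window (a per-port timestamp register compared against `standard_metadata.ingress_global_timestamp`) or a periodic control-plane reset of `threat_value` and `blocked`. Second, counting per ingress port means an attacker behind a shared access port takes the whole port down with it, which is the trade-off the abstract accepts when it blocks the attacker's port rather than individual flows.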