BSD-Guard: A Collaborative Blockchain-Based Approach for Detection and Mitigation of SDN-Targeted DDoS Attacks

Software-Defined Networking (SDN) enhances the flexibility and programmability of networks by separating control plane and data plane. The logically centralized control mechanism makes the control plane vulnerable in both single and multiple controller scenarios. Malicious third parties can exploit vulnerabilities of reactive forwarding mode to launch distributed denial-of-service (DDoS) attacks against SDN controllers. Unfortunately, existing DoS/DDoS solutions under single controller can not afford effective performance under multiple controllers due to the absence of cooperative detection and mitigation. To solve the above problem, we propose a blockchain-based SDN-targeted DDoS defense framework (BSD-Guard) that can provide cooperative detection and mitigation mechanism to protect SDN controllers. BSD-Guard introduces a blockchain-based secure middle plane between control plane and data plane. The secure middle plane calculates the suspect rate of new flows based on the collected packets' information and reports suspect lists to blockchain for immutably storing and sharing. Besides, the smart contract deployed on blockchain in advance constitutes collaborative defense strategies based on the suspect lists reported from multiple SDN domains. When receiving defense strategies, the secure middle plane converts them to specific flow table actions and installs actions into relevant switches. The experimental results indicate that BSD-Guard can efficiently detect DoS/DDoS attacks in multiple controllers scenario and issue precise defensive strategies near the source of attack by identifying the attack path.