1 Introduction

The core idea of software defined networking (SDN) [1] is to abstract and decouple the control plane from the data forwarding plane, making network management and expansion more flexible [6, 8]. An SDN is structured as a centralized controller and forwarding devices (e.g. switches). The controller is responsible for managing, controlling and configuring the network devices using a standard protocol such as OpenFlow [2, 3], and it issues the flow rules it generates to the switches through a secure channel. Switches maintain a flow table and forward network data according to those flow rules; they also receive query instructions sent by the controller and report the network state. OpenFlow is currently one of the successful implementations of the SDN concept. In addition, the Protocol Oblivious Forwarding (POF) [25] architecture put forward by Huawei is another concrete implementation of the SDN idea.

Whatever the implementation of SDN, the controller always plays the core role in the SDN system, and it is the most vulnerable part and the weakest link in the whole SDN security chain. Single point of failure is a very common security threat to a centralized controller [7]. It may be induced by a number of factors, including physical damage, communication line failure and a variety of attacks. The SDN controller is an assembly of control surfaces, and there is a large amount of instruction traffic between the controller and the switches: whenever a switch receives the initial packets of a flow, it forwards them to the controller. In a complex network environment, either the bandwidth or the computing resources of the controller may turn out to be the bottleneck of the SDN system. Especially in OF_ONLY mode, switches are heavily dependent on the controller, so the entire network is paralyzed when the controller breaks down.

Besides the above-mentioned shortcomings, the SDN controller is also vulnerable to DDoS attacks. Traditionally, an attacker may launch a DDoS attack directly on any network host once the attacker has discovered its IP address [26]. In SDN there is an extra way to launch a DDoS attack. The attacker sends the switch a large number of packets that it cannot process, all of which the switch forwards to the controller according to the OpenFlow protocol. When packets from multiple switches flood to the controller, the controller's processing capacity degrades and, more seriously, denial of service results. For this kind of attack the attacker need not know the IP address of the controller; in other words, the attacker can launch the DDoS blindly. It is thus a new DDoS attack specific to the SDN architecture, and we call it Blind DDoS. Because the controller and switches form a closed system, SDN can avoid Direct DDoS attacks by hiding information about its topology. This paper focuses on the Blind DDoS attack and its defense.

To solve the above problem, this paper proposes a multiple-controller security method based on Moving Target Defense (MTD), which runs a number of dynamically extensible controllers in the SDN architecture. Even in the scanning stage, the packets' response times are changed dynamically by the MTD strategy. The remaining sections of this paper are organized as follows: Sect. 2 analyzes the principles of the Blind DDoS attack, including its generation process, harms and characteristics; Sect. 3 presents a novel MTD model as well as a multi-controller MTD system based on this model. In Sect. 4, the MTD defense approach is tested and evaluated. In Sect. 5, we discuss the limitations of our approach and give recommendations for improving them in future work. Section 6 provides a comparative analysis between this paper and related research. The last section summarizes the paper.

2 Blind DDoS Attack

Taking OpenFlow as an example, an SDN switch forwards packets in accordance with its flow table rules, and any fresh or abnormal packet that cannot be processed by the flow table is sent to the controller. In this sense, there is no need for an attacker to discover the IP address or location of the controller by scanning before launching an attack: as long as the attacker sends specific attack packets and abnormal packets into the SDN network, all switches will automatically forward these packets to their controller.

Compared with traditional DDoS attacks [5], which first need to discover the victim host's IP address, this kind of DDoS on the SDN controller is blind, so we define it as the Blind DDoS attack. Paralysis of the controller as a result of a data flow eruption sent into the SDN network marks a successful Blind DDoS attack. Figure 1 gives the general view of the Blind DDoS attack.

Fig. 1. Blind DDoS attack on SDN controller

Every flow entry in the flow table of a switch contains three items, i.e. rule, action and stats. The attacker can craft a new or abnormal packet from carefully selected IP, port, MAC etc. and send it to the switch. Generally, no rule in the switch matches a fresh packet sent for the first time. The packet is uploaded to the controller, which then broadcasts the packet's information to all network interfaces to find its route. Once it obtains the route, the controller issues corresponding rules to the switch's flow table; otherwise, the controller issues a rule to the switches to drop such packets. This whole response process takes a long time. The attacker then sends a group of packets with the same information to the switch a second time; if the response time is much shorter than the first time, the network can be determined to be an SDN architecture. An attacker may launch Blind DDoS directly on a network that claims to be an SDN architecture or that the attacker already knows to be an SDN system by scanning (Fig. 1).

Fig. 2. Flow entry structure in SDN switch [2]

The Blind DDoS attack is a serious threat to the security of SDN. On the one hand, a great quantity of attack data flow may fill the flow table of the switch with rubbish rules, resulting in performance degradation or flow table overflow. On the other hand, the Blind DDoS attack causes network paralysis by making the controller work improperly. Traditional network security methods provide no effective defense against this kind of attack. Therefore, a new defense method needs to be developed to reduce its threat to SDN.

3 Moving Target Defense Method Against Blind DDoS

Existing defense systems, including firewalls, IDS, IPS, WAF etc., all adopt static, passive defense technologies; as a result, they are unable to provide effective dynamic defense against unknown or instantaneous attacks on the network. Most defense systems are devoted to pursuing perfect detection and preventing all attacks. However, this is clearly not rational, because there are endless zero-day vulnerabilities like OpenSSL's Heartbleed of April 9, 2014. Therefore, network security researchers are actively exploring new security models [17-19] in pursuit of a steady balance between security and defense costs. Moving target defense is one of these achievements, and it is completely different from the previous detection-based network security model.

3.1 Concept of MTD

As a fresh kind of defense, moving target defense does not seek to establish a perfect system that fights off all attacks. In practice, the idea of moving target defense is to constantly diversify or change the target so as to reduce the chances of vulnerability exposure, which increases the attacker's difficulty and costs. In essence, moving target defense technology protects objects by moving them.

In information attack and defense scenarios, the moving target defense system consists of methods, channels, data and other resources. In [24], the attack surface is defined by means of a formal description and used as the main reference for modeling moving target defense. The attack surface is made up of the methods, channels, data and other resources that may be exploited by attackers. Its features include IP address, ports, identity of the host, programming language, data, etc. A moving target defense can be modeled using an attack surface together with different shifting strategies. Moving target defense may be divided into defenses at the network layer [20], application layer, software layer [21], system layer and other layers, corresponding to the layers of the attack surface features. When the system's attack surface is shifted automatically by changing one or more features, the target becomes unpredictable for the attackers. Constantly changing attributes increase attack difficulty and costs, effectively reduce the chances of vulnerability exposure and of being attacked, and increase the flexibility of the system.

However, the attack surface only describes static properties of the target system; it fails to define or describe how the attack surface shifts, the space within which each property can shift, or the shift frequency. It considers neither the overall characteristics of the target system nor the attackers. Thus, the current MTD model based on the attack surface is far from perfect.

3.2 A Novel MTD Model

Mandhata et al. [24] proposed the concept of the system attack surface and gave its formal definition as follows.

Definition 1

The environment of system s is \(E_{s} = \langle U, D, T \rangle\), wherein U is the user, D is the data storage and T is the set of systems other than s in the global system set S, i.e. \(T = S \setminus \{s\}\).

Definition 2

Given a system s and its environment \(E_{s}\), the attack surface of s is \(\langle M^{E_{s}}, C^{E_{s}}, I^{E_{s}} \rangle\), wherein \(M^{E_{s}}\) is the set of entry and exit points of system s, \(C^{E_{s}}\) is the set of channels of system s and \(I^{E_{s}}\) is the set of untrusted data items of system s.

According to the definition of the system attack surface, reducing the number of attack surface features can enhance the security of system s. In an MTD system based on the attack surface, on the premise of keeping the system's service unchanged, the number of features is not reduced; rather, the attack surface is shifted. The elements in every feature set of the system attack surface are replaced so as to make it harder for attackers to guess the properties of the elements currently in use, and consequently harder for them to carry out attacks.

In essence, moving target defense makes it difficult for attackers to launch attacks exploiting the attack surface by constantly changing it. Therefore, the randomization of the features' elements, i.e. the attack surface shifting strategy, is the key point in building a moving target defense model. However, the MTD model built by shifting the system's attack surface has many defects, mainly in the following aspects:

(A). Although the system attack surface defines three sets, i.e. M, C and I, and each set contains a plurality of elements, the alternative values for each element are not given; that is, the shifting space of the elements is not defined.

(B). The shift frequency for each set or element is not specified in the attack surface shifting strategy.

(C). The type of system s is not considered, though s may be a fully open system (such as a web service), a fully closed system (such as the hosts in an IPSec VPN) or a semi-open, semi-closed hybrid system.

(D). The attacker's actions and policies are not considered.

To solve the above problems, this paper presents a novel MTD model, which is the basis for the design of the SDN defense system against the Blind DDoS attack proposed in the following parts of this paper.

Definition 3

We propose a novel MTD model as a 3-tuple:

The New MTD: \(\langle S^{\langle N,R,T \rangle}, A^{\langle G^{a} \rangle}, D^{\langle G^{d},F^{d} \rangle} \rangle\), wherein

\(S^{\langle N,R,T \rangle}\) is a target system, \(A^{\langle G^{a} \rangle}\) is an attacker and \(D^{\langle G^{d},F^{d} \rangle}\) is a defender;

\(N = \{n_{1},n_{2},\ldots,n_{i}\}\) is the attack surface of system S, where the \(n_{i}\) are the elements of the attack surface;

\(R = \{r(n_{1}), r(n_{2}), \ldots, r(n_{i})\}\) is the shift space of the elements \(n_{i}\);

\(T = \{O, C, H\}\) are the three types of system, where O represents a fully open system, C a fully closed system and H a semi-open, semi-closed hybrid system;

\(G^{a} = \{g_{a}(1),g_{a}(2),\ldots,g_{a}(i)\}\) is the set of attack strategies of A;

\(G^{d} = \{g_{d}(1),g_{d}(2),\ldots,g_{d}(i)\}\) is the set of defense strategies of D;

\(F^{d} = \{f_{d}(1),f_{d}(2),\ldots,f_{d}(i) \mid f_{d}(i) \rightarrow g_{d}(i)\}\) gives the shift frequency of every strategy.

Below is a case study of the MTD model, taking the defense against the Blind DDoS attack on SDN as an example.

Table 1. MTD Model in SDN

SDN is a semi-open, semi-closed hybrid system, where the switch is open to both the attacker and the user, and the controller is closed and invisible to the attacker and the network user.

For a closed system, legitimate users access it with authorization and authentication, so the shift frequency of the MTD model's features need not be very high; it is sufficient that it prevents brute-force attacks. In an open system, where a large number of legitimate users and attackers are mixed together and hard to distinguish or grant authorization to, and where distributed brute-force guessing within a short period is possible, the elements of the attack surface have to shift at every interaction. In a semi-open, semi-closed hybrid system such as SDN, the two principles for closed and open systems mentioned above should be applied together. In an SDN system, the switch is open to an attacker while the controller is closed. When the attacker tries to launch a scanning attack based on the response time difference, the switch may randomly delay the transmission and feedback time of the packets that match the flow table rules to achieve MTD, confusing the information received by the attacker. The packet-delaying operation has to be applied to each packet (e.g. \(f_{d}(1)\) in Table 1). For the purpose of defending against Blind DDoS attacks, as the controllers are closed, their shift frequency (e.g. \(f_{d}(2)\) in Table 1) need not be very high, whereas the shift space shall be large enough to prevent statistical attacks.

3.3 Implementation

The MTD system proposed herein comprises the following components: a controller pool consisting of a number of controllers, an MTD strategy manager, Flood-Filtering equipment based on route-map rules, and SDN switches. Its architecture is shown in Fig. 3.

The controller pool maintains multiple controllers, which can be physical or virtual machines. The one controller working online is set to the master role and all other controllers, working offline, are set to the equal role. Generally, only one controller is online while the others are offline. When the online controller detects that the number of packets that cannot be routed exceeds the default threshold, it notifies the MTD strategy manager to bring a number of controllers from offline to online.

The MTD strategy manager is responsible for monitoring the online controller's bandwidth and load. When the controller's alarm is triggered by Blind DDoS attack data flow, the MTD strategy manager shifts multiple offline controllers to online status and assigns appropriate IP addresses to them. The MTD strategy can also change a controller's role between master and equal by sending Role-Change messages to the switch. The controller initially online issues to the switches a series of configuration instructions for defense against the attack. When the Blind DDoS attack stops, the number of online controllers should drop.

The MTD strategy manager sends two instructions to the switches when there is a Blind DDoS attack. The first defense configuration instruction received by the switches sets the last rule in the flow table as the default, so as to forward all packets that do not match flow table rules to the Flood-Filtering equipment rather than report them to the controller. We adopt the Bloom Filter [28] method in the Flood-Filtering equipment to improve matching speed. The other defense configuration instruction is to randomly select a new controller for communication by sending Role-Change messages to the switch.

Fig. 3. The architecture of MTD

In addition to filtering common protocol vulnerability attacks, the Flood-Filtering equipment also maintains the routing information of the whole network and verifies the validity of packets' destination IPs to filter the maliciously forged packets of a Blind DDoS attack. The MTD strategy continues to update the route-map rules from the online controllers, and the route-map rules are maintained for a long time.

4 Experiment and Evaluation

In the experiment, we adopt Open vSwitch as the switch, Floodlight [14] as the SDN controller and a PC with route-map matching software as the Flood-Filtering device, all installed on x86 PCs with an Intel(R) Core(TM)2 Duo CPU at 2.40 GHz, 2 GB of RAM and CentOS 6.3. A Windows Server 2003 machine with Apache Tomcat is used as the web service. IXIA equipment is used to generate attack data flow and background flow. The MTD manager runs on the controllers (Fig. 4).

The Blind DDoS attack simulation is divided into two stages: in the first stage the attacker launches scanning attacks on the network to confirm whether it is an SDN, and in the second stage the attacker sends the Blind DDoS flood packets to the SDN system.

Fig. 4. Examination topology

4.1 Attack Stage I

Here we define FirstPacket and LastPacket, which are used in the following sections. In SDN, the first several packets cannot be routed by the switches because there are no rules matching these fresh packets, so their response time is longer than that of the following packets. In our experiment, the number of these ping packets ranges from 1 to 9, with median 5. We use FirstPacket to stand for one of these initial packets and LastPacket for one of the following packets. The response time of FirstPacket is \(t_{1}\) and that of LastPacket is \(t_{2}\).

Table 2. Scan packets response time in traditional network (ms)
Table 3. Scan packets response time in SDN (ms)

At the scanning attack stage, whether the network is an SDN is mainly judged by the difference between the network's response time to a packet sent for the first time, \(t_{1}\), and to the same kind of packet sent for the second time, \(t_{2}\). In a traditional network, \(t_{1}\) is nearly equal to \(t_{2}\), as shown in Table 2. But in SDN there is a huge difference between the response times of FirstPacket and LastPacket, as shown in Table 3.

Figure 5 shows the result of scan attacks with a slow rate of pings to the web service host. To combat the scanning attack, the MTD manager builds an MTD Random Delay strategy (strategy \(g_{d}(1)\) in Table 1) according to the test results; the controller delivers that strategy to the switch, which randomly prolongs \(t_{2}\) for a period of time when processing packets that match the flow table rules, so that \((t_{1}-t_{2})\) approaches 0.

Fig. 5. Scan attacks

We define \(D_{t}\) as the response time difference of FirstPacket and LastPacket:

$$\begin{aligned} D_{t} = \left\{ d_{t(i)} \mid d_{t(i)} = t_{1}(i) - t_{2}(i),\; i > 0 \right\} \end{aligned}$$
(1)

It can easily be shown that \(D_{t}\) depends on both the SDN structure and the entry point, regardless of the client. So we give the MTD strategy \(d_{1}\) of the MTD model shown in Table 1, which randomly delays packets, as \(T_{2}\):

$$\begin{aligned} T_{2} = \left\{ t'_{2(i)} \mid t'_{2(i)} = t_{2}(i) + \mathrm{Random}[\mathrm{Min}(D_{t}), \mathrm{Max}(D_{t})],\; i > 0 \right\} \end{aligned}$$
(2)

Fig. 6. Packets with MTD random delay

Figure 6 shows that the response times of packets were confused by the switch with the MTD random delay strategy, so it is hard to tell the SDN response time apart from the traditional network response time.
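The Random Delay strategy of equations (1) and (2), worked through in Python as an added example (not code from the paper or its testbed): the switch draws a fresh uniform delay from \([\mathrm{Min}(D_{t}), \mathrm{Max}(D_{t})]\) for every flow-table hit, which bounds the residual FirstPacket/LastPacket gap by \(\mathrm{Max}(D_{t}) - \mathrm{Min}(D_{t})\). The timing samples and the 10 ms distinguishability threshold are constructed, not taken from Tables 2 and 3.

```python
"""Random Delay strategy g_d(1) of Sect. 4.1, equations (1) and (2).

Added example, not the paper's code. Timings are constructed to resemble
Tables 2 and 3: in an SDN the FirstPacket of a flow pays a controller
round-trip (tens of ms) while the LastPacket matches the flow table
(about 1 ms); in a traditional network both take roughly the same time.
"""
import random
import statistics

# Constructed (t1, t2) pairs in ms: t1 = FirstPacket, t2 = LastPacket response time.
SDN_SAMPLES = [(41.2, 0.9), (38.7, 1.1), (45.0, 0.8), (39.9, 1.0), (43.3, 0.7)]
TRADITIONAL_SAMPLES = [(1.0, 0.9), (1.2, 1.1), (0.9, 1.0), (1.1, 0.9), (1.0, 1.0)]


def response_difference(samples):
    """Equation (1): D_t = { d_t(i) = t1(i) - t2(i) }."""
    return [t1 - t2 for t1, t2 in samples]


def random_delay_strategy(samples, d_t, rng):
    """Equation (2): T_2 = { t2(i) + Random[Min(D_t), Max(D_t)] }.

    The switch adds a fresh uniform delay to every packet that matches a
    flow rule (shift frequency f_d(1): every interaction), so the LastPacket
    no longer returns predictably faster than the FirstPacket.
    """
    lo, hi = min(d_t), max(d_t)
    return [t2 + rng.uniform(lo, hi) for _, t2 in samples]


def apply_mtd(samples, seed=7):
    """Return the (t1, t2') pairs an observer sees once the strategy is active."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    d_t = response_difference(samples)
    shifted = random_delay_strategy(samples, d_t, rng)
    return [(t1, t2p) for (t1, _), t2p in zip(samples, shifted)]


def distinguishability(samples, threshold_ms=10.0):
    """Fraction of probes whose t1 - t2 gap exceeds a threshold.

    This is the statistic the scan of Sect. 2 relies on; the defender's goal
    is to drive it down to the value a traditional network would show.
    """
    diffs = response_difference(samples)
    return sum(1 for d in diffs if d > threshold_ms) / len(diffs)


def max_abs_gap(samples):
    """Largest |t1 - t2| over the samples; after MTD it is at most Max(D_t) - Min(D_t)."""
    return max(abs(d) for d in response_difference(samples))


def demo():
    """Before/after comparison for the constructed SDN timings."""
    before = distinguishability(SDN_SAMPLES)
    mtd_samples = apply_mtd(SDN_SAMPLES)
    after = distinguishability(mtd_samples)
    baseline = distinguishability(TRADITIONAL_SAMPLES)
    mean_gap = statistics.mean(response_difference(mtd_samples))
    return before, after, baseline, mean_gap


if __name__ == "__main__":
    b, a, base, gap = demo()
    print(f"distinguishable before MTD: {b:.0%}, after: {a:.0%}, "
          f"traditional network: {base:.0%}, mean gap after MTD: {gap:+.2f} ms")
```

The bound on the residual gap holds for any seed, because both \(d_{t(i)}\) and the drawn delay lie in the same interval; the seed only fixes which values the run prints.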

4.2 Attack Stage II

In our simulation experiment, the DDoS attack flow is generated by IXIA. Provided that the attack flow stays unchanged, the effect of DDoS attacks is correlated with two factors, i.e. the size of the data packet and the randomness of the destination IP. As shown in Fig. 7, the effects on the target host's CPU performance of TCP Flood, UDP Flood, ICMP Flood and Flood without protocol at the same flow size and packet length differ only slightly. For the same protocol, under constant attack flow, experiments with data packets of 64 Bytes and 1024 Bytes at the same rate of 800 Mbps show that smaller packets are more hazardous to the target host than bigger ones (Fig. 7).

If the destination IP address of the attack data packet matches a rule in the flow entries of the switch, the attack flow is not sent to the controller; consequently, the Blind DDoS attack is ineffective. The following figure shows the data packets received by the controller under static destination IP and random destination IP DDoS attacks with a packet size of 1024 Bytes (Fig. 7).

Fig. 7. Flood with different protocol

Fig. 8. DDoS flood to controller with static/random destination IP

In this experiment, the attack packets are generated by IXIA with random target IPs and a packet size of 64 Bytes to strengthen the attack effect. Assume that in the IXIA simulation the attack flows sent to the four switches are A1, A2, A3 and A4 respectively, and the attack flow rate is 200 Mbps \(\times\) 4 (i.e. \(A1 = A2 = A3 = A4 = 200\) Mbps). Without MTD defense there is only one controller at work, and the total attack flow it receives is \(A1+A2+A3+A4\), which increases the controller's CPU occupancy rate and degrades its performance. If MTD defense is initiated, the controller instructs the switches to forward unmatched flow to the Flood-Filtering equipment and at the same time notifies the switches to randomly select a new controller (strategy \(g_{d}(2)\) in Table 1). At the beginning there is a time window in which the Flood-Filtering equipment collects route information from the controllers to build the route-map. Only the hash of the network address, not the host address, is used in the route-map hash table, so when filtering the flood the equipment just matches the hash of the network address in the route-map. In this case, the average data flow each controller receives decreases. According to statistical theory, the average attack flow per controller is \(F_{a}\), where D is the attack flow the Flood-Filtering equipment drops:

$$\begin{aligned} F_{a} = \frac{1}{n}\left(\sum_{i=1}^{n} A_{i} - D\right) \end{aligned}$$
(3)

In ideal conditions, if the Flood-Filtering equipment filters most of the attack flood, \(F_{a}\) is nearly 0. Even if D is 0, meaning the Flood-Filtering equipment is not working, the value of \(F_{a}\) is much smaller than in the single-controller case, which shows that MTD defense can effectively resist the harm of Blind DDoS attacks.
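The route-map Flood-Filtering of Sect. 3.3 and the per-controller load of equation (3), as an added Python example that is not the paper's or the testbed's code: destination IPs are reduced to their network address and looked up in a Bloom filter built from the controllers' routes, and the dropped share D then feeds \(F_{a}\) for the single-controller, four-controller and four-controller-plus-filter cases of Sect. 4.2. The routes, the flood packets and the single /24 prefix length are constructed assumptions.

```python
"""Route-map Flood-Filtering of Sect. 3.3 / 4.2 and the per-controller attack
load F_a of equation (3).

Added example, not the paper's code. Routes and flood packets are constructed.
The Bloom filter is a minimal pure-Python one; as the paper describes, only the
network address of each route is inserted, so a packet is tested by the network
it falls in, never by exact host address. A single prefix length is assumed.
"""
import hashlib
import ipaddress


class BloomFilter:
    """Fixed-size Bloom filter: constant-time membership test, no false negatives."""

    def __init__(self, size_bits=4096, num_hashes=4):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        # k positions derived from salted SHA-256 digests of the item.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class RouteMapFilter:
    """Route-map learned from the online controllers' routing information."""

    def __init__(self, routes, prefix_len=24):
        self.prefix_len = prefix_len  # assumption: all routes share one prefix length
        self.bloom = BloomFilter()
        for route in routes:
            net = ipaddress.ip_network(route, strict=False)
            self.bloom.add(str(net.network_address))

    def network_of(self, dst_ip):
        """Network address of dst_ip under the assumed prefix length."""
        net = ipaddress.ip_network(f"{dst_ip}/{self.prefix_len}", strict=False)
        return str(net.network_address)

    def accept(self, dst_ip):
        """True if the destination lies in a known network; otherwise it is dropped."""
        return self.network_of(dst_ip) in self.bloom


def filter_flood(route_filter, dst_ips):
    """Apply the route-map to destination IPs; return (forwarded, dropped) counts."""
    dropped = sum(1 for ip in dst_ips if not route_filter.accept(ip))
    return len(dst_ips) - dropped, dropped


def per_controller_load(attack_flows, dropped_flow, n_controllers):
    """Equation (3): F_a = (1/n) * (sum_i A_i - D), all flows in Mbps."""
    return (sum(attack_flows) - dropped_flow) / n_controllers


# Constructed route-map (networks the controllers know routes to).
ROUTES = ["10.0.1.0/24", "10.0.2.0/24", "192.168.10.0/24"]
# Constructed flood: 3 destinations in routed networks, 7 random destination IPs.
FLOOD = ["10.0.1.5", "10.0.2.77", "192.168.10.9",
         "203.0.113.4", "198.51.100.23", "172.16.99.1", "8.8.8.8",
         "100.64.3.3", "192.0.2.200", "10.9.9.9"]


def demo():
    """Filter the constructed flood, then evaluate F_a for the Sect. 4.2 setup."""
    rf = RouteMapFilter(ROUTES)
    forwarded, dropped = filter_flood(rf, FLOOD)
    attack = [200.0] * 4                          # A1 = A2 = A3 = A4 = 200 Mbps
    drop_rate = dropped / len(FLOOD)
    single = per_controller_load(attack, 0.0, 1)  # one controller, no filtering
    pool = per_controller_load(attack, 0.0, 4)    # four controllers, D = 0
    pool_filtered = per_controller_load(attack, drop_rate * sum(attack), 4)
    return forwarded, dropped, single, pool, pool_filtered


if __name__ == "__main__":
    fwd, drp, s, p, pf = demo()
    print(f"forwarded={fwd} dropped={drp} F_a(single)={s} F_a(pool)={p} "
          f"F_a(pool+filter)={pf:.1f} Mbps")
```

A Bloom filter can admit a forged destination that happens to collide (a false positive) but never drops a packet bound for a routed network, which is the right failure direction for a filter sitting in front of the controllers.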

Fig. 9. MTD against blind DDoS attack

Figure 9 shows that a Blind DDoS attack can overwhelm a single controller and drive its CPU occupancy rate to a very high value. With the MTD system, the number of controllers increases and the packets received by any one controller decrease.

The experiment shows that MTD in SDN can effectively alleviate the damage to the controllers and switches caused by Blind DDoS attacks.

4.3 Security Analysis

This paper defines SDN as an open-closed hybrid system, which provides an important basis for constructing an appropriate Moving Target Defense model against the Blind DDoS attack. The core idea of this defense model is to build a security defense system without detection, which can reduce the risks of Blind DDoS in three stages of the attack kill chain, i.e. Reconnaissance, Attack Launch and Persistence.

Anti-Reconnaissance. Scanning plays an important role in carrying out a Blind DDoS attack. First, scanning helps identify whether the target network is an SDN, since Blind DDoS attacks are only effective against SDN. Second, to make the Blind DDoS attack more effective, scanning can be used to determine the range of random destination IPs so that their chance of matching a flow entry is minimal.

To get useful information in reconnaissance, the attacker must be able to distinguish the response times of First-Packet and Last-Packet. As the moving target defense Random Delay strategy is adopted in our approach, the response times in scanning attacks become indistinguishable. Since in our solution the Random Delay strategy is applied to every scanning packet, the One-Time Padding method can be used to produce a completely randomized sequence, so that the response times of two packets are statistically indistinguishable. In this way it effectively resists scanning attacks and plays an active role in defending against the subsequent Blind DDoS flood.

Anti-Attack Launch. The MTD architecture proposed in this paper adopts a multi-controller pool, where the switch can shift controllers randomly in the event of a Blind DDoS attack. On the one hand, multiple controllers effectively alleviate the pressure of a Blind DDoS attack on a single controller; on the other hand, the mobility of the multi-controller pool also increases the difficulty for the attacker of launching attacks directly on the controller, thus improving its security. Since the network between the controller and the switches is closed to attackers, there are enough IPv4 or IPv6 addresses for the controllers, so the entropy of the shifting IP space is large enough.

In addition to the multi-controller strategy, this paper also presents a lightweight flood filtering method based on the route map. The previous analysis shows that the Blind DDoS attack is a special means of attack which requires the attacker to construct non-existent or random destination IP addresses to achieve the best attack effect. In this paper, we gather the history of the routing tables on the controller as the basis of flood filtering, which is able to filter a large proportion of Blind DDoS attack traffic quickly.

Anti-Persistence. Although there is little possibility for Blind DDoS attacks to install additional back-doors or access channels to persist on the controller, it is not certain whether other kinds of attacks, such as Blind Injection attacks or Buffer Overflow attacks, can do so. Besides countering Blind DDoS, our MTD model with multiple controllers can also reduce the persistence risks of Blind Injection attacks or Buffer Overflow attacks by randomly changing and refreshing controllers.

5 Discussion and Future Works

The above analysis demonstrates the two key steps by which the attacker launches a Blind DDoS attack on the SDN controller: the first is scanning detection and the second is sending a large number of abnormally structured packets, or attack packets with random destination IP addresses. In this paper, we construct a defense model and system based on MTD to cope with the Blind DDoS attack in the SDN environment.

However, there are some limitations to this approach. On the one hand, in order to resist the SDN scanning attack, a method of random packet transmission delay is adopted, which affects normal data transfer performance. On the other hand, the Flood-Filtering equipment filters attack flow based on the history of routing information, which requires keeping routing tables for a prolonged time, but how to synchronize route tables among multiple controllers is not considered herein. By default, each controller regenerates its own routing tables after being shifted online. This may produce false negatives because the routing tables may have expired.

For the first problem, we will research a sampling-delay method focused on high-speed, large-volume data transmission, while maintaining the per-packet delay for low-speed transmission.

To solve the problem of false negatives, we will optimize the route table updating mechanism to reduce the possibility of the attacker exploiting expired route tables. Another available scheme is to replace simple route querying with SOM [27], and we also plan to adopt data mining methods to realize more accurate filtering of attack data streams.

Although the randomly shifted controller pool model proposed in this paper is able to solve the problems of time delay and false negatives, it also has a limitation in that it can only be used with OpenFlow 1.3 and later versions. How to realize synchronization of multiple controllers independent of the OpenFlow protocol version is worthy of further study.

6 Related Research

Although the OpenFlow Specification White Paper [3] has proposed multi-controller since version 1.3, its application is still not clearly defined. OpenFlow classifies controllers into three kinds: master, slave and equal. However, as the multi-controller configuration is static and cannot be dynamically expanded, its security is at stake. To solve this problem, our approach uses a controller pool instead of a single controller. Shin et al. [13] address the saturation challenge with the SYN Cookie. At low rates [15, 16] of TCP DDoS attack, the SYN Cookie is a useful method to prevent flooding attacks in SDN, but this approach consumes expensive computing resources in the switch. When the attack flow becomes very intensive, the switch's performance slows down until it cannot work any longer. In our solution, we use MTD to select controllers randomly, so the switch can just perform matching as usual without being interrupted. SYN flood [10, 11] is just one type of DDoS attack; any other flood, such as UDP flood, ICMP flood, etc., can also destroy the SDN controller. Our defense system can resist more kinds of network protocol used by the Blind DDoS attack. The literature [4] presented a method of identifying an SDN architecture by comparing the system's response times to the same packets sent twice in succession. Where it is an SDN network, DDoS attacks may be launched to consume the resources of its control and forwarding surfaces.

Dixit et al. [22] proposed a solution named flexible distributed controller, which can dynamically increase or reduce the number of controllers by monitoring their load. Jafarian et al. [23] adopted OpenFlow to realize moving target defense; it differs from this paper in that the object it defends is the host in SDN, while ours is the SDN controller. In paper [13], the SYN Cookie was adopted and part of the SYN state was represented by the switch to reduce the impact of DDoS attacks. The defect of this method lies in that it is only effective against SYN flood DDoS attacks, and the solution requires changes to the switches' software and hardware, which is both costly and scarcely extensible. Shin et al. [13] also proposed an MTD method to defend against brute-force scanning. It confuses the responses to scanning attacks and increases the difficulty for attackers, but it is ineffective against Blind DDoS attacks and against low-rate scanning attacks on SDN. The Crossfire attack [9] is not blind because it requires knowing and carefully selecting the links to the victims before launching the attack.

The above literature researches the security of hosts or controllers in SDN [12] from the perspectives of applying SDN to security or vice versa. Our approach differs clearly from these methods in that we are the first to focus on defending against Blind DDoS attacks based on MTD without detection.

7 Conclusion

SDN is a new network architecture with immature technology and plenty of security risks, and its security has become a focus of study in the field of network security. As the controller is the core of SDN, an SDN architecture with a single controller is vulnerable to performance bottlenecks and single point of failure. In this paper, we first propose the concept of the Blind DDoS attack, a new threat to SDN. Then we analyze in detail the principle of the Blind DDoS attack, simulate it and assess its harm, and propose a defense method based on moving target defense, including a novel MTD model that renders the defender more effective and efficient. This method is advantageous as it adopts multiple controllers, dynamically extensible with changes in attack flow. By randomly changing packet delays in the switches, our approach can resist scanning attacks. Experiments and security argumentation demonstrate that this method is convenient to implement and can effectively defend against the Blind DDoS attack.