Defending Against New-Flow Attack in SDN-Based Internet of Things

Recently, the Internet of Things (IoT) is attracting significant attention from both academia and industry. To connect the huge amount of IoT devices effectively, software-defined networking (SDN) is considered as a promising way because of its centralized network management and programmable routing logic. However, due to the limited resources in both the data plane and the control plane, SDN is vulnerable to the new-flow attack, which can disable the SDN-based IoT by exhausting the switches or the controller. Therefore, in this paper, we propose a smart security mechanism (SSM) to defend against the new-flow attack. The SSM uses the standard southbound and northbound interfaces of SDN, and it includes a low-cost method that monitors the new-flow attack by reusing the asynchronous messages on the control link. The monitor method can differentiate the new-flow attack from the normal flow burst by checking the hit rate of the flow entries. Based on the monitoring result, the SSM uses a dynamic access control method to mitigate the new-flow attack by perceiving the behavior of the security middleware in the IoT. The dynamic access control method can intercept the attack flows at their access switch. Extensive simulations and testbed-based experiments are conducted and the corresponding results verify the feasibility of our claims.