Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments

K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, V. Maglaris
Network Management & Optimal Design Laboratory (NETMODE), School of Electrical & Computer Engineering, National Technical University of Athens (NTUA), Greece

Computer Networks xxx (2013) xxx–xxx (article in press), http://dx.doi.org/10.1016/j.bjp.2013.10.014
© 2013 Elsevier B.V. All rights reserved.

Article history: Received 16 November 2012; Received in revised form 24 October 2013; Accepted 28 October 2013; Available online xxxx

Keywords: Software Defined Networking; SDN; OpenFlow; sFlow; Anomaly detection; Attack mitigation

Corresponding author. Tel.: +30 210 7721449. E-mail addresses: coyiotis@netmode.ntua.gr (K. Giotis), cargious@netmode.ntua.gr (C. Argyropoulos), gandr@netmode.ntua.gr (G. Androulidakis), dkalo@netmode.ntua.gr (D. Kalogeras), maglaris@netmode.ntua.gr (V. Maglaris).

Abstract

Software Defined Networks (SDNs) based on the OpenFlow (OF) protocol export control-plane programmability of switched substrates. As a result, rich functionality (traffic management, load balancing, routing, firewall configuration, etc.) pertaining to the specific flows they control may be easily developed. In this paper we extend these functionalities with an efficient and scalable mechanism for performing anomaly detection and mitigation in SDN architectures. Flow statistics may reveal anomalies triggered by large-scale malicious events (typically massive Distributed Denial of Service attacks) and subsequently assist networked resource owners/operators in raising mitigation policies against these threats. First, we demonstrate that OF statistics collection and processing overloads the centralized control plane, introducing scalability issues. Second, we propose a modular architecture that separates the data collection process from the SDN control plane by employing sFlow monitoring data. We then report experimental results that compare its performance against native OF approaches that use standard flow table statistics. Both alternatives are evaluated using an entropy-based method on high-volume real network traffic data collected from a university campus network. The packet traces were fed to hardware and software OF devices in order to assess flow-based data-gathering and related anomaly detection options. We subsequently present experimental results that demonstrate the effectiveness of the proposed sFlow-based mechanism compared to the native OF approach, in terms of the overhead imposed on system resources. Finally, we conclude by demonstrating that once a network anomaly is detected and identified, the OF protocol can effectively mitigate it via flow table modifications.

1. Introduction

Data center operators and cloud service providers require flexibility and scalability in setting up programmable network environments. Traditional network architectures prove to be cumbersome, thus constraining innovation and hindering management and configuration procedures. Moreover, the software interfaces between control-plane and data-plane software elements inside network equipment still remain proprietary, leading to vendor lock-in. Software-Defined Networks (SDNs) emerge as a promising alternative architecture in which the control and data planes are decoupled. Network intelligence and state are logically centralized, while enforcement is distributed locally at network gear [1]. Among the first and most widespread
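As an added illustration (not code from the paper, whose exact entropy features, windows and thresholds are not given on this page), the following Python computes the Shannon entropy of source and destination addresses over a window of sFlow-style packet samples and flags the concentration pattern a volumetric DDoS produces; the constructed sample windows, the `delta` threshold and the choice of features are assumptions.

```python
import math
from collections import Counter

# Constructed sFlow-style samples as (src_ip, dst_ip) pairs; not data from the paper.
# Baseline window: eight flows between distinct hosts.
NORMAL_WINDOW = [(f"10.0.0.{i}", f"192.0.2.{i}") for i in range(1, 9)]
# Suspect window: six distinct sources hammer one destination, plus two benign flows.
ATTACK_WINDOW = [(f"198.51.100.{i}", "203.0.113.5") for i in range(1, 7)] + [
    ("10.0.0.1", "192.0.2.1"),
    ("10.0.0.2", "192.0.2.2"),
]


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_features(samples):
    """Per-window entropy of the source and destination address fields."""
    return {
        "src": entropy([src for src, _ in samples]),
        "dst": entropy([dst for _, dst in samples]),
    }


def is_anomalous(baseline, window, delta=0.5):
    """DDoS-like signature (assumed rule): destination entropy collapses relative to
    the baseline by more than `delta` bits while source entropy does not fall with it,
    i.e. many senders converge on few targets."""
    dst_drop = baseline["dst"] - window["dst"]
    src_kept = window["src"] >= baseline["src"] - delta
    return dst_drop > delta and src_kept


def dominant_destination(samples):
    """Destination carrying the largest share of samples, with that share; this is the
    value a mitigation flow-table entry would be built around once an anomaly is confirmed."""
    counts = Counter(dst for _, dst in samples)
    dst, c = counts.most_common(1)[0]
    return dst, c / len(samples)


if __name__ == "__main__":
    base = window_features(NORMAL_WINDOW)
    for name, win in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        feats = window_features(win)
        print(name, feats, "anomalous" if is_anomalous(base, feats) else "ok",
              dominant_destination(win))
```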