
Improving the Robustness to Targeted Attacks in Software Defined Networks (SDN)

PhD(c) Diego F. Rueda, PhD Eusebi Calle and PhD Jose L. Marzo, Institute of Informatics and Applications, Universitat de Girona (UdG), Girona, Spain
Abstract
A software defined network (SDN) separates the network's control logic from the data forwarding devices (routers and switches), centralizing the control plane. The control plane functions thereby move from network devices to dedicated controller instances running in software. However, the centralized control plane proposed by SDN poses a great challenge for network robustness because of the new vulnerable parts that are introduced. In this paper, we present a robust design of the SDN control plane in order to maintain proper network operation in the presence of failures. Our approach focuses on identifying the critical parts of the physical topology and finding the best controller placement for improving the network robustness to targeted attacks. The network control plane is designed through interdependent network modeling of the SDN architecture. Moreover, in order to show the efficacy of the proposed algorithm, the SDN robustness is analyzed when a targeted attack occurs in the switches of a real telecommunication network.
1 Introduction
Software defined network (SDN) is an emerging
networking paradigm that breaks the vertical integration
of current network infrastructures by separating the
control plane from the data plane [1]. With this
separation, the physical network elements (routers and
switches) become simple data forwarding devices and
SDN controllers take the centralized control logic [1]. For
instance, the controllers can send the switch configuration
to adapt to traffic demands and can take decisions to
mitigate the failures in the physical network [2].
However, the SDN control plane cannot be fully
physically centralized due to responsiveness, reliability,
and scalability metrics [1]. Hence, distributed controllers
can be used to control different subsets of switches in
order to reduce the processing capacity of each controller
and decrease the switch-to-controller latency [1].
The SDN architecture can be modeled as an interdependent network, where the switch-switch network (GSS), for data forwarding, and the controller-switch network (GCS), for network control, are interconnected by bidirectional inter-links [3]. In SDN, failures can take place in the physical network, where a switch or link fails, or in the controllers' domain, where the controller fails. A failure of one SDN node (switch or controller) can lead to cascading failures due to the nodal mutual dependence [3]. Therefore, SDN robustness depends on the proper operation of these interdependent networks.
In SDN architectures, controllers introduce a centralized point of failure [4]. Controller failures are usually caused by software malfunctioning or cyber-attacks, e.g. a denial of service (DoS) attack on one controller can disconnect the dependent subset of switches [5]. The consequences of this type of failure are dramatic, as the SDN can even become disconnected. Consequently, a critical problem in SDN design is controller placement, i.e. how to select the best switches in the physical network for placing κ controllers in order to maximize an objective function such as inter-controller latency, switch-controller latency, links load, controllers load, and resilience [3] [6].
Our proposal focuses on identifying the critical parts of the physical network and finding the best controller placement in order to improve the SDN robustness against targeted attacks. As shown in [7], [8] and [9], when the topological structure of the networks is taken into account, the type of attack producing the greatest damage can be determined. In addition, the most vulnerable areas where failures frequently occur due to natural disasters (hurricanes, earthquakes, tsunamis, tornados, floods or forest fires) or technology-related disasters (power grid blackouts, hardware failures, dam failures or nuclear accidents) can be detected by network operators. Therefore, in the switch-switch network (GSS), the subset of less vulnerable switches C has a high probability of being selected for placing the κ controllers. Moreover, we consider that the subset of switches to be managed by each controller c is determined by a maximum distance δ between switches and controllers.
In this work, the SDN architecture is modeled as an interdependent network, where each control plane node is directly connected to a given physical switch by a bidirectional link. Additionally, in-band controller-switch communication via single shortest path is assumed, i.e. the control traffic from controllers to switches is delivered via the same physical links [3] [6]. Thus, there is a one-to-one dependence relation between the nodes of the data and control planes. Due to this correspondence, a targeted attack on one physical switch can lead to a cascading failure in SDN architectures. In order to show the efficacy of the proposed algorithm for designing a control plane layer (GCS), the robustness of three SDN architectures is analyzed when a targeted attack takes place in the switches of a real telecommunication network.
DRCN 2017 (March 08-10, 2017 in Munich, Germany)
ISBN 978-3-8007-4383-4
© VDE VERLAG GMBH · Berlin · Offenbach
The remainder of this paper is structured as follows: Section II contains a review of previous work. A mathematical model of SDN and the failure model are defined in Section III. In Section IV a mechanism to improve the robustness to targeted attacks in SDN is proposed. The physical topology of the SDN is presented in Section V. The resulting SDN topology and the impact analysis of a targeted attack in the network robustness are also provided in Section V. Finally, conclusions and future work are presented in Section VI.
2 Previous work
The interdependency introduced by SDN architectures and their sophisticated supported services make this type of network more vulnerable to failures. This growing reliance on telecommunication networks translates into increased consequences of disruption, and the increased consequences of disruption make networks a more attractive target for attacks [10]. From a security and reliability perspective, the SDN architecture exhibits new vulnerable parts in both the data plane and the control plane. For instance, the most vulnerable physical network elements can be identified by the number of shortest paths that pass through a given router or by the number of physical links from one switch to others. In addition, the SDN controllers introduce a centralized point of failure, which can fail due to software issues or cyber-attacks, e.g. a DoS attack on one controller [5]. Therefore, designing an SDN architecture that is robust and fault-tolerant to targeted attacks poses several challenges, as the controllers can be physically distributed along the network and connected to different switches.
One of the critical challenges in SDN concerns the design of the control plane layer, where defining the best controller locations has several repercussions on its robustness. Previous work addressed the controller placement problem as a key issue to improve the performance and resilience of SDN. Performance improvement is studied in [11] by deciding the number of controllers and placing them in order to minimize the latency from nodes to their assigned controller. In [12], the dynamic controller provisioning problem (DCPP) is used to dynamically adapt the number of controllers and their locations to changing network conditions due to traffic patterns or bandwidth demands.
With regard to the resilient controller placement problem, a greedy algorithm is used to provide placement decisions in order to maximize the reliability of SDN [13]. In [3], the controller placement problem for improving the resilience of SDN is analyzed by using interdependent network modeling, and a new metric to measure the impact of cascading failures is proposed. The resilient controller placement problem in large scale SDN networks with respect to latency constraints, resilience against node and link failures, and load balancing in the control plane is also studied under heuristic approaches [6]. In [14], the minimum number of controllers for building a scalable, robust and balanced control layer is identified. The proposed k-Critical algorithm also satisfies a target for communication between controller and switches such as delay, latency or convergence time [14].
Additionally, in [15] a fault tolerant controller placement
(FTCP) problem is solved. This proposal takes into
account that in a given topology there is a set of facilities
where controllers can be deployed, and it also requires
that each node is effectively connected to at least one
controller with high reliability. Thus, a reasonable number
of controllers and their placements to achieve very high
reliability in the SDN network are identified. In [16], a
distributed control architecture with optimized controller
placement, and assurances of SDN resilience is proposed.
This controller architecture establishes control areas with
distributed control. The global network view is achieved
by applying a designated controller, which is an area
controller that assumes the role of maintaining
consistency of the entire network [16].
In contrast to previous studies, we propose a novel algorithm to improve the robustness to targeted attacks in SDN architectures with distributed controllers. As constraints of the SDN controller layer design (GCS), our method requires three input parameters: 1) a switch-switch network (GSS), 2) the number of controllers (κ) and 3) the maximum distance between controllers and switches (δ). The values for κ and δ are design parameters that could be defined from the particular requirements of the network operator. For instance, in large-scale networks the distance δ has practical implications for control layer design in SDN, affecting availability and convergence time. The distance δ can also be defined by geographical proximity between controllers and switches. However, we do not focus on finding optimal minimum-latency placements in order to reduce the delay of controller-to-switch communication [11], but instead on presenting an initial analysis of GSS network vulnerability to certain types of targeted attacks as a fundamental aspect of solving the resilient controller placement problem.
3 Interdependent SDN model and failure model
Based on [3] and [17], the mathematical model of an
interdependent SDN architecture and the failure model in
SDN networks are defined in this section.
3.1 Interdependent model of SDN networks
Consider the switch-switch network as an undirected graph GSS(S,U), and the controller-switch network as an undirected graph GCS(T,V), each with a set of nodes (S,T) and a set of links (U,V), respectively. The nodes in GSS consist of the physical switches randomly connected by a set of V intra-links with degree distribution PSS(k). Analogously, the nodes in GCS consist of the controllers and switches connected by a set of U intra-links with degree distribution PCS(k). Moreover, in-band controller-switch communication via single shortest path is assumed, and one-to-one correspondence between Si and Ti nodes is considered. Thus, the interdependent SDN network resulting from the connection of these two networks is a graph G with S ∪ T nodes and U ∪ V intra-links plus a set of bidirectional inter-links L12 joining the two networks, i.e. N = S ∪ T and L = U ∪ V ∪ L12. In consequence, the SDN graph is defined as G(N, L) = (S ∪ T, U ∪ V ∪ L12). Figure 1 shows the interdependent SDN modeling.
Figure 1 Interdependent SDN network modeling
Denote |N1| and |N2| as the number of nodes in GSS and GCS, respectively, |L1| and |L2| as the number of links in GSS and GCS, respectively, and |L12| as the number of inter-links. In addition, |N| = |N1| + |N2| and |L| = |L1| + |L2| + |L12|. Let A1 and A2 be the adjacency matrices of the two networks GSS and GCS, and A that of the whole system G, whose entries or elements are aij = 1 if node i is connected to node j, otherwise aij = 0. When the two networks are disconnected (L12 = ∅), the matrix A is defined as the |N| × |N| matrix:
$$A = \begin{bmatrix} A_1 & 0 \\ 0 & A_2 \end{bmatrix} \qquad (1)$$
When an interaction is introduced (L12 ≠ ∅), the adjacency matrix acquires non-trivial off-block terms denoted by Bij. Let B12 be defined as the |N1| × |N2| interconnection matrix representing the inter-links Si-Tj between GSS and GCS, and B21 as the |N2| × |N1| interconnection matrix representing the inter-links Tj-Si between GSS and GCS. As a bidirectional interdependency between GSS and GCS is considered, B21 = B12. Therefore, the interdependency matrix B for the whole system G is defined as the |N| × |N| matrix:
$$B = \begin{bmatrix} 0 & B_{12} \\ B_{12} & 0 \end{bmatrix} \qquad (2)$$
In this model, the switches are limited to be at a maximum distance δcs from their assigned controller c. Therefore, if the distance δcs between the switch Si = {1, 2, …, N1} and the controller c is less than or equal to the maximum distance δ (δcs ≤ δ), the switch Si belongs to the sub-network controlled by the controller c. Distance δ can represent a design constraint such as propagation delay or latency, physical distance of links or the number of hops. Distance δ also has implications for the availability and convergence time of the SDN architecture.
As an illustrative example of an interdependent SDN
network, Figure 2(a) shows a physical network (GSS) as a
random graph and Figure 2(b) shows the controller-switch
network (GCS) as a shortest path routing tree for in-band
controller-switch communication on GCS [3]. In Figure
2(a) the nodes Si are the physical switches, whereas in
Figure 2(b) the node 1 is the controller Ci and other nodes
are the switches controlled by it.
Figure 2 Interdependent SDN Network Generating
3.2 Cascading failures in SDN networks
Due to the fact that the SDN architecture could be
modeled as an interdependent network, the SDN
robustness depends on the proper functioning of both GSS
and GCS networks. In the case of interconnecting the GSS
and GCS networks by bidirectional inter-links, we consider
that each node (Si = {1, 2, …, N1}) in GSS depends on one,
and only one, node (Ti = {1, 2, …, N2}) in GCS, to continue
functioning, and vice versa. Furthermore, a subset of
nodes in GCS depends on the communication to a
particular controller to maintain their proper functioning.
In SDN architectures, a targeted attack in one physical
switch could lead to cascading failure. When a node Si in
GSS is attacked, the dependent node Ti in GCS is removed.
Therefore, if a subset of nodes in GCS is disconnected
from a controller c due to the failure of switch Si, by the
mutual dependence the same subset of nodes in GSS also
fails. Similarly, if one controller is attacked, the subset of
dependent nodes in GCS fails and the failure will spread to
the same subset of nodes in GSS.
Figure 3 shows that each node in GSS depends on one, and only one, node in GCS, and vice versa. Bidirectional inter-links (L12) between Si and Ti are shown as dashed horizontal lines, and U and V intra-links are shown as undirected solid arcs. In order to illustrate the cascading failure model in SDN networks, Figure 3(a) shows that when node 3 is attacked in GSS, node 3 in GCS fails. As a consequence of the failure of node 3 in GCS, node 6 in GCS also fails because it is disconnected from the controller located in node 1 (see Figure 3(b)). Finally, by the mutual dependence, the failure spreads to node 6 in GSS.
Figure 3 Cascading failures in SDN networks
3.3 Modeling targeted attacks
In targeted attacks the network elements are removed with
the purpose of maximizing the impact of the attack in the
network. There are two major schemes for selecting the
elements to be removed. In a simultaneous targeted
attack, the centrality metric is calculated for all elements
(node or link) in the network and then a specified fraction
of the elements is removed based on the centrality
measurement sorted list, from highest to lowest [8].
In a sequential targeted attack, by contrast, the centrality
measure is calculated for all the elements in the initial
network, and the element with the highest centrality value
is then removed. Next, the centrality measures of all the
elements in the resulting network are recalculated and
once again the highest ranked element is removed and so
on. This process of recalculating the centrality measures
and removing the highest ranked element is continued
until the desired fraction of elements is reached [8].
As shown in [7], [8] and [9], from the topological structure of networks it is possible to determine which targeted attack will produce the greatest damage. Hence, in this paper, the topological properties of the GSS network are considered to select the most important nodes, i.e. a centrality metric is measured to rank the nodes to be removed in the targeted attack. Therefore, the critical parts of a physical topology under a certain type of attack can be identified and the best controller placements to reduce the impact of targeted attacks can be located.
4 Improving the robustness to targeted attacks in SDN
Our approach is focused on identifying the best controller placement in order to improve the network robustness. Algorithm 1 provides a procedure to mitigate the impact of a targeted attack in SDN networks. Algorithm 1 requires three parameters as input: 1) a switch-switch network (GSS), 2) the number of controllers (κ) and 3) the maximum distance between controllers and switches (δ).
Algorithm 1 Find the best controller placement to improve the SDN network robustness.
Require: κ > 0, δ > 0
 1: Input: a graph GSS and the constants κ (number of controllers) and δ (maximum distance between controllers and switches).
 2: Output: an array C containing the best controller placements in order to improve the SDN network robustness.
 3: attackStrategy ← getMostDangerousAttackStrategy(GSS)
 4: C ← getLeastCriticalNodes(GSS, κ, attackStrategy)
 5: for all c ∈ C do
 6:     GTc ← setGraphTree(GSS, κ, δ, c)
 7: end for
 8: GCS = (GT1 GT2, …, GTc), c = {1, 2, …, κ}
 9: G ← getInterdepentSDNGraph(GSS, GCS)
10: Return: C
In the first step of Algorithm 1 (line 3), the targeted attack strategy that produces the greatest damage in GSS is identified through analysis of the topological structure of the network or identification of areas where failures frequently occur. Based on the number of controllers κ and the type of attack identified as the most dangerous, a subset of less vulnerable switches can be selected as the possible locations of controllers (C) (line 4). C is an array with κ nodes and C ⊂ S, where S is the set of nodes of GSS. Then, for each node c ∈ C, Algorithm 1 generates one hierarchical tree graph (GTc) via single shortest path, which contains a subset of nodes of GSS to be controlled by the node c (as shown in Figure 2(b)). Each tree graph GTc has diameter DTc ≤ δ and the node c as the root (lines 5 to 7). If the distance δcs ≤ δ, the switch Si will be part of the sub-network managed by the controller c. For simplicity, we consider δcs as the shortest path between the node c and the switches Si = {1, 2, …, N1}. In GTc, the controller c is connected to the switches by using the physical links of GSS. Furthermore, to achieve load balancing among controllers, the number of nodes of each GTc is expected to be the same and is given by the ratio of the number of nodes of GSS (N1) to the number of controllers (κ).
In line 8, the controller-switch network (GCS) is generated by the interconnection of the κ tree graphs GTc with an in-band controller-switch communication strategy, i.e. the control traffic from controllers to switches is delivered via the physical links of GSS. Thus, controller-controller communications are not direct. Finally, the interdependent SDN graph G(N,L) is obtained by the interconnection of GSS(S,U) and GCS(U,V) (line 9) with a one-to-one correspondence between nodes Si and Ti. Therefore, a subset of switches C is identified as the best locations for placing the κ controllers (line 10).
The proposed algorithm takes into account the robustness of the physical network (GSS) to a given targeted attack in order to generate the control plane network (GCS) of the SDN architecture. Consequently, based on the critical parts of the physical network, the best controller placements to improve the SDN network robustness are identified. The number of controllers (κ) could be defined by the network operator according to the load balancing of controllers, deployment cost or geographical location of data centers. In addition, in this paper the control plane network is defined as a function of a maximum distance δ based on the number of hops. Other definitions of δ such as latency (a key aspect in data center locations [18]) or distance of physical links (an important design criterion in large-scale networks) could be considered in the algorithm.
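The tree construction of Algorithm 1 (lines 5 to 8) and the cascading failure model of Section 3.2 can be exercised together. The following is an added example, not code from the paper: the 6-node topology, the function names and the rule that each switch joins its nearest controller are assumptions made here.

```python
from collections import deque

# Constructed 6-node switch-switch network GSS (adjacency sets); it is not
# the topology drawn in the paper's figures.
GSS = {
    1: {2, 3},
    2: {1, 4},
    3: {1, 4, 6},
    4: {2, 3, 5},
    5: {4, 6},
    6: {3, 5},
}


def build_control_trees(gss, controllers, delta):
    """Build GCS as shortest-path trees rooted at the controllers.

    Returns parent pointers: parent[s] is the next hop of switch s toward
    its controller (None for a controller). Assumption: a switch joins the
    nearest controller, and switches more than `delta` hops from every
    controller stay unassigned.
    """
    parent = {c: None for c in controllers}
    depth = {c: 0 for c in controllers}
    queue = deque(controllers)
    while queue:
        u = queue.popleft()
        if depth[u] == delta:        # distance limit reached on this branch
            continue
        for v in sorted(gss[u]):     # sorted for a reproducible tie-break
            if v not in parent:
                parent[v] = u
                depth[v] = depth[u] + 1
                queue.append(v)
    return parent


def cascade(gss, parent, attacked):
    """Return every switch that ends up failed after the attack.

    A switch fails if it is attacked, if its single in-band control path
    (the tree path in GCS) crosses an attacked switch, or if it has no
    controller at all. By the one-to-one dependence the same nodes fail
    in GSS.
    """
    attacked = set(attacked)
    failed = set()
    for s in gss:
        node = s
        # Walk up the tree until the root is passed or the path is broken.
        while node is not None and node in parent and node not in attacked:
            node = parent[node]
        if node is not None:         # stopped early: broken path or unassigned
            failed.add(s)
    return failed


def surviving_fraction(gss, controllers, delta, attacked):
    """Fraction of switches still working after the cascade."""
    parent = build_control_trees(gss, controllers, delta)
    return 1 - len(cascade(gss, parent, attacked)) / len(gss)


if __name__ == "__main__":
    tree = build_control_trees(GSS, [1], 3)
    # An attack on switch 3 also takes out switch 6: its control path is
    # 6-3-1, although the physical link 6-5 is still up.
    print(sorted(cascade(GSS, tree, [3])))
    # Same attack, two placements of kappa = 2 controllers with delta = 2.
    print(surviving_fraction(GSS, [1, 5], 2, [3]))
    print(surviving_fraction(GSS, [3, 4], 2, [3]))
```

With the controllers on switches 1 and 5 only the attacked switch is lost, while with the controllers on switches 3 and 4 the same attack takes down half of the network.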
5 Results and discussion
The average two-terminal reliability (ATTR) is selected as the robustness metric to be analyzed in the SDN interdependent network when the most dangerous targeted attack occurs. ATTR is a suitable tool in analyzing the robustness and identifying the critical parts of a network. ATTR measures the probability of the connectivity between a randomly chosen node pair in a single network, and it is defined as follows [19]:
$$ATTR = \frac{\sum_{i=1}^{O} X_i (X_i - 1)}{H (H - 1)} \qquad (3)$$
where O is the number of components, Xi is the number of
nodes in component i and H is the number of nodes in the
network. When the network is fully connected, exactly one
component exists and ATTR is 1. Successive removal of
nodes or links will bring it closer to zero [19]. If failures
affect two topologies in the same percentage of nodes or
links, the one that takes longer to reach a given critical
ATTR can be considered the most robust [19].
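The two attack schemes of Section 3.3 and the ATTR metric of equation (3) can be compared on a small graph. The following is an added example, not code from the paper: the 10-node topology and all function names are constructed here, only degree centrality (dc) is used for ranking, and H is taken to be the node count of the intact network.

```python
from collections import deque

# Constructed 10-node undirected topology (not Internet2 AL2S).
EDGES = [(1, 2), (1, 3), (1, 4), (1, 5), (2, 3), (2, 4),
         (5, 6), (6, 7), (6, 8), (8, 9), (9, 10)]


def build_adj(edges):
    """Adjacency sets of an undirected graph given as an edge list."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def remove_nodes(adj, removed):
    """Return a copy of the graph without the removed nodes and their links."""
    removed = set(removed)
    return {u: nbrs - removed for u, nbrs in adj.items() if u not in removed}


def component_sizes(adj):
    """Sizes X_i of the connected components, found by breadth-first search."""
    seen, sizes = set(), []
    for start in adj:
        if start in seen:
            continue
        seen.add(start)
        queue, size = deque([start]), 0
        while queue:
            u = queue.popleft()
            size += 1
            for v in adj[u] - seen:
                seen.add(v)
                queue.append(v)
        sizes.append(size)
    return sizes


def attr(adj, h):
    """Equation (3): sum_i X_i (X_i - 1) / (H (H - 1)).

    Assumption: h is the number of nodes of the intact network, so pairs
    involving a removed node count as disconnected.
    """
    return sum(x * (x - 1) for x in component_sizes(adj)) / (h * (h - 1))


def ranked_by_degree(adj):
    """Nodes from highest to lowest degree; ties broken by node id."""
    return sorted(adj, key=lambda u: (-len(adj[u]), u))


def simultaneous_attack(adj, n_remove):
    """Rank once on the intact graph and take the top n_remove nodes."""
    return ranked_by_degree(adj)[:n_remove]


def sequential_attack(adj, n_remove):
    """Remove the top-ranked node, recompute the ranking, and repeat."""
    removed, current = [], adj
    for _ in range(n_remove):
        target = ranked_by_degree(current)[0]
        removed.append(target)
        current = remove_nodes(current, [target])
    return removed


def attr_after(adj, removed):
    """ATTR of the graph once the listed nodes have been removed."""
    return attr(remove_nodes(adj, removed), len(adj))


ADJ = build_adj(EDGES)

if __name__ == "__main__":
    for name, attack in (("simultaneous", simultaneous_attack),
                         ("sequential", sequential_attack)):
        targets = attack(ADJ, 2)
        print(name, targets, round(attr_after(ADJ, targets), 3))
```

On this graph the sequential attack removes nodes 1 and 6 and leaves ATTR at 12/90, against 30/90 for the simultaneous attack on nodes 1 and 2, because node 2 loses most of its degree once node 1 is gone.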
This section initially covers the description of the topological properties of a real switch-to-switch network (GSS) and the robustness analysis of this GSS network under simultaneous and sequential targeted attacks. Through this study case, the most dangerous targeted attack in the single network scenario of GSS is identified. Then, by executing Algorithm 1, an SDN interdependent network is obtained from the GSS network, a number of controllers (κ) and a maximum distance (δ). Therefore, a subset of switches C is identified as the best locations for placing the κ controllers. Finally, the network robustness of this SDN network is studied in the cascading failure model (presented above in Section 2.B), when a percentage of nodes (P) is removed from the GSS based on the most dangerous targeted attack.
5.1 Switch-Switch network topology
Internet2 has been selected for this study case because it
supports SDN networking and it has also been studied as
a SDN network in previous works [6]. Internet2's
Advanced Layer 2 Service (AL2S) provides an effective
and efficient wide area 100 gigabit Ethernet technology
[20]. AL2S allows building Layer 2 circuits (VLAN) on
the Internet2 AL2S backbone. Open Exchange Software
Suite (OESS) is a set of software used to configure and
control dynamic (user-controlled) VLAN networks on
OpenFlow enabled switches [20]. Figure 4 shows
the Internet2 Network Advanced Layer 2 Service
topology map, where each switch has SDN Ethernet
add/drop capabilities [20].
Figure 4 Internet2 AL2S network’s topology map
In this paper, the Internet2 AL2S backbone is considered as the switch-switch network (GSS). Table 1 presents the main topological properties of the Internet2 AL2S network: number of nodes (N1), number of links (L1), average nodal degree (⟨k⟩), maximum degree (kmax), average shortest path length (⟨l⟩), diameter (D) and assortativity coefficient (r). As can be observed in Table 1, the network exhibits an assortativity (r) value close to zero (-0.128) and has a low value of ⟨k⟩ (2.62), and high values of ⟨l⟩ (4.65) and D (11).
Table 1 Internet2 AL2S network's topological properties
GSS        N1   L1   ⟨k⟩    kmax   ⟨l⟩    D    r
Internet2  39   51   2.62   5      4.65   11   -0.128
5.2 Robustness analysis of Internet2 AL2S under targeted attacks
Figure 5 shows the robustness comparison for the Internet2 AL2S network under targeted attacks in the single network scenario. The INTERNET2_SI_Dc and INTERNET2_SI_Bc curves present the results of ATTR measures for the Internet2 AL2S network under simultaneous targeted attacks based on nodal degree centrality (dc) and nodal betweenness centrality (bc), respectively, while the INTERNET2_SE_Dc and INTERNET2_SE_Bc curves present the results of ATTR measures for the Internet2 AL2S network under the sequential targeted attack based on dc and bc, respectively. In the failure model, the percentage of nodes removed (P) ranges from 1% to 70%. Ten runs were carried out and, in accordance with each targeted attack, different subsets of nodes are removed.
As can be seen in Figure 5, the Internet2 AL2S network is more vulnerable to sequential targeted attacks (see curves INTERNET2_SE_Dc and INTERNET2_SE_Bc) than to simultaneous targeted attacks (see curves INTERNET2_SI_Dc and INTERNET2_SI_Bc). This result can be explained by the fact that the Internet2 AL2S network presents a small value of ⟨k⟩, and high values of ⟨l⟩ and D. In Figure 5, for P in the range of 1% to 5%, network connections of the Internet2 AL2S topology are reduced to 70% in a sequential targeted attack by bc (see curve INTERNET2_SE_Bc) and to 66% in a sequential targeted attack by dc (see curve INTERNET2_SE_Dc). When P ranges from 6% to 15%, in both sequential targeted attacks the network connections dramatically decrease to 21%. For P > 15%, the network connections in the sequential targeted attacks begin to exhibit a similar behavior, and the Internet2 AL2S network is almost completely disconnected when P reaches 40%.
Figure 5 Robustness analysis of Internet2 AL2S under
targeted attacks
In the case of a simultaneous targeted attack, the network connections are reduced to 87% when nodes are removed by their dc (see curve INTERNET2_SI_Dc) and to 85% when nodes are removed by their bc (see curve INTERNET2_SI_Bc). However, for simultaneous targeted attacks 22% of network connections remain when P reaches 20% of removed nodes. For P > 20%, the Internet2 AL2S topology shows more robustness to simultaneous targeted attacks by bc than to simultaneous targeted attacks by dc. The network connections of Internet2 are approximately 0% when P reaches 45%.
The robustness analysis presented in this section shows that the Internet2 AL2S network is more vulnerable to a sequential targeted attack by betweenness centrality (bc) (see curve INTERNET2_SE_Bc). This is an important result because in the first step of Algorithm 1 (line 3) the targeted attack strategy that produces the greatest damage in GSS must be identified. Therefore, based on the strategy explained in Section III.B (line 4 in Algorithm 1), the sequential targeted attack by bc will select as the critical parts of the network those nodes with the highest betweenness centrality in each of the resulting networks after removing the desired fraction of nodes (P).
5.3 Controller placement in SDN to improve the robustness to targeted attacks
The input parameters to Algorithm 1 are defined as follows. The Internet2 AL2S network is considered as GSS. The number of controllers κ is equal to 5 because, according to [15], 8 controllers or fewer are enough to reach high availability. The distance δ is equal to 6 and it was defined as a function of the GSS network diameter (D), i.e. δ = round(D/2), because the number of hops needed to reach other nodes increases when, as in the study case of this paper, the controllers are placed on switches with low values of betweenness centrality.
For the switch-to-switch topology considered as study case, Algorithm 1 selects as best controller placements those switches that are the least vulnerable to a sequential targeted attack based on betweenness centrality (bc). Therefore, the controller placements of the resulting SDN architecture (GA1) after the execution of Algorithm 1 for κ = 5 controllers and a distance δ = 6 are CGA1 = {32, 34, 35, 37, 38}. The subsets of switches (S) managed by each controller c ∈ CGA1, the number of switches (N) in each tree graph of the controller-to-switch network (GCS) and their diameter (D) are presented in Table 2.
Table 2 Subsets of switches managed by each controller in the SDN topologies considered as study case
Networks  C   S                                        N   D
GA1       32  {32,12,21,22,33,36}                      5   2
          34  {34,25,24,30}                            5   2
          35  {35,1,2,5,7,8,9,14,15,17,26,27,29,39}    14  6
          37  {37,3,4,6,13,16,18,19,23,28,31}          11  6
          38  {38,11,10,20}                            4   2
GLBc      10  {10,7,8,17,20,24,38}                     7   3
          18  {18,3,4,6,11,16,19,23}                   8   3
          32  {32,12,13,25,33,34}                      6   3
          36  {36,21,22,28,30,37}                      6   3
          35  {35,1,2,5,9,14,15,26,27,29,31,39}        12  6
GHCc      20  {20,10,11,38}                            4   2
          7   {7,3,6,8,17,18,19,23,35}                 9   5
          12  {12,4,13,16,21,22,28,32,33,37}           10  3
          24  {24,25,25,30,34,36}                      6   4
          14  {14,1,2,5,15,26,27,29,31,39}             10  5
Similarly, we have generated two SDN topologies for the Internet2 AL2S network in order to compare their robustness against the robustness of the SDN topology generated by Algorithm 1 (GA1). The former is the GLBc network, where the nodes for placing the κ controllers are selected as those having the lowest betweenness centrality (bc), i.e. the controllers will be placed on the switches less vulnerable to simultaneous targeted attacks by bc. The latter is the GHCc network, where the κ controllers are placed in nodes with the minimum distance to switches, i.e. controllers will be placed in switches having the highest values of closeness centrality (cc) [3]. Therefore, the κ = 5 controllers for the GLBc network are placed in the subset of nodes CGBc = {10, 18, 32, 36, 35}, whereas for the GHCc network they are located in the subset of nodes CHCc = {20, 7, 12, 24, 14}. The subsets of switches managed by each controller c in CGBc and CHCc are presented in Table II. Note in Table 2 how the GHCc network has the lowest distance (i.e. the lowest diameter D) between the controllers and switches compared with GA1 and GLBc.
[Figure 5 plot: ATTR versus percentage of failures (P);
curves INTERNET2_SI_Bc, INTERNET2_SI_Dc, INTERNET2_SE_Dc,
INTERNET2_SE_Bc]
DRCN 2017 (March 08-10, 2017 in Munich, Germany)
ISBN 978-3-8007-4383-4
© VDE VERLAG GMBH · Berlin · Offenbach
Graphically, the controller placements for each of the
three SDN architectures considered in this paper are
illustrated in Figure 6. As Algorithm 1 does not take into
account the geographical location of nodes and the physical
distance among them, the controllers can be placed near
each other (see Figure 6(a)) and the shortest paths between
controllers and switches can overlap. Hence, some
controllers manage a high load and the diameters of their
tree networks are greater than others, e.g. the tree
sub-network created by controller 35 in GA1 manages 14
switches and its diameter is 6, whereas controller 34 only
manages 4 switches and its tree sub-network has a diameter
equal to 2 (see Table 2). Similar results were found for
the controller placement of the GLBc and GHCc SDN
topologies (Figure 6(a) and Figure 6(c), respectively), in
which controllers are also geographically close and
unbalanced. Therefore, we assume that controllers must have
enough capacity to manage the load introduced by these
models, because load balancing is not considered a
mandatory constraint in the SDN models of the study case.
Although these models are not fully realistic, they capture
other essential constraints in the design of SDN networks,
such as the number of controllers and the
switch-to-controller distance.
Figure 6 Controllers placement for Internet2 AL2S in
each SDN topology: a) GA1, b) GLBc, c) GHCc
5.4 Robustness analysis of SDN networks
In this section, the network robustness of the resulting
SDN architecture (GA1) after the execution of Algorithm 1
is studied under the cascading failure model explained in
Section III.B. In order to show the efficacy of the
proposed algorithm in improving the robustness of SDN
architectures under targeted attacks, the robustness of GA1
is compared with the robustness of the GLBc and GHCc
networks. In the failure model, the percentage of nodes
removed (P) from the GSS network ranges from 1% to 20%,
based on a sequential targeted attack by betweenness
centrality (bc). Figure 7 illustrates the robustness
analysis of the three SDN architectures under a sequential
targeted attack by bc.
Figure 7 Robustness analysis of SDN architectures under
targeted attacks (plot: ATTR versus percentage of failures
(P); curves GA1, GLBc, GHCc)
In Figure 7 it can be seen that the GA1 SDN network (see
curve GA1) is more robust to sequential targeted attacks by
bc than the GLBc and GHCc networks (see curves GLBc and
GHCc, respectively). This result is because the controllers
of GA1 are the last to be attacked, whereas the controllers
of GLBc and GHCc can be removed in the first percentages
of failures. For P between 1% and 3%, the network
connections of GA1 (see curve GA1 in Figure 7) are
dramatically reduced to 54%, and to 51% for GLBc and
GHCc (see curves GLBc and GHCc in Figure 7). When P
ranges from 3% to 8%, the network robustness of GA1 is
better than that of GLBc and GHCc by approximately 3% of
network connections.
For P 9%, the network connections for the three SDN
topologies are reduced to 10% and the robustness of the GA1
and GLBc networks begins to exhibit a similar behavior.
Moreover, in Figure 7 it can be seen that GLBc is more
robust than GHCc when P is between 6% and 15% (see
curves GLBc and GHCc, respectively). For P > 15%, the
robustness of the three SDN topologies is similar and the
networks are completely disconnected when P reaches
20%. Therefore, Figure 7 illustrates how the robustness of
an SDN network generated by Algorithm 1 is improved when
the most dangerous targeted attack on its switch-to-switch
network occurs.
Another interesting result can be found by comparing the
robustness of the Internet2 AL2S network in the single
network scenario (see curve INTERNET2_SE_Bc in
Figure 5) and the SDN scenario (see curve GA1 in Figure
7). Internet2 AL2S is more robust in the single network
scenario when P equals 1% and when P is greater than 10%.
However, when P ranges from 2% to 9%, the Internet2
AL2S network is more robust in the SDN scenario.
Then, Algorithm 1 could also improve the network
robustness for SDN scenarios at low values of P.
6 Conclusions and future work
In this paper, we presented a robust design of the SDN
architecture to maintain an acceptable level of service in
the face of faults. We focused on identifying the critical
parts of the physical topology and finding the best
controller placements to improve the network robustness to
targeted attacks. Moreover, we presented how an SDN
topology can be modeled as an interdependent network and
how the cascading failure model can be generated from a
targeted attack.
Results pointed out how Algorithm 1 provides a
procedure to mitigate the impact of targeted attacks in
SDN networks. Algorithm 1 requires three parameters: 1)
a switch-switch network (GSS), 2) the number of
controllers (κ) and 3) the maximum distance between
controllers and switches (δ). Based on the critical parts of
a switch-switch network (GSS) under a targeted attack,
Algorithm 1 selects as best controller placements those
switches that are the least vulnerable to the attack, i.e.
those nodes with low probability of being selected in the
first percentages of failures of the targeted attack.
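The selection rule summarised in the paragraph above, as an added sketch that is not the paper's Algorithm 1 (its pseudocode is not reproduced in this section): switches are ranked by a sequential betweenness attack, and the κ switches removed last become controllers, subject to the hop bound δ. The 10-switch topology, the function names and the lowest-id tie-break are assumptions made for this example.

```python
from collections import deque

# Constructed 10-switch topology (not the Internet2 AL2S graph):
# two 5-node rings joined by the link between switches 4 and 5.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0),
         (5, 6), (6, 7), (7, 8), (8, 9), (9, 5), (4, 5)]

def build(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def bfs(adj, src):
    """Hop distances, shortest-path counts, predecessors and visit order from src."""
    dist, sigma, preds, order = {src: 0}, {src: 1}, {src: []}, []
    queue = deque([src])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in adj[v]:
            if w not in dist:
                dist[w], sigma[w], preds[w] = dist[v] + 1, 0, []
                queue.append(w)
            if dist[w] == dist[v] + 1:
                sigma[w] += sigma[v]
                preds[w].append(v)
    return dist, sigma, preds, order

def betweenness(adj):
    """Node betweenness centrality (Brandes' algorithm, unweighted, unnormalised)."""
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        _, sigma, preds, order = bfs(adj, s)
        dep = dict.fromkeys(order, 0.0)
        for w in reversed(order):
            for v in preds[w]:
                dep[v] += sigma[v] / sigma[w] * (1 + dep[w])
            if w != s:
                bc[w] += dep[w]
    return {v: b / 2 for v, b in bc.items()}  # each undirected pair was counted twice

def sequential_attack_order(adj):
    """Removal order of a sequential bc attack: bc is recomputed after every removal."""
    g = {v: set(n) for v, n in adj.items()}
    order = []
    while g:
        bc = betweenness(g)
        target = max(g, key=lambda v: (bc[v], -v))  # assumption: ties go to the lowest id
        order.append(target)
        for n in g.pop(target):
            g[n].discard(target)
    return order

def place_controllers(adj, kappa, delta):
    """Place kappa controllers on the switches the attack reaches last; enforce delta."""
    order = sequential_attack_order(adj)
    controllers = sorted(order[-kappa:])
    dist = {c: bfs(adj, c)[0] for c in controllers}
    far = float("inf")
    assign = {}
    for s in adj:
        best = min(controllers, key=lambda c: (dist[c].get(s, far), c))
        if dist[best].get(s, far) > delta:
            raise ValueError(f"switch {s} is more than {delta} hops from every controller")
        assign[s] = best
    return controllers, assign, order

def removals_before_first_controller(order, controllers):
    """Number of switches the attack removes before it hits any controller."""
    return min(order.index(c) for c in controllers)

if __name__ == "__main__":
    adj = build(EDGES)
    controllers, assign, order = place_controllers(adj, kappa=2, delta=4)
    print("attack order:", order)
    print("controllers:", controllers, "assignment:", assign)
    print("survives", removals_before_first_controller(order, controllers), "removals")
    print("bridge placement survives", removals_before_first_controller(order, [4, 5]))
```

On this constructed topology the two controllers end up adjacent in one ring, the same effect the paper notes for GA1 when geographical distance is ignored.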
By comparing the robustness of the SDN network
resulting from the execution of Algorithm 1 (GA1) with the
two SDN topologies selected as study case (GLBc and
GHCc), the GA1 network is the most robust. Hence, with
Algorithm 1 the vulnerability of an SDN network can be
reduced under the most dangerous targeted attack, because
the least vulnerable nodes are removed in the last
percentages of failures and the network maintains more
network connections than the other SDN topologies as the
percentage of removed nodes (P) increases.
In future work, the geographical placement of nodes
and the physical distance among them can be taken into
account to distribute the controller placements over the
network and reduce the controller load and the physical
controller-switch distance. Furthermore, Algorithm 1 can
be analyzed in other scenarios where finding the best
locations in a network is a key design aspect to improve
the network robustness.
7 Literature
[1] Software-Defined Networking: A Comprehensive Survey, Proceedings of the IEEE. Vol. 103, No. 1, Jan. 2015, pp. 14-76.
[2] Controller Fault-Tolerance in Software-Defined Networking, Santa Clara: ACM SIGCOMM SOSR, 2015.
[3] Controller Placement for Improving Resilience of Software-Defined Networks, Los Angeles: ICNDC, 2013.
[4] Design and deployment of secure, robust, and resilient SDN controllers, London: NETSOFT, 2015.
[5] Distributed Denial of Service Attacks in Software-Defined Networking with Cloud Computing, IEEE Communications Magazine. Vol. 53, No. 4, Apr. 2015, pp. 52-59.
[6] Heuristic Approaches to the Controller Placement Problem in Large Scale SDN Networks, IEEE Transactions on Network and Service Management. Vol. 12, No. 1, Mar. 2015, pp. 4-17.
[7] Characterising the robustness of complex networks, Int. J. Internet Technology and Secured Transactions. Vol. 2, No. 3/4, Dec. 2010, pp. 291-330.
[8] Attack Robustness and Centrality of Complex Networks, PLoS ONE. Vol. 8, No. 4, Apr. 2013, pp. 1-17.
[9] Robustness Comparison of 15 Real Telecommunication Networks: Structural and Centrality Measurements, J. Netw. Syst. Manage, 2016. pp. 1-21. doi:10.1007/s10922-016-9391-y
[10] Resilience and survivability in communication networks: Strategies, principles, and survey of disciplines, Computer Networks. Vol. 54, No. 8, Jun. 2010, pp. 1245–1265.
[11] The Controller Placement Problem, Helsinki: HotSDN, 2012.
[12] Dynamic Controller Provisioning in Software Defined Networks, Zürich: CNSM, 2013.
[13] On the placement of controllers in software-defined networks, The J. of China Univ. of Posts and Telecomm. Vol. 19, No. 2, Oct. 2012, pp. 92–97.
[14] On the controller placement for designing a distributed SDN control layer, Trondheim: IFIP Networking Conference, 2014.
[15] On reliable controller placements in Software-Defined Networks, Computer Communications. Vol. 77, No. 1, Mar. 2016, pp. 41–51.
[16] A Resilient Distributed Controller for Software Defined Networking, Kuala Lumpur: IEEE ICC, 2016.
[17] Robustness of interdependent networks with different link patterns against cascading failures, Physica A. Vol. 393, No. 1, Jan. 2014, pp. 535-541.
[18] Comparison of Different Data Center Location Policies in Survivable Elastic Optical Networks, Munich: RNDM, 2015.
[19] Network Reliability with Geographically Correlated Failures, San Diego: IEEE INFOCOM, 2010.
[20] Internet2: www.internet2.edu [Accessed: 3 March 2016].
... However, some models do study the case in which there are more than two interacting networks [43][44][45], or present variations on the behaviour within the network. Among these, we find models that have loads and capacities that can trigger further failure if the load of a node or edge exceeds its capacity due to load redistribution in case of failure [46][47][48][49][50][51], models where the distances from a node to a control node is relevant to establish connections [52], or models that explore the "average lifetime" of a node after which the node fails [53]. Following a similar idea, Stippinger et al. [54] introduced the concept of "recovery" on a one to one like model. ...
... Within the "probability" classification, we have metrics that measure robustness according to how likely that an event is to occur, where this event is relevant for the robustness of the system. Some of these metrics measure how likely it is that a giant mutually connected component exists within the interdependent networks system [4,23,29]; others measure how likely it is that a node is still connected to the largest connected component [27,31], that two nodes are connected with one another [33,42,52], how likely a node is to survive a contagion [107], or the probability that more than half of the original nodes survive [88]. Other metrics measure the distribution function of the largest connected cluster size [70] or the distribution function of the load shedding [86], while others measure how reliable the interdependent networks are, given the probability distribution of the cascading failure size [110]. ...
... In this case, real networks may be paired with other real networks on the interdependent networks system, as in the work of Zhao et al. [2] where the interconnected public transportation network is used for testing, or with simulated networks, as shown by Bashan et al. [64], where the European power grid is coupled with a Random-Regular network. A total of 28 articles were found to belong to this classification [1,2,7,10,22,31,32,34,49,51,52,56,57,60,64,72,77,81,82,85,86,88,89,91,93,96,99,103]. ...
The analysis of network robustness tackles the problem of studying how a complex network behaves under adverse scenarios, such as failures or attacks. In particular, the analysis of interdependent networks’ robustness focuses on the specific case of the robustness of interacting networks and their emerging behaviors. This survey systematically reviews literature of frameworks that analyze the robustness of interdependent networks published between 2005 and 2017. This review shows that there exists a broad range of interdependent network models, robustness metrics, and studies that can be used to understand the behaviour of different systems under failure or attack. Regarding models, we found that there is a focus on systems where a node in one layer interacts with exactly one node at another layer. In studies, we observed a focus on the network percolation. While among the metrics, we observed a focus on measures that count network elements. Finally, for the networks used to test the frameworks, we found that the focus was on synthetic models, rather than analysis of real network systems. This review suggests opportunities in network research, such as the study of robustness on interdependent networks with multiple interactions and/or spatially embedded networks, and the use of interdependent network models in realistic network scenarios.
... Applying suitable Fault tolerance techniques can increase the robustness of DCNs. The network robustness has so far been studied extensively in the literature [15][16][17]. In [16], a comprehensive review of the robustness has been conducted. ...
... Therefore, τ (orτ ) can quantify the risk of using a node/link in a network which in turn indicates the degree of robustness of the network [19]. Most of the recent literature has been focused on the analysis of network robustness on the random and complex networks [15][16][17]. ...
... To a fair comparison, the maximum number of servers is kept closer to 30 k (31,250~33,306) for all architectures. The reason for this difference is that each DCN architecture adheres to a complicated default structure [17]. By considering the structure of each topology, the number of the servers and switches are adjusted to obtain the closest number of maximum servers possible for each architecture. ...
The information and communication technology nowadays more than ever depends on the Internet and cloud computing, so that the data centers (DCs) have been converted to a constitutive unit of the cloud computing. A DC is composed of two primary parts: servers and Data Center Networks (DCNs). Robustness and scalability are two major challenges of the DCNs that are expanded based on two strategies, scale-out, and scale-up. This paper is distinctive from the related studies in two aspects. The first one is to simultaneously focus on both the scalability and the robustness challenges of the DCNs. For this purpose, we will concentrate on the comparison of robustness in the scalable models of these networks. The second one is, despite the previous work that only evaluated the DCN robustness under topological changes, we evaluated the robustness and fault tolerance against three types of unexpected changes in topology, traffic, and COI (community of interest) in the present work. Hence, we have chosen the network criticality (NC) as a graph-theoretic metric for analyzing DCN robustness. Afterward, we compare some structural and spectral graph metrics with NC among some well-known DCNs, and their scale-out and scale-up. Our results are useful to select the appropriate scaling strategy with the goal of maximizing the robustness of existing DCNs and provide a guideline for designing the new robust and scalable DCN.
... In this work, we consider attacks, i.e., intended failures, that may also occur and operators should also consider them when designing their networks. Rueda et al. [23] proposed a CPP solution to improve the SDN control plane robustness against targeted attacks, which are defined according to the most harmful centrality metric (e.g., node degree centrality, node betweenness centrality). Two targeted attacks were considered, i.e., sequential attacks (i.e., the metric is computed after each attack to select the next targeted node) and simultaneous attacks (the metric is computed once and the components with the higher metrics are attacked). ...
... The most common strategies of TAs [7], [23] are based on three node centrality metrics from graph theory: node degree, node closeness and node betweenness. Consider the data plane topology modeled by a graph G = (N, E) with a given set N of switches and a given set E of connecting links. ...
In Software Defined Networks (SDNs), the control plane of a network is decoupled from its data plane. For scalability and robustness, the logically centralized control plane is implemented by physically placing different controllers throughout the network. The determination of the number and placement of controllers is known as the Controller Placement Problem (CPP). In the regular (i.e., failure-free) state, the control plane must guarantee a given maximum delay between every switch and its primary controller and a given maximum delay between every pair of controllers. In general, these delay bounds allow multiple solutions and, so, other goals can be used to determine the best CPP solution. In this paper, we assess the connectivity-based resilience to malicious attacks against multiple network nodes of the CPP solutions obtained with three different aims: the regular state delay optimization without any concern about attacks, the regular state delay optimization taking into consideration the worst-case attacks and the resilience optimization to attacks against multiple nodes. We assess the CPP solutions considering attacks of targeted nature (when the attacker has complete knowledge of the data plane) and attacks of non-targeted nature (i.e., random and epidemic attacks). We present computational results providing an analysis of the CPP solutions to the different types of attacks. The main conclusion is that the connectivity-based resilience between the different CPP solutions strongly depends on the network topology, the regular state delay bounds and the type of attacks. Finally, we provide insights on how SDN operators can consider the conducted assessment when deciding the controller placements in their networks.
... Hegr et al. introduced a novel metric, Quality of Alternative Paths centrality (QAP), to quantify node surroundings and indicate more robust paths [14]. Rueda et al. analyzed the critical parts of physical topology and selected the best controllers placement in SDN for improving the network robustness to targeted attacks [31]. Kim et al. proposed a logically isolated networking scheme to integrate distributed cloud resources to dynamic and on-demand virtual networking over software-defined wide area network (SD-WAN) [16]. ...
... Kim et al. proposed a logically isolated networking scheme to integrate distributed cloud resources to dynamic and on-demand virtual networking over software-defined wide area network (SD-WAN) [16]. However, these works focus on different technical issues in SDN, such as traffic sampling [41], path robustness [14], attack avoidance [31], and virtual networking [16]. To the best of the authors' knowledge, there is little work focusing on investigating the novel data-driven network patterns to ameliorate the SDN controller to make efficient routing decisions. ...
Software-defined networking (SDN) enables routing control to program in the logically centralized controllers. It is expected to improve the routing efficiency even in highly dynamic situations. In this article, we make an in-depth observation of practical Internet datasets and investigate the relationship between betweenness centrality and network throughput. Furthermore, we propose a new routing observation factor, differential ratio of betweenness centrality (DRBC), to denote the varying amplitude of betweenness centrality to node degree. We reveal an interesting phenomenon that DRBC is proportional to the routing efficiency when the maximum betweenness centrality varies in a small range. Based on this, a DRBC-based routing scheme is proposed to improve routing efficiency. The experimental results verify that DRBC-based routing can improve the network throughput and accelerate the routing optimization.
... In [22], the resilient capacitated CPP is addressed considering multiple controller failures where each switch has a given traffic load and controllers have an associated capacity. Assuming that an attacker knows the data plane topology but is unaware of the controller locations, the network vulnerabilities to centrality-based attacks are studied in [23] and the controller locations are proposed to be the nodes least chosen by the different attacks. In [24], CPP solutions are based on a failure correlation assessment of nodes (and links) and different types of minimal cut sets (composed of nodes and/or links) are considered to assess the network unavailability. ...
In software defined networks (SDN) packet data switches are configured by a limited number of SDN controllers, which respond to queries for packet forwarding decisions from the switches. To enable optimal control of switches in real time the placement of controllers at network nodes must guarantee that the controller‐to‐controller and switch‐to‐controller communications delays are bounded. Apart from the primary controllers that control the switches in the nominal state, separate backup controllers can be introduced that take over when the primary controllers are unavailable, and whose delay bounds are relaxed. In this paper, we present optimization models to jointly optimize the placement of primary and backup controllers in long‐distance SDN networks, aimed at maximizing the network's resilience to node‐targeted attacks. Applying the models to two well‐known network topologies and running a broad numerical study we show that, when compared with the standard approach of using only primary controllers, the use of backup controllers provides significant resilience gains, in particular in case of tight delay bounds.
In software-defined networking (SDN), the control plane is separated from the data plane. For scalability and robustness reasons, the logically centralized control plane is implemented by physically distributing different controllers throughout the network. The determination of the number and location of the SDN controllers is known as the controller placement problem (CPP). For given maximum switch-controller (SC) and controller-controller (CC) delays in the regular (failure-free) state, we aim to find a CPP solution that maximizes the control plane robustness against a given number of malicious node attacks. We describe an ILP-based method aiming to enumerate all CPP solutions that guarantee the existence of a data plane path from every switch to any controller if all other controller nodes are shut down (worst-case scenario). Then, for different malicious node attacks, based on node centrality metrics and corresponding to different attacker’s strategies, we evaluate the previous solutions to determine the ones that maximize the network robustness, considering the SDN control plane operating with or without split-brain. In the computational results, we compare the robustness and the average SC and CC delays of the best CPP solutions. Since a control plane with split-brain requires more controllers, the average SC and CC delays in the regular state of its CPP solutions are significantly better, on average. Concerning robustness, split-brain does not always provide the best robust CPP solutions due to its feature of requiring a minimum number of connected controllers (which must be over half of the total number of them) to be operational.
Multiple failures can have catastrophic consequences on the normal operation of telecommunication networks. In this sense, guaranteeing network robustness to avoid users and services being disconnected is essential. A wide range of metrics have been proposed for measuring network robustness. In this paper the taxonomy of robustness metrics in telecommunication networks has been extended and a classification of multiple failures scenarios has been made. Moreover, a structural and centrality robustness comparison of 15 real telecommunication networks experiencing multiple failures was carried out. Through this analysis the topological properties which are common for grouping networks with similar robustness are able to be identified.