Slow Denial-of-Service Attacks on Software Defined Networks
Computer Networks (IF 4.4), Pub Date: 2020-03-19, DOI: 10.1016/j.comnet.2020.107223
Túlio A. Pascoal, Iguatemi E. Fonseca, Vivek Nigam

Software Defined Networking (SDN) is a network paradigm that decouples the network’s control plane, delegated to the SDN controller, from the data plane, delegated to SDN switches.

For increased efficiency, SDN switches use high-performance Ternary Content-Addressable Memory (TCAM) to install rules. However, because TCAM is expensive and power-hungry, switches have only a limited amount of it, and consequently only a limited number of rules can be installed. This limitation has been exploited to carry out Distributed Denial of Service (DDoS) attacks, such as Saturation attacks, which generate large amounts of traffic. Inspired by slow application-layer DDoS attacks, this paper presents and investigates DDoS attacks on SDN that do not require large amounts of traffic, thus bypassing existing defenses that are triggered by traffic volume.

In particular, we present two slow attacks on SDN. The first, called the Slow TCAM Exhaustion attack (Slow-TCAM), consumes all of an SDN switch's TCAM memory by forcing the installation of new forwarding rules and keeping them active indefinitely, thus preventing new rules from being installed to serve legitimate clients.

The second, called the Slow Saturation attack, combines the Slow-TCAM attack with a lower-rate instance of the Saturation attack. A Slow Saturation attack is capable of denying service using a fraction of the traffic of typical Saturation attacks. Moreover, the Slow Saturation attack can also affect already installed legitimate rules, causing a greater impact than the Slow-TCAM attack. In addition, it affects the availability of other network components, e.g., switches, even ones not directly targeted by the attack, as our experiments demonstrate. We propose a number of variations of these attacks and demonstrate their effectiveness by means of an extensive experimental evaluation. Slow-TCAM is able to deny service to legitimate clients in only 38 seconds while sending fewer than 40 packets per second, without abruptly changing the consumption of network resources such as CPU and memory. Moreover, besides denying service as the Slow-TCAM attack does, the Slow Saturation attack can also disrupt multiple SDN switches (not only the targeted ones) while sending lower-rate traffic than currently known Saturation attacks.
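The abstract's key point is that Slow-TCAM keeps traffic volume below the thresholds that existing defenses watch, so a defender has to look at flow-table occupancy and per-rule activity instead. The following detector is an added example and not code from the paper: it reads constructed flow-stats samples (fields modelled on an OpenFlow flow-stats reply, with illustrative thresholds) and contrasts a volume-only trigger with an occupancy-based check for the Slow-TCAM profile, namely a nearly full table dominated by long-lived, barely used rules while the aggregate packet rate stays low.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowStat:
    """One installed rule as reported by a flow-stats poll (assumed fields, modelled on OpenFlow)."""
    match: str          # rule match fields, kept opaque here
    duration_s: float   # how long the rule has been installed
    packet_count: int   # packets that matched the rule since installation

def table_pps(stats):
    """Aggregate packet rate over all installed rules: what a volume-based defense looks at."""
    return sum(s.packet_count / s.duration_s for s in stats if s.duration_s > 0)

def volume_alert(stats, pps_threshold=100.0):
    """Volume-triggered defense: fires only when the aggregate rate is high."""
    return table_pps(stats) >= pps_threshold

def is_slow_tcam_exhaustion(stats, capacity, occ_threshold=0.9, min_age_s=30.0,
                            max_rate=0.5, stale_threshold=0.8, pps_threshold=100.0):
    """Occupancy-based check: table nearly full, most rules old but barely used,
    and aggregate rate still below the volume trigger, i.e. the Slow-TCAM profile."""
    if not stats:
        return False
    occupancy = len(stats) / capacity
    stale = [s for s in stats
             if s.duration_s >= min_age_s and s.packet_count / s.duration_s <= max_rate]
    stale_fraction = len(stale) / len(stats)
    return (occupancy >= occ_threshold and stale_fraction >= stale_threshold
            and table_pps(stats) < pps_threshold)

# Constructed samples for a switch modelled with a 100-rule TCAM (all numbers illustrative).
CAPACITY = 100
# 95 rules kept alive for two minutes by a trickle of 8 packets each (about 6 pps in total),
# plus three ordinary client flows: the table is full while traffic volume stays low.
SLOW_TCAM_SAMPLE = [FlowStat(f"ipv4_src=198.51.100.{i},ipv4_dst=203.0.113.10", 120.0, 8)
                    for i in range(95)] + [
    FlowStat("ipv4_src=192.0.2.5,ipv4_dst=203.0.113.10", 120.0, 3600),
    FlowStat("ipv4_src=192.0.2.6,ipv4_dst=203.0.113.10", 120.0, 2400),
    FlowStat("ipv4_src=192.0.2.7,ipv4_dst=203.0.113.10", 120.0, 1200),
]
# A classic Saturation burst: the same 98 slots filled by short-lived, high-rate flows.
SATURATION_SAMPLE = [FlowStat(f"ipv4_src=198.51.100.{i},ipv4_dst=203.0.113.10", 2.0, 50)
                     for i in range(98)]

if __name__ == "__main__":
    for name, sample in (("slow-tcam", SLOW_TCAM_SAMPLE), ("saturation", SATURATION_SAMPLE)):
        print(f"{name}: pps={table_pps(sample):.1f} volume_alert={volume_alert(sample)} "
              f"slow_tcam_alert={is_slow_tcam_exhaustion(sample, CAPACITY)}")
```

Only the occupancy check fires on the slow sample, while only the volume trigger fires on the Saturation sample; in practice the thresholds would be tuned per switch from its TCAM size and normal rule lifetimes.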


Updated: 2020-03-20