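Computer science
Table (database)
Network packet
Computer network
Packet forwarding
Flow (mathematics)
Software-defined networking
Routing table
Database
Routing protocol
Geometry
Mathematics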
Authors
Dan Tang, Chenjun Gao, Wei Liang, Jiliang Zhang, Keqin Li
Identifier
DOI:10.1109/tnsm.2023.3270339
Abstract
Software-defined networking (SDN) faces challenges in efficiently forwarding packets across the network due to the limited capacity of flow tables in the switches. Ternary content addressable memory (TCAM) is typically used to store flow tables, but its limited capacity makes it vulnerable to attacks. Specifically, the Low-rate Flow Table Overflow (LFTO) attack is an attack against the flow table capacity limit, which can occupy massive space in the flow table to decrease the forwarding performance of normal flow rules by slowly sending packets that cannot match the flow table. To address this, we propose FTMaster, a system to monitor, detect and mitigate LFTO attacks based on machine learning. FTMaster monitors and detects the flow table state by analyzing the features of flow tables. Once the LFTO attack is detected, FTMaster will activate the mitigation module to extract and analyze the features of each flow rule, evict attack flows, and ultimately block the attack source, thereby protecting flow tables and normal flows. Experimental results demonstrate that FTMaster enables real-time LFTO attack detection and mitigation, ensuring normal forwarding and availability of flow tables.