Connected devices and cloud computing have driven traditional networks to their limits, which is why, after much deliberation, traditional networks are now beginning a transition to virtualised network functions and controllers. Telecommunications and hosting companies are deploying Software Defined Networks (SDN) and Network Functions Virtualisation (NFV) technologies as they strive for higher performance networks with increased speed and elasticity. Indeed, SDN has the potential to revolutionize data centres by providing the flexibility to adapt to the dynamic nature of today’s applications and workloads.

However, when it comes to security in an SDN world, services and policies are distributed but still managed from a single point, through a centralised SDN controller. This can be a curse as well as a blessing: if the SDN controller is compromised, an attacker can quickly impact, or gain control of, the entire network. In terms of DDoS attacks, this means that an SDN controller effectively becomes part of the problem, stopping legitimate traffic from reaching its destination. This article explores the security implications of DDoS attacks in an SDN environment and offers advice to those looking to mitigate against these types of attacks.

What are virtualised networks and why are organizations adopting them?

Software Defined Networking is an emerging approach which gives network administrators an easier and less time-consuming way to create dynamic networks, via open interfaces and abstraction of lower-level functionality. SDN separates the intelligence that decides where information is sent, the ‘control plane’ (for example Cisco’s IOS operating system), from the hardware that actually moves the data (the ‘forwarding plane’). Separating the two planes allows the decision-making process to take place in a centralised, software-based controller, rather than having each node in the network make its own local decisions. All applications make configuration requests through the controller, which has visibility over the entire network and makes all forwarding decisions for each node. But this also means that IT security teams need to reconsider how to protect the control plane, as it becomes a single point of failure where a single vulnerability could leave the whole network wide open.

Despite the many benefits SDN offers over traditional network architectures, including fine-grained security policies and improved network access control, it also introduces challenges that are not present in traditional network configuration processes.

SDN: A mixed blessing for security?

When it comes to security, SDN finally enables the fine-grained policies required to maximise protection for each virtualised workload, and allows those policies to follow the workloads automatically when they are moved around the virtualised infrastructure.

The challenge is that this can result in the SDN controller becoming a single point of compromise for the entire network, whether the motives are to steal data, or cause significant disruption with a DDoS attack.

Comparing SDN to a plumbing system, this is equivalent to a single leak dropping the system pressure and impacting a whole building. Indeed, the huge spine bandwidth associated with SDN deployments significantly increases the attack surface, and even a relatively small (but well-crafted) multi-gigabit DDoS attack could take an entire data centre offline by overloading the control plane with huge session density. Ultimately, even a single, low-volume DDoS attack could cause serious damage, up to and including the total loss of an organisation’s online presence for extended periods of time.

Security best practices

When creating a resilient and secure environment with SDN and NFV, always-on, automatic DDoS detection and mitigation tools must be deployed at the data centre edge. This is the only way to gain the visibility required to react to incidents in real time. By federating APIs between the SDN controller and the DDoS defence, the risk of the SDN controller being compromised can be managed, and DDoS attacks can be mitigated as they occur. In the event of super-saturation, the DDoS defences can rapidly signal upstream to contain the attack.
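As an added illustration, and not code from the article or from Corero: a toy Python model of the control-plane load described above (every new flow that misses the switch's flow table is punted to the controller as a packet-in) together with an always-on edge defence that federates with the controller to blackhole a single source with excessive session density and signals upstream when the control plane nears saturation. The controller capacity, thresholds, addresses and class names are all assumptions.

```python
from collections import Counter

CONTROLLER_CAPACITY = 1000  # packet-ins/second the controller can absorb (assumed figure)
PER_SOURCE_LIMIT = 50       # new flows/second from one source before it is blackholed (assumed)
SIGNAL_RATIO = 0.8          # fraction of capacity at which the edge signals upstream (assumed)

class Controller:
    """Centralised control plane: every flow-table miss costs one packet-in."""
    def __init__(self):
        self.flow_table = set()   # installed (src, dst) forwarding entries
        self.drop_rules = set()   # sources blackholed in the data plane
        self.packet_ins = 0       # control-plane work this second

    def handle_packet(self, src, dst):
        if src in self.drop_rules:
            return "dropped"      # hardware match, never punted to the controller
        if (src, dst) in self.flow_table:
            return "forwarded"    # data-plane hit, zero control-plane cost
        self.packet_ins += 1      # table miss: punted to the controller
        self.flow_table.add((src, dst))
        return "installed"

class EdgeDefence:
    """Always-on detector at the edge, federated with the controller's API."""
    def __init__(self, controller):
        self.ctl = controller
        self.new_flows = Counter()
        self.upstream_signalled = False

    def observe(self, src, dst):
        if self.ctl.handle_packet(src, dst) == "installed":
            self.new_flows[src] += 1
            if self.new_flows[src] > PER_SOURCE_LIMIT:
                self.ctl.drop_rules.add(src)   # push a drop rule via the controller
        if self.ctl.packet_ins >= SIGNAL_RATIO * CONTROLLER_CAPACITY:
            self.upstream_signalled = True     # ask upstream to contain the flood

def run_second(traffic, defended=True):
    # Replay one second of (src, dst) packets and report control-plane state.
    ctl = Controller()
    edge = EdgeDefence(ctl) if defended else None
    for src, dst in traffic:
        (edge.observe if edge else ctl.handle_packet)(src, dst)
    return {"packet_ins": ctl.packet_ins, "blocked": sorted(ctl.drop_rules),
            "saturated": ctl.packet_ins > CONTROLLER_CAPACITY,
            "upstream_signalled": bool(edge and edge.upstream_signalled)}

# Constructed traffic: 20 clients opening 5 flows each, plus one low-volume
# source spraying 2000 distinct destinations (huge session density).
LEGIT = [(f"10.0.0.{i}", f"10.1.0.{j}") for i in range(20) for j in range(5)]
FLOOD = [("203.0.113.7", f"10.1.{j // 256}.{j % 256}") for j in range(2000)]
```

Running `run_second(LEGIT + FLOOD, defended=False)` shows the 2000-flow spray alone exceeding the controller's capacity, while the defended run stops at 151 packet-ins with the source blackholed; a flood spread across many sources that each stay under the per-source limit is what the upstream signal is for.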

Overall, SDN and NFV deliver huge advantages for the critical network functions that organisations need, removing the need for dedicated physical appliances. This enables organisations to reduce cost and complexity and, at the same time, enjoy improved scalability, elasticity and faster deployments. But, despite such advantages, these networks are also inherently vulnerable to attack. Organisations looking to benefit from SDN or NFV must ensure they have full visibility into their virtualised environments to mitigate these risks. A robust defence starts by integrating DDoS protection right into the heart of the SDN controller, by federating APIs between the two systems. Only by paying close attention to the plumbing of a virtualised environment in this way can the security of its operation and data be maintained.

Sean Newman is director of product management for Corero Network Security