Based upon the above problems and the research foundation on them, we propose a dynamic defensive mechanism against the identity forgery attack that uses the DPID of a forwarding device to cheat the SDN controller.
(1) For the DPID forgery attack on forwarding devices proposed by Shin and Dover, the mechanism proposed in this paper can precisely identify the forged DPID and so maintain the stability of the current link.
(2) For the DoS attack on the controller caused by DPID identity forgery, proposed by Dover and Gregory, this mechanism can quickly reduce the network load and at the same time separate the attack stream from the legal stream among all network flows, which enables the controller to serve legal requests without interruption.
This paper is organized as follows: the first part introduces the related work; the second part conducts an abstract analysis of the threat model for the DPID attack; the third part describes the principle of dynamic defense based on the Client-Puzzle model, along with its execution flow; the fourth part gives a detailed exposition of the algorithm and the corresponding analysis of the Client-Puzzle model; the fifth part tests the effect of the model; the last part concludes the paper and discusses future work.
The attacker can forge a DPID to carry out the above two types of attack, on the forwarding device and on the controller respectively.
Based on these two types of forged-DPID attack, proposed by Shin, Dover and Gregory, the DPID identity forgery attack can be abstracted into the following two models.
For a legal forwarding device $S_i$ with DPID value as [??], $S_i$ has set up connection with controller $C_i$, and [??], [??].
For example, when applying the models to Floodlight, it is necessary to set up the connection first, at the end of which the value of the DPID is modified to make the flow table of the controller overflow.
For the above DPID attack model, which is made up of a 5-tuple, the process by which controllers under the Client-Puzzle model deal with connections from forwarding devices is shown in Algorithm.
(1) When controller C receives a connection request from forwarding device $S_2$, it extracts the DPID value of $S_2$ from the message msg and looks up the table.
(2) When C has received a large number of requests from different forwarding devices $S_k$ ($k = 1, 2, \ldots$) (their DPID values are shown in DPID.recv) in a short period of time, and the number of requests goes beyond the preset threshold, then C is considered to be under attack.
1: CP-HANDLER Notations DPID.recv: the value of DPID which is received from switch DPID.
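
The controller-side flow of steps (1) and (2), as an added sketch that is not the paper's Algorithm or Floodlight code: look up the received DPID, count distinct new DPIDs in a sliding window, and switch to puzzle mode once the threshold is passed. The hash-prefix puzzle, the reject-on-duplicate policy, and the names `CPHandler`, `check`, `solve`, `threshold`, `window` and `bits` are assumptions made for illustration.

```python
import hashlib
import os
from collections import deque

def check(nonce, dpid, solution, bits):
    """True if SHA-256(nonce || dpid || solution) starts with `bits` zero bits."""
    data = nonce + dpid.to_bytes(8, "big") + solution.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits) == 0

def solve(nonce, dpid, bits):
    """Switch side: brute-force search, the work a flooding sender must pay per DPID."""
    s = 0
    while not check(nonce, dpid, s, bits):
        s += 1
    return s

class CPHandler:
    def __init__(self, connected, threshold=5, window=1.0, bits=12):
        self.table = set(connected)  # DPIDs bound to live connections
        self.threshold, self.window, self.bits = threshold, window, bits
        self.recent = deque()        # (time, DPID.recv) of new-DPID requests
        self.pending = {}            # DPID -> nonce of an unanswered puzzle

    def under_attack(self, now):
        # Step (2): count distinct DPIDs seen inside the sliding window.
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        return len({d for _, d in self.recent}) > self.threshold

    def on_connect(self, dpid, now):
        # Step (1): extract the DPID and look it up in the table.
        if dpid in self.table:
            return ("reject", None)  # assumed policy: keep the current link
        self.recent.append((now, dpid))
        if not self.under_attack(now):
            self.table.add(dpid)
            return ("accept", None)
        self.pending[dpid] = os.urandom(16)  # fresh nonce per challenge
        return ("puzzle", self.pending[dpid])

    def on_solution(self, dpid, solution):
        nonce = self.pending.pop(dpid, None)  # one attempt per issued puzzle
        if nonce is None or not check(nonce, dpid, solution, self.bits):
            return False
        self.table.add(dpid)
        return True
```

Raising `bits` by one doubles the expected hashing work per forged DPID, while a switch already in the table is never challenged.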