Computers & Security

Volume 70, September 2017, Pages 482-499
ArOMA: An SDN based autonomic DDoS mitigation framework

https://doi.org/10.1016/j.cose.2017.07.008

Abstract

Distributed Denial of Service (DDoS) attacks have been the plague of the Internet for more than two decades, despite tremendous and continuous efforts from both academia and industry to counter them. The lessons learned from past DDoS mitigation designs indicate that their heavy reliance on additional software modules and dedicated hardware devices seriously impedes their widespread deployment. This paper proposes an autonomic DDoS defense framework, called ArOMA, that leverages the programmability and centralized manageability of the Software Defined Networking (SDN) paradigm. Specifically, ArOMA can systematically bridge the gaps between different security functions, ranging from traffic monitoring to anomaly detection to mitigation, while sparing human operators from non-trivial interventions. It also facilitates collaboration between ISPs and their customers on DDoS mitigation by logically distributing the essential security functions, allowing the ISP to handle DDoS traffic based on the requests of its customers. Our experimental results demonstrate that, in the face of DDoS flooding attacks, ArOMA can effectively maintain the performance of video streams at a satisfactory level.

Introduction

Distributed Denial of Service (DDoS) attacks have continuously occurred on the Internet for most of the past three decades, attracting tremendous research efforts from both academia and industry. In particular, flooding-based attacks, such as those using UDP, TCP SYN or ICMP packets, are the most prevalent attack variants on the Internet (Arbor Networks). DDoS attacks impact not only the victim networks but also the ISP networks, as all the malicious traffic directed to the victim networks traverses the ISP network, potentially congesting links within it (Eddy et al., 2016). This indicates that customers and their ISP need to collaborate closely to cope with DDoS attacks. For example, when a customer detects an attack, relevant information about the attack should be shared with the ISP in a timely manner so that mitigation can start quickly. Despite the large variety of DDoS mitigation mechanisms, to the best of our knowledge only a few of them provide a collaborative architecture (Koutepas et al., 2004; Schnakengerg et al., 2001) based on a community of trusted partners. However, this requires all network routers to maintain a partner list, clearly resulting in information exchange overhead. It may also require the modification of legacy routers and the deployment of dedicated network devices, incurring more complex human intervention (Mahimkar et al., 2007).

After a comprehensive survey of the available DDoS mitigation designs, we have identified several requirements for enhancing them, and for new designs: (1) easy deployment and operation, avoiding the use of special-purpose software or hardware devices; (2) effective information exchange between the different parties involved (i.e., the ISP and its customers), so that a customer can signal threat information to the ISP at a very early stage of a DDoS attack; (3) timely handling of the customers' requests by the ISP and enforcement of appropriate DDoS mitigation policies; (4) management of the entire life-cycle of the DDoS mitigation scheme in a scalable, adaptive and automated way, avoiding non-trivial manual effort. Unfortunately, the intrinsic characteristics of today's legacy networking infrastructure cause the majority of DDoS mitigation schemes to fail these requirements. The recent development of Software Defined Networking (SDN) motivates us to re-examine such designs (Sahay et al., 2015; Shin et al., 2013), in particular by taking advantage of the clear separation between the network control plane and data plane, as well as the programmability of SDN controllers.

To meet all the above-mentioned requirements, we propose ArOMA, an SDN based autonomic DDoS mitigation framework. ArOMA is intended to systematically and seamlessly integrate the different DDoS mitigation modules distributed across the ISP and its customers, ranging from traffic monitoring to anomaly detection to mitigation. In particular, the traffic monitoring and anomaly detection modules are deployed on the customer side, while the mitigation engine runs on the ISP side. This architecture is motivated by the fact that customers usually have a better view of which traffic is undesired, whereas the ISP has better control over the upstream traffic. To facilitate the collaboration between the ISP and its customers, intrinsic functions of OpenFlow (OF) switches, such as flow tagging and flow statistics collection, are exploited. It is worth mentioning that the focus of this paper is on DDoS attack mitigation rather than detection. We therefore assume that the customer has already detected flows suspected of being attacks and shares the corresponding alerts with its ISP via a communication channel between the SDN controllers deployed on the ISP and customer sides.
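The customer-to-ISP exchange described above, as an added example that is not part of the original paper and not ArOMA's own code: a minimal model of how the ISP-side controller could handle one customer alert received over the controller-to-controller channel. The JSON message fields, the customer prefix registry, the action vocabulary and the timeout cap are all assumptions made for this illustration. The check a practitioner would want to see is that the ISP confirms the requesting customer is known and that the reported victim address lies inside that customer's own address space before installing a drop or rate-limit rule; without it, the mitigation channel itself becomes a way for one party to blackhole another's traffic. The resulting rule is expressed as an OpenFlow 1.3-style match/action description with a bounded hard timeout, so that mitigation rules expire rather than persist indefinitely.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample of the ISP's customer registry (assumed data): a
# customer may only request mitigation for traffic destined to address
# space it owns. ArOMA's real registration mechanism is not shown on this page.
CUSTOMER_PREFIXES = {
    "customer-A": [ipaddress.ip_network("203.0.113.0/24")],
    "customer-B": [ipaddress.ip_network("198.51.100.0/24")],
}

ALLOWED_ACTIONS = {"drop", "rate_limit"}   # assumed action vocabulary
MAX_TIMEOUT = 3600                          # assumed cap on rule lifetime (s)
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class FlowMod:
    """OpenFlow 1.3-style rule the ISP controller would push to its edge switch."""
    match: dict
    action: str
    priority: int
    hard_timeout: int


def parse_request(raw: str) -> dict:
    """Decode a JSON alert from the customer controller; reject junk early."""
    req = json.loads(raw)
    if not isinstance(req, dict):
        raise ValueError("alert must be a JSON object")
    for key in ("victim", "action"):
        if key not in req:
            raise ValueError(f"missing field: {key}")
    return req


def validate_request(customer: str, req: dict) -> None:
    """Authorisation checks the ISP must apply before acting on an alert."""
    prefixes = CUSTOMER_PREFIXES.get(customer)
    if prefixes is None:
        raise ValueError(f"unknown customer {customer!r}")
    if req["action"] not in ALLOWED_ACTIONS:
        raise ValueError(f"action {req['action']!r} not permitted")
    victim = ipaddress.ip_address(req["victim"])   # raises on malformed input
    if not any(victim in p for p in prefixes):
        # Without this check one customer could blackhole another's traffic.
        raise ValueError(f"{victim} is not in {customer}'s address space")
    if "attacker" in req:
        ipaddress.ip_network(req["attacker"])      # raises on malformed input
    if "protocol" in req and req["protocol"] not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol {req['protocol']!r}")
    timeout = int(req.get("timeout", MAX_TIMEOUT))
    if not 0 < timeout <= MAX_TIMEOUT:
        raise ValueError("timeout out of range")


def build_flow_mod(customer: str, req: dict) -> FlowMod:
    """Translate a validated alert into a flow rule for the ISP edge switch."""
    validate_request(customer, req)
    match = {
        "eth_type": 0x0800,
        "ipv4_dst": str(ipaddress.ip_network(req["victim"])),  # host -> /32
    }
    if "attacker" in req:
        match["ipv4_src"] = str(ipaddress.ip_network(req["attacker"]))
    if "protocol" in req:
        match["ip_proto"] = PROTO_NUMBERS[req["protocol"]]
    # More specific matches get higher priority, so a narrow rule for a known
    # attacker prefix takes precedence over a broad rule for the same victim.
    priority = 100 + 10 * len(match)
    return FlowMod(match=match, action=req["action"], priority=priority,
                   hard_timeout=int(req.get("timeout", MAX_TIMEOUT)))


def handle_alert(customer: str, raw: str) -> FlowMod:
    """Entry point on the ISP controller for one customer alert."""
    return build_flow_mod(customer, parse_request(raw))


if __name__ == "__main__":
    # Constructed alert: customer-A reports a UDP flood from 192.0.2.0/24.
    alert = json.dumps({"victim": "203.0.113.10", "attacker": "192.0.2.0/24",
                        "protocol": "udp", "action": "drop", "timeout": 600})
    print(handle_alert("customer-A", alert))
    try:
        handle_alert("customer-A", json.dumps({"victim": "198.51.100.5", "action": "drop"}))
    except ValueError as exc:
        print("rejected:", exc)
```

In a real deployment the `customer` identity would come from the authenticated channel (for example, the client certificate of the TLS session between the two controllers), never from a field inside the alert, and the `FlowMod` would be handed to the controller's OpenFlow driver (Ryu's `OFPFlowMod`, in the paper's prototype) rather than returned as a plain object.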

The rest of this paper is organized as follows. Section 2 reviews some related work. A set of key observations and motivations are given in Section 3. An architectural description of ArOMA, together with the implementation details of its key functional components, is presented in Section 4. Section 5 develops a use case to illustrate the application of ArOMA. The development and implementation of an ArOMA prototype using the Ryu SDN controller is reported in Section 6, along with a set of simulation results. In addition, some testbed-based experimental results are reported in Section 7. Section 8 finally concludes the paper.

Section snippets

Related work

To date, a large variety of DDoS or DoS mitigation mechanisms have been proposed, covering the entire security life-cycle from prevention and detection to characterization and response. However, few of them have been considered for widespread deployment due to non-trivial deployment overhead and management complexity. We conducted a survey to better understand their shortcomings and classified them into five categories: capability-based, congestion control, traceback, cooperative detection and

Key observations and design objectives

We analyzed and compared the state-of-the-art DDoS mitigation mechanisms discussed in Section 2 and summarized our findings in Table 1. A number of observations are given in the following.

  • Most of the mechanisms in our sample are designed to protect end hosts. This is not surprising, considering the nature of most DDoS attacks, in particular recent occurrences such as DNS and NTP amplifications, or redirection attacks (Arbor Networks). The target link flooding attacks (Studer and Perrig, 2009),

ArOMA: towards SDN-based autonomic DDoS mitigation

As Table 1 shows, most existing DDoS mitigation mechanisms perform well under particular assumptions, but they generally lack an effective way of facilitating collaboration between multiple parties (e.g., ISP and customer) as well as systematic integration between the different functional components (e.g., monitoring, detection and reaction). In this section, we present our autonomic DDoS mitigation framework ArOMA, which leverages the characteristics of SDN. We first present an overview of

Use case

To better illustrate the design purpose and principles of ArOMA, we develop a use case, shown in Fig. 2, in which one customer and one ISP collaborate to mitigate DDoS attacks. A use case with multiple customers and multiple ISPs is left for future work. Note that, for a single ISP network, it is possible to deploy multiple SDN controllers, each of which interacts with one customer network through the security API.

First of all, the

Simulations

The purpose of our experiments is to validate the feasibility and effectiveness of ArOMA, our proposed autonomic DDoS mitigation framework. We validate the prototype using both Mininet-based simulations and testbed-based experiments. We first describe the threat model addressed by ArOMA, then present the detailed settings and configurations of our experiments, including the implementation details of the prototype.

Testbed based experiments

In addition to the simulation-based experiments, we also evaluated our ArOMA prototype on a physical testbed. On this platform we treat a video streaming service as the target to protect and measure its quality, in the face of DDoS attacks, in terms of Quality of Experience (QoE) metrics.

Conclusion

DDoS attacks remain one of the major threats disrupting today's Internet services. It is widely recognized that without effective collaboration it is extremely difficult, if not impossible, to mitigate DDoS attacks. However, collaboration between different domains and parties on the Internet is challenging. In this paper, we provide an on-demand DDoS mitigation framework called ArOMA by leveraging SDN, with the objective of facilitating the collaboration between the ISP and their

Rishikesh Sahay is a PhD student at Telecom SudParis, France. He obtained his M.Tech degree from the International Institute of Information Technology Bhubaneswar (IIIT Bhubaneswar) in 2011. He then joined the Indian Institute of Technology Patna as a project fellow. His research interests include network and policy management, software-defined networking and network security.

References (49)

  • H. Aljifri et al. IP traceback using header compression. Comput Secur (2003)
  • A. Belenky et al. On deterministic packet marking. Comput Netw (2007)
  • S. Akbar Mehdi et al. Revisiting traffic anomaly detection using software defined networking
  • Arbor Networks. Worldwide infrastructure security report. Technical...
  • C. Bai et al. Algebraic geometric code based IP traceback
  • K. Benton et al. OpenFlow vulnerability assessment
  • R. Braga et al. Lightweight DDoS flooding attack detection using NOX/OpenFlow
  • N. Damianou et al. The Ponder policy specification language
  • L. De Cicco et al. TAPAS: a tool for rapid prototyping of adaptive streaming algorithms
  • C. Demetrescu et al. A new approach to dynamic all pairs shortest paths
  • M. Dhawan et al. SPHINX: detecting security attacks in software-defined networks
  • F. Dobrian et al. Understanding the impact of video quality on user engagement. Comput Commun Rev (2011)
  • F. Dobrian et al. Understanding the impact of video quality on user engagement
  • L. Dunbar et al. Interface to Network Security Functions problem statement. Internet-Draft dunbar-i2nsf-problem-statement-01, IETF (2014)
  • W. Eddy et al. Customer-controlled filtering using SDN (2016)
  • S.K. Fayaz et al. Bohatei: flexible and elastic DDoS defense
  • B. Feinstein et al. The Intrusion Detection Message Exchange Format (IDMEF) (2015)
  • H.-C. Hsiao et al. STRIDE: sanctuary trail – refuge from Internet DDoS entrapment
  • T. Iimura et al. Necomatter: curating approach for sharing cyber threat information
  • J. Ioannidis et al. Implementing pushback: router-based defense against DDoS attacks
  • P. Kijewski et al. Proactive detection and automated exchange of network security incidents (2014)
  • G. Koutepas et al. Distributed management architecture for cooperative detection and reaction to DDoS attacks. J Netw Syst Manage (2004)
  • D. Kreutz et al. Towards secure and dependable software-defined networks
  • D. Kreutz et al. Software-defined networking: a comprehensive survey. Proc IEEE (2015)
Gregory Blanc is currently an assistant professor at Telecom SudParis in the networks department, where he researches SDN/NFV security, access control systems and alert correlation. He previously spent two years as a postdoctoral researcher at Telecom SudParis, where he took over the technical coordination of an EU-Japan collaborative project funded by the European Commission (FP7). He holds a Master in Network and Information Security from ESIEA, a French grande école, and received his PhD degree from NAIST, a Japanese national research university, in 2012.

Zonghua Zhang is an associate professor (with HDR, accreditation to supervise research) at Institut Mines-Telecom, France. He is also affiliated with the CNRS UMR 5157 SAMOVAR Lab. Previously, he worked as an expert researcher at the National Institute of Information and Communications Technology (NICT), Tokyo. He also spent two years as a postdoctoral researcher at the University of Waterloo, Canada, and INRIA, France, right after obtaining his Ph.D. degree from the Japan Advanced Institute of Science and Technology (JAIST). His research topics cover security management, network forensics, reputation management and security protocols in different types of computer and communication networks, with current scenarios involving Network Function Virtualization, Software Defined Networking and Cyber-Physical Systems. He has contributed to tens of national and international research projects, with results published in over 60 international journals and conference proceedings. He serves on the editorial boards of Computers & Security, Security and Communication Networks, IEEE Communications Magazine and the International Journal of Network Security.

Hervé Debar is a professor at Telecom SudParis and Head of the Networks and Telecommunication Services Department. His activity relates to information and communication technology (ICT) security. He has been involved in intrusion detection research and is currently focusing on Software Defined Networking and Network Function Virtualization, with an emphasis on automated threat mitigation.
