ArOMA: An SDN based autonomic DDoS mitigation framework
Introduction
Distributed Denial of Service (DDoS) attacks have continuously occurred on the Internet for most of the past three decades, attracting tremendous research effort from both academia and industry. In particular, flooding-based attacks, such as those built on UDP, TCP SYN or ICMP packets, are the most prevalent attack variants on the Internet (Arbor Networks). DDoS attacks impact not only the victim networks but also the ISP networks, since all the malicious traffic directed at the victim traverses the ISP network and can congest its links (Eddy et al., 2016). This indicates that customers and their ISP need to collaborate closely to cope with DDoS attacks. For example, when a customer detects an attack, relevant information about it should be shared with the ISP in a timely manner so that mitigation can start quickly. Despite the large variety of DDoS mitigation mechanisms, to the best of our knowledge only a few of them provide a collaborative architecture (Koutepas et al., 2004; Schnackenberg et al., 2001) based on a community of trusted partners. However, this requires all network routers to maintain a partner list, clearly resulting in information exchange overhead. It may also require the modification of legacy routers and the deployment of dedicated network devices, incurring more complex human intervention (Mahimkar et al., 2007).
After a comprehensive survey of the available DDoS mitigation designs, we have identified several requirements for enhancing them, and for new designs: (1) easy deployment and operation, avoiding the use of special-purpose software or hardware devices; (2) effective information exchange between the different parties involved (i.e., the ISP and its customers), so that a customer can signal threat information to the ISP at a very early stage of a DDoS attack; (3) timely handling of the customers' requests by the ISP and enforcement of appropriate DDoS mitigation policies; (4) management of the entire life-cycle of the DDoS mitigation scheme in a scalable, adaptive, and automated way, avoiding non-trivial manual effort. Unfortunately, the intrinsic characteristics of today's legacy networking infrastructure make the majority of DDoS mitigation schemes fail to meet these requirements. The recent development of Software Defined Networking (SDN) motivates us to re-examine such designs (Sahay et al., 2015; Shin et al., 2013), in particular by taking advantage of the clear separation between the network control plane and data plane, as well as of the programmability of SDN controllers.
To meet all the above-mentioned requirements, we propose ArOMA, an SDN based autonomic DDoS mitigation framework. ArOMA is intended to systematically and seamlessly integrate the different DDoS mitigation modules distributed across the ISP and its customers, ranging from traffic monitoring to anomaly detection to mitigation. In particular, the traffic monitoring and anomaly detection modules are deployed at the customer side, while the mitigation engine runs at the ISP side. This architecture is motivated by the fact that customers are usually better placed to judge which traffic is undesired, whereas the ISP has better control over the upstream traffic. To facilitate the collaboration between the ISP and its customers, the intrinsic functions of OpenFlow (OF) switches, such as flow tagging and flow statistics collection, are exploited. It is worth mentioning that the focus of this paper is on DDoS attack mitigation rather than detection. We therefore assume that the customer has already detected flows suspected of being attacks and shares the alerts with its ISP over a communication channel between the SDN controllers deployed at the ISP and customer sides.
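As an added illustration of the ISP-side mitigation engine described above (example code, not the ArOMA prototype or its security API; the alert field set, the per-customer prefix table and the drop threshold are assumptions), the following sketch shows how a customer alert received over the controller-to-controller channel can be checked and turned into an OpenFlow-style rule. It adds the check a practitioner would want on such a channel: the ISP only acts on alerts whose destination lies in address space it actually routes for that customer.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    """Alert a customer controller sends to its ISP (field set is an assumption)."""
    customer: str
    src: str            # suspected source prefix, e.g. "198.51.100.0/24" (constructed)
    dst: str            # victim address inside the customer network
    proto: str          # "udp", "tcp" or "icmp": the flooding variants named above
    dst_port: Optional[int]
    rate_mbps: float    # rate the customer measured for the suspected flow


@dataclass(frozen=True)
class FlowRule:
    """OpenFlow-style match/action the ISP engine would push to its edge switch."""
    match: Dict[str, object]
    action: str         # "drop" or "rate_limit"
    priority: int
    hard_timeout: int   # seconds; the rule expires by itself, so mitigation is not permanent


class MitigationEngine:
    def __init__(self, customer_prefixes: Dict[str, List[str]],
                 drop_threshold_mbps: float = 100.0, timeout: int = 300):
        # Prefixes the ISP routes for each customer, taken from provisioning data,
        # never from the alert itself (constructed table in the test below).
        self.prefixes = {c: [ipaddress.ip_network(p) for p in ps]
                         for c, ps in customer_prefixes.items()}
        self.drop_threshold = drop_threshold_mbps
        self.timeout = timeout
        self.rules: List[FlowRule] = []

    def authorized(self, alert: Alert) -> bool:
        # A customer may only ask the ISP to act on traffic destined to its own address
        # space; otherwise the alert channel could black-hole someone else's traffic.
        dst = ipaddress.ip_address(alert.dst)
        return any(dst in net for net in self.prefixes.get(alert.customer, []))

    def handle_alert(self, alert: Alert) -> Optional[FlowRule]:
        if not self.authorized(alert):
            return None
        match = {"ipv4_src": alert.src, "ipv4_dst": alert.dst, "ip_proto": alert.proto}
        if alert.dst_port is not None:
            match[alert.proto + "_dst"] = alert.dst_port
        # Heavy floods are dropped at the ISP edge; lighter ones are only rate-limited,
        # since a false positive on a rate limit degrades service rather than cutting it.
        action = "drop" if alert.rate_mbps >= self.drop_threshold else "rate_limit"
        rule = FlowRule(match=match, action=action, priority=100, hard_timeout=self.timeout)
        self.rules.append(rule)
        return rule
```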
The rest of this paper is organized as follows. Section 2 reviews some related work. A set of key observations and motivations are given in Section 3. An architectural description of ArOMA, together with the implementation details of its key functional components, is presented in Section 4. Section 5 develops a use case to illustrate the application of ArOMA. The development and implementation of an ArOMA prototype using the Ryu SDN controller is reported in Section 6, along with a set of simulation results. In addition, some testbed-based experimental results are reported in Section 7. Section 8 finally concludes the paper.
Related work
To date, a large variety of DDoS or DoS mitigation mechanisms have been proposed, covering the entire security life-cycle from prevention and detection to characterization and response. However, few of them have been considered for widespread deployment due to non-trivial deployment overhead and management complexity. We conducted a survey to better understand their shortcomings and classified them into five categories: capability-based, congestion control, traceback, cooperative detection and
Key observations and design objectives
We analyzed and compared the state-of-the-art DDoS mitigation mechanisms discussed in Section 2, and summarized our findings in Table 1. A number of observations are given in the following.
- Most of the mechanisms in our sample are designed to protect end hosts. This is not surprising, considering the nature of most DDoS attacks, in particular recent occurrences such as DNS and NTP amplifications, or redirection attacks (Arbor Networks). The target link flooding attacks (Studer and Perrig, 2009),
ArOMA: towards SDN-based autonomic DDoS mitigation
As Table 1 shows, most of the existing DDoS mitigation mechanisms perform well under particular assumptions, but they generally lack an effective way of facilitating collaboration between multiple parties (e.g., ISP and customer) as well as the systematic integration of different functional components (e.g., monitoring, detection, and reaction). In this section, we present our autonomic DDoS mitigation framework ArOMA, which leverages the characteristics of SDN. We first present an overview of
Use case
To better illustrate the design purpose and principles of ArOMA, we develop a use case, shown in Fig. 2, in which one customer and one ISP collaborate to mitigate DDoS attacks. A use case including multiple customers and multiple ISPs is left for future work. In addition, for a single ISP network it is possible to deploy multiple SDN controllers, each of which interacts with one customer network through the security API.
First of all, the
Simulations
The purpose of our experiments is to validate the feasibility and effectiveness of ArOMA, our proposed autonomic DDoS mitigation framework. We validate the prototype using both Mininet-based simulations and testbed-based experiments. We first describe the threat model addressed by ArOMA, then present the detailed settings and configurations of our experiments, including the implementation details of the prototype.
Testbed based experiments
In addition to the simulation-based experiments, we also evaluated our ArOMA prototype on a physical platform. On this platform, we treat a video streaming service as the target to protect and measure its quality in the face of DDoS attacks in terms of Quality of Experience (QoE) metrics.
Conclusion
DDoS attacks remain one of the major threats disrupting today's Internet services. It is widely recognized that without effective collaboration it is extremely difficult, if not impossible, to mitigate DDoS attacks. However, collaboration between different domains and parties on the Internet is challenging. In this paper, we provide an on-demand DDoS mitigation framework called ArOMA that leverages SDN, with the objective of facilitating collaboration between the ISP and their
References (49)
- et al. IP traceback using header compression. Comput Secur (2003)
- et al. On deterministic packet marking. Comput Netw (2007)
- et al. Revisiting traffic anomaly detection using software defined networking
- Arbor Networks. Worldwide infrastructure security report. Technical...
- et al. Algebraic geometric code based IP traceback
- et al. OpenFlow vulnerability assessment
- et al. Lightweight DDoS flooding attack detection using NOX/OpenFlow
- et al. The Ponder policy specification language
- et al. TAPAS: a tool for rapid prototyping of adaptive streaming algorithms
- et al. A new approach to dynamic all pairs shortest paths
- SPHINX: detecting security attacks in software-defined networks
- Understanding the impact of video quality on user engagement. Comput Commun Rev
- Understanding the impact of video quality on user engagement
- Interface to Network Security Functions Problem Statement. Internet-Draft dunbar-i2nsf-problem-statement-01, IETF
- Customer-controlled filtering using SDN
- Bohatei: flexible and elastic DDoS defense
- The Intrusion Detection Message Exchange Format (IDMEF)
- STRIDE: sanctuary trail – refuge from Internet DDoS entrapment
- NECOMAtter: curating approach for sharing cyber threat information
- Implementing pushback: router-based defense against DDoS attacks
- Proactive detection and automated exchange of network security incidents
- Distributed management architecture for cooperative detection and reaction to DDoS attacks. J Netw Syst Manage
- Towards secure and dependable software-defined networks
- Software-defined networking: a comprehensive survey. Proc IEEE
Cited by (59)
- Hybrid SDN evolution: A comprehensive survey of the state-of-the-art. 2021, Computer Networks
- SD-WAN Flood Tracer: Tracking the entry points of DDoS attack flows in WAN. 2021, Computer Networks. Citation excerpt: "Also, the tag contains the information of source IP fetched by the switch; hence if source IP is spoofed, the tag's information becomes less reliable. Sahay et al. in [16] further modified their work to handle the flow identification in the ISP network. As per the best of our knowledge, this is the only proposal addressing traceback in a multi-controller scenario."
- Detection of reduction-of-quality DDoS attacks using Fuzzy Logic and machine learning algorithms. 2021, Computer Networks. Citation excerpt: "Despite DoS/DDoS attacks being a plague to Internet for more than two decades, in 2009 several massive DDoS attacks were carried out in order to disrupt network services of popular websites such as Facebook, Live Journal, Twitter, and Amazon. Since then, the topic of DDoS has been an intense field of research, where new approaches for detection, mitigation, prevention or defense have been proposed, following the evolution of DDoS attack mechanisms (see e.g. surveys) and/or new application domains such as mobile/wireless, Internet of Things, Software-defined networks (SDN), cloud or fog computing. Nevertheless, DDoS attacks have continued to increase and to be successful causing service interruptions that lead to huge financial losses, as was the case of the Dyn attack which took place on October 21, 2016 and was initiated by a DNS operator bringing down major websites including PayPal, Amazon, Airbnb, Visa, The New York Times, Netflix, GitHub, Reddit, Twitter, Spotify, the Guardian, and CNN."
- A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network. 2024, Electronics (Switzerland)
- Security and Privacy Issues in Software-Defined Networking (SDN): A Systematic Literature Review. 2023, Electronics (Switzerland)
- A comprehensive survey on SDN security: threats, mitigations, and future directions. 2023, Journal of Reliable Intelligent Environments
Rishikesh Sahay is a PhD student at Telecom SudParis, France. He obtained his M.Tech degree from the International Institute of Information Technology Bhubaneswar (IIIT Bhubaneswar) in 2011. He then joined the Indian Institute of Technology Patna as a project fellow. His research interests include network and policy management, software-defined networking and network security.
Gregory Blanc is currently an assistant professor at Telecom SudParis in the networks department, where he researches SDN/NFV security, access control systems and alert correlation. He previously spent two years as a postdoctoral researcher at Telecom SudParis, where he took on the technical coordination of an EU-Japan collaborative project funded by the European Commission (FP7). He holds a Master in Network and Information Security from ESIEA, a French grande ecole, and received his PhD degree from NAIST, a Japanese national research university, in 2012.
Zonghua Zhang is an associate professor (with HDR – accreditation to supervise research) at Institut Mines-Telecom, France. He is also affiliated with the CNRS UMR 5157 SAMOVAR Lab. Previously, he worked as an expert researcher at the National Institute of Information and Communications Technology (NICT), Tokyo. He also spent two years as a postdoctoral researcher at the University of Waterloo, Canada, and INRIA, France, right after obtaining his Ph.D. degree from the Japan Advanced Institute of Science and Technology (JAIST). His research topics cover security management, network forensics, reputation management and security protocols in different types of computer and communication networks, with current scenarios in Network Function Virtualization, Software Defined Networking, and Cyber-Physical Systems. He has contributed to tens of national and international research projects, with results published in over 60 international journals and conference proceedings. He serves on the editorial boards of Computers & Security, Security and Communication Networks, IEEE Communications Magazine, and the International Journal of Network Security.
Hervé Debar is a professor at Telecom SudParis and Head of the Networks and Telecommunication Services Department. His activity relates to the information and communication technology (ICT) security area. He has been involved in intrusion detection research and is currently focusing on Software Defined Networking and Network Function Virtualization, with an emphasis on automated threat mitigation.