Mitigating High-Rate Application Layer DDoS Attacks in Software Defined Networks

Unlike earlier attacks, many recent DDoS attacks have been carried out not over the network layer but over the application layer. The main difference is that in the latter, an attacker can target a particular application on the server while leaving the remaining applications available, thus generating less traffic and being harder to detect. Recently, we proposed the use of selective strategies for mitigating Low-Rate Application Layer DDoS attacks (ADDoS). Unfortunately, High-Rate ADDoS attacks (e.g., GET flooding) remain a serious problem: although they still generate far less traffic than typical network-layer DDoS attacks, their traffic load is high enough to render our and other defenses ineffective. This paper proposes a new defense mechanism, called SHADE, that uses selective strategies in Software Defined Networks (SDN) for mitigating High-Rate ADDoS. Because SDN controllers have a global view of the network, they allow traffic to be redirected when applications, such as web servers, are overloaded or on the verge of being overloaded. Traffic is redirected to mitigation applications implementing our selective strategies, reducing the traffic that reaches the target application and ultimately allowing it to serve more clients. We carried out a number of simulations on realistic attack scenarios. Our simulations show that without our defense, the target application can only serve 19% of clients with an average time to service of 5.4s, while with our defense it can serve 61% of clients with an average time to service of 1.6s.
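The control loop described above (a controller with a global view that redirects web traffic to a mitigation application once the server approaches overload, and withdraws the redirect when load subsides) is illustrated by the following discrete-time simulation. It is an added example, not code from the paper or from SHADE: the flow table, the high/low watermarks, the admission budget and the mitigation application's policy (forwarding a bounded, randomly chosen subset of requests per slot) are all assumptions standing in for the paper's selective strategies, whose details the abstract does not give.

```python
import random
from dataclasses import dataclass, field

# Assumed parameters (not taken from the paper).
SERVER_CAPACITY = 100   # requests the web server can serve per time slot
HIGH_WATERMARK = 0.8    # install the redirect when offered load >= 80% of capacity
LOW_WATERMARK = 0.5     # withdraw it once offered load <= 50% of capacity
ADMIT_BUDGET = 70       # requests per slot the mitigation app lets through


@dataclass
class FlowTable:
    """Minimal stand-in for a switch flow table: where web traffic is sent next."""
    web_next_hop: str = "server"
    events: list = field(default_factory=list)   # rule changes, for the report

    def install_redirect(self, slot):
        self.web_next_hop = "mitigation"
        self.events.append((slot, "redirect installed"))

    def remove_redirect(self, slot):
        self.web_next_hop = "server"
        self.events.append((slot, "redirect removed"))


class MitigationApp:
    """Admits at most `budget` requests per slot, chosen uniformly at random.

    Assumed stand-in for the paper's selective strategies, which the abstract
    does not describe in detail."""

    def __init__(self, budget, seed=0):
        self.budget = budget
        self.rng = random.Random(seed)

    def admit(self, requests):
        if len(requests) <= self.budget:
            return list(requests)
        return self.rng.sample(requests, self.budget)


class Controller:
    """Uses per-slot load telemetry (its global view) to steer web traffic,
    with hysteresis so the rule does not flap around a single threshold."""

    def __init__(self, table, capacity, high=HIGH_WATERMARK, low=LOW_WATERMARK):
        self.table, self.capacity, self.high, self.low = table, capacity, high, low

    def observe(self, slot, offered):
        load = offered / self.capacity
        redirecting = self.table.web_next_hop == "mitigation"
        if not redirecting and load >= self.high:
            self.table.install_redirect(slot)
        elif redirecting and load <= self.low:
            self.table.remove_redirect(slot)


def simulate(defense, slots=12, attack_window=(3, 8), legit_rate=30, attack_rate=200):
    """Run the scenario; return one record per slot and the list of rule changes."""
    table = FlowTable()
    controller = Controller(table, SERVER_CAPACITY)
    mitigation = MitigationApp(ADMIT_BUDGET)
    records = []
    for slot in range(slots):
        attacking = attack_window[0] <= slot < attack_window[1]
        # Constructed traffic: request tokens tagged as legitimate or flood.
        requests = [("legit", i) for i in range(legit_rate)]
        if attacking:
            requests += [("flood", i) for i in range(attack_rate)]
        if defense and table.web_next_hop == "mitigation":
            forwarded = mitigation.admit(requests)
        else:
            forwarded = requests
        offered = len(forwarded)
        records.append({
            "slot": slot,
            "offered": offered,
            "dropped_at_server": max(0, offered - SERVER_CAPACITY),
            "rejected_by_mitigation": len(requests) - offered,
            "next_hop": table.web_next_hop,
        })
        if defense:
            # Telemetry reaches the controller after the slot; it reacts for the next one.
            controller.observe(slot, offered)
    return records, table.events


if __name__ == "__main__":
    for defense in (False, True):
        recs, events = simulate(defense)
        print(f"defense={defense}: offered per slot =", [r["offered"] for r in recs])
        print("  rule changes:", events)
```

In the defended run the server sees the full flood only in the slot in which it starts; from the next slot on the controller has installed the redirect, the offered load stays under capacity, and the rule is withdrawn once the flood stops and load falls below the low watermark. The lag of one slot between telemetry and reaction is deliberate: it is the window a real controller also has, and it is why the threshold is set to react when the server is on the verge of overload rather than once it is already saturated.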
