Leveraging SDN for Efficient Anomaly Detection and Mitigation on Legacy Networks

In this paper, we investigate the applicability of Software-Defined Networking (SDN), and specifically the use of the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH) routing approach, towards Distributed Denial of Service (DDoS) attack mitigation. More specifically, we exploit the network programmability of OpenFlow to match and handle traffic on a per-flow level, in order to preserve normal operation of the victim, while pushing the mitigation process upstream towards the edge of the network. To this end, we implemented and evaluated a sketch-based anomaly detection and identification mechanism, capable of pinpointing the victim and remotely triggering the mitigation of the offending network traffic. The evaluation is based on the combination of datasets containing real DDoS attacks and normal background traffic from an operational university campus network. Our results demonstrated that the proposed approach succeeds in identifying the victim of the attack and efficiently filtering the malicious sources.

[1]  Syed Ali Khayam,et al.  Revisiting Traffic Anomaly Detection Using Software Defined Networking , 2011, RAID.

[2]  Danny McPherson,et al.  Remote Triggered Black Hole Filtering with Unicast Reverse Path Forwarding (uRPF) , 2009, RFC.

[3]  Basil S. Maglaris,et al.  Detecting DDoS attacks with passive measurement based heuristics , 2004, Proceedings. ISCC 2004. Ninth International Symposium on Computers And Communications (IEEE Cat. No.04TH8769).

[4]  J. Crowcroft,et al.  Using Packet Symmetry to Curtail Malicious Traffic , 2005 .

[5]  Martín Casado,et al.  Extending Networking into the Virtualization Layer , 2009, HotNets.

[6]  Rodrigo Braga,et al.  Lightweight DDoS flooding attack detection using NOX/OpenFlow , 2010, IEEE Local Computer Network Conference.

[7]  Benoit Claise,et al.  Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[8]  Ying Zhang,et al.  An adaptive flow counting method for anomaly detection in SDN , 2013, CoNEXT.

[9]  Basil S. Maglaris,et al.  Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments , 2014, Comput. Networks.

[10]  Mabry Tyson,et al.  FRESCO: Modular Composable Security Services for Software-Defined Networks , 2013, NDSS.

[11]  Anna C. Gilbert,et al.  QuickSAND: Quick Summary and Analysis of Network Data , 2001 .

[12]  Vern Paxson,et al.  An analysis of using reflectors for distributed denial-of-service attacks , 2001, CCRV.

[13]  Min Sik Kim,et al.  A Scalable DDoS Detection Framework with Victim Pinpoint Capability , 2011, J. Commun..

[14]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[15]  Doughan Turk,et al.  Configuring BGP to Block Denial-of-Service Attacks , 2004, RFC.