DDoS Attack Detection and Mitigation Using SDN: Methods, Practices, and Solutions

Distributed denial-of-service (DDoS) attacks have become a weapon of choice for hackers, cyber extortionists, and cyber terrorists. These attacks can swiftly incapacitate a victim, causing huge revenue losses. Despite the large number of traditional mitigation solutions that exist today, DDoS attacks continue to grow in frequency, volume, and severity. This calls for a new network paradigm to address the requirements of today’s challenging security threats. Software-defined networking (SDN) is an emerging network paradigm that has gained significant traction among many researchers as a way to address the requirements of today’s data centers. Inspired by the capabilities of SDN, we present a comprehensive survey of existing SDN-based DDoS attack detection and mitigation solutions. We classify solutions based on DDoS attack detection techniques and identify the requirements of an effective solution. Based on our findings, we propose a novel framework for detection and mitigation of DDoS attacks in a large-scale network that comprises a smart city built on SDN infrastructure. Our proposed framework is capable of meeting application-specific DDoS attack detection and mitigation requirements. The primary contribution of this paper is twofold. First, we provide an in-depth survey and discussion of SDN-based DDoS attack detection and mitigation mechanisms, and we classify them with respect to the detection techniques. Second, leveraging the characteristics of SDN for network security, we propose and present an SDN-based proactive DDoS Defense Framework (ProDefense). We show how this framework can be utilized to secure applications built for smart cities. Moreover, the paper highlights open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation.
