2015 Ninth International Conference on Frontier of Computer Science and Technology
A Defense Mechanism for Distributed Denial of Service Attack in Software-Defined
Networks
Shibo Luo, Jun Wu, Member,IEEE, and Jianhua Li
School of Electronic Information and Electrical
Engineering
Shanghai Jiao Tong University
Shanghai, China
luoshibo.pla@sjtu.edu.cn, junwuhn@sjtu.edu.cn
AbstractDistributed Denial of Service (DDoS) attack is a
major threat to Internet based killer applications, such as
independent news web sites, e-business and online games.
Detecting and blocking such clever attacks has become
difficult. Software-Defined Networks (SDN) has emerged as a
future communication network architecture which decouples
network control and forwarding. It has some particular
features such as central control and programmability to
combat against DDoS attack. In this paper, we survey DDoS
attacks and existing defense mechanisms, and draw a
conclusion of the needs of defense mechanism for successful
combating against DDoS. Then, we analyze the particular
features of SDN and conclude it is conducive to
countermeasure DDoS attack. According the analysis, we
construct a defense mechanism for DDoS in SDN. At last, we
illustrate how this mechanism could combat against DDoS
attacks through a working example.
Keywords- Software-Defined Networks; Distributed Denial of
Service; Central Control; Programmability
I. INTRODUCTION
In computing, a denial-of-service (DoS) or distributed
denial-of-service (DDoS) attack is an attempt to make a
machine or network resource unavailable to its intended
users. DDoS attacks have been known to the network
research community since the early 1980s. In the summer of
1999, the Computer Incident Advisory Capability reported
the first DDoS attack incident [2] and most of the DoS
attacks since then have been distributed in nature.
Most of the DDoS attacks launched to date have tried to
make the victims services unavailable, leading to revenue
losses and increased costs of mitigating the attacks and
restoring the services.
According to the findings of the Ponemon Institutes
research [10], on average DDoS attacks are costing
companies approximately $3.5 million annually. The average
amount of downtime following a DDoS attack is 54 minutes
and the average cost for each minute of downtime was about
$22,000. However, the cost can range from as little as $1 to
more than $100,000 per minute of downtime. Estimates from
Forrester, IDC, and the Yankee Group predict the cost of a
24-hour outage for a large e-commerce company would
approach US$30 million.
978-1-4673-9295-2/15 $31.00 2015 IEEE
DOI 10.1109/FCST.2015.11
Bei Pei
Key Lab of Information Network Security
Ministry of Public Security
Shanghai, China
There are some exact cases in past few years. A spate of
DDoS attacks against Amazon, Yahoo, eBay, and other
major sites in February 2000 caused an estimated cumulative
loss of US$1.2 billion, according to the Yankee Group. And
in January 2001, Microsoft lost approximately US$500
million over the course of a few days from a DDoS attack on
its site.
Along with high revenue losses, DDoS attacks spread
widely. Many DDoS flooding attacks had been launched
against different organizations since the summer of 1999,
according the news in [2][3][4][5][6][7][8][9].
DDoS attacks are so widely spread and impactful that
many works have been done to combat against DDoS
attacks. To combat against DDoS attacks, many solutions
have been proposed, such as in [11][12][13]. However, they
have met with limited success.
While with the evolving of SDN, there appear new
opportunities to combat against DDoS attacks.
In this paper, we propose a defense mechanism for DDoS
attacks in SDN. The rest of the paper is organized as follows:
We analyze the DDoS attacks and the needs of a successful
defense mechanism in Section II. Section III presents the
features of SDN and its advantages to combat against DDoS
attacks. Proposed defense mechanism for DDoS attacks are
discussed in Section IV. In Section V, a working example is
illustrated. Finally, we conclude the paper in Section VI.
II. ANALYSIS OF DDOS ATTACKS AND DEFENSE
MECHANISMS
A. Survey of DDoS Attacks
There are lots of DDoS attack instances in the past year.
But in all of the attacks, the attackers try to do one or both of
the following things [1].
The first one is to disrupt a legitimate users connectivity
by exhausting bandwidth, router processing capacity or
network resources. And the second one is to disrupt a
legitimate users services by exhausting the server resources;
The attacks of the former type are essentially
network/transport-level flooding attacks [14]. And the
attacks of the latter type are essentially application-level
flooding attacks [15].
According to the analysis, we can classify DDoS attacks
into two categories based on the protocol level. The complete
category structure of DDoS attacks is illustrated in Fig. 1.
326
325

Fig. 1. A category structure of DDoS attacks
And its details are listed as follows:
1) Network/transport-level DDoS attacks
The network/transport-level DDoS attacks have been
mostly launched using TCP, UDP, ICMP and DNS protocol
packets. There are four sub catagories of attacks in this
category:
z Flooding attacks
In flooding attacks, attackers makes use of the way of
exhausting victim networks bandwidth to disrupt legitimate
users connectivity.
z Protocol exploitation flooding attacks
In protocol exploitation flooding attacks, attackers exploit
specific features or implementation bugs of some of the
victims protocols. By this means, it consumes excess
amounts of the victims resources.
z Reflection-based flooding attacks
In reflection-based flooding attacks, attackers usually
send forged requests instead of direct requests to a large
number of reflectors. Then, these reflectors send their
massive replies to the victim and exhaust victims resources.
z Amplification-based flooding attacks
Attackers exploit services to generate large messages or
multiple messages for each message they receive to amplify
the traffic towards the victim..
2) Application-level DDoS flooding attacks
These attacks focus on disrupting legitimate users
services by exhausting the server resources. Application-
level DDoS attacks generally consume less bandwidth. But
application-level DDoS flooding attacks usually have the
same impact to the services since they target specific
characteristics of applications such as HTTP, DNS, or
Session Initiation Protocol (SIP).
z Reflection/amplification based flooding attacks
These attacks use the same techniques as their
network/transport-level peers. For instance, the DNS
amplification attack employs both reflection and
amplification techniques. The attackers generate small DNS
queries with forged source IP addresses which can generate
326
327
a large volume of network traffic since DNS response
messages may be substantially larger than DNS query
messages. Then this large volume of network traffic is
directed towards the targeted system to paralyze it.
z HTTP flooding attacks
HTTP flooding attack disables the victimized Web server
by sending a large number of HTTP requests. There are four
types of attacks in this category. They are session flooding
attacks, request flooding attacks, asymmetric attacks, and
slow request/response attacks. More details about all these
attacks refer to [2].
B. Analysis of DDoS defense mechanisms
According to the analysis of DDoS attacks as
aforementioned, an ideal comprehensive DDoS defense
mechanism must have specific features to combat DDoS
attacks. These features are listed as follows:
z More nodes in the network should be involved in
defense mechanism to DDoS flooding attacks.
z There should be collaboration and cooperation
among the nodes in the network defense architecture.
z The sources of the network traffic can be confirmed
more easily so that malicious users could be
identified .
z All the nodes in the network defense architecture
must keep consistency .
Combining source address authentication, capability
mechanisms, and filtering mechanisms could be the most
effective and efficient way to address the DDoS attacks in a
distributed cooperative/collaborative DDoS defense
mechanism.
III. ANALYSIS OF SDN
A. Definition and Features of SDN
Software-defined networking (SDN) [16] is an emerging
networking paradigm that gives hope to change the
limitations of current network infrastructures.
Firstly, it breaks the vertical integration by separating the
networks control logic from the underlying routers and
switches that forward the traffic.
Secondly, with the separation of the control and data
planes, network switches become simple forwarding devices
and the control logic is implemented in a logically
centralized controller, simplifying policy enforcement and
network (re)configuration and evolution. A view of this
architecture is shown in Fig. 2.
The SDN architecture has four distinct features:
1) The control and data planes are decoupled
Control functionality is removed from network devices
that will become simple forwarding elements.
2) Forwarding decisions are flow based
A flow is broadly defined by a set of packet field values
acting as a match criterion and a set of actions. In the SDN
context, a flow is a sequence of packets between a source
and a destination. Flow programming enables
unprecedented flexibility, limited only to the capabilities of
the implemented flow tables.
3) Control logic is moved to an external entity
The controller is a software platform that runs on
commodity server technology and provides the essential
resources and abstractions to facilitate the programming of
forwarding devices based on a logically centralized, abstract
network view. Its purpose is therefore similar to that of a
traditional operating system.
4) The network is programmable
The network is programmable through software
applications running on top of the controller that interact
with the underlying data plane devices. This is a
fundamental characteristic of SDN, considered as its main
value proposition.
App A App B App C
Common Northbound API
Controller
threats. Centralized control of SDN makes it possible to
dynamically quarantine compromised hosts and authenticate
legitimate hosts based on the information obtained through
requesting end hosts and remote authentication dial in user
service (RADIUS) servers for users authentication
information and system scanning during registration.
3) Programmability of the network by external
applications
The programmability of SDN supports a process of
harvesting intelligence from existing intrusion detection
systems and intrusion prevention systems. More intelligent
algorithms can be flexibly used based on different DDoS
attacks.
4) Software-based traffic analysis
Software-based traffic analysis greatly enables innovation,
as it can be performed using all kinds of intelligent
algorithms, databases, and any other software tools.
5) Dynamic updating of forwarding rules and flow
abstraction
Dynamic updating of forwarding rules assists in the
prompt response to DDoS attacks. Based on the traffic
analysis, new or updated security policy can be propagated
across the network in the form of flow rules to block the
attack traffic without delay.

IV. PROPOSED DEFENSE MECHANISM FOR DDOS

A. Framework of Defense Mechanism

1 2 3
According to the analysis as mentioned above, we
propose a framework of defense mechanism for DDoS
6 5 4 based on the work of [18]. The framework is illustrated in
Fig. 2. A architecture view of SDN Fig. 3:

B. Advantages of SDN for defending against DDoS Attack

SDN has many distinct features as aforementioned, and
these distinct features offer many advantages for defeating
DDoS attacks.
1) Separation of the control plane from the data plane
SDN decouples the data plane from the control plane, and
thus makes it possible to easily establish large scale attack
and defense experiments.
The high configurability of SDN offers clear separation
among virtual networks, permitting experimentation in a
real environment. Progressive deployment of new ideas can
be performed through a seamless transition from an
experimental phase to an operational phase.
This feature of SDN offers great convenience in putting
forward new thoughts and methods for DDoS attack
mitigation.
2) A centralized controller and view of the network
Fig. 3. Framework of defense mechanism
The controller has network-wide knowledge of the system
and global views to build consistent security policies and to
monitor or analyze traffic patterns for potential security The framework mainly consists of script language,

327
328
predefined modules and enforcement component.
Network administrators use the script language to define
the detection and mitigation method at high level. There are
many abstract modules are predefined for network
administrators to define their method. So, network
administrators have no obligations to learn more details of
the method and network.
There are many predefined abstract and elementary
modules in the framework. These modules are atom actions
for detection and mitigation for DDoS attacks. The details
of these modules are discussed in latter section.
The scripts are translated into exact switch rules and
deployed into switches by the enforcement component. The
enforcement component performs this job by the controller
northbound APIs.
The enforcement component offers several important
features to ensure that flow rules derived from security
services are prioritized and enforced over competing flow
rules produced by other applications. The enforcement
component includes three main functions. They are rule
source identification, rule conflict detection, and conflict
resolution. More details about the enforcement component
refer to [18].
B. Key Modules in Framework
The predefined modules can be defined according actual
environment. Some key modules are listed as follows [17]:
1) Binding module
All of these nodes can be the source of the threats that
happen in the network, so knowing the identity of each node
is important. Profiting from the central control and global
view of SDN logic controller, the binding module collect
the information of all the nodes in the network. The
information includes the nodes exact IP addresses, etc. So,
using binding module, the mechanism can monitor the
network easily.
2) Location tracking module
Knowing the location of hosts can ease the process of
blocking the detected attacks. Also profiting from the
central control and global view of SDN logic controller, the
application records and saves the position of each connected
node in the network.
3) Packets filtering module
In SDN, packets that do not match any of the flow entries
that reside in the switch will be sent to the controller for
further analysis. Then, controller can use this message to
generate specific messages to the switch so that the
subsequent packets will not be sent to controller. The
controller generates order message based on the result of the
inspection. It will forward legitimate packets and drop
malicious spoofed packets.
4) Port statistic queries module
To detect the DDoS attacks, the framework must be able
to detect the events of DDoS attacks. The events mean
328
329
something that can be used to warn the mechanism that
suspicious behavior happen in the network. The framework
queries for the port statistics of each switch in the networks
periodically to monitor byte rate and packet rate of ports in
switches. And the framework uses the values to make
decision.
5) Flow statistic queries module
In order to safely insert security flow into the switch, the
framework needs to know existing flow entries that reside at
each switch. This step is necessary to make sure that there
will not be overlapping or conflict flow rules in the switch.
To do this, the framework periodically queries the switches
with their state of flow table. Then the framework looks up
for malicious flow entries, deletes them, and inserts counter
flow entries to block the attacks.
V. WORKING EXAMPLE
We use a spoofed UDP flood attack as our example. In
the case, the attacker startups UDP flood attack using IP
spoofing to overload networks and devices with packets that
appear to be from legitimate source IP addresses.
Fig. 4 shows a scenario example of DDoS defense
mechanism.
...
DDoS Defense
Application
Sub network
Sub network
Bot
Sub network
Victim
Bot
Sub network
Attacker
Fig. 4. Scenario of DDoS defense mechanism
At the startup phase, the framework collects the
information of the network. At run time of the network, it
periodically updates the information through the controller.
The attacker sends command to the bots to perform
spoofed UDP flooding attack targeting the victim.
The bots accepts the command and send large volume
UDP packets with spoofed IP to the victim.
The port statistic queries module periodically to monitor
byte rate and packet rate of ports in switches. And it finds
there are large volume UDP packets suddenly in the
network.
 The port statistic queries module notifies the binding
module to audit the IP address. The binding module finds
these UDP packets are spoofed according the registered IP
address information of the network.
The binding module notifies the framework that there are
a DDoS attack is occurring and tells the framework the
properties of the attack including the victims IP address and
bots IP address.
The framework firstly orders the packets filtering module
to drop the attack packets based on the victims IP address.
And then it notifies the location tracking module to find the
attackers exact IP address.
The location tracking module picks the attackers exact IP
address based on the global view of the network and the
bots IP address. After finding the attackers node, the
framework notifies the flow statistic queries module to put
the node offline.
At last, the network is peaceful.
VI. CONCLUSIONS
This paper proposed a defense mechanism for DDoS
attacks in SDN. Firstly, we analyze the DDoS attacks and
draw the needs of defense mechanism for DDoS attacks.
Secondly, we analyze the properties of SDN and find SDNs
advantages to construct defense mechanism for DDoS
attacks. Then, we propose a framework of defense
mechanism for DDoS attacks. More details about key
modules in the framework are discussed. At last, we
demonstrate a working example to verify our proposed
framework.
ACKNOWLEDGMENT
This work is supported by Key Lab of Information
Network Security, Ministry of Public Security, China.
REFERENCES
[1] Saman Taghavi Zargar, James Joshi, and David Tipper, A Survey of
Defense Mechanisms Against Distributed Denial of Service (DDoS)
Flooding Attacks, IEEE Comm. Survey & Tutorials, vol. 15, no. 4,
pp. 2046-2069, Fourth Quater 2013
[2] P. J. Criscuolo, Distributed Denial of Service, Tribe Flood Network
2000, and Stacheldraht CIAC-2319, Department of Energy Computer
329
330
Incident Advisory Capability (CIAC), UCRL-ID-136939, Rev. 1.,
Lawrence Livermore National Laboratory, February 14, 2000.
[3] Yahoo on Trail of Site Hackers, Wired.com, Feb. 8, 2000, [online]
http://www.wired.com/news/business/0,1367,34221,00.html.
[4] Powerful Attack Cripples Internet, Oct. 23, 2002, [online]
http://www.greenspun.com/bboard/qandafetchmsg.tcl?msg
id=00A7G7.
[5] Mydoom lesson: Take proactive steps to prevent DDoS attacks, Feb.
6, 2004, [online]
http://www.computerworld.com/s/article/89932/Mydoom lesson Take
proactive steps to prevent DDoS attacks?taxonomyId=017
[6] Lazy Hacker and Little Worm Set Off Cyberwar Frenzy, July 8,
2009, [online] http://www.wired.com/threatlevel/2009/07/mydoom/.
[7] New cyber attacks hit S Korea, July 9, 2009, [online]
http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm.
[8] Operation Payback cripples MasterCard site in revenge for
WikiLeaks ban, Dec. 8, 2010, [online]
http://www.guardian.co.uk/media/2010/dec/08/operationpayback
mastercardwebsitewikileaks.
[9] T. Kitten, DDoS: Lessons from Phase 2 Attacks, Jan. 14, 2013,
[online]http://www.bankinfosecurity.com/ddos-attacks-lessons-from-
phase-2-a-5420/op-1.
[10] Ponemon Institute, Cyber Security on the Offense: A Study of IT
Security Experts, Nov. 2012.
[11] Paulo E. Ayres, Huizhong Sun, H. Jonathan Chao, and Wing Cheong
Lau, ALPi: A DDoS Defense System for High-Speed Networks,
IEEE Journal on Selected Areas in Communications, vol. 24, no. 10,
pp. 1864-1876, Oct. 2006.
[12] Zahid Anwar, and Asad Waqar Malik, Can a DDoS Attack
Meltdown My Data Center? A Simulation Study and Defense
Strategies, IEEE Commu. Letters, vol. 18, no. 7, pp. 1175-1178, Jul.
2014.
[13] Yu Chen, Kai Hwang, and Wei-Shinn Ku, Collaborative Detection
of DDoS Attacks over Multiple Network Domains, IEEE Trans. on
Parallel and Distributed Systems, vol. 18, no. 12, Dec. 2007.
[14] J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS
defense mechanisms, ACM SIGCOMM Computer Communications
Review, vol. 34, no. 2, pp. 39-53, April 2004.
[15] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, DDoS-
Resilient Scheduling to Counter Application Layer Attacks under
Imperfect Detection, IEEE INFOCOM06, 2006.
[16] Open Networking Foundation, "Software-Defined Networking: The
New Norm for Networks," Open Networking Foundation, Apr. 2012.
[17] Oktian, SangGon Lee, and Hoonjae Lee, Mitigating Denial of
Service (DoS) attacks in OpenFlow networks, In Information and
Communication Technology Convergence (ICTC), 2014, pp. 325-
330, Oct. 2014.
[18] Seugwon Shin, Phillip Porras, Vinod Yegneswaran, Martin Fong,
Guofei Gu, and Mabry Tyson, FRESCO: Modular Composable
Security Services for Software-Defined Networks, NDSS, 2013.