Abstract

Distributed Denial of Service (DDoS) attacks are a major threat to Internet-based killer applications such as independent news web sites, e-business and online games. Detecting and blocking such clever attacks has become difficult. Software-Defined Networks (SDN) has emerged as a future communication network architecture that decouples network control from forwarding. It has particular features, such as central control and programmability, that can be used to combat DDoS attacks. In this paper, we survey DDoS attacks and existing defense mechanisms, and draw conclusions about what a defense mechanism needs in order to combat DDoS successfully. Then, we analyze the particular features of SDN and conclude that they are conducive to countering DDoS attacks. Based on this analysis, we construct a defense mechanism for DDoS in SDN. Finally, we illustrate how this mechanism could combat DDoS attacks through a working example.

Keywords- Software-Defined Networks; Distributed Denial of Service; Central Control; Programmability

I. INTRODUCTION

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. DDoS attacks have been known to the network research community since the early 1980s. In the summer of 1999, the Computer Incident Advisory Capability reported the first DDoS attack incident [2], and most of the DoS attacks since then have been distributed in nature.

Most of the DDoS attacks launched to date have tried to make the victims' services unavailable, leading to revenue losses and increased costs of mitigating the attacks and restoring the services.

According to the findings of the Ponemon Institute's research [10], on average DDoS attacks are costing companies approximately $3.5 million annually. The average amount of downtime following a DDoS attack is 54 minutes, and the average cost for each minute of downtime was about $22,000. However, the cost can range from as little as $1 to more than $100,000 per minute of downtime. Estimates from Forrester, IDC, and the Yankee Group predict that the cost of a 24-hour outage for a large e-commerce company would approach US$30 million.

There are some concrete cases from the past few years. A spate of DDoS attacks against Amazon, Yahoo, eBay, and other major sites in February 2000 caused an estimated cumulative loss of US$1.2 billion, according to the Yankee Group. And in January 2001, Microsoft lost approximately US$500 million over the course of a few days from a DDoS attack on its site.

Along with high revenue losses, DDoS attacks are widespread. Many DDoS flooding attacks have been launched against different organizations since the summer of 1999, according to the news reports in [2][3][4][5][6][7][8][9].

DDoS attacks are so widespread and impactful that much work has been done to combat them. Many solutions have been proposed, such as those in [11][12][13]. However, they have met with limited success.

With the evolution of SDN, new opportunities to combat DDoS attacks have appeared.

In this paper, we propose a defense mechanism for DDoS attacks in SDN. The rest of the paper is organized as follows: we analyze DDoS attacks and the needs of a successful defense mechanism in Section II. Section III presents the features of SDN and its advantages for combating DDoS attacks. The proposed defense mechanism for DDoS attacks is discussed in Section IV. In Section V, a working example is illustrated. Finally, we conclude the paper in Section VI.

II. ANALYSIS OF DDOS ATTACKS AND DEFENSE MECHANISMS

A. Survey of DDoS Attacks

There have been many DDoS attack instances in past years. But in all of these attacks, the attackers try to do one or both of the following things [1].

The first is to disrupt a legitimate user's connectivity by exhausting bandwidth, router processing capacity or network resources. The second is to disrupt a legitimate user's services by exhausting the server resources.

Attacks of the former type are essentially network/transport-level flooding attacks [14], and attacks of the latter type are essentially application-level flooding attacks [15].

According to this analysis, we can classify DDoS attacks into two categories based on the protocol level. The complete category structure of DDoS attacks is illustrated in Fig. 1.
context, a flow is a sequence of packets between a source and a destination. Flow programming enables unprecedented flexibility, limited only by the capabilities of the implemented flow tables.

3) Control logic is moved to an external entity

The controller is a software platform that runs on commodity server technology and provides the essential resources and abstractions to facilitate the programming of forwarding devices based on a logically centralized, abstract network view. Its purpose is therefore similar to that of a traditional operating system.

4) The network is programmable

The network is programmable through software applications running on top of the controller that interact with the underlying data plane devices. This is a fundamental characteristic of SDN, considered its main value proposition.

[Figure: SDN architecture; applications App A, App B and App C sit above a common northbound API on top of the controller]

threats. Centralized control of SDN makes it possible to dynamically quarantine compromised hosts and authenticate legitimate hosts based on information obtained by querying end hosts and Remote Authentication Dial In User Service (RADIUS) servers for user authentication information, and by system scanning during registration.

3) Programmability of the network by external applications

The programmability of SDN supports a process of harvesting intelligence from existing intrusion detection systems and intrusion prevention systems. More intelligent algorithms can be used flexibly against different DDoS attacks.

4) Software-based traffic analysis

Software-based traffic analysis greatly enables innovation, as it can be performed using all kinds of intelligent algorithms, databases, and any other software tools.

5) Dynamic updating of forwarding rules and flow abstraction

Dynamic updating of forwarding rules assists in the prompt response to DDoS attacks. Based on the traffic analysis, new or updated security policy can be propagated across the network in the form of flow rules to block the attack traffic without delay.
predefined modules and enforcement component. Network administrators use the script language to define the detection and mitigation method at a high level. Many abstract modules are predefined for network administrators to build their method from, so network administrators are under no obligation to learn further details of the method or of the network.

There are many predefined abstract and elementary modules in the framework. These modules are atomic actions for the detection and mitigation of DDoS attacks. The details of these modules are discussed in a later section.

The scripts are translated into exact switch rules and deployed into the switches by the enforcement component. The enforcement component performs this job through the controller's northbound APIs.

The enforcement component offers several important features to ensure that flow rules derived from security services are prioritized and enforced over competing flow rules produced by other applications. The enforcement component includes three main functions: rule source identification, rule conflict detection, and conflict resolution. For more details about the enforcement component, refer to [18].

B. Key Modules in Framework

The predefined modules can be defined according to actual

[Figure: DDoS Defense Application (...)]

something that can be used to warn the mechanism that suspicious behavior is happening in the network. The framework periodically queries the port statistics of each switch in the network to monitor the byte rate and packet rate of the ports in the switches, and uses these values to make its decision.

5) Flow statistic queries module

In order to safely insert a security flow into a switch, the framework needs to know the existing flow entries that reside at each switch. This step is necessary to make sure that there will not be overlapping or conflicting flow rules in the switch. To do this, the framework periodically queries the switches for the state of their flow tables. Then the framework looks for malicious flow entries, deletes them, and inserts counter flow entries to block the attacks.

V. WORKING EXAMPLE

We use a spoofed UDP flood attack as our example. In this case, the attacker starts a UDP flood attack using IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses.

Fig. 4 shows a scenario example of the DDoS defense mechanism.
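The port statistic queries and flow statistic queries modules above, and the spoofed-UDP-flood scenario of Section V, simulated controller-side as an added example that is not the paper's own code: the packet-rate threshold, the IP-to-port registry held by the binding module, the flow-table representation and all sample values are assumptions constructed for the illustration.

```python
from collections import Counter, namedtuple
FlowRule = namedtuple("FlowRule", "priority match action")
# Constructed registry of source IPs registered per (switch, port); the binding
# module audits packets against it. PPS_THRESHOLD is an assumed operator setting.
BINDINGS = {("s1", 1): {"10.0.0.1"}, ("s1", 2): {"10.0.0.2"}}
PPS_THRESHOLD = 1000.0  # packets per second per switch port

def port_packet_rate(prev_pkts, curr_pkts, interval_s):
    """Packet rate between two successive port-statistics samples."""
    return (curr_pkts - prev_pkts) / interval_s

def spoofed_sources(switch, port, packets):
    """Binding audit: UDP source IPs seen on a port that are not registered there."""
    registered = BINDINGS.get((switch, port), set())
    return sorted({p["src"] for p in packets
                   if p["proto"] == "udp" and p["src"] not in registered})

def overlaps(a, b):
    """Matches overlap when every field both specify is equal (absent = wildcard)."""
    return all(a[k] == b[k] for k in a.keys() & b.keys())

def install_counter_rule(flow_table, victim_ip):
    """Flow statistic queries module: delete entries that would override the drop
    rule (overlapping match, different action, priority >= ours), then insert it."""
    counter = FlowRule(200, {"ip_dst": victim_ip, "ip_proto": "udp"}, "drop")
    kept = [r for r in flow_table
            if not (overlaps(r.match, counter.match) and r.action != counter.action
                    and r.priority >= counter.priority)]
    return kept + [counter]

def handle_port_sample(switch, port, prev_pkts, curr_pkts, interval_s, packets, table):
    """Pipeline: port rate check -> binding audit -> drop rule. Returns (table, bots)."""
    if port_packet_rate(prev_pkts, curr_pkts, interval_s) <= PPS_THRESHOLD:
        return table, []
    bots = spoofed_sources(switch, port, packets)
    if not bots:
        return table, []
    # The victim is the destination most of the spoofed packets are aimed at.
    victim = Counter(p["dst"] for p in packets if p["src"] in bots).most_common(1)[0][0]
    return install_counter_rule(table, victim), bots

def demo():
    """Constructed spoofed UDP flood on s1 port 1: 30000 packets in 10 s."""
    packets = [{"src": "10.0.0.1", "dst": "10.0.0.9", "proto": "udp"},
               {"src": "192.0.2.7", "dst": "10.0.0.9", "proto": "udp"},
               {"src": "198.51.100.3", "dst": "10.0.0.9", "proto": "udp"}]
    table = [FlowRule(300, {"ip_dst": "10.0.0.9"}, "output:2"),
             FlowRule(50, {}, "output:controller")]
    return handle_port_sample("s1", 1, 0, 30000, 10.0, packets, table)
```

In the demo the pre-existing forwarding entry for the victim (priority 300) is removed because it would take precedence over the drop rule, while the low-priority table-miss entry is left in place.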
The port statistic queries module notifies the binding module to audit the IP addresses. The binding module finds that these UDP packets are spoofed, according to the registered IP address information of the network.

The binding module notifies the framework that a DDoS attack is occurring and tells the framework the properties of the attack, including the victim's IP address and the bots' IP addresses.

The framework first orders the packet filtering module to drop the attack packets based on the victim's IP address. Then it notifies the location tracking module to find the attacker's exact IP address.

The location tracking module picks out the attacker's exact IP address based on the global view of the network and the bots' IP addresses. After finding the attacker's node, the framework notifies the flow statistic queries module to put the node offline.

At last, the network is peaceful.

VI. CONCLUSIONS

This paper proposed a defense mechanism for DDoS attacks in SDN. Firstly, we analyzed DDoS attacks and drew the needs of a defense mechanism for DDoS attacks. Secondly, we analyzed the properties of SDN and found SDN's advantages for constructing a defense mechanism for DDoS attacks. Then, we proposed a framework for the defense mechanism against DDoS attacks, and discussed the key modules in the framework in more detail. Finally, we demonstrated a working example to verify our proposed framework.

ACKNOWLEDGMENT

This work is supported by Key Lab of Information Network Security, Ministry of Public Security, China.

REFERENCES

[1] Saman Taghavi Zargar, James Joshi, and David Tipper, A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks, IEEE Comm. Surveys & Tutorials, vol. 15, no. 4, pp. 2046-2069, Fourth Quarter 2013.
[2] P. J. Criscuolo, Distributed Denial of Service, Tribe Flood Network 2000, and Stacheldraht CIAC-2319, Department of Energy Computer Incident Advisory Capability (CIAC), UCRL-ID-136939, Rev. 1., Lawrence Livermore National Laboratory, February 14, 2000.
[3] Yahoo on Trail of Site Hackers, Wired.com, Feb. 8, 2000, [online] http://www.wired.com/news/business/0,1367,34221,00.html.
[4] Powerful Attack Cripples Internet, Oct. 23, 2002, [online] http://www.greenspun.com/bboard/qandafetchmsg.tcl?msg id=00A7G7.
[5] Mydoom lesson: Take proactive steps to prevent DDoS attacks, Feb. 6, 2004, [online] http://www.computerworld.com/s/article/89932/Mydoom lesson Take proactive steps to prevent DDoS attacks?taxonomyId=017
[6] Lazy Hacker and Little Worm Set Off Cyberwar Frenzy, July 8, 2009, [online] http://www.wired.com/threatlevel/2009/07/mydoom/.
[7] New cyber attacks hit S Korea, July 9, 2009, [online] http://news.bbc.co.uk/2/hi/asia-pacific/8142282.stm.
[8] Operation Payback cripples MasterCard site in revenge for WikiLeaks ban, Dec. 8, 2010, [online] http://www.guardian.co.uk/media/2010/dec/08/operationpaybackmastercardwebsitewikileaks.
[9] T. Kitten, DDoS: Lessons from Phase 2 Attacks, Jan. 14, 2013, [online] http://www.bankinfosecurity.com/ddos-attacks-lessons-from-phase-2-a-5420/op-1.
[10] Ponemon Institute, Cyber Security on the Offense: A Study of IT Security Experts, Nov. 2012.
[11] Paulo E. Ayres, Huizhong Sun, H. Jonathan Chao, and Wing Cheong Lau, ALPi: A DDoS Defense System for High-Speed Networks, IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1864-1876, Oct. 2006.
[12] Zahid Anwar and Asad Waqar Malik, Can a DDoS Attack Meltdown My Data Center? A Simulation Study and Defense Strategies, IEEE Commu. Letters, vol. 18, no. 7, pp. 1175-1178, Jul. 2014.
[13] Yu Chen, Kai Hwang, and Wei-Shinn Ku, Collaborative Detection of DDoS Attacks over Multiple Network Domains, IEEE Trans. on Parallel and Distributed Systems, vol. 18, no. 12, Dec. 2007.
[14] J. Mirkovic and P. Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communications Review, vol. 34, no. 2, pp. 39-53, April 2004.
[15] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, DDoS-Resilient Scheduling to Counter Application Layer Attacks under Imperfect Detection, IEEE INFOCOM 2006, 2006.
[16] Open Networking Foundation, "Software-Defined Networking: The New Norm for Networks," Open Networking Foundation, Apr. 2012.
[17] Oktian, SangGon Lee, and Hoonjae Lee, Mitigating Denial of Service (DoS) attacks in OpenFlow networks, in Information and Communication Technology Convergence (ICTC), 2014, pp. 325-330, Oct. 2014.
[18] Seugwon Shin, Phillip Porras, Vinod Yegneswaran, Martin Fong, Guofei Gu, and Mabry Tyson, FRESCO: Modular Composable Security Services for Software-Defined Networks, NDSS, 2013.