Abstract
Distributed denial of service (DDoS) attacks have been prevalent on the Internet for decades. Despite various defenses, they keep growing in size, frequency, and duration. The new network paradigm, software-defined networking (SDN), is also vulnerable to DDoS attacks. SDN uses logically centralized control, which brings the advantages of maintaining a global network view and simplifying programmability. When attacks happen, the control path between the switches and their associated controllers may become congested because of its limited capacity. However, the data plane visibility of SDN provides new opportunities to defend against DDoS attacks in the cloud computing environment. To this end, we conduct measurements to evaluate the throughput of the software control agents on several hardware switches while they are under attack. We then design a new mechanism, called Scotch, that enables the network to scale up its capability and handle DDoS attack traffic. In our design, congestion on the control path serves as the indicator that triggers the mitigation mechanism. Scotch elastically scales up control plane capacity by using an Open vSwitch-based overlay. Scotch takes advantage of both the high control plane capacity of a large number of vSwitches and the high data plane capacity of commodity physical switches to increase SDN scalability and resiliency under abnormal traffic surges (e.g., DDoS attacks). We have implemented a prototype and experimentally evaluated Scotch. Our experiments in a small-scale lab environment and on the large-scale GENI testbed demonstrate that Scotch can elastically scale up the control channel bandwidth upon attacks.
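The abstract's core idea, a control path of limited throughput that congests under a packet-in surge and an overlay of vSwitches that is grown and shrunk in response, can be modelled in a few lines. The following Python model is an added illustration, not Scotch's code or the paper's evaluation; the capacities, the 90% congestion threshold, the `ControlPath` class and the traffic series are all constructed assumptions chosen only to show how congestion-triggered elastic scaling changes the drop count compared with a fixed hardware control agent.

```python
"""Illustrative model of congestion-triggered elastic control-path scaling.
Added example; not the Scotch implementation. All numbers are assumptions."""
from dataclasses import dataclass


@dataclass
class ControlPath:
    """Control channel between a hardware switch and its controller.

    hw_capacity       packet-ins/s the switch's software control agent can push
                      (hypothetical figure standing in for the measured throughput)
    vswitch_capacity  packet-ins/s each overlay vSwitch contributes (assumed)
    max_vswitches     upper bound on overlay size (assumed)
    """
    hw_capacity: int
    vswitch_capacity: int
    max_vswitches: int
    vswitches: int = 0

    def capacity(self) -> int:
        return self.hw_capacity + self.vswitches * self.vswitch_capacity


def congested(path: ControlPath, offered: int, threshold: float = 0.9) -> bool:
    """Congestion indicator: offered packet-in rate exceeds a fraction of capacity."""
    return offered > threshold * path.capacity()


def elastic_scale(path: ControlPath, offered: int, threshold: float = 0.9) -> int:
    """Grow the overlay while congested, shrink it while the load fits without
    the last vSwitch. Returns the net change in overlay size."""
    change = 0
    while congested(path, offered, threshold) and path.vswitches < path.max_vswitches:
        path.vswitches += 1
        change += 1
    while path.vswitches > 0 and offered <= threshold * (path.capacity() - path.vswitch_capacity):
        path.vswitches -= 1
        change -= 1
    return change


def deliver(path: ControlPath, offered: int) -> tuple[int, int]:
    """One interval of the control channel: (delivered, dropped) packet-ins."""
    delivered = min(offered, path.capacity())
    return delivered, offered - delivered


def simulate(offered_rates: list[int], path: ControlPath, threshold: float = 0.9) -> list[dict]:
    """Run the congestion check, scaling decision and delivery per interval."""
    log = []
    for t, offered in enumerate(offered_rates):
        change = elastic_scale(path, offered, threshold)
        delivered, dropped = deliver(path, offered)
        log.append({"t": t, "offered": offered, "vswitches": path.vswitches,
                    "change": change, "delivered": delivered, "dropped": dropped})
    return log


# Constructed packet-in series: normal load, a surge, a larger surge, recovery.
SURGE = [500, 800, 5000, 12000, 12000, 600]


def total_dropped(log: list[dict]) -> int:
    return sum(entry["dropped"] for entry in log)


if __name__ == "__main__":
    fixed = simulate(SURGE, ControlPath(hw_capacity=1000, vswitch_capacity=2000, max_vswitches=0))
    elastic = simulate(SURGE, ControlPath(hw_capacity=1000, vswitch_capacity=2000, max_vswitches=8))
    for entry in elastic:
        print(entry)
    print("dropped without overlay:", total_dropped(fixed))
    print("dropped with elastic overlay:", total_dropped(elastic))
```

With the assumed figures the fixed control agent drops every packet-in above 1000/s during the surge, while the elastic path adds three vSwitches at the first surge, seven at the second, releases them all once the load returns to normal, and drops nothing. The model deliberately ignores the time it takes to bring a vSwitch into the overlay and the cost of redirecting flows into it, which is where a real deployment's tuning of the threshold and the overlay size would matter.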
Title: Elastically Augmenting the Control-path Throughput in SDN to Deal with Internet DDoS Attacks