A Multi-Criteria based Software Defined Networking System Architecture for DDoS-Attack Mitigation

Abstract

Nowadays, Software-Defined Networking (SDN) has become a promising network architecture in which network devices are controlled in a separate Control Plane (i.e., SDN controller). In a specific aspect, employing SDN in a network offers an attractive network security solution due to its flexibility in building and adding more new software security rules. From another perspective, attack prediction and mitigation, especially for Distributed Denial of Service (DDoS) attacks, are still challenges in SDN environments since a SDN control system works probably slower than a non-SDN one and theSDN controller can become a target of attacks. In this article, at first, we analyze a real traffic use case in order to derive DDoS indicators and thresholds. Secondly, we design an Openflow/SDN-based Attack Mitigation Architecture that is able to quickly mitigate DDoS attacks on the fly. The design solves the existing problems of the Openflow protocol, reducing the traffic volume traversing over the interface between the data plane (switch) and the control plane (SDN controller) and decreasing the buffer size at the Openflow switch. Applying our proposed Fuzzy Logic-based DDoS Mitigation algorithm that deploys multiple criteria for DDoS detection - FDDoM, the system demonstrates the ability to detect and filter 97% of attack flows and reach a False Positive Rate of 5% that are acceptable figures in real system management. The results also show that the network resource which is required to cope and maintain flow entries is 50% reduced during attack time.