Closed-Loop DDoS Mitigation System in Software Defined Networks

Abstract

In Software Defined Networking (SDN) with the centralized controller structure, Distributed Denial of Service (DDoS) attacks can exhaust the controller's or the nodes' computing and communication resources; thus, breakdown of the network could happen. Threat vectors for DDoS attack can be the main components of SDN, such as the control plane, the data plane, and/or the application plane. This paper focuses on protecting servers in the SDN networks from DDoS attacks. We focus specifically on protocol attacks. This type of attack consumes target server resources, or the communication resources allocated for the target server. Using a feedback loop from the data plane to the control plane in real-time, we can anticipate future attacks and control the attack reactively. Processing all the traffic going through an SDN network at the control plane in real-time can overwhelm the controller. To prevent this a Network Function Virtualization (NFV) node can be configured in the SDN where the traffic processing can take place. Hence a closed-loop system where the real-time traffic is monitored from a NFV in the SDN that reports to the controller in the SDN can mitigate DDoS attacks. The NFV can monitor the real-time network traffic for any upsurges in a pre-defined traffic flow that crosses a pre-configured threshold. The threshold can be chosen based on information from previous attacks. In the event of an attack the NFV can report to the controller which can in turn take appropriate action. In this paper, we propose two closed-loop methods to protect servers in SDN from DDoS attacks. The objective of this paper is to protect the host machines in SDN from DDoS attacks that originate from within the network itself. We implemented the proposed methods and compared the two methods for further analysis. Our closed-loop systems can mitigate the DDoS attacks in real-time. The rate at which the attacks were mitigated was largely influenced by the value of the threshold that is configured.