MAC based model to Differentiate Flash crowd and Malicious traffic in SDN

Abstract

The nature of computer network flash crowd traffic, which is generated by legitimate users accessing servers or other network resources are similar to the traffic generated by Distributed Denial of Service (DDoS) like attacks. With advancement in spoof packet generation tools, attacker may generate Multi-source Multi-destination Multi-protocol (MMM) traffic; characteristics of such traffic are very similar to on-going genuine/ flash crowd traffic in the network. In the case of Software Defined Network (SDN), attacker’s target is controller plane. Controller plane in SDN is a centralized processing unit of the underlying network, which manages several data planes. Controller plane frames the policies and pushes forwarding rules to the data planes. Data planes just maintain the forwarding rules. Thus by overloading the SDN controller, functionality of complete computer network will be hampered. In this paper, we have proposed Media Access Control (MAC) address based Model to Differentiate Flash crowd and Malicious traffic in SDN (MDFMS). Novelty of the proposed model is to detect, locate and mitigate the source of Traditional DDoS (T-DDoS) and MMMDDoS traffic. MDFSM has been implemented on separate machine to avoid any additional computing load on SDN controller. It also preserves the original design of the SDN architecture. Proposed model has been evaluated under various scenarios and encouraging results have been obtained to differentiate T-DDoS and MMM-DDoS from benign flash crowd traffic.