Abstract

Software Defined Networking (SDN) has proved itself to be a backbone of modern network design and is quickly becoming an industry standard. The separation of the control plane from the data plane is the key concept behind SDN. SDN not only allows us to program and monitor our networks but also helps in mitigating some key network problems; distributed denial of service (DDoS) attacks are among them. In this paper we propose a collaborative DDoS attack mitigation scheme using SDN. We design a secure controller-to-controller (C-to-C) protocol that allows SDN controllers lying in different autonomous systems (AS) to communicate securely and exchange attack information with each other. This enables efficient notification along the path of an ongoing attack and effective filtering of traffic near the source of the attack, thus saving valuable time and network resources. We also introduce three deployment approaches, i.e., linear, central and mesh, in our testbed. Based on the experimental results we demonstrate that our SDN based collaborative scheme is fast and reliable in mitigating DDoS attacks in real time with a very small computational footprint.

Highlights

  • The legacy of distributed denial of service (DDoS) attacks continues to grow in sophistication and volume, with attacks breaking the barrier of hundreds of Gbps [1]

  • At the border of each autonomous system (AS) sit Software Defined Networking (SDN) controllers that are capable of communicating with the neighboring AS's controllers to transfer attack definitions (an attack definition basically consists of the malicious IP addresses that are exchanged in the payload of the C-to-C protocol)

  • Attackers can still try to launch a DDoS attack against a controller in an ISP; a DDoS attack against a controller is synonymous with an attack against any host/server within that ISP


Summary

Introduction

The legacy of distributed denial of service (DDoS) attacks continues to grow in sophistication and volume, with attacks breaking the barrier of hundreds of Gbps [1]. In existing collaborative schemes the report latency increases with the number of hops between the source and the victim of an attack, and they do not validate the authenticity of incident reports exchanged among adjacent SDN domains. Push-back schemes add functionality in each router to detect and filter attack traffic and to notify the upstream routers to drop such traffic [13]. As a result, they require more resources at various levels, and the push-back mechanism must be deployed in all the participating network components (routers and switches). The protocol proposed here can itself be deployed in different ways: in linear order, peer-to-peer, or via a centralized scheme, to collaboratively disseminate DDoS filtering information.
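The following Python sketch is added here as an illustration and is not the paper's own code or protocol. It models the exchange the abstract and introduction describe: the victim's controller builds an attack definition (the list of malicious source addresses plus the victim address), attaches an authenticity tag, and each upstream controller on a linear path validates the payload before installing drop rules for the sources that fall inside its own prefix, so filtering happens near the source. HMAC over per-AS pre-shared keys stands in for the certificate section of the paper's C-to-C protocol, and the replay and address-format checks are this example's additions; the AS numbers, prefixes, keys and IP addresses are constructed for the example.

```python
"""Toy model of a controller-to-controller (C-to-C) attack-definition exchange.

Illustrative only: HMAC with per-AS pre-shared keys replaces the certificate
section of the paper's protocol, and every identifier below is invented.
"""
import hashlib
import hmac
import ipaddress
import json

# Constructed testbed: three ASes in a linear chain. Attack sources sit in
# AS 65001 and AS 65002; the victim is in AS 65003 (all documentation ranges).
AS_PREFIX = {
    65001: ipaddress.ip_network("198.51.100.0/24"),
    65002: ipaddress.ip_network("192.0.2.0/24"),
    65003: ipaddress.ip_network("203.0.113.0/24"),
}

# Stand-in for the certificate section: each controller knows a key per peer AS.
PEER_KEY = {
    65001: b"example-key-as65001",
    65002: b"example-key-as65002",
    65003: b"example-key-as65003",
}


def _canonical(data):
    """Deterministic serialisation so sender and receiver tag the same bytes."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def build_report(origin_as, victim, sources, seq):
    """Data section (attack definition) plus an authenticity tag over it."""
    data = {"origin_as": origin_as, "victim": victim,
            "sources": sorted(sources), "seq": seq}
    tag = hmac.new(PEER_KEY[origin_as], _canonical(data), hashlib.sha256).hexdigest()
    return {"data": data, "cert": {"signer_as": origin_as, "tag": tag}}


def validate_report(report, last_seq):
    """Payload validation: known signer, intact tag, no replay, well-formed IPs.

    last_seq maps signer AS -> highest sequence number accepted so far and is
    updated only when the report is accepted.
    """
    data, cert = report["data"], report["cert"]
    signer = cert.get("signer_as")
    key = PEER_KEY.get(signer)
    if key is None:
        return False, "unknown signer"
    expected = hmac.new(key, _canonical(data), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.get("tag", "")):
        return False, "bad tag"           # modified data section or wrong key
    if data["seq"] <= last_seq.get(signer, -1):
        return False, "replay"
    try:
        ipaddress.ip_address(data["victim"])
        for ip in data["sources"]:
            ipaddress.ip_address(ip)
    except ValueError:
        return False, "malformed address"
    last_seq[signer] = data["seq"]
    return True, "ok"


def propagate(report, path):
    """Walk the report hop by hop from the victim AS towards the attack sources.

    Each AS installs drop rules only for sources inside its own prefix, strips
    them from the definition, re-signs the remainder and forwards it upstream.
    Returns (rules installed per AS, hops travelled, final status).
    """
    state = {asn: {} for asn in path}    # per-AS replay state
    installed = {}
    hops = 0
    for i, asn in enumerate(path):
        if i > 0:                          # the originator trusts its own report
            hops += 1
            ok, reason = validate_report(report, state[asn])
            if not ok:
                return installed, hops, reason
        sources = report["data"]["sources"]
        local = [ip for ip in sources
                 if ipaddress.ip_address(ip) in AS_PREFIX[asn]]
        installed[asn] = local             # drop rules pushed to local switches
        remaining = [ip for ip in sources if ip not in local]
        if not remaining:
            break                          # everything filtered near its source
        report = build_report(asn, report["data"]["victim"], remaining,
                              report["data"]["seq"])
    return installed, hops, "ok"


if __name__ == "__main__":
    attack = build_report(65003, "203.0.113.10",
                          ["198.51.100.7", "192.0.2.44", "198.51.100.9"], seq=1)
    print(propagate(attack, [65003, 65002, 65001]))
    forged = dict(attack, cert={"signer_as": 65099, "tag": "00"})
    print(validate_report(forged, {}))
```

The report is re-signed at every hop, so each controller only has to trust its direct neighbour's key, which is the adjacency the certificate section would establish in the paper's design; a central or mesh deployment would change only who forwards the report, not how it is validated.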

Related Work
SDN Mechanisms against DDoS Attacks
DDoS Defense against SDN
Collaborative DDoS Mitigation
System Design and Architecture
Data Section
Certificate Section
Controller Modules
Policy Listener Module
Payload Validation Module
Policy Pusher Module
L3 Learning Module
Stats Collector Module
Work-Flow of Inter AS Collaborative DDoS Mitigation
Protecting Controllers against DDoS
Testbed and Evaluations
Deployment Approaches
Linear Approach
Centralized Approach
Mesh Approach
Bootstrapping
Effect of Deployment Approaches on Attack Mitigation
Linear
Mesh and Centralized Approach
Performance of Central Control Platform
Effect of Payload Size
Dissemination Delay and Throughput
Findings
Conclusions