SD-WAN Flood Tracer: Tracking the entry points of DDoS attack flows in WAN

Abstract

Countering DDoS attacks in the network requires identification of attack flows and their removal, resulting in the removal of legitimate flows as well. Mitigation of attacks near the attacker reduces the chances of affecting legitimate communication as the attack path is curtailed. Hence, an efficient DDoS countermeasure requires an efficient traceback scheme to identify the attack source in order to mitigate the attack at entry point itself. This paper proposes SD-WAN Flood Tracer to facilitate tracing the attack source in software-defined wide area network (SD-WAN). The traceback scheme is divided into two parts; the first part is internal traceback to trace the sources in the vicinity of a single controller. The second part is external traceback to trace the source belonging to another controller’s vicinity. Such a global traceback scheme prevents the impact of DDoS attacks on legitimate traffic. Not just DDoS attack sources, but this scheme may also support tracking other anomaly sources as well. The traceback scheme is lightweight with low overhead on the communication channel and converges the trace quickly. The proposed scheme is capable of efficiently tracing internal anomaly sources, as well as external anomaly sources to the farthest location, preventing damage to legitimate communications in the network.