Abstract—Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to network security. Software-Defined Networking (SDN) has recently emerged as a new network management platform, and its centralized control architecture brings many new opportunities for defending against network attacks. In this paper, we propose FADM, an efficient and lightweight framework to detect and mitigate DDoS attacks in SDN. Firstly, the network traffic information is collected through the SDN controller and sFlow agents. Then an entropy-based method is used to measure network features, and the SVM classifier is applied to identify network anomalies. By adopting these methods together, the timeliness and accuracy of attack detection are effectively improved. To keep the major network functionality working, we propose an efficient attack mitigation mechanism based on the white-list and traffic migration. By introducing the mitigation agent to the network, attack traffic can be blocked in a timely manner while benign traffic can be forwarded as usual, which prevents the controller resources from being exhausted and ensures that legitimate users can access the network normally. The experimental results show that multiple DDoS attacks can be accurately detected and effectively mitigated by FADM, which enables the network to recover in a short time.

I. INTRODUCTION

Distributed Denial-of-Service (DDoS) flooding attack is one of the most serious threats to current network security. Attackers make use of a botnet to send massive numbers of useless packets, which will rapidly exhaust the target's resources such as bandwidth, memory, CPU, etc. Compared with other attacks, DDoS attacks have various attack methods, large-scale traffic and distributed infected hosts, all of which make them a challenge to defend against. On October 21, 2016, attackers used the Mirai botnet to launch two large and complex DDoS attacks against Dyn's Managed DNS platform from 100,000 malicious endpoints, which caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America [1]. How to detect and defend against such a large-scale DDoS attack is an urgent problem to be studied.

Software-Defined Networking (SDN) has recently emerged as a new network management platform. In the SDN architecture, the control and data planes are decoupled. As a result, the network intelligence and state can be logically centralized, and the underlying network infrastructure is abstracted from applications. SDN has the capabilities of software-based traffic analysis, logically centralized control, a global view of the network, and dynamic updating of forwarding rules, which make it easy to detect and to react against DDoS attacks [2]. On the other hand, some characteristics of SDN also make it vulnerable to DDoS attacks: the controller is too centralized, the switch flow table size is limited, and the bandwidth between the control and data planes is a bottleneck. How to take full advantage of the SDN characteristics to defend against DDoS attacks and protect the SDN infrastructure from attacks is a very challenging problem.

In this paper, we propose a framework to detect and mitigate DDoS flooding attacks in an SDN network to tackle the challenge above. Information collection is the prerequisite for attack detection. According to the characteristics of SDN, we propose an information collection method combining the SDN controller with sFlow [3] to improve its accuracy and timeliness. Then we use an entropy-based method to measure the changes of network features, and use a machine learning algorithm to automatically detect network anomalies. By using these methods together, DDoS attacks can be accurately detected in the early stage.

When the SDN network suffers from DDoS attacks, the controller resources and the bandwidth between the data and control planes will be exhausted by attack traffic. To avoid cutting off the communication of legitimate users, we cannot simply drop all attack traffic; therefore we introduce the mitigation agent in the network. When a DDoS attack occurs, all suspected attack traffic flows are migrated to the agent through the installed wildcard flow rules. However, some benign traffic flows may also be migrated to the mitigation agent, so there must be a way to identify them and install extra forwarding rules. By adopting this mitigation mechanism, the network can recover quickly and provide services for legitimate users.

The main contributions of this work can be summarized as follows:
1) We propose a real-time DDoS attack detection scheme, which can effectively improve the timeliness and accuracy of attack detection by adopting the Controller-based and sFlow-based information collection methods, the entropy-based feature extraction method and the SVM-based classification method.
2) We propose an efficient DDoS attack mitigation mechanism based on the white-list and dynamic updating of forwarding rules. By introducing the mitigation agent to the network, attack traffic can be timely blocked while
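The entropy-based feature extraction described above, as an added example written for this page rather than the FADM authors' code: it computes the normalized entropy of source IP, destination IP, destination port and protocol over fixed-size windows of sampled flow records, learns a per-feature baseline from benign windows, and flags a window whose features deviate from that baseline by more than k standard deviations. The record format, window size, standard-deviation floor and the constructed traffic generators are assumptions made here; a threshold rule stands in for the paper's SVM classifier, and the per-window feature vectors are what such a classifier would consume.

```python
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# A sampled flow record as an sFlow collector might expose it. The field
# names are assumed for this example and are not the paper's data format.
FlowSample = Dict[str, object]
FEATURES = ("src_ip", "dst_ip", "dst_port", "proto")


def shannon_entropy(counts: Counter) -> float:
    """Shannon entropy (bits) of the empirical distribution in `counts`."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def window_features(samples: List[FlowSample]) -> Dict[str, float]:
    """Normalized entropy of each header field over one window.
    Dividing by log2(window size) puts every feature in [0, 1] regardless of
    window length; 1.0 means every sample carried a distinct value."""
    n = len(samples)
    if n < 2:
        return {f: 0.0 for f in FEATURES}
    scale = math.log2(n)
    return {f: shannon_entropy(Counter(s[f] for s in samples)) / scale for f in FEATURES}


def windows(samples: Iterable[FlowSample], size: int) -> List[List[FlowSample]]:
    """Split a sample stream into fixed-size, non-overlapping windows;
    a trailing partial window is discarded."""
    buf, out = [], []
    for s in samples:
        buf.append(s)
        if len(buf) == size:
            out.append(buf)
            buf = []
    return out


class EntropyDetector:
    """Baseline the features on benign windows, then flag a window when any
    feature's z-score exceeds k. The std floor (assumed value) keeps a very
    stable baseline from turning into an oversensitive threshold."""

    def __init__(self, k: float = 3.0, std_floor: float = 0.05):
        self.k, self.std_floor = k, std_floor
        self.mean: Dict[str, float] = {}
        self.std: Dict[str, float] = {}

    def fit(self, benign_windows: List[List[FlowSample]]) -> None:
        vecs = [window_features(w) for w in benign_windows]
        for f in FEATURES:
            vals = [v[f] for v in vecs]
            m = sum(vals) / len(vals)
            var = sum((x - m) ** 2 for x in vals) / len(vals)
            self.mean[f], self.std[f] = m, max(math.sqrt(var), self.std_floor)

    def score(self, window: List[FlowSample]) -> Dict[str, float]:
        """Per-feature z-scores; a flood drives dst_ip/dst_port entropy down
        and (with spoofed sources) src_ip entropy up."""
        feats = window_features(window)
        return {f: (feats[f] - self.mean[f]) / self.std[f] for f in FEATURES}

    def is_anomalous(self, window: List[FlowSample]) -> bool:
        return any(abs(z) > self.k for z in self.score(window).values())


def benign_samples(rng: random.Random, n: int) -> List[FlowSample]:
    """Constructed benign traffic: ~40 clients talking to 5 servers on common ports."""
    clients = [f"10.0.1.{i}" for i in range(1, 41)]
    servers = [f"10.0.0.{i}" for i in range(1, 6)]
    return [{"src_ip": rng.choice(clients), "dst_ip": rng.choice(servers),
             "dst_port": rng.choice([80, 443, 53, 22]),
             "proto": rng.choice(["TCP", "TCP", "UDP"])} for _ in range(n)]


def flood_samples(rng: random.Random, n: int) -> List[FlowSample]:
    """Constructed flooding traffic: 90% of samples from random (spoofed)
    sources to one victim on one port, mixed with 10% benign samples."""
    out: List[FlowSample] = []
    for _ in range(n):
        if rng.random() < 0.9:
            src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
            out.append({"src_ip": src, "dst_ip": "10.0.0.1", "dst_port": 80, "proto": "TCP"})
        else:
            out.append(benign_samples(rng, 1)[0])
    return out


def run_demo(window_size: int = 200, seed: int = 7) -> Tuple[List[bool], List[bool]]:
    """Train on 20 benign windows, then score 5 benign and 5 flooding windows."""
    rng = random.Random(seed)
    det = EntropyDetector(k=3.0)
    det.fit(windows(benign_samples(rng, window_size * 20), window_size))
    benign_flags = [det.is_anomalous(w) for w in windows(benign_samples(rng, window_size * 5), window_size)]
    attack_flags = [det.is_anomalous(w) for w in windows(flood_samples(rng, window_size * 5), window_size)]
    return benign_flags, attack_flags


if __name__ == "__main__":
    print(run_demo())
```

In a deployment the windows would be filled from sFlow samples or from flow statistics polled by the controller, and the baseline would be refitted periodically so that slow legitimate shifts in the traffic mix (a new popular server, a new subnet) do not accumulate as false positives.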