http://dx.doi.org/10.3837/tiis.2016.09.027

An OpenFlow User-Switch Remapping Approach for DDoS Defense  

Wei, Qiang (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Wu, Zehui (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Ren, Kalei (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Wang, Qingxian (State Key Laboratory of Mathematical Engineering and Advanced Computing)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 10, no. 9, 2016, pp. 4529-4548
Abstract
DDoS attacks have had a devastating effect on the Internet and can cause millions of dollars of damage within hours or even minutes. In this paper we propose a practical dynamic defense approach that overcomes the shortcomings of static defense mechanisms. Our approach employs a group of SDN-based proxy switches to relay data flows between users and servers. By substituting backup proxy switches for attacked ones and reassigning suspect users to the new proxy switches, innocent users are isolated from malicious attackers through a sequence of remapping processes. To speed up attacker segregation, we have designed and implemented an efficient greedy algorithm, which has been shown to have little influence on legitimate traffic. Simulations performed with the open-source controller Ryu show that our approach is effective at alleviating DDoS attacks and quarantining the attackers within a numerable sequence of remapping processes. The simulations also demonstrate that our dynamic defense has little effect on legitimate users and that the overhead introduced by the remapping procedure is acceptable.
Keywords
Cyber security; dynamic defense; software defined network; DDoS attack; greedy algorithm;