Defending DDoS Attacks in Software-Defined Networking Based on Legitimate Source and Destination IP Address Database

Xiulei WANG  Ming CHEN  Changyou XING  Tingting ZHANG  

IEICE TRANSACTIONS on Information and Systems   Vol.E99-D   No.4   pp.850-859
Publication Date: 2016/04/01
Publicized: 2016/01/13
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2015ICP0016
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security)
Category: Network security
Keywords: network security, DDoS attacks, software-defined networking, non-parametric CUSUM


Availability is an important issue in software-defined networking (SDN). In this paper, experiments on an SDN testbed showed that the resource utilization of the data plane and the control plane changed drastically when DDoS attacks occurred, mainly because DDoS attacks send a large number of fake flows into the network in a short time. Based on this observation and analysis, a DDoS defense mechanism based on a legitimate source and destination IP address database is proposed. Firstly, each flow is abstracted as a source-destination IP address pair, and a legitimate source-destination IP address pair database (LSDIAD) is established from a historical normal traffic trace. Then the proportion of new source-destination IP address pairs in the traffic per unit time is accumulated by the non-parametric cumulative sum (CUSUM) algorithm to detect DDoS attacks quickly and accurately. On an alarm from the non-parametric CUSUM, the attack flows are filtered and redirected to a middle-box network for deep analysis via the south-bound API of SDN. An on-line updating policy is adopted to keep the LSDIAD timely and accurate. The mechanism is implemented mainly in the controller, and simulation results show that it performs well in protecting SDN from DDoS attacks.
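The detection pipeline the abstract describes, as an added Python example that is not the paper's code: an LSDIAD learned from a normal trace, the per-window ratio of unseen source-destination pairs, and the non-parametric CUSUM over that ratio with the unknown pairs of the alarming window reported for filtering. The parameters a, beta and h, the sample addresses, and the policy of updating the LSDIAD only while the CUSUM statistic is zero are assumptions, not details taken from the paper.

```python
# Added example, not the paper's code: LSDIAD learning, per-window new-pair
# ratio, non-parametric CUSUM detection and a conservative on-line update.
from typing import Dict, Iterable, List, Set, Tuple

Pair = Tuple[str, str]  # (source IP, destination IP)

def build_lsdiad(normal_trace: Iterable[Pair]) -> Set[Pair]:
    """LSDIAD from a historical trace assumed to be attack-free."""
    return set(normal_trace)

def new_pair_ratio(window: List[Pair], lsdiad: Set[Pair]) -> float:
    """Share of flows in one time window whose (src, dst) pair is unknown."""
    if not window:
        return 0.0
    return sum(1 for p in window if p not in lsdiad) / len(window)

def run_detector(windows: List[List[Pair]], lsdiad: Set[Pair],
                 a: float, beta: float, h: float) -> List[Dict]:
    """Non-parametric CUSUM over the new-pair ratio x_n of each window:
    y_n = max(0, y_{n-1} + x_n - a - beta); a = mean ratio on normal traffic,
    beta = slack pulling y_n back to 0, h = alarm threshold. Assumed on-line
    update: unknown pairs join LSDIAD only while y_n == 0, so flows seen while
    the CUSUM is rising never become legitimate. On alarm, the window's unknown
    pairs are reported as candidates for filtering/redirection."""
    y, results = 0.0, []
    for n, window in enumerate(windows):
        x = new_pair_ratio(window, lsdiad)
        unknown = {p for p in window if p not in lsdiad}
        y = max(0.0, y + x - a - beta)
        alarm = y > h
        if y == 0.0:          # no accumulated deviation: safe to learn new pairs
            lsdiad |= unknown
        results.append({"n": n, "ratio": x, "cusum": y, "alarm": alarm,
                        "suspect_pairs": unknown if alarm else set()})
    return results

# Constructed sample traffic (RFC 5737 documentation addresses), not from the paper.
NORMAL_TRACE = [("192.0.2.1", "198.51.100.10"), ("192.0.2.2", "198.51.100.10"),
                ("192.0.2.3", "198.51.100.20")]

def spoofed(count: int) -> List[Pair]:
    """Flows from never-seen sources to one victim, as a flood would produce."""
    return [(f"203.0.113.{i}", "198.51.100.10") for i in range(1, count + 1)]

WINDOWS = [
    [NORMAL_TRACE[0]] * 8 + [NORMAL_TRACE[1]] * 2,             # ratio 0.0
    [NORMAL_TRACE[0]] * 9 + [("192.0.2.4", "198.51.100.10")],  # one new host: 0.1
    [NORMAL_TRACE[2]] * 10,                                    # ratio 0.0
    [NORMAL_TRACE[0]] * 2 + spoofed(8),                        # flood starts: 0.8
    [NORMAL_TRACE[1]] + spoofed(9),                            # 0.9, CUSUM crosses h
]

def demo() -> List[Dict]:
    """Run the detector on the sample with a=0.05, beta=0.1, h=1.0."""
    return run_detector(WINDOWS, build_lsdiad(NORMAL_TRACE), a=0.05, beta=0.1, h=1.0)
```

Note that the single new legitimate host in the second window is absorbed into the LSDIAD because the statistic stays at zero, while the flood in the fourth window raises the statistic without yet crossing h, so its spoofed pairs are never learned.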