An elapsed-time based scheme for detecting and mitigating DDOS attacks in the SDN environment
Summary: Over the last decade, Distributed Denial of Service (DDoS) attacks have become one of the main Internet security issues and the weapon of choice for hackers, cyber extortionists, and cyber terrorists. A DDoS attack disrupts or degrades network services (by depleting network bandwidth or router processing capacity) or victim resources (by exhausting disk or database bandwidth, file descriptors, buffers, sockets, CPU cycles, or memory) and prevents legitimate users from accessing a specific Internet service. Such attacks hog the victim's resources so that it cannot respond to the services requested by an authenticated user. Amid the rising number of DDoS attacks and the attackers' ability to develop attack types that penetrate traditional protection methods, Software-Defined Networking (SDN) has emerged as an alternative environment for minimizing the damage of such attacks. Making network control directly programmable and abstracting the underlying infrastructure from applications and network services makes the network more flexible and agile. SDN is an emerging network model that has attracted the attention of many researchers working on today's network security issues. Detecting DDoS attacks becomes much easier if we can take advantage of SDN's distinct characteristics, such as centralized control over the infrastructure, the decoupling of the control plane from the data plane, and the flow-based traffic concept. In this research, we use the SDN controller to detect and mitigate DDoS attacks. Various SDN-based DDoS detection solutions have been proposed, but they suffer from performance degradation, particularly the machine learning-based and entropy-based solutions. DDoS detection solutions in SDN based on machine learning techniques and entropy techniques either increase CPU usage or raise the rate of false alarms.

The performance degradation in the existing solutions is caused by the complexity of the techniques used to detect DDoS attacks in SDN, as well as by the parameters these techniques use to distinguish DDoS packets. For example, the existing solutions do not consider the elapsed time between successive attack packets as a key parameter for detecting DDoS attacks in SDN. Furthermore, the existing solutions focus only on detecting flooding DDoS attacks and fail to propose a defense that can detect DDoS attacks that change from high volume to low volume during the attack. Also, few solutions consider the detection of low-rate DDoS attacks in SDN. In this research, we propose an elapsed-time based scheme, an effective and efficient scheme for detecting and mitigating flooding attacks and low-rate attacks in SDN. The elapsed-time based scheme is implemented on the POX controller and evaluated under different attack scenarios. The experimental results confirm that, compared to the machine learning-based and entropy-based solutions discussed in this research, the elapsed-time based scheme reduces overhead by up to 50% while achieving 0% false alarms and more than 99.20% accuracy.