Article Preview
TopIntroduction
The Open Networking Foundation (ONF) a non-profit consortium has promoted SDN and OpenFlow (OF) protocol (McKeown et al., 2008) as a new norm for networks. OpenFlow-based SDN technologies enable IT to address dynamic nature of the current application, reduce operations and management complexity.
However, SDN is still not completely designed. The attributes of centralized control and programmability also bring many challenges, as discussed in (Yan, Zhang, & Vasilakos, 2015). Specially, DDoS attack (Mirkovic, & Reiher, 2004) is still a huge threat to SDN (Kreutz, Ramos, & Verissimo, 2013). This paper focuses on DDoS flooding attack which usually originates from distributed zombies and targets to exhaust victim’s bandwidth or resources. A lot of people have done researches on DDoS detection and migration in SDN e.g., (Braga, Mota, & Passito, 2010) and (Mehdi, Khalid, & Khayam, 2011). Most researches collect the flow tables from the switch and do the anomaly detection in the controller. However, when the network scale becomes larger, the collecting process burdens the communication overload between the switch and the controller (Giotis, Argyropoulos, Androulidakis, Kalogeras, & Maglaris, 2014). And also the attack response time is depended on the polling time (Moshref, Yu, & Govindan, 2014). Sampling technologies, such as sFlow and NetFlow, may relieve this overload, but bring a new tradeoff between sampling rate and detection accuracy.
To protect the victim, as discussed in (Zargar, Joshi, & Tipper, 2013), the system can traceback the real sources of the attack traffic which may use IP Spoofing, filter or mitigate the attack traffic based on the attack signature. IP traceback in traditional network has been well researched e.g., Deterministic Packet Marking (DPM) (Xiang, Zhou, & Guo, 2009) and Probabilistic Packet Marking (PPM) (Park, & Lee, 2001) approaches. Now, it also draws more and more attention in SDN e.g., (Zhang, Reich, & Rexford, 2015) and (Francois, & Festor, 2015). However, these existing works do the traceback relying on the complex algorithms running in the controller and mostly focus on identifying the potential paths of an anomaly.
To deal with the DDoS flooding attack, this paper proposes a complete detection and response mechanism in SDN. In order to lighten the overhead caused by flow collection and detect the DDoS attack proactively at the edge switch, the authors propose an entropy-based distributed detection mechanism. Then leveraging the first ingress edge router’s information provided by DPM and the global topology capacity of the controller, the authors propose a novel SDN IP traceback and source filtering mechanism. The main contributions of this paper can be summarized as follows:
- •
Extending the OF flow entry by adding a copy of the packet number counter and a local host flag, the edge switch can get the flow traffic information during the monitoring period and identify the flow to its local network;
- •
By running DDoS detection mechanism in the OpenFlow edge switch, the heavy communication between the controller and the switch can be reduced;
- •
To the best knowledge of the authors, this paper is among the first combining the DPM with the character of OpenFlow to realize IP traceback system in SDN;
- •
Utilizing the proposed novel communication manner from the victim to the controller, this paper achieves a source filtering mechanism that avoids resource and bandwidth consumption on the intermediate links.
The remainder of this paper is organized as follows. The authors firstly describe the related work, secondly explain the entropy-based distributed DDoS detection mechanism in detail, then state the novel SDN IP traceback and source filtering response mechanism, and then presents the experimental setups and results, and offer the concluding remarks finally.