Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Xiang Chen,Hongyan Liu,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu

DOI: https://doi.org/10.1109/tnet.2023.3281449

2024-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating distributed denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernelbased tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools incur unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for evaluating DDoS defense solutions. The key idea is to leverage the emerging programmable switch to empower testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur offers intent-based primitives to enable academic researchers to customize testing tasks on demand. Moreover, in view of switch resource limitations, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. We have implemented Excalibur on a 64 x 100 Gbps Tofino switch. Our experiments on a 64 x 100 Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Xiang Chen,Hongyan Liu,Tingxin Sun,Qun Huang,Dong Zhang,Xuan Liu,Boyang Zhou,Haifeng Zhou,Chunming Wu

DOI: https://doi.org/10.1109/infocom53939.2023.10229080

2023-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernel-based tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools result in unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for DDoS defense solutions. The key idea is to leverage the programmable switch to perform testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. Our experiments on a 64×100Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Guorui Xie,Qing Li,Chupeng Cui,Peican Zhu,Dan Zhao,Wanxin Shi,Zhuyun Qi,Yong Jiang,Xi Xiao

DOI: https://doi.org/10.1109/srds55811.2022.00029

2022-01-01

Abstract:Though several deep learning (DL) detectors have been proposed for the network attack detection and achieved high accuracy, they are computationally expensive and struggle to satisfy the real-time detection for high-speed networks. Recently, programmable switches exhibit a remarkable throughput efficiency on production networks, indicating a possible deployment of the timely detector. Therefore, we present Soter, a DL enhanced in-network framework for the accurate real-time detection. Soter consists of two phases. One is filtering packets by a rule-based decision tree running on the Tofino ASIC. The other is executing a well-designed lightweight neural network for the thorough inspection of the suspicious packets on the CPU. Experiments on the commodity switch demonstrate that Soter behaves stably in ten network scenarios of different traffic rates and fulfills per-flow detection in 0.03s. Moreover, Soter naturally adapts to the distributed deployment among multiple switches, guaranteeing a higher total throughput for large data centers and cloud networks.

Xiang Chen,Hongyan Liu,Dong Zhang,Qun Huang,Haifeng Zhou,Chunming Wu,Qiang Yang

DOI: https://doi.org/10.1109/mnet.107.2100643

IF: 10.294

2022-01-01

IEEE Network

Abstract:Distributed denial-of-service (DDoS) attacks have long been the most severe and destructive attack on modern networks. Some solutions place several middleboxes that run security-oriented network functions (SNFs) in the network to defend against DDoS attacks. However, middleboxes are proprietary and fixed-function, making them costly and inflexible when handling attack dynamics. Another class of solutions exploits the capability of software-defined networking (SDN) and network function virtualization (NFV) to run virtualized SNFs on commodity servers. This reduces the cost of DDoS attack mitigation while enabling high flexibility by dynamically removing or adding SNF instances. However, this class of solutions sacrifices packet processing performance and incurs non-trivial end-to-end latency, which is unacceptable for many latency-sensitive internet services. Recently, the emergence of programmable switches brings a promising alternative solution: arbitrary SNFs can be directly performed in line-rate ASIC pipelines of programmable switches, enabling low-cost, flexible, and high-performance DDoS attack mitigation. In this article, we present an illustrative survey of recent solutions that leverage programmable switches to provide DDoS attack mitigation. Our survey can help understand how to make full use of the benefits of programmable switches to defend against DDoS attacks.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Jie Ma,Wei Su,Yikun Li,Yihua Peng

DOI: https://doi.org/10.1016/j.future.2023.12.033

IF: 7.307

2024-01-05

Future Generation Computer Systems

Abstract:The availability of SD-IoT is now under complex and serious cyber threats, especially distributed denial-of-service attacks. However, traditional defense schemes suffer from coarse-grained centralized sampling approaches, low accuracy of detection models, and inefficient mitigation methods. In this paper, a novel DDoS defense scheme is proposed, which consists of a high-accuracy detection mechanism based on a Graph Convolutional Neural Network learning model and a mitigation mechanism based on fast traffic migration. In the detection stage, a fine-grained INT sampling approach is utilized to obtain multidimensional network topology and status information. The Graph Convolutional Neural Network learning model detects switches containing DDoS attack traffic with high accuracy because the detection model not only extracts and utilizes multiple temporal and spatial features of the collected information, but also has a better learning and representation capability. In the mitigation stage, the enhanced whitelist with dynamic threshold-based values is automatically adapted to the real-time state of the network environment for enhanced mitigation flexibility. The fast programmable segment rerouting strategy can block attack traffic in time and ensure the continuity of network services. The results of several comparison experiments show that the proposed scheme can detect DDoS attacks more accurately and mitigate them more effectively than traditional schemes.

computer science, theory & methods

Jing Zheng,Qi Li,Guofei Gu,Jiahao Cao,David K. Y. Yau,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2018.2805600

IF: 7.231

2018-07-01

IEEE Transactions on Information Forensics and Security

Abstract:Distributed denial-of-service (DDoS) defense is still a difficult problem though it has been extensively studied. The existing approaches are not capable of detecting various types of DDoS attacks. In particular, new emerging sophisticated DDoS attacks (e.g., Crossfire) constructed by low-rate and short-lived benign traffic are even more challenging to capture. Moreover, it is difficult to enforce realtime defense to throttle these detected attacks since the attack traffic can be concealed in benign traffic. Software defined networking (SDN) opens a new door to address these issues. In this paper, we propose Reinforcing Anti-DDoS Actions in Realtime (RADAR) to detect and throttle DDoS attacks via adaptive correlation analysis built upon unmodified commercial off-the-shelf SDN switches. It is a practical system to defend against a wide range of flooding-based DDoS attacks, e.g., link flooding (including Crossfire), SYN flooding, and UDP-based amplification attacks, while requiring neither modifications in SDN switches/protocols nor extra appliances. It accurately detects attacks by identifying attack features in suspicious flows, and locates attackers (or victims) to throttle the attack traffic by adaptive correlation analysis. We implement RADAR prototype using open source Floodlight controller, and evaluate its performance under various DDoS attacks by real hardware testbed based experiments. We observe that our scheme can successfully detect and effectively defend against various DDoS attacks with acceptable overhead.

computer science, theory & methods,engineering, electrical & electronic

Zaoxing Liu,Hun Namkung,Georgios Nikolaidis,Jeongkeun Lee,Changhoon Kim,Xin Jin,Vladimir Braverman,Minlan Yu,Vyas Sekar

2021-01-01

Abstract:The emergence of programmable switches offers a new opportunity to revisit ISP-scale defenses for volumetric DDoS attacks. In theory, these can offer better cost vs. performance vs. flexibility trade-offs relative to proprietary hardware and virtual appliances. However, the ISP setting creates unique challenges in this regard-we need to run a broad spectrum of detection and mitigation functions natively on the programmable switch hardware and respond to dynamic adaptive attacks at scale. Thus, prior efforts in using programmable switches that assume out-of-band detection and/or use switches merely as accelerators for specific tasks are no longer sufficient, and as such, this potential remains unrealized. To tackle these challenges, we design and implement Jaqen, a switch-native approach for volumetric DDoS defense that can run detection and mitigation functions entirely inline on switches, without relying on additional data plane hardware. We design switch-optimized, resource-efficient detection and mitigation building blocks. We design a flexible API to construct a wide spectrum of best-practice (and future) defense strategies that efficiently use switch capabilities. We build a network-wide resource manager that quickly adapts to the attack posture changes. Our experiments show that Jaqen is orders of magnitude more performant than existing systems: Jaqen can handle large-scale hybrid and dynamic attacks within seconds, and mitigate them effectively at high line-rates (380 Gbps).

Guanyu Li,Menghao Zhang,Shicheng Wang,Chang Liu,Mingwei Xu,Ang Chen,Hongxin Hu,Guofei Gu,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2021.3062621

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Distributed Denial-of-Service (DDoS) attacks have become a critical threat to the Internet. Due to the increasing number of vulnerable Internet of Things (IoT) devices, attackers can easily compromise a large set of nodes and launch high-volume DDoS attacks from the botnets. State-of-the-art DDoS defenses, however, have not caught up with the fast development of the attacks. Middlebox-based defenses can achieve high performance with specialized hardware; however, these defenses incur a high cost, and deploying new defenses typically requires a device upgrade. On the other hand, software-based defenses are highly flexible, but software-based packet processing leads to high performance overheads. In this article, we propose Poseidon, a system that addresses these limitations in today's DDoS defenses. It leverages emerging programmable switches, which can be reconfigured in the field without additional hardware upgrades. Users of Poseidon can specify their defense strategies in a modular fashion in the form of a set of defense primitives; this can be further customized easily for each network and extended to include new defenses. Poseidon then maps the defense primitives to run on programmable switches-and when necessary, on server software-for effective defense. When attacks change, Poseidon can reconfigure the underlying defense primitives to respond to the new attack patterns. Evaluations using our prototype demonstrate that Poseidon can effectively defend against high-volume attacks, easily support customization of defense strategies, and adapt to dynamic attacks with low overheads.

Menghao Zhang,Jun Bi,Jiasong Bai,Guanyu Li

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00101

2018-01-01

Abstract:Software-Defined Networking (SDN) has attracted great attention from both academia and industry. However, the deployment of SDN has faced some critical security issues, such as Denial-of-Service (DoS) attacks on the SDN infrastructure. One such DoS attack is the data-to-control plane saturation attack, where an attacker floods a large number of packets to trigger massive table-misses and packet-in messages in the data plane. This attack can exhaust resources of different components of the SDN infrastructure, including TCAM and buffer memory in the data plane, bandwidth of the control channel, and CPU cycles of the controller. In this paper, we analyze the vulnerability of SDN against the data-to-control plane saturation attack extensively and design FloodShield, a comprehensive, deployable and lightweight SDN defense framework to mitigate this dedicated DoS attack. FloodShield combines the following two techniques: 1) source address validation which filters forged packets directly in the data plane, and 2) stateful packet supervision which monitors traffic states of real addresses and performs dynamic countermeasures based on evaluation scores and network resource usages. Implementations and experiments demonstrate that, compared with previous defense frameworks, FloodShield provides effective protection for all three components of the SDN infrastructure - data plane, control channel and control plane - with less resource consumption.

Gao Shang,Peng Zhe,Xiao Bin,Hu Aiqun,Ren Kui

DOI: https://doi.org/10.1109/infocom.2017.8057009

2017-01-01

Abstract:The separated control and data planes in software-defined networking (SDN) with high programmability introduce a more flexible way to manage and control network traffic. However, SDN will experience long packet delay and high packet loss rate when the communication link between two planes is jammed by SDN-aimed DoS attacks with massive table-miss packets. In this paper, we propose FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks to mitigate DoS attacks. It stands between the controller platform and other controller apps, and can protect both the data and control plane resources by leveraging three new techniques: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to identify attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. All designs of FloodDefender conform to the OpenFlow policy, requiring no additional devices. We implement a prototype of FloodDefender and evaluate its performance in both software and hardware environments. Experimental results show that FloodDefender can efficiently mitigate the SDN-aimed DoS attacks, incurring less than 0.5% CPU computation to handle attack traffic, only 18ms packet delay and 5% packet loss rate under attacks.

Guorui Xie,Qing Li,Chupeng Cui,Ruoyu Li,Lianbo Ma,Zhuyun Qi,Yong Jiang

DOI: https://doi.org/10.1109/TDSC.2024.3402955

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:To improve the accuracy of network attack detection, recent work has proposed deep learning (DL) based detectors. Nonetheless, conventional DL-based solutions are computation-intensive and have to be deployed on high-performance x86 servers, which is inefficient for large-scale networks. Unlike x86 servers, current programmable switches (e.g., P4 switches) support a throughput of Tbps and enable programmable logic in networks, indicating a promising alternative. Therefore, we present Soterv2, an intelligent in-network solution deployed on programmable switches. Soterv2 utilizes a two-phase detection manner. In the first phase, we build a P4 program running on the switch's Tofino ASIC to filter malicious packets from the massive traffic. Then, a DL-based inspection is conducted on the switch's CPU, thoroughly detecting the filtered packets. To improve the filtering performance, we propose to embed the rule-based machine learning model, decision tree, in a single match-action table in the P4 program. We also design a lightweight DL model, Branch Convolution Net, running on a multi-core fashion to speed up the thorough detection. Besides, Soterv2 enables the coordination of distributed switches, covering the detection in a large-scale network. Experiments demonstrate that Soterv2 behaves stably in eight network scenarios of different traffic rates (40/100Gbps) and fulfills per-flow detection in 0.03s.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary