research-article

FlexProtect: A SDN-based DDoS Attack Protection Architecture for Multi-tenant Data Centers

Authors:

Ming-Hung Chen,

Cheng-Fu ChouAuthors Info & Claims

HPCAsia '18: Proceedings of the International Conference on High Performance Computing in Asia-Pacific Region

Pages 202 - 209

https://doi.org/10.1145/3149457.3149476

Published: 28 January 2018 Publication History

Abstract

With the recent advances in software-defined networking (SDN), the multi-tenant data centers provide more efficient and flexible cloud platform to their subscribers. However, as the number, scale, and diversity of distributed denial-of-service (DDoS) attack is dramatically escalated in recent years, the availability of those platforms is still under risk. We note that the state-of-art DDoS protection architectures did not fully utilize the potential of SDN and network function virtualization (NFV) to mitigate the impact of attack traffic on data center network. Therefore, in this paper, we exploit the flexibility of SDN and NFV to propose FlexProtect, a flexible distributed DDoS protection architecture for multi-tenant data centers. In FlexProtect, the detection virtual network functions (VNFs) are placed near the service provider and the defense VNFs are placed near the edge routers for effectively detection and avoid internal bandwidth consumption, respectively. Based on the architecture, we then propose FP-SYN, an anti-spoofing SYN flood protection mechanism. The emulation and simulation results with real-world data demonstrates that, compared with the traditional approach, the proposed architecture can significantly reduce 46% of the additional routing path and save 60% internal bandwidth consumption. Moreover, the proposed detection mechanism for anti-spoofing can achieve 98% accuracy.

References

[1]

602 gbps! this may have been the largest ddos attack in history 2016. Swati Khandelwal. 602 gbps! this may have been the largest ddos attack in history. {Online}. Available: http://thehackernews.com/2016/01/biggest-ddos-attack.html. (2016).

[2]

Mohammad Al-Fares, Alexander Loukissas, and Amin Vahdat. 2008. A scalable, commodity data center network architecture. ACM SIGCOMM Computer Communication Review 38, 4 (2008), 63--74.

Digital Library

[3]

Atlas Q2 2015 update 2015. Atlas Q2 2015 update. {Online}. Available: http://www.slideshare.net/ArborNetworks/atlasq2-2015final. (2015).

[4]

ATLAS Summary Report: Global Denial of Service 2016. A. Networks. ATLAS Summary Report: Global Denial of Service. {Online}. Available: http://atlas.arbor.net/summary/dos/. (2016).

[5]

R. R. R. Barbosa, R. Sadre, A. Pras, and R. van de Meent. 2010. Simpleweb/University of Twente Traffic Traces Data Repository. Technical Report TR-CTIT-10-19.

[6]

BGPlay 2013. RIPEstat-RIPEStat BGPlay. {Online}. Available: https://stat.ripe.net/special/bgplay/. (2013).

[7]

Center for Applied Internet Data Analysis 2017. Center for Applied Internet Data Analysis. {Online}. Available: http://www.caida.org/data/overview/. (2017).

[8]

Seyed K Fayaz, Yoshiaki Tobioka, Vyas Sekar, and Michael Bailey. 2015. Bohatei: Flexible and elastic DDoS defense. In 24th USENIX Security Symposium (USENIX Security 15). 817--832.

Digital Library

[9]

Carol J Fung and Bill McCormick. 2015. VGuard: A distributed denial of service attack mitigation method using network function virtualization. In Network and Service Management (CNSM), 2015 11th International Conference on. IEEE, 64--70.

Digital Library

[10]

AHM Jakaria, Wei Yang, Bahman Rashidi, Carol Fung, and M Ashiqur Rahman. 2016. VFence: A Defense against Distributed Denial of Service Attacks Using Network Function Virtualization. In Computer Software and Applications Conference (COMPSAC), 2016 IEEE 40th Annual, Vol. 2. IEEE, 431--436.

[11]

S. Knight, H.X. Nguyen, N. Falkner, R. Bowden, and M. Roughan. 2011. The Internet Topology Zoo. Selected Areas in Communications, IEEE Journal on 29, 9 (october 2011), 1765--1775.

[12]

Jelena Mirkovic and Peter Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review 34, 2 (2004), 39--53.

Digital Library

[13]

RFC 2827 2000. RFC 2827 Network Ingress Filtering. {Online}. Available: https://www.ietf.org/rfc/rfc2827.txt. (2000).

[14]

RFC 3704 2004. RFC 3704 Ingress Filtering for Multihomed Networks. {Online}. Available: https://www.ietf.org/rfc/rfc3704.txt. (2004).

[15]

State of IP Spoofing 2017. State of IP Spoofing. {Online}. Available: https://spoofer.caida.org/summary.php. (2017).

[16]

Haining Wang, Cheng Jin, and Kang G Shin. 2007. Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Transactions on Networking (ToN) 15, 1 (2007), 40--53.

Digital Library

[17]

Qiao Yan, F Richard Yu, Qingxiang Gong, and Jianqiang Li. 2016. Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges. IEEE Communications Surveys & Tutorials 18, 1 (2016), 602--622.

Digital Library

[18]

Saman Taghavi Zargar, James Joshi, and David Tipper. 2013. A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials 15, 4 (2013), 2046--2069.

Cited By

MAN WYANG GFENG S(2024)Joint Selfattention-SVM DDoS Attack Detection and Defense Mechanism Based on Self-Attention Mechanism and SVM Classification for SDN NetworksIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences10.1587/transfun.2023EAP1057E107.A:6(881-889)Online publication date: 1-Jun-2024
https://doi.org/10.1587/transfun.2023EAP1057
Jain AShukla HGoel D(2024)A comprehensive survey on DDoS detection, mitigation, and defense strategies in software-defined networksCluster Computing10.1007/s10586-024-04596-z27:9(13129-13164)Online publication date: 22-Jun-2024
https://doi.org/10.1007/s10586-024-04596-z
Sheldon JZhu WAbdullah AButler KIslam MRampazzi STarasov VZhang YAnwar AMi N(2023)Deep Note: Can Acoustic Interference Damage the Availability of Hard Disk Storage in Underwater Data Centers?Proceedings of the 15th ACM Workshop on Hot Topics in Storage and File Systems10.1145/3599691.3603403(51-57)Online publication date: 9-Jul-2023
https://dl.acm.org/doi/10.1145/3599691.3603403
Show More Cited By

Index Terms

FlexProtect: A SDN-based DDoS Attack Protection Architecture for Multi-tenant Data Centers
1. Networks

Recommendations

Joint Switch Upgrade and VNF Placement for NFV-Based SDNs
Wireless Algorithms, Systems, and Applications
Abstract
With the centralized control of SDN, operators can easily manage the network and flexibly forward flows to achieve certain objects for Network Functions Virtualization (NFV). Previous works focus on placing Virtual Network Functions (VNFs) in pure ...
Countering ARP spoofing attacks in software-defined networks using a game-theoretic approach
Abstract
The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ...
System for DDoS attack mitigation by discovering the attack vectors through statistical traffic analysis

DDoS attacks are becoming an increasing threat to the internet due to the easy availability of user-friendly attack tools. In meantime defending from such attacks is very difficult, because it is very hard to differentiate between the legitimate traffic ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

HPCAsia '18: Proceedings of the International Conference on High Performance Computing in Asia-Pacific Region

January 2018

322 pages

ISBN:9781450353724

DOI:10.1145/3149457

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

SIGHPC: ACM Special Interest Group on High Performance Computing, Special Interest Group on High Performance Computing
IPSJ: Information Processing Society of Japan
Cybermedia Center, Osaka University: Cybermedia Center, Osaka University

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 January 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Funding Sources

Ministry of Science and Technology, Taiwan

Conference

HPC Asia 2018

HPC Asia 2018: International Conference on High Performance Computing in Asia-Pacific Region

January 28 - 31, 2018

Tokyo, Chiyoda, Japan

Acceptance Rates

HPCAsia '18 Paper Acceptance Rate 30 of 67 submissions, 45%;

Overall Acceptance Rate 69 of 143 submissions, 48%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
288
Total Downloads

Downloads (Last 12 months)19
Downloads (Last 6 weeks)1

Reflects downloads up to 06 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

MAN WYANG GFENG S(2024)Joint Selfattention-SVM DDoS Attack Detection and Defense Mechanism Based on Self-Attention Mechanism and SVM Classification for SDN NetworksIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences10.1587/transfun.2023EAP1057E107.A:6(881-889)Online publication date: 1-Jun-2024
https://doi.org/10.1587/transfun.2023EAP1057
Jain AShukla HGoel D(2024)A comprehensive survey on DDoS detection, mitigation, and defense strategies in software-defined networksCluster Computing10.1007/s10586-024-04596-z27:9(13129-13164)Online publication date: 22-Jun-2024
https://doi.org/10.1007/s10586-024-04596-z
Sheldon JZhu WAbdullah AButler KIslam MRampazzi STarasov VZhang YAnwar AMi N(2023)Deep Note: Can Acoustic Interference Damage the Availability of Hard Disk Storage in Underwater Data Centers?Proceedings of the 15th ACM Workshop on Hot Topics in Storage and File Systems10.1145/3599691.3603403(51-57)Online publication date: 9-Jul-2023
https://dl.acm.org/doi/10.1145/3599691.3603403
Taheri RAhmed HArslan E(2023)Deep learning for the security of software-defined networks: a reviewCluster Computing10.1007/s10586-023-04069-926:5(3089-3112)Online publication date: 15-Jul-2023
https://dl.acm.org/doi/10.1007/s10586-023-04069-9
Ayodele BButtigieg V(2023)SDN as a defence mechanism: a comprehensive surveyInternational Journal of Information Security10.1007/s10207-023-00764-123:1(141-185)Online publication date: 6-Oct-2023
https://doi.org/10.1007/s10207-023-00764-1
Tahirou AKonate K(2023)A Survey of the Security and DDoS Attacks in the Software Defined NetworkInnovations in Smart Cities Applications Volume 610.1007/978-3-031-26852-6_40(426-441)Online publication date: 2-Mar-2023
https://doi.org/10.1007/978-3-031-26852-6_40
Neto EDadkhah SGhorbani A(2022)Collaborative DDoS Detection in Distributed Multi-Tenant IoT using Federated Learning2022 19th Annual International Conference on Privacy, Security & Trust (PST)10.1109/PST55820.2022.9851984(1-10)Online publication date: 22-Aug-2022
https://doi.org/10.1109/PST55820.2022.9851984
Maleh YQasmaoui YEl Gholami KSadqi YMounir S(2022)A comprehensive survey on SDN security: threats, mitigations, and future directionsJournal of Reliable Intelligent Environments10.1007/s40860-022-00171-89:2(201-239)Online publication date: 8-Feb-2022
https://doi.org/10.1007/s40860-022-00171-8
Swami RDave MRanga V(2019)Software-defined Networking-based DDoS Defense MechanismsACM Computing Surveys10.1145/330161452:2(1-36)Online publication date: 9-Apr-2019
https://dl.acm.org/doi/10.1145/3301614

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents