IP Source Lockdown to Detect and Mitigate Multi-Destination, Multi-Port, Multi-Protocol DDoS Attacks in SDN

Abstract

Distributed Denial of Service (DDoS) attack is not a new attack and remains a challenging task. It has already been addressed by researchers and a lot of work has been done in this direction. Most of the work in Software-Defined-Network (SDN) environment focused on legacy DDoS attacks where targets are end servers. Legacy DDoS attack traffics are associated with a single destination and mostly the solutions are around this characteristic. In the case of SDN, the target is SDN controller plane whose overcharging brings the network to a complete halt. An attacker can achieve this by customizing Multi-Destination, Multi-Port, Multi-Protocol DDoS (MMMD) attack traffic to force the data plane to push more messages to the controller plane. In this paper, we have considered MMMD attack traffic which is just like normal traffic but has the potential to paralyze the complete SDN based networking infrastructure. In the contribution of this work, we have created MMMD traffic and proposed a model named “Simple, Lightweight DDoS Detection and Mitigation model in Software Defined Network” (SLDDM) to combat MMMD traffic in the SDN environment. SLDDM is based on the implementation of IP source-lockdown in SDN environment to detect and mitigate malicious traffic originating from spoof/legitimate IPs. The proposed model has been evaluated under different scenarios and compared with standard models in the literature. SLDDM brings down average response time in establishing https connections by legitimate hosts under attack scenario from 31 seconds to 0.054 seconds. It has been evaluated that the SLDDM keeps the SDN controller healthy and responsive to legitimate hosts under attack conditions.