SDNFV-Based DDoS Detection and Remediation in Multi-tenant, Virtualised Infrastructures

Chapter
Guide to Security in SDN and NFV

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

As ICT resources are increasingly hosted over cloud data centre infrastructures, distributed denial of service (DDoS) attacks are becoming a major concern for cloud service providers and tenants. The lack of physical resource isolation over a cloud environment exposes nontargeted tenants to indirect performance degradation while it is increasingly challenging to distinguish between safe (e.g. internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance and high-cost bespoke appliances (middleboxes) in fixed locations of the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in.

In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit the latest advances in network functions virtualisation (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions (NFs) where and when they are required, protecting the infrastructure at the onset of a DDoS attack. We rely on the network-wide, logically centralised management of traffic and network services provided by software-defined networking (SDN) both to place the NFs and to (re)route traffic to them. Using the example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that duplicates and places security modules dynamically in order to remediate the performance impact of the attack on the underlying infrastructure.
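To make the orchestration idea concrete, the following is an added illustration (not the chapter's code, nor the authors' UofG-netlab repository): a toy orchestrator that detects attack onset from a victim's packet rate, sizes a pool of lightweight scrubber NFs to the attack volume, places the replicas across hosts with spare capacity, and emits the OpenFlow-style steering entries an SDN controller would push. The 3x-baseline onset rule, the one-NF-per-vCPU assumption and the port names are hypothetical.

```python
from dataclasses import dataclass
import math


@dataclass
class Host:
    name: str
    free_cpu: int  # spare vCPUs; assume one lightweight scrubber NF per vCPU


@dataclass
class Plan:
    replicas: int
    placement: dict  # host name -> number of scrubber NF replicas placed there
    flow_rules: list  # steering entries an SDN controller would install
    group_buckets: list  # scrubber attachment ports of a "select" group


def plan_remediation(rate_pps, baseline_pps, nf_capacity_pps, hosts, victim_ip):
    """Return None while traffic is normal; otherwise size, place and steer.

    Onset rule (assumed, not the chapter's): victim-bound packet rate above
    three times its baseline. The scrubber pool is sized to the full attack
    rate so that no single host absorbs the excess on behalf of its tenants.
    """
    if rate_pps <= 3 * baseline_pps:
        return None
    replicas = math.ceil(rate_pps / nf_capacity_pps)
    placement, remaining = {}, replicas
    # Greedy placement: fill the hosts with the most spare CPU first, so the
    # security NFs themselves do not degrade co-located, non-targeted tenants.
    for host in sorted(hosts, key=lambda h: h.free_cpu, reverse=True):
        n = min(remaining, host.free_cpu)
        if n:
            placement[host.name] = n
            remaining -= n
        if not remaining:
            break
    if remaining:
        raise RuntimeError(f"{remaining} scrubber replica(s) cannot be placed")
    # OpenFlow-style steering: one high-priority rule sends victim-bound
    # traffic to a "select" group whose buckets are the scrubber ports, so
    # flows are load-shared across replicas (port names are placeholders).
    buckets = [f"{h}-scrubber{i}" for h, n in placement.items() for i in range(n)]
    flow_rules = [{"priority": 100, "match": {"ipv4_dst": victim_ip},
                   "actions": [f"group:{victim_ip}"]}]
    return Plan(replicas, placement, flow_rules, buckets)


if __name__ == "__main__":
    # Constructed sample: 25k pps against a 1k pps baseline, 10k pps per NF
    print(plan_remediation(25000, 1000, 10000, [Host("h1", 2), Host("h2", 1)], "10.0.0.5"))
```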

Notes

  1. https://osrg.github.io/ryu/
  2. https://www.opendaylight.org
  3. http://onosproject.org
  4. https://dpdk.org
  5. Source code and instructions to replicate this experiment are available at https://github.com/UofG-netlab/sdnfv-ddos

Acknowledgements

The work has been supported in part by the UK Engineering and Physical Sciences Research Council (EPSRC) projects EP/L026015/1, EP/N033957/1, EP/P004024/1 and EP/L005255/1 and by the European Cooperation in Science and Technology (COST) Action CA 15127: RECODIS – Resilient communication services protecting end-user applications from disaster-based failures.

Correspondence to Abeer Ali .

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Ali, A., Cziva, R., Jouët, S., Pezaros, D.P. (2017). SDNFV-Based DDoS Detection and Remediation in Multi-tenant, Virtualised Infrastructures. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_7

  • DOI: https://doi.org/10.1007/978-3-319-64653-4_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64652-7

  • Online ISBN: 978-3-319-64653-4
