Abstract
Distributed denial-of-service (DDoS) attacks have become a weapon of choice for hackers, cyber extortionists, and cyber terrorists. These attacks can swiftly incapacitate a victim, causing huge revenue losses. Despite the large number of traditional mitigation solutions that exist today, DDoS attacks continue to grow in frequency, volume, and severity. This calls for a new network paradigm to address the requirements of today’s challenging security threats. Software-defined networking (SDN) is an emerging network paradigm which has gained significant traction among many researchers as a way to address the requirements of today’s data centers. Inspired by the capabilities of SDN, we present a comprehensive survey of existing SDN-based DDoS attack detection and mitigation solutions. We classify solutions based on DDoS attack detection techniques and identify the requirements of an effective solution. Based on our findings, we propose a novel framework for the detection and mitigation of DDoS attacks in a large-scale network comprising a smart city built on SDN infrastructure. Our proposed framework is capable of meeting application-specific DDoS attack detection and mitigation requirements. The primary contribution of this paper is twofold. First, we provide an in-depth survey and discussion of SDN-based DDoS attack detection and mitigation mechanisms, and we classify them with respect to the detection techniques. Second, leveraging the characteristics of SDN for network security, we propose and present an SDN-based proactive DDoS Defense Framework (ProDefense). We show how this framework can be utilized to secure applications built for smart cities. Moreover, the paper highlights open research challenges, future research directions, and recommendations related to SDN-based DDoS detection and mitigation.
Cite this article
Bawany, N.Z., Shamsi, J.A. & Salah, K. DDoS Attack Detection and Mitigation Using SDN: Methods, Practices, and Solutions. Arab J Sci Eng 42, 425–441 (2017). https://doi.org/10.1007/s13369-017-2414-5
DOI: https://doi.org/10.1007/s13369-017-2414-5