SDNFV-Based DDoS Detection and Remediation in Multi-tenant, Virtualised Infrastructures

  • Abeer AliEmail author
  • Richard Cziva
  • Simon Jouët
  • Dimitrios P. Pezaros
Part of the Computer Communications and Networks book series (CCN)


As ICT resources are increasingly hosted over cloud data centre infrastructures, distributed denial of service (DDoS) attacks are becoming a major concern for cloud service providers and tenants. The lack of physical resource isolation over a cloud environment exposes nontargeted tenants to indirect performance degradation while it is increasingly challenging to distinguish between safe (e.g. internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance and high-cost bespoke appliances (middleboxes) in fixed locations of the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in.

In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit latest advances in network functions virtualisation (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions where and when required to protect the infrastructure at the onset of DDoS attacks. We rely on the network-wide, logically centralised management of traffic and network services provided by software-defined networking (SDN) for the placement of NFs and to (re)route traffic to them. Using an example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic security module duplication and placement to remediate the performance impact of the attack on the underlying infrastructure.



The work has been supported in part by the UK Engineering and Physical Sciences Research Council (EPSRC) projects EP/L026015/1, EP/N033957/1, EP/P004024/1 and EP/L005255/1 and by the European Cooperation in Science and Technology (COST) Action CA 15127: RECODIS – Resilient communication services protecting end-user applications from disaster-based failures.


  1. 1.
    AbuHmed T, Mohaisen A, Nyang D (2008) A survey on deep packet inspection for intrusion detection systems. arXiv preprint arXiv:0803.0037Google Scholar
  2. 2.
    Akamai, Akamai state of the internet security report (2016). Accessed on 18 Nov 2016
  3. 3.
    Alosaimi W, Alshamrani M, Al-Begain K (2015) Simulation-based study of distributed denial of service attacks prevention in the cloud. In: 2015 9th international conference on next generation mobile applications, services and technologies. IEEE, pp 0–65Google Scholar
  4. 4.
    Anwer B, Benson T, Feamster N, Levin D (2015) Programming Slick network functions. In: Proceedings of the 1st ACM SIGCOMM symposium on software defined networking research. ACM, p 14Google Scholar
  5. 5.
    Basile C, Pitscheider C, Risso F, Valenza F, Vallini M (2015) Towards the dynamic provision of virtualized security services. In: Cyber security and privacy forum. Springer, Cham, pp 65–76Google Scholar
  6. 6.
    Baumgartner K, Elasticsearch Vuln abuse on Amazon cloud and more for DDoS and profit – Kasperskylab Blog.
  7. 7.
    Bereziński P, Jasiul B, Szpyrka M (2015) An entropy-based network anomaly detection method. Entropy 17(4):2367–2408Google Scholar
  8. 8.
    Bhuyan MH, Bhattacharyya DK, Kalita JK (2014) Network anomaly detection: methods, systems and tools. IEEE Commun Surv Tutorials 16(1):303–336Google Scholar
  9. 9.
    Bosshart P, Daly D, Gibb G, Izzard M, McKeown N, Rexford J, Schlesinger C, Talayco D, Vahdat A, Varghese G et al (2014) P4: programming protocol-independent packet processors. ACM SIGCOMM Comput Commun Rev 44(3):87–95Google Scholar
  10. 10.
    Bremler-Barr A, Harchol Y, Hay D (2016) Openbox: a software-defined framework for developing, deploying, and managing network functions. In: Proceedings of the 2016 conference on ACM SIGCOMM, SIGCOMM’16. ACM, New York, pp 511–524.,
  11. 11.
    Cabaj K, Wytrebowicz J, Kuklinski S, Radziszewski P, Dinh KT (2014) SDN architecture impact on network security. In: FedCSIS position papers, pp 143–148Google Scholar
  12. 12.
  13. 13.
    Cziva R, Pezaros D (2017, in press) Container network functions: bringing NFV to the network edge. IEEE Commun Mag Adv Netw Softw.
  14. 14.
    Cziva R, Jouet S, White KJS, Pezaros DP (2015) Container-based network function virtualization for software-defined networks. In: 2015 IEEE symposium on computers and communication (ISCC), pp 415–420.
  15. 15.
    Cziva R, Jouet S, Pezaros DP (2015) GNFC: towards network function cloudification. In: 2015 IEEE conference on network function virtualization and software defined network (NFV-SDN), pp 142–148.
  16. 16.
    Cziva R, Jouet S, Pezaros DP (2016) Roaming edge vNFs using glasgow network functions. In: Proceedings of the 2016 ACM SIGCOMM conference, SIGCOMM’16. ACM, New York, pp 601–602.,
  17. 17.
    Cziva R, Jout S, Stapleton D, Tso FP, Pezaros DP (2016) SDN-based virtual machine management for cloud data centers. IEEE Trans Netw Serv Manag 13(2):212–225.
  18. 18.
  19. 19.
    Douligeris C, Mitrokotsa A (2004) DDoS attacks and defense mechanisms: classification and state-of-the-art. Comput Netw 44(5):643–666Google Scholar
  20. 20.
    Enguehard M (2016) Thyper-NF: synthesizing chains of virtualized network functions. Master’s thesis, School of Information and Communication Technology, KTH Royal Institute of TechnologyGoogle Scholar
  21. 21.
    Foundation L (2017) Linux foundation open vswitch. https://LinuxFoundationOpenvSwitch. Accessed on 28 Mar 2017Google Scholar
  22. 22.
    Gember A, Krishnamurthy A, John SS, Grandl R, Gao X, Anand A, Benson T, Akella A, Sekar V (2013) Stratos: a network-aware orchestration layer for middleboxes in the cloud. Technical reportGoogle Scholar
  23. 23.
    Giotis K, Kryftis Y, Maglaris V (2015) Policy-based orchestration of NFV services in software-defined networks. In: 2015 1st IEEE conference on network softwarization (NetSoft). IEEE, pp 1–5Google Scholar
  24. 24.
    Gupta BB, Badve OP (2016) Taxonomy of DoS and DDoS attacks and desirable defense mechanism in a cloud computing environment. Neural Comput Appl 1–28.,
  25. 25.
    Hilton S, Dyn Analysis Summary Of Friday October 21 Attack — Dyn Blog.
  26. 26.
    Idziorek J, Tannian M, Jacobson D (2011) Detecting fraudulent use of cloud resources. In: Proceedings of the 3rd ACM workshop on cloud computing security workshop. ACM, pp 61–72Google Scholar
  27. 27.
    Jammal M, Singh T, Shami A, Asal R, Li Y (2014) Software defined networking: state of the art and research challenges. Comput Netw 72:74–98CrossRefGoogle Scholar
  28. 28.
    Joseph DA, Tavakoli A, Stoica I (2008) A policy-aware switching layer for data centers. In: Proceedings of the ACM SIGCOMM 2008 conference on data communication, SIGCOMM’08. ACM, New York, pp 51–62.,
  29. 29.
    Krebs B, Krebs on Security website.
  30. 30.
    Kumar MN, Sujatha P, Kalva V, Nagori R, Katukojwala AK, Kumar M (2012) Mitigating economic denial of sustainability (EDoS) in cloud computing using in-cloud scrubber service. In: 2012 fourth international conference on computational intelligence and communication networks (CICN). IEEE, pp 535–539Google Scholar
  31. 31.
    Lakhina A, Crovella M, Diot C (2005) Mining anomalies using traffic feature distributions. SIGCOMM Comput Commun Rev 35(4):217–228.,
  32. 32.
    Lazarevic A, Ertöz L, Kumar V, Ozgur A, Srivastava J (2003) A comparative study of anomaly detection schemes in network intrusion detection. In: SDM. SIAM, pp 25–36Google Scholar
  33. 33.
    Liu AX (2005) A model of stateful firewalls and its properties. In: Proceedings of the 2005 international conference on dependable systems and networks, DSN’05. IEEE Computer Society, Washington, DC, pp 128–137.,
  34. 34.
    Martins J, Ahmed M, Raiciu C, Olteanu V, Honda M, Bifulco R, Huici, F (2014) Clickos and the art of network function virtualization. In: Proceedings of the 11th USENIX conference on networked systems design and implementation, NSDI’14. USENIX Association, Berkeley, pp 459–473. Google Scholar
  35. 35.
    Mijumbi R, Serrat J, Gorricho JL, Bouten N, De Turck F, Boutaba R (2015) Network function virtualization: state-of-the-art and research challenges. IEEE Commun Surv Tutorials 18(1):236–262CrossRefGoogle Scholar
  36. 36.
    Mininet, Mininet (2017). Accessed on 24 Mar 2017
  37. 37.
    Modi C, Patel D, Borisaniya B, Patel H, Patel A, Rajarajan M (2013) A survey of intrusion detection techniques in cloud. J Netw Comput Appl 36(1):42–57.,
  38. 38.
    Motive Security Labs (2014) Motive Malware Report 2014 H2. Technical report, Motive Security Labs. Google Scholar
  39. 39.
    Osanaiye O, Choo KKR, Dlodlo M (2016) Distributed denial of service (DDoS) resilience in cloud: review and conceptual cloud ddos mitigation framework. J Netw Comput Appl 67:147–165CrossRefGoogle Scholar
  40. 40.
    Qazi ZA, Tu CC, Chiang L, Miao R, Sekar V, Yu M (2013) Simple-fying middlebox policy enforcement using SDN. SIGCOMM Comput Commun Rev 43(4):27–38.,
  41. 41.
    Shea R, Liu J (2013) Performance of virtual machines under networked denial of service attacks: experiments and analysis. IEEE Syst J 7(2):335–345. CrossRefGoogle Scholar
  42. 42.
    Sherry J, Hasan S, Scott C, Krishnamurthy A, Ratnasamy S, Sekar V (2012) Making middleboxes someone else’s problem: network processing as a cloud service. In: Proceedings of the ACM SIGCOMM 2012 conference on applications, technologies, architectures, and protocols for computer communication, SIGCOMM’12, ACM, New York, pp 13–24.,
  43. 43.
    Shin S, Wang H, Gu G (2015) A first step toward network security virtualization: from concept to prototype. IEEE Trans Inf Forensics Secur 10(10):2236–2249CrossRefGoogle Scholar
  44. 44.
    Snort intrusion detection system.
  45. 45.
    Somani G, Gaur MS, Sanghi D (2015) DDoS/EDoS attack in cloud: affecting everyone out there! In: Proceedings of the 8th international conference on security of information and networks, SIN’15. ACM, New York, pp 169–176.,
  46. 46.
    Somani G, Gaur MS, Sanghi D, Conti M, Buyya R (2015) DDoS attacks in cloud computing: issues, taxonomy, and future directions. arXiv preprint arXiv:1512.08187Google Scholar
  47. 47.
    Specht SM, Lee RB (2004) Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In: ISCA PDCS, pp 543–550Google Scholar
  48. 48.
    Tartakovsky AG, Rozovskii BL, Blazek RB, Kim H (2006) A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Trans Signal Process 54(9):3372–3382CrossRefzbMATHGoogle Scholar
  49. 49.
    The Bro Network Security Monitor.
  50. 50.
    The Suricata open source IDS, IPS, and NSM.
  51. 51.
    VivinSandar S, Shenai S (2012) Economic denial of sustainability (EDoS) in cloud services using http and xml based DDoS attacks. Int J Comput Appl 41(20):11–16Google Scholar
  52. 52.
    Wang B, Zheng Y, Lou W, Hou YT (2015) {DDoS} attack protection in the era of cloud computing and software-defined networking. Comput Netw 81:308–319.,
  53. 53.
    White KJ, Pezaros D, Denney E, Knudson M, Marnerides AK (2017) A programmable SDN+NFV-based architecture for uav telemetry monitoring.
  54. 54.
    Wong F, Tan CX (2014) A survey of trends in massive DDoS attacks and cloud-based mitigations. Int J Netw Secur Appl 6(3):57Google Scholar
  55. 55.
    Yan Q, Yu FR (2015) Distributed denial of service attacks in software-defined networking with cloud computing. IEEE Commun Mag 53(4):52–59CrossRefGoogle Scholar
  56. 56.
    Yan Q, Yu FR, Gong Q, Li J (2016) Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tutorials 18(1):602–622. CrossRefGoogle Scholar
  57. 57.
    Yoon C, Park T, Lee S, Kang H, Shin S, Zhang Z (2015) Enabling security functions with SDN: a feasibility study. Comput Netw 85:19–35.,
  58. 58.
    Yoshida M, Shen W, Kawabata T, Minato K, Imajuku W (2014) Morsa: a multi-objective resource scheduling algorithm for NFV infrastructure. In: 2014 16th Asia-Pacific network operations and management symposium (APNOMS). IEEE, pp 1–6Google Scholar
  59. 59.
    Zapechnikov S, Miloslavskaya N, Tolstoy A (2015) Modeling of next-generation firewalls as queueing services. In: Proceedings of the 8th international conference on security of information and networks, SIN’15. ACM, New York, pp 250–257.,
  60. 60.
    Zargar ST, Joshi J, Tipper D (2013) A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun Surv Tutorials 15(4):2046–2069CrossRefGoogle Scholar
  61. 61.
    Zhang Y, Beheshti N, Beliveau L, Lefebvre G, Manghirmalani R, Mishra, R, Patneyt R, Shirazipour M, Subrahmaniam R, Truchan C, Tatipamula M (2013) Steering: a software-defined networking for inline service chaining. In: 2013 21st IEEE international conference on network protocols (ICNP), pp 1–10.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Abeer Ali
    • 1
    Email author
  • Richard Cziva
    • 1
  • Simon Jouët
    • 1
  • Dimitrios P. Pezaros
    • 1
  1. 1.School of Computing ScienceUniversity of GlasgowGlasgowUK

Personalised recommendations