Flooding DDoS mitigation and traffic management with software defined networking

Aapo Kalliola, Kiryong Lee, Heejo Lee, Tuomas Aura

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

23 Citations (Scopus)

Abstract

Mitigating distributed denial-of-service attacks can be a complex task due to the wide range of attack types, attacker adaptation, and defender constraints. We propose a defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks. Our mechanism combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack. We implement the mechanism and analyze its performance on a physical SDN testbed using a comprehensive set of real-life normal traffic traces and synthetic attack traces. The results indicate that the mechanism is effective in maintaining roughly 50% to 80% service levels even when hit by an overwhelming attack.

Original language: English
Title of host publication: 2015 IEEE 4th International Conference on Cloud Networking, CloudNet 2015
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 248-254
Number of pages: 7
ISBN (Print): 9781467395014
DOIs: https://doi.org/10.1109/CloudNet.2015.7335317
Publication status: Published - 2015 Nov 20
Event: 4th IEEE International Conference on Cloud Networking, CloudNet 2015 - Falls, Canada
Duration: 2015 Oct 5 to 2015 Oct 7

Other

Other: 4th IEEE International Conference on Cloud Networking, CloudNet 2015
Country: Canada
City: Falls
Period: 15/10/5 to 15/10/7

Fingerprint

Telecommunication traffic
Testbeds
Elasticity
Software defined networking
Denial-of-service attack

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Kalliola, A., Lee, K., Lee, H., & Aura, T. (2015). Flooding DDoS mitigation and traffic management with software defined networking. In 2015 IEEE 4th International Conference on Cloud Networking, CloudNet 2015 (pp. 248-254). [7335317] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CloudNet.2015.7335317

@inproceedings{c8295c5d16db44499eb28d0c80dbc11e,
title = "Flooding DDoS mitigation and traffic management with software defined networking",
abstract = "Mitigating distributed denial-of-service attacks can be a complex task due to the wide range of attack types, attacker adaptation, and defender constraints. We propose a defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks. Our mechanism combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack. We implement the mechanism and analyze its performance on a physical SDN testbed using a comprehensive set of real-life normal traffic traces and synthetic attack traces. The results indicate that the mechanism is effective in maintaining roughly 50{\%} to 80{\%} service levels even when hit by an overwhelming attack.",
author = "Aapo Kalliola and Kiryong Lee and Heejo Lee and Tuomas Aura",
year = "2015",
month = "11",
day = "20",
doi = "10.1109/CloudNet.2015.7335317",
language = "English",
isbn = "9781467395014",
pages = "248--254",
booktitle = "2015 IEEE 4th International Conference on Cloud Networking, CloudNet 2015",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - Flooding DDoS mitigation and traffic management with software defined networking

AU - Kalliola, Aapo

AU - Lee, Kiryong

AU - Lee, Heejo

AU - Aura, Tuomas

PY - 2015/11/20

Y1 - 2015/11/20

N2 - Mitigating distributed denial-of-service attacks can be a complex task due to the wide range of attack types, attacker adaptation, and defender constraints. We propose a defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks. Our mechanism combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack. We implement the mechanism and analyze its performance on a physical SDN testbed using a comprehensive set of real-life normal traffic traces and synthetic attack traces. The results indicate that the mechanism is effective in maintaining roughly 50% to 80% service levels even when hit by an overwhelming attack.

AB - Mitigating distributed denial-of-service attacks can be a complex task due to the wide range of attack types, attacker adaptation, and defender constraints. We propose a defense mechanism which is largely automated and can be implemented on current software defined networking (SDN)-enabled networks. Our mechanism combines normal traffic learning, external blacklist information, and elastic capacity invocation in order to provide effective load control, filtering and service elasticity during an attack. We implement the mechanism and analyze its performance on a physical SDN testbed using a comprehensive set of real-life normal traffic traces and synthetic attack traces. The results indicate that the mechanism is effective in maintaining roughly 50% to 80% service levels even when hit by an overwhelming attack.

UR - http://www.scopus.com/inward/record.url?scp=84960950467&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84960950467&partnerID=8YFLogxK

U2 - 10.1109/CloudNet.2015.7335317

DO - 10.1109/CloudNet.2015.7335317

M3 - Conference contribution

AN - SCOPUS:84960950467

SN - 9781467395014

SP - 248

EP - 254

BT - 2015 IEEE 4th International Conference on Cloud Networking, CloudNet 2015

PB - Institute of Electrical and Electronics Engineers Inc.

ER -