In this paper, we investigate collaborative schemes to mitigate Distributed Denial of Service attacks in multi-domain Software Defined Networks (SDNs). The mitigation process itself is distributed, initiated by the domain of the victim, and involving all domains in the path of an attack (transit domains). We emphasize filtering malicious flows as close to the attack sources as possible. We propose a modular and scalable approach that leverages the SDNi (SDN interface) protocol as the enabler for information exchange between adjacent SDN domains. We extend this protocol by publishing and exchanging pointers to incident reports, formatted according to the IETF IODEF standard and exposed through the domain SDN Controllers. Thus, an SDN domain hosting the victim of the attack is able to notify the recipient domains about the malicious flows that they forward, requesting their filtering until the attack ceases. In order to motivate close cooperation of SDN domains governed by diverse authorities, we implemented and evaluated a reputation mechanism whereby domains historically assess the behavior of their neighbors, discouraging assistance when the domain of the victim has a poor cooperation track record.
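The exchange described above, modelled in software as an added example (this is not the paper's code): the victim domain serialises the flows it wants filtered as an IODEF document, a transit domain parses it into drop rules, and a reputation ledger decides whether the requester's track record merits assistance. The IODEF element layout follows RFC 5070 (IODEF v1) only loosely, the exponential-smoothing update of the reputation score and the 0.4 threshold are assumptions, and the addresses and incident identifier are constructed.

```python
"""Victim domain -> transit domain mitigation request, with reputation gating.
Added illustration of the scheme in the abstract, not the authors' code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # RFC 5070 namespace
ET.register_namespace("", IODEF_NS)


def _q(tag):
    """Namespace-qualify an IODEF element name."""
    return f"{{{IODEF_NS}}}{tag}"


def build_iodef_report(incident_id, reporter_domain, flows):
    """Victim side: describe malicious flows as an IODEF Incident.
    flows: iterable of (src_ip, dst_ip, ip_protocol, dst_port)."""
    root = ET.Element(_q("IODEF-Document"), version="1.00")
    inc = ET.SubElement(root, _q("Incident"), purpose="mitigation")
    ET.SubElement(inc, _q("IncidentID"), name=reporter_domain).text = incident_id
    ET.SubElement(inc, _q("ReportTime")).text = "2020-01-01T00:00:00Z"  # constructed
    assess = ET.SubElement(inc, _q("Assessment"))
    ET.SubElement(assess, _q("Impact"), severity="high", completion="succeeded", type="dos")
    contact = ET.SubElement(inc, _q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, _q("ContactName")).text = reporter_domain
    event = ET.SubElement(inc, _q("EventData"))
    for src, dst, proto, dport in flows:
        flow = ET.SubElement(event, _q("Flow"))
        for category, ip in (("source", src), ("target", dst)):
            system = ET.SubElement(flow, _q("System"), category=category)
            node = ET.SubElement(system, _q("Node"))
            ET.SubElement(node, _q("Address"), category="ipv4-addr").text = ip
            if category == "target":
                svc = ET.SubElement(system, _q("Service"), ip_protocol=str(proto))
                ET.SubElement(svc, _q("Port")).text = str(dport)
    return ET.tostring(root, encoding="unicode")


def parse_flows(xml_text):
    """Transit side: recover (src, dst, proto, dport) tuples from the report."""
    root = ET.fromstring(xml_text)
    flows = []
    for flow in root.iter(_q("Flow")):
        src = dst = proto = dport = None
        for system in flow.findall(_q("System")):
            addr = system.find(f"{_q('Node')}/{_q('Address')}").text
            if system.get("category") == "source":
                src = addr
            else:
                dst = addr
                svc = system.find(_q("Service"))
                proto = int(svc.get("ip_protocol"))
                dport = int(svc.find(_q("Port")).text)
        flows.append((src, dst, proto, dport))
    return flows


@dataclass
class ReputationLedger:
    """Per-neighbor history of how often it honored OUR past requests.
    Exponential smoothing with a neutral 0.5 prior is an assumed update rule."""
    alpha: float = 0.3
    scores: dict = field(default_factory=dict)

    def record(self, domain, honored):
        prev = self.scores.get(domain, 0.5)
        self.scores[domain] = (1 - self.alpha) * prev + self.alpha * (1.0 if honored else 0.0)

    def score(self, domain):
        return self.scores.get(domain, 0.5)


def handle_mitigation_request(xml_text, requester, ledger, threshold=0.4):
    """Return OpenFlow-style drop rules (empty action list) for the reported
    flows, or no rules at all when the requester's reputation is too low."""
    if ledger.score(requester) < threshold:
        return []
    return [
        {"match": {"nw_src": s, "nw_dst": d, "nw_proto": p, "tp_dst": port}, "actions": []}
        for s, d, p, port in parse_flows(xml_text)
    ]


if __name__ == "__main__":
    report = build_iodef_report("INC-1", "victim.example", [("203.0.113.7", "192.0.2.10", 6, 80)])
    ledger = ReputationLedger()
    ledger.record("victim.example", honored=True)
    print(handle_mitigation_request(report, "victim.example", ledger))
```

The transit domain never installs rules blindly: it keys the decision on its own history with the requester, so a domain that ignored past requests cannot keep drawing on its neighbors' filtering capacity.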
Data plane programmability is a promising technology that enables rapid control loops for the detection and mitigation of cyber-attacks. In this context, we propose an in-network architecture for DDoS attack detection that combines important traffic metrics of malicious traffic. These pertain to the number of flows and to packet symmetry, maintained per protected subnet and used to identify anomalies. Appropriate alarms are triggered within time-based epochs and conveyed to external mitigation systems. We assess our DDoS detection scheme on P4-enabled SmartNICs in terms of detection accuracy and packet processing performance. As input to our accuracy experiments we use real, publicly available traffic traces. Furthermore, performance stress tests were conducted using high-speed packet generators. Results show that our approach is applicable in typical enterprise and/or carrier environments, featuring packet rates of 1–2 Mpps on 10G links.
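A software model of the detector described above, added here as an illustration (it is not the authors' P4 code): per protected subnet and per time epoch it keeps a distinct-flow counter and an inbound/outbound packet ratio, and raises an alarm when both exceed their thresholds. The bitmap-based flow counter mimics what a P4 register array would hold instead of a hash set; the protected prefix, epoch length, thresholds and the sample trace (benign request/response traffic in epoch 0, a burst from 200 spoofed sources in epoch 1) are all constructed assumptions.

```python
"""Epoch-based DDoS detection from flow count and packet symmetry.
Added example modelling the abstract's scheme, not the paper's P4 program."""
import zlib
from ipaddress import ip_address, ip_network

PROTECTED = [ip_network("192.0.2.0/24")]   # protected subnets (assumption)
EPOCH_SECONDS = 1.0                          # epoch length (assumption)
FLOW_THRESHOLD = 50                          # distinct flows per epoch (assumption)
SYMMETRY_THRESHOLD = 4.0                     # inbound/outbound packets (assumption)
BITMAP_BITS = 1 << 20                        # size of the flow bitmap register


def protected_subnet(ip):
    """Return the protected subnet containing ip, or None."""
    addr = ip_address(ip)
    for net in PROTECTED:
        if addr in net:
            return net
    return None


class EpochState:
    """Counters a switch would keep in registers for one (epoch, subnet)."""

    def __init__(self):
        self.bitmap = bytearray(BITMAP_BITS // 8)
        self.flows = 0
        self.pkts_in = 0
        self.pkts_out = 0

    def note_flow(self, five_tuple):
        # Hash the 5-tuple into the bitmap; count a flow only on first sight.
        idx = zlib.crc32(repr(five_tuple).encode()) & (BITMAP_BITS - 1)
        byte, bit = divmod(idx, 8)
        if not self.bitmap[byte] & (1 << bit):
            self.bitmap[byte] |= 1 << bit
            self.flows += 1

    def symmetry(self):
        # Ratio of packets towards the subnet to packets leaving it.
        return self.pkts_in / max(self.pkts_out, 1)


def detect(packets, epoch_seconds=EPOCH_SECONDS,
           flow_threshold=FLOW_THRESHOLD, symmetry_threshold=SYMMETRY_THRESHOLD):
    """packets: iterable of (timestamp, src, dst, proto, sport, dport).
    Returns one alarm dict per (epoch, subnet) exceeding both thresholds."""
    state = {}
    for ts, src, dst, proto, sport, dport in packets:
        epoch = int(ts // epoch_seconds)
        net = protected_subnet(dst)
        if net is not None:                       # inbound packet
            st = state.setdefault((epoch, net), EpochState())
            st.pkts_in += 1
            st.note_flow((src, dst, proto, sport, dport))
        net = protected_subnet(src)
        if net is not None:                       # outbound packet
            st = state.setdefault((epoch, net), EpochState())
            st.pkts_out += 1
    alarms = []
    for (epoch, net), st in sorted(state.items(), key=lambda kv: (kv[0][0], str(kv[0][1]))):
        if st.flows > flow_threshold and st.symmetry() > symmetry_threshold:
            alarms.append({"epoch": epoch, "subnet": str(net),
                           "flows": st.flows, "symmetry": round(st.symmetry(), 2)})
    return alarms


def make_trace():
    """Constructed trace: 10 benign client/server exchanges in epochs 0 and 1,
    plus 200 single-packet spoofed sources hitting the server in epoch 1."""
    pkts = []
    for epoch in (0, 1):
        for i in range(10):
            client = f"198.51.100.{i + 1}"
            pkts.append((epoch + 0.1, client, "192.0.2.10", 6, 40000 + i, 80))   # request
            pkts.append((epoch + 0.2, "192.0.2.10", client, 6, 80, 40000 + i))   # reply
    for i in range(200):
        pkts.append((1.5, f"203.0.113.{i % 250 + 1}", "192.0.2.10", 6, 1024 + i, 80))
    return pkts


if __name__ == "__main__":
    for alarm in detect(make_trace()):
        print(alarm)
```

Requiring both metrics to trip keeps a popular server with many legitimate flows (high flow count, symmetry near 1) from alarming, while a flood of spoofed sources shows up as many flows with almost no reply traffic.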
Papers by Vasilis Maglaris