Abstract
The integration of cloud computing with Software Defined Networking (SDN) addresses several challenges of a typical cloud infrastructure, such as complex inter-networking, data collection, and fast response. Though an SDN-based cloud opens new opportunities, the SDN controller may itself become vulnerable to several attacks. Attackers use the unique features of SDN to implement severe Distributed Denial of Service (DDoS) attacks. Several approaches are available in the literature to defend against traditional DDoS flooding attacks in the SDN-cloud. To elude detection systems, attackers try to employ more sophisticated attack strategies, which are implemented by generating low-rate attack traffic. The most common type of Low-Rate DDoS (LR-DDoS) attack is the Shrew attack. The existing approaches are not capable of detecting, mitigating, and tracing back such attacks. Thus, this work discusses a new mechanism which not only detects and mitigates the Shrew attack but also traces back the location of the attack sources. The attack is detected using information entropy variations, and the attack sources are traced back using a deterministic packet marking scheme. The experiments are performed in a real SDN-cloud scenario, and the experimental results show that the approach requires 1 packet and 8.27 packets on average to locate the bots and attackers, respectively. The approach detects and traces back the attack sources in between 14.45 ms and 10.02 s and provides 97.6% accuracy.
Change history
03 February 2021
The term ‘Mechanism’ in the article title was erroneously published as ‘Mechduanism’. The error has been corrected.
About this article
Cite this article
Agrawal, N., Tapaswi, S. An SDN-Assisted Defense Mechanism for the Shrew DDoS Attack in a Cloud Computing Environment. J Netw Syst Manage 29, 12 (2021). https://doi.org/10.1007/s10922-020-09580-7
Keywords
- Cloud computing security
- Software defined networking (SDN)
- SDN-Cloud (SDN-C)
- Low-rate DDoS (LR-DDoS) attack
- Shrew attack
- Performance analysis