A scalable and flexible DDoS mitigation system using network function virtualization

Title: A scalable and flexible DDoS mitigation system using network function virtualization
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Rashidi, B., Fung, C., Rahman, M.
Conference Name: NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium
Keywords: agent addition, attack traffic, batching forwarding, bucket-based forwarding mechanism, cloud computing, Computer crime, computer network security, DDoS defense framework, DDoS defense solutions, ddos mitigation, Dispatching, distributed denial of service, distributed denial of service attacks, dropping rate, enterprise networks, excessive traffic delay, firewall, firewalls, flexible DDoS mitigation system, flexible dispatcher, highly flexible solutions, Human Behavior, IP networks, legitimate traffic, metric, network function virtualization, Network Function Virtualization architecture, online websites, pubcrawl, Resiliency, Scalability, scalable DDoS mitigation system, scalable dispatcher, Scalable routing, Servers, SYN flood attack, target server, telecommunication traffic, third-party cloud-based DDoS, threat mitigation, virtual network agents, virtualisation
Abstract: Distributed Denial of Service (DDoS) attacks remain one of the top threats to enterprise networks and ISPs today. They can cause tremendous damage by bringing down online websites or services. Existing DDoS defense solutions either bring high cost, such as upgrading an existing firewall or IPS, or introduce excessive traffic delay by using third-party cloud-based DDoS filtering services. In this work, we propose a DDoS defense framework that utilizes a Network Function Virtualization (NFV) architecture to provide a low-cost and highly flexible solution for enterprises. In particular, the system uses virtual network agents to filter attack traffic before it is forwarded to the target server. Agents are created on demand to verify the authenticity of the source of packets and drop spoofed packets in order to protect the target server. Furthermore, we design a scalable and flexible dispatcher to forward packets to the corresponding agents for processing. A bucket-based forwarding mechanism improves the scalability of the dispatcher through batched forwarding. The dispatcher can also adapt to agent addition and removal. Our simulation results demonstrate that the dispatcher can effectively serve a large volume of traffic with a low dropping rate. The system can successfully mitigate SYN flood attacks while introducing minimal performance degradation to legitimate traffic.
Citation Key: rashidi_scalable_2018