A New Approach to DDoS Defense using SDN and NFV
Seyed K. Fayaz, Yoshiaki Tobioka, Vyas Sekar, Michael Bailey

TL;DR
This paper introduces Bohatei, an elastic and flexible DDoS defense system leveraging SDN and NFV to overcome limitations of traditional hardware appliances, demonstrating high scalability and responsiveness.
Contribution
The paper presents Bohatei, a novel SDN/NFV-based DDoS defense system that is scalable, responsive, and resilient to dynamic attack patterns.
Findings
Handles 500 Gbps attacks effectively
Mitigates attacks within one minute
Resilient to adaptive adversaries
Abstract
Networks today rely on expensive and proprietary hardware appliances, which are deployed at fixed locations, for DDoS defense. This introduces key limitations with respect to flexibility (e.g., complex routing to get traffic to these "chokepoints") and elasticity in handling changing attack patterns. We observe an opportunity to address these limitations using new networking paradigms such as software-defined networking (SDN) and network functions virtualization (NFV). Based on this observation, we design and implement Bohatei, an elastic and flexible DDoS defense system. In designing Bohatei, we address key challenges of scalability, responsiveness, and adversary-resilience. We have implemented defenses for several well-known DDoS attacks in Bohatei. Our evaluations show that Bohatei is scalable (handling 500 Gbps attacks), responsive (mitigating attacks within one minute),…
Taxonomy
Topics: Network Security and Intrusion Detection · Software-Defined Networks and 5G · Internet Traffic Analysis and Secure E-voting
