SDN-Assisted Network-Based Mitigation of Slow DDoS Attacks
Thomas Lukaseder, Lisa Maile, Benjamin Erb, Frank Kargl

TL;DR
This paper presents a network-based approach using SDN to detect and mitigate slow DDoS attacks without server access, leveraging traffic analysis techniques for identification.
Contribution
It extends a framework to detect slow DDoS attacks within the network using traffic features, without needing server cooperation.
Findings
Reliable attacker identification using packet rate and distance uniformity
Effective mitigation of slow DDoS attacks within network infrastructure
No server access required for detection and mitigation
Abstract
Slow-running attacks against network applications are often not easy to detect, as the attackers behave according to the specification. The servers of many network applications are not prepared for such attacks, either due to missing countermeasures or because their default configurations ignore such attacks. The pressure to secure network services against such attacks is shifting more and more from the service operators to the network operators of the servers under attack. Recent technologies such as software-defined networking offer the flexibility and extensibility to analyze and influence network flows without the assistance of the target operator. Based on our previous work on a network-based mitigation, we have extended a framework to detect and mitigate slow-running DDoS attacks within the network infrastructure, but without requiring access to servers under attack. We developed…
