An SDN-based Approach For Defending Against Reflective DDoS Attacks
Thomas Lukaseder, Kevin Stölzle, Stephan Kleber, Benjamin Erb, Frank Kargl

TL;DR
This paper presents a flexible, protocol-agnostic SDN-based system for automatically defending against DRDoS attacks, including memcached-based attacks, without needing prior knowledge of attack specifics.
Contribution
It introduces a novel SDN-driven approach that provides transparent, automated, and effective mitigation against arbitrary DRDoS attacks without requiring target host cooperation.
Findings
Effective mitigation of DRDoS attacks demonstrated
Protocol-agnostic defense mechanism validated
System operates transparently without target host assistance
Abstract
Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks.
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Software-Defined Networks and 5G
