Abstract
As ICT resources are increasingly hosted on cloud data centre infrastructures, distributed denial of service (DDoS) attacks are becoming a major concern for cloud service providers and tenants. The lack of physical resource isolation in a cloud environment exposes non-targeted tenants to indirect performance degradation, while it is increasingly challenging to distinguish between safe (e.g. internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance, high-cost bespoke appliances (middleboxes) at fixed locations in the physical infrastructure. However, this limits their provisioning to a static specification, hindering extensible functionality and resulting in vendor lock-in.
In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit the latest advances in network functions virtualisation (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions (NFs) where and when required, protecting the infrastructure at the onset of DDoS attacks. We rely on the network-wide, logically centralised management of traffic and network services provided by software-defined networking (SDN) for the placement of NFs and to (re)route traffic to them. Using a DDoS remediation service as an example, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic duplication and placement of security modules to remediate the performance impact of an attack on the underlying infrastructure.
Notes
Source code and instructions to replicate this experiment are available at https://github.com/UofG-netlab/sdnfv-ddos
Acknowledgements
The work has been supported in part by the UK Engineering and Physical Sciences Research Council (EPSRC) projects EP/L026015/1, EP/N033957/1, EP/P004024/1 and EP/L005255/1 and by the European Cooperation in Science and Technology (COST) Action CA 15127: RECODIS – Resilient communication services protecting end-user applications from disaster-based failures.
Copyright information
© 2017 Springer International Publishing AG
Cite this chapter
Ali, A., Cziva, R., Jouët, S., Pezaros, D.P. (2017). SDNFV-Based DDoS Detection and Remediation in Multi-tenant, Virtualised Infrastructures. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_7
DOI: https://doi.org/10.1007/978-3-319-64653-4_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64652-7
Online ISBN: 978-3-319-64653-4