ADMS: An online attack detection and mitigation system for LDoS attacks via SDN☆
Introduction
In 2001, Asta Networks observed a new type of Denial of Service (DoS) attack on the Internet2 backbone. Kuzmanovic and Knightly first described the basic principle of these attacks at the SIGCOMM conference in 2003 [1]. They regarded them as atypical DoS attacks that can drastically reduce and throttle TCP traffic. Moreover, the attacks evade existing detection mechanisms with little effort, so they were vividly called “Shrew” attacks. Subsequently, other researchers named them Low-rate Denial of Service (LDoS) attacks [2]. Different from traditional DoS attacks, LDoS attacks send intermittent high-volume bursts and exploit the vulnerability of the adaptive mechanism of the TCP protocol [3] to actively drive down the sending rate of the TCP endpoints. On the one hand, the performance of networks is seriously impacted by the attacks. On the other hand, because each attack burst is brief, the average attack traffic is relatively small and quite similar to the instantaneous burst traffic generated by many standard application services. Since LDoS attacks combine strong concealment with high destructiveness, their detection and mitigation remain a major challenge.
Yet in traditional networks it is arduous to deploy real online detection and defense solutions against LDoS attacks, because legacy networks tightly couple the logical control and data forwarding functions on the network devices, which reduces the flexibility and scalability of those devices. Specifically, if a device needs new functions, new protocols or rules must be redesigned. Therefore, detection methods for LDoS attacks in traditional networks are generally offline.
The emergence of Software Defined Networking (SDN) opens the way to an online approach. SDN refers to a network architecture that uses the OpenFlow protocol [4] to decouple the logical control functions from data forwarding. The separation increases the openness and programmability of networks and makes them scalable. Developers can flexibly design applications and modify network policies on the upper planes using high-level languages without concern for the underlying hardware, which eases the deployment of an online LDoS attack detection and mitigation scheme. At present, there is plenty of research on detecting and defending against other attacks using SDN, such as DoS attacks, but extraordinarily little that concerns LDoS attacks based on congestion control mechanisms.
In summary, we use SDN to implement online detection and mitigation of LDoS attacks and face the following challenges.
- How to precisely distinguish LDoS attack traffic from benign traffic?
- How to accurately detect LDoS attacks as soon as possible?
- How to timely inform the mitigation system when attacks are detected?
- How to effectively filter attack traffic to mitigate attacks in real-time?
In this paper, to deal with these four challenges, we design and implement an online attack detection and mitigation system (ADMS), a scalable system for SDN. ADMS runs on the SDN controllers. All designs of ADMS comply with the OpenFlow policy and require no additional devices. The system gives equal weight to detection and mitigation: it continuously monitors networks for LDoS attacks and implements countermeasures against them. Our main contributions are as follows.
- The two-phase detection module of ADMS is proposed to achieve precise detection of LDoS attacks.
- We propose a new Sequence Matching based Dynamic Series Analysing (SMDSA) algorithm and carry out a practical mitigation module of ADMS utilizing the SMDSA algorithm.
- A prototype of ADMS is put into effect and we evaluate its performance in the software environment. Experimental results illustrate that ADMS can ensure accuracy in attack detection and precisely filter attack traffic in real-time.
The rest of this paper is organized as follows. Section 2 provides brief background knowledge on LDoS attacks and the SDN architecture. Section 3 reviews current research on LDoS attacks in traditional networks and on various DoS attacks in SDN. The overview of ADMS is described in Section 4. Section 5 reports the two-phase detection module and Section 6 illustrates the mitigation module. Section 7 presents experiments and results in the software environment. Section 8 discusses our proposal. Section 9 summarizes the whole paper and explores future research.
Background
To begin with, we provide a brief background on the LDoS attacks and SDN architecture.
Related work
LDoS attacks relate to diverse and complex network environments, including traditional networks [7], SDN [8], wireless sensor networks (WSN) [9], cloud computing networks [10] and so on. A large number of scholars have devoted themselves to the study of LDoS attacks and have proposed relevant solutions.
On the one hand, regarding the studies of LDoS attacks, Gabriel et al. [11] developed a mathematical model whose performance was evaluated by dynamically correlating the attack parameters with
System overview
Before description, we list the notations that will be used frequently later in Table 3.
The framework of ADMS is illustrated in Fig. 4. ADMS is designed on the SDN controllers and consists of three parts: information collection, the two-phase detection module and the mitigation module. The information collection calls an API to periodically obtain the port traffic sequence and the flow table statistics traffic sequence of the collection point. The collection point is the switch at the bottleneck in the
Two-phase detection module
The two-phase detection module applies two detection functions to continuously monitor the network for LDoS attacks. It first roughly detects attacks based on the port traffic, and then accurately detects them based on the flow table statistics traffic. The functions and the complete detection process are introduced below.
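As an added illustration (not the paper's code, and not its port-traffic feature, which the snippet does not specify): a constructed per-interval throughput series at a bottleneck port, showing why the low average rate described in the introduction slips under a volumetric threshold while a periodicity check over the polled port counters exposes the bursts. The polling interval, burst period, burst length and link capacity are assumed values.

```python
"""Added example, not the paper's own code: a constructed per-interval
throughput series at a bottleneck port, a volumetric threshold that an LDoS
pattern slips under, and a periodicity check that exposes the bursts."""
from statistics import mean, median

INTERVAL_MS = 100      # assumed controller polling interval for port counters
LINK_KBPS = 10_000     # assumed bottleneck capacity
PERIOD_MS = 1_000      # assumed burst period, roughly one TCP minimum RTO
BURST_MS = 100         # assumed burst length, one polling interval here
BENIGN_KBPS = 300      # constructed steady background load


def build_series(seconds, attack):
    """Constructed port throughput (kbit/s) per polling interval."""
    series = []
    for i in range(seconds * 1000 // INTERVAL_MS):
        rate = BENIGN_KBPS
        if attack and (i * INTERVAL_MS) % PERIOD_MS < BURST_MS:
            rate += LINK_KBPS  # a burst briefly fills the bottleneck link
        series.append(rate)
    return series


def volumetric_alarm(series, fraction=0.5):
    """Classic flooding check: average load above a share of link capacity."""
    return mean(series) > fraction * LINK_KBPS


def burst_fraction(series, factor=5.0):
    """Share of intervals far above the median; small but non-zero for LDoS."""
    threshold = factor * median(series)
    return sum(1 for r in series if r > threshold) / len(series)


def dominant_period_ms(series):
    """Lag (ms) with the largest positive autocorrelation of the
    mean-removed series, or None when nothing repeats."""
    m = mean(series)
    x = [r - m for r in series]
    best_lag, best_corr = None, 0.0
    for lag in range(2, len(x) // 2):
        corr = sum(x[i] * x[i + lag] for i in range(len(x) - lag))
        if corr > best_corr:
            best_lag, best_corr = lag, corr
    return None if best_lag is None else best_lag * INTERVAL_MS


def assess(series):
    """Per-series verdict a controller-side detector could act on."""
    return {"volumetric_alarm": volumetric_alarm(series),
            "burst_fraction": burst_fraction(series),
            "period_ms": dominant_period_ms(series)}
```

For the constructed attack series the average load is 1300 kbit/s, 13% of the assumed link, so the volumetric check stays silent, yet one interval in ten sits far above the median and the autocorrelation peaks at the 1000 ms burst period.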
Mitigation module
After detecting LDoS attacks, ADMS activates the mitigation module to filter out attack traffic. The module consists of two components: attacker location and packet filter. The two components and the complete detection process are described below.
Experiments
We implement the SDN controller-based ADMS and verify its effectiveness in LDoS attack detection and mitigation through experiments.
Security and effectiveness of ADMS
The security advantage of ADMS is that all components are deployed on the control plane. ADMS manages the data plane only through OpenFlow, including LDoS attack detection and mitigation. As a result, it is difficult for ordinary users to access ADMS, which ensures basic security. In addition, ADMS achieves higher detection accuracy against LDoS attacks than other methods, together with effective mitigation.
Limitations of ADMS
One disadvantage of ADMS is that it cannot resist special attacks. For example, the
Conclusion and future work
LDoS attacks bring about serious damage to network performance. To address the problem of practically deploying the corresponding solutions for LDoS attacks in traditional networks, we propose an SDN-based online ADMS, which can effectively detect and mitigate LDoS attacks in real-time. The two-phase detection module of ADMS continuously monitors networks for LDoS attack detection. In the first phase, port traffic-based detection utilizes the new feature to determine whether
CRediT authorship contribution statement
Dan Tang: Conceptualization, Investigation, Resources, Supervision, Project administration, Funding acquisition. Xiyin Wang: Methodology, Software, Validation, Formal analysis, Investigation, Data curation, Writing – original draft, Writing – review & editing, Visualization. Yudong Yan: Investigation, Data curation, Writing – review & editing. Dongshuo Zhang: Data curation, Writing – review & editing. Huan Zhao: Investigation, Data curation.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
References (40)
- et al., Evaluation of a low-rate DoS attack against iterative servers, Comput. Netw. (2007)
- et al., Low rate cloud DDoS attack defense method based on power spectral density analysis, Inform. Process. Lett. (2018)
- et al., Slow denial-of-service attacks on software defined networks, Comput. Netw. (2020)
- et al., Power spectrum entropy based detection and mitigation of low-rate DoS attacks, Comput. Netw. (2018)
- et al., WEDMS: An advanced mean shift clustering algorithm for LDoS attacks detection, Ad Hoc Netw. (2020)
- et al., MF-AdaBoost: LDoS attack detection based on multi-features and improved AdaBoost, Future Gener. Comput. Syst. (2020)
- et al., Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks, Comput. Netw. (2019)
- et al., An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics, Future Gener. Comput. Syst. (2018)
- et al., Towards sFlow and adaptive polling sampling for deep learning based DDoS detection in SDN, Future Gener. Comput. Syst. (2020)
- et al., DoS vulnerabilities and mitigation strategies in software-defined networks, J. Netw. Comput. Appl. (2019)
- A GRU deep learning system against attacks in software defined networks, J. Netw. Comput. Appl.
- Machine learning based flow entry eviction for OpenFlow switches
- A tool for the generation of realistic network workload for emerging networking scenarios, Comput. Netw.
- Congestion control in IP/TCP internetworks, ACM SIGCOMM Comput. Commun. Rev.
- OpenFlow: enabling innovation in campus networks, ACM SIGCOMM Comput. Commun. Rev.
- Survey on research and progress of low-rate denial of service attacks, J. Softw.
- Improving network management with software defined networking, IEEE Commun. Mag.
- Approach of detecting low-rate DoS attack based on combined features, J. Commun.
- Low-rate DDoS attack detection based on factorization machine in software defined network, IEEE Access
Cited by (12)
- A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning, 2022, Journal of Network and Computer Applications
- Real-Time Monitoring and Mitigation of SDoS Attacks Using the SDN and New Metrics, 2023, IEEE Transactions on Cognitive Communications and Networking
- DHOA-ANFIS: A Hybrid Technique to Detect Routing Attacks in Wireless Body Area Network, 2023, Wireless Personal Communications
- GASF-IPP: Detection and Mitigation of LDoS Attack in SDN, 2023, IEEE Transactions on Services Computing
- PeakSAX: Real-Time Monitoring and Mitigation System for LDoS Attack in SDN, 2023, IEEE Transactions on Network and Service Management
☆ This work is partially supported by National Key Research and Development Project, China (2020YFB1713400), National Natural Science Foundation of China (61772189), and Hunan Provincial Natural Science Foundation of China (2019JJ40037).