{"title":"Leveraging SDN for Efficient Anomaly Detection and Mitigation on Legacy Networks","authors":"Kostas Giotis, G. Androulidakis, B. Maglaris","doi":"10.1109/EWSDN.2014.24","DOIUrl":null,"url":null,"abstract":"In this paper, we investigate the applicability of Software-Defined Networking (SDN), and specifically the use of the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH) routing approach, towards Distributed Denial of Service (DDoS) attack mitigation. More specifically, we exploit the network programmability of OpenFlow to match and handle traffic on a per-flow level, in order to preserve normal operation of the victim, while pushing the mitigation process upstream towards the edge of the network. To this end, we implemented and evaluated a sketch-based anomaly detection and identification mechanism, capable of pinpointing the victim and remotely triggering the mitigation of the offending network traffic. The evaluation is based on the combination of datasets containing real DDoS attacks and normal background traffic from an operational university campus network. Our results demonstrated that the proposed approach succeeds in identifying the victim of the attack and efficiently filtering the malicious sources.","PeriodicalId":103165,"journal":{"name":"2014 Third European Workshop on Software Defined Networks","volume":"49 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"62","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 Third European Workshop on Software Defined Networks","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EWSDN.2014.24","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 62
Abstract
In this paper, we investigate the applicability of Software-Defined Networking (SDN), and specifically the use of the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH) routing approach, towards Distributed Denial of Service (DDoS) attack mitigation. More specifically, we exploit the network programmability of OpenFlow to match and handle traffic on a per-flow level, in order to preserve normal operation of the victim, while pushing the mitigation process upstream towards the edge of the network. To this end, we implemented and evaluated a sketch-based anomaly detection and identification mechanism, capable of pinpointing the victim and remotely triggering the mitigation of the offending network traffic. The evaluation is based on the combination of datasets containing real DDoS attacks and normal background traffic from an operational university campus network. Our results demonstrated that the proposed approach succeeds in identifying the victim of the attack and efficiently filtering the malicious sources.