Elastically Augmenting the Control-path Throughput in SDN to Deal with Internet DDoS Attacks

IF 3.9 | CAS Zone 3, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Yuanjun Dai, An Wang, Yang Guo, Songqing Chen
DOI: https://dl.acm.org/doi/10.1145/3559759
Journal: ACM Transactions on Internet Technology (Journal Article)
Published: 2023-02-23
Open access: no
Citations: 0

Abstract

Distributed denial of service (DDoS) attacks have been prevalent on the Internet for decades. Despite various defenses, they keep growing in size, frequency, and duration. The new network paradigm, Software-defined networking (SDN), is also vulnerable to DDoS attacks. SDN uses logically centralized control, bringing advantages in maintaining a global network view and simplifying programmability. When attacks happen, the control path between the switches and their associated controllers may become congested due to its limited capacity. However, the data plane visibility of SDN provides new opportunities to defend against DDoS attacks in the cloud computing environment. To this end, we conduct measurements to evaluate the throughput of the software control agents on some of the hardware switches when they are under attack. Then, we design a new mechanism, called Scotch, to enable the network to scale up its capability and handle the DDoS attack traffic. In our design, congestion works as an indicator to trigger the mitigation mechanism. Scotch elastically scales up the control plane capacity by using an Open vSwitch-based overlay. Scotch takes advantage of both the high control plane capacity of a large number of vSwitches and the high data plane capacity of commodity physical switches to increase the SDN network scalability and resiliency under abnormal (e.g., DDoS attacks) traffic surges. We have implemented a prototype and experimentally evaluated Scotch. Our experiments in the small-scale lab environment and the large-scale GENI testbed demonstrate that Scotch can elastically scale up the control channel bandwidth upon attacks.
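The congestion mechanism the abstract describes can be made concrete with a small discrete-time model. The following Python is an illustrative model added for this page; it is not the Scotch prototype and none of its rates, buffer sizes or thresholds are measurements from the paper (all are labelled assumptions). A flood of spoofed new flows misses the flow table, each miss becomes a packet-in that the hardware switch's software control agent must relay, and the agent's limited rate saturates and drops. The elastic variant uses buffer occupancy as the congestion indicator and brings software switches online, abstracting the Open vSwitch overlay as added control-path rate, so the two runs can be compared on packet-ins lost.

```python
"""Toy discrete-time model of an SDN control path under a table-miss flood.

Illustrative model written for this page, not the Scotch prototype: every
rate and threshold below is an assumption, not a measurement from the paper.
A DDoS flood of spoofed new flows misses the flow table, and each miss
becomes a packet-in that the hardware switch's software control agent must
push to the controller. The agent's limited rate saturates, its buffer
fills, and excess packet-ins are dropped. The "elastic" variant uses buffer
occupancy as the congestion indicator and brings Open vSwitch instances
online to add control-path capacity, abstracting the overlay as extra rate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Config:
    hw_agent_rate: int = 1_000         # packet-ins/s the hardware agent can relay (assumed)
    vswitch_rate: int = 10_000         # packet-ins/s each software switch adds (assumed)
    queue_limit: int = 2_000           # agent buffer; overflow is dropped (assumed)
    congestion_threshold: float = 0.5  # buffer occupancy that triggers scale-up (assumed)
    provision_delay: int = 2           # ticks until a requested vSwitch is serving (assumed)
    max_vswitches: int = 16            # size of the software-switch pool (assumed)


@dataclass(frozen=True)
class Tick:
    t: int
    arrivals: int
    capacity: int
    served: int
    backlog: int
    dropped: int
    vswitches: int


def attack_profile(duration=30, baseline=500, peak=40_000, onset=5, ramp=5):
    """Constructed new-flow (packet-in) arrival rates per tick: a quiet
    baseline, then a linear ramp over `ramp` ticks up to the attack peak."""
    rates = []
    for t in range(duration):
        if t < onset:
            rates.append(baseline)
        elif t < onset + ramp:
            # integer arithmetic keeps the profile exact and reproducible
            rates.append(baseline + (peak - baseline) * (t - onset + 1) // ramp)
        else:
            rates.append(peak)
    return rates


def simulate(arrivals, cfg=None, elastic=True):
    """Run the model; returns one Tick record per time step."""
    cfg = cfg or Config()
    backlog, active, pending, trace = 0, 0, [], []
    for t, a in enumerate(arrivals):
        # software switches whose provisioning has completed come online
        active = min(cfg.max_vswitches, active + sum(1 for d in pending if d <= t))
        pending = [d for d in pending if d > t]
        capacity = cfg.hw_agent_rate + active * cfg.vswitch_rate
        offered = backlog + a
        served = min(offered, capacity)
        remaining = offered - served
        backlog = min(remaining, cfg.queue_limit)   # what the buffer can hold
        dropped = remaining - backlog               # control-path loss
        # congestion indicator: buffer occupancy at/above threshold requests
        # one more vSwitch (unless the pool is exhausted or already requested)
        if (elastic
                and backlog / cfg.queue_limit >= cfg.congestion_threshold
                and active + len(pending) < cfg.max_vswitches):
            pending.append(t + cfg.provision_delay)
        trace.append(Tick(t, a, capacity, served, backlog, dropped, active))
    return trace


def summarize(trace):
    """Aggregate a trace into the figures worth comparing between runs."""
    return {
        "total_dropped": sum(x.dropped for x in trace),
        "total_served": sum(x.served for x in trace),
        "max_vswitches": max(x.vswitches for x in trace),
        "ticks_with_drops": [x.t for x in trace if x.dropped],
    }


if __name__ == "__main__":
    arrivals = attack_profile()
    for label, elastic in (("static hardware agent", False), ("elastic overlay", True)):
        s = summarize(simulate(arrivals, elastic=elastic))
        print(f"{label:22s} dropped={s['total_dropped']:>7d} "
              f"vswitches={s['max_vswitches']:2d} lossy_ticks={s['ticks_with_drops']}")
```

With the constructed profile, the static agent loses packet-ins on every tick from attack onset to the end of the run, while the elastic run loses them only during the ramp and is loss-free once enough software switches are serving; the recovery time is governed by the provisioning delay and by the policy of requesting one vSwitch per congested tick. The model scales up only, as the abstract describes, and does not model scale-down or the data-plane redirection the real overlay performs.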

Source journal
ACM Transactions on Internet Technology (Engineering & Technology - Computer Science: Software Engineering)
CiteScore: 10.30
Self-citation rate: 1.90%
Articles published: 137
Review time: >12 weeks
Journal description: ACM Transactions on Internet Technology (TOIT) brings together many computing disciplines including computer software engineering, computer programming languages, middleware, database management, security, knowledge discovery and data mining, networking and distributed systems, communications, performance and scalability, etc. TOIT covers the results and roles of the individual disciplines and the relationships among them.