{"title":"LSAV: Lightweight source address validation in SDN to counteract IP spoofing-based DDoS attacks","authors":"Ali Karakoç, Fatih Alagöz","doi":"10.55730/1300-0632.4042","DOIUrl":null,"url":null,"abstract":"In this paper, we propose a design to detect and prevent IP spoofing-based distributed denial of service (DDoS) attacks on software-defined networks (SDNs). DDoS attacks are still one of the significant problems for internet service providers (ISPs) and individual users. These attacks can disrupt customer services by targeting the availability of the system, and in some cases, they can completely shut down the target infrastructure. Protecting the system against DDoS attacks is therefore crucial for ensuring the reliability and availability of internet services. To address this problem, we propose a lightweight source address validation (LSAV) framework that leverages the flexibility of SDN architecture in ISP networks and employs a lightweight filtering mechanism that considers the cost of operation to maintain high performance. Our setup for the proposed mechanism reflects client–server communication through an ISP SDN, and we use the entry points to eliminate malicious user requests targeting the systems. We then propose a novel algorithm on top of this setup to introduce a new and more efficient approach to existing mitigation methodologies. In addition to filtering the traffic against IP spoofing-based DDoS attacks, LSAV also prioritizes low resource consumption and high performance in terms of delay and bandwidth.
With this approach, we believe that ISPs can effectively defend against IP spoofing-based DDoS attacks while still preserving low resource consumption for the infrastructure and high-quality internet services for their customers.","PeriodicalId":49410,"journal":{"name":"Turkish Journal of Electrical Engineering and Computer Sciences","volume":"23 1","pages":""},"PeriodicalIF":1.2000,"publicationDate":"2023-11-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Turkish Journal of Electrical Engineering and Computer Sciences","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.55730/1300-0632.4042","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}
Citation count: 0
Abstract
In this paper, we propose a design to detect and prevent IP spoofing-based distributed denial of service (DDoS) attacks on software-defined networks (SDNs). DDoS attacks are still one of the significant problems for internet service providers (ISPs) and individual users. These attacks can disrupt customer services by targeting the availability of the system, and in some cases, they can completely shut down the target infrastructure. Protecting the system against DDoS attacks is therefore crucial for ensuring the reliability and availability of internet services. To address this problem, we propose a lightweight source address validation (LSAV) framework that leverages the flexibility of SDN architecture in ISP networks and employs a lightweight filtering mechanism that considers the cost of operation to maintain high performance. Our setup for the proposed mechanism reflects client–server communication through an ISP SDN, and we use the entry points to eliminate malicious user requests targeting the systems. We then propose a novel algorithm on top of this setup to introduce a new and more efficient approach to existing mitigation methodologies. In addition to filtering the traffic against IP spoofing-based DDoS attacks, LSAV also prioritizes low resource consumption and high performance in terms of delay and bandwidth. With this approach, we believe that ISPs can effectively defend against IP spoofing-based DDoS attacks while still preserving low resource consumption for the infrastructure and high-quality internet services for their customers.
About the journal:
The Turkish Journal of Electrical Engineering & Computer Sciences is published electronically 6 times a year by the Scientific and Technological Research Council of Turkey (TÜBİTAK).
It accepts English-language manuscripts in the areas of power and energy, environmental sustainability and energy efficiency, electronics, industry applications, control systems, information and systems, applied electromagnetics, communications, signal and image processing, tomographic image reconstruction, face recognition, biometrics, speech processing, video processing and analysis, object recognition, classification, feature extraction, parallel and distributed computing, cognitive systems, interaction, robotics, digital libraries and content, personalized healthcare, ICT for mobility, sensors, and artificial intelligence.
Contribution is open to researchers of all nationalities.