SDN-Assisted Network-Based Mitigation of Slow DDoS Attacks
This addresses the challenge of securing network services against stealthy attacks for network operators, shifting responsibility from service operators, but it is incremental as it builds on previous work.
The paper tackles the problem of detecting and mitigating slow DDoS attacks, which are hard to identify due to attackers following protocol specifications, by developing a network-based framework that uses packet rate and uniformity measurements to reliably identify attackers without server access, achieving reliable identification after a training period.
Slow-running attacks against network applications are often not easy to detect, as the attackers behave according to the specification. The servers of many network applications are not prepared for such attacks, either due to missing countermeasures or because their default configurations ignores such attacks. The pressure to secure network services against such attacks is shifting more and more from the service operators to the network operators of the servers under attack. Recent technologies such as software-defined networking offer the flexibility and extensibility to analyze and influence network flows without the assistance of the target operator. Based on our previous work on a network-based mitigation, we have extended a framework to detect and mitigate slow-running DDoS attacks within the network infrastructure, but without requiring access to servers under attack. We developed and evaluated several identification schemes to identify attackers in the network solely based on network traffic information. We showed that by measuring the packet rate and the uniformity of the packet distances, a reliable identificator can be built, given a training period of the deployment network.