An Adaptive Anti-DDoS System for IP Service Provider Backbones

  • Alberto Savio Figueira Rodrigues UFF
  • Fabio Santos UFF
  • Marcos Araujo UFF
  • Natalia Castro Fernandes UFF

Abstract


This article presents an adaptive anti-DDoS system based on SDN for IP service providers' backbones. We analyzed the requirements and solutions used on current IP backbones in order to manage different anti-DDoS systems that mitigate attacks on customers or on the backbone itself. The basis of our proposal is a controller that synchronizes the network reaction according to the volume of attacks and the available infrastructure, using a layered protection scheme. This controller dynamically provisions virtual machines and network links based on transit virtual routing and forwarding (VRF). The system is able to dynamically reconfigure itself according to attack traffic patterns. As a consequence, our system improves backbone performance and customers' quality of experience by reducing the impact of DDoS traffic more efficiently than current solutions.

Published
25/10/2018
RODRIGUES, Alberto Savio Figueira; SANTOS, Fabio; ARAUJO, Marcos; FERNANDES, Natalia Castro. An Adaptive Anti-DDoS System for IP Service Provider Backbones. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 18., 2018, Natal. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2018. p. 441-448. DOI: https://doi.org/10.5753/sbseg.2018.4276.