Fast DDoS Detection and Mitigation in SDN Environment

DDoS attacks are still growing threat to all businesses dependent on the connectivity. There are several approaches to protect against DDoS attacks, where the most cost efficient one is the out-of-path strategy to detect and mitigate the attacks. But how it fits SDN environments?

Out-of-path DDoS solution consists of Flowmon DDoS Defender for flow-based attack detection and traffic rerouting for a mitigation in on-premise devices or cloud scrubbing. This works well for physical environment. However, we are witnessing of a transition to SDN / NFV virtual environments and such environments does not usually provide with out of the box DDoS detection and mitigation capabilities. So let’s have a look on DDoS attack protection in SDN environment using Open vSwitch and Floodlight SDN controller.

Open vSwitch (OVS) is known as one of the most interesting and important open source projects. In order to abstract from the physical network infrastructure, OVS is widely used in datacenters to steer traffic among virtualized appliances running as virtual machines (VMs), apply access and security policies, and realize overlay networks by means of protocol tunneling. We will show in this article, how to use OVS for protection against volumetric DDoS attacks.

We will need following components:

  • Flowmon Collector VA or hardware appliance

  • Flowmon DDoS Defender

  • Floodlight SDN controller

  • Open vSwitch

  • We have prepared integration package which performs adding an interface to configure Open vSwitch (OVS) via Floodlight SDN controller with needed information for DDoS attack mitigation.

    Let’s dive into the details:  

    Firstly you need to export flows from the OVS to Flowmon collector. The figure shows a case when using a virtual collector so you can choose between flow export from the OVS or port mirroring that will drive the traffic to monitoring ports of the Flowmon collector.
     

    Principle of the Flowmon DDoS Defender + Floodlight controller + Open vSwitch (OVS) integration

     

     

    Figure 1: The figure shows the principle of the Flowmon DDoS Defender + Floodlight controller + Open vSwitch (OVS) integration.

    The Flowmon DDoS Defender module computes multiple adaptive baselines so when a DDoS attack comes, it is detected by exceeding the baselines. After that the Flowmon DDoS Defender generates attack signature which is passed to the SDN mitigation script. Upon receiving and parsing the signature by the script the DDoS Defender logs to the Floodlight controller and sends an ACL configuration via REST API in order to setup an ACL to start the mitigation. The ACL configuration is then issued by the controller to the OVS itself via OpenFlow protocol. As soon as the DDoS attack ends, all the ACL configuration caused by the DDoS Defender is again automatically removed from the OVS.

    Watch a demonstration video to see how the integration works in real. (Video contains no audio, please turn on Subtitles in YouTube player.)

    In conclusion you are able to quickly and completely automatically defend yourself against DDoS attacks in SDN environment whereas legitimate traffic flowing to you customers remains untouched.