SDSNM: A Software-Defined Security Networking Mechanism to Defend against DDoS Attacks

The Distributed Denial of Service (DDoS) attack has seriously harmed network availability over decades and there is still no effective defense mechanism. The emerging software-defined networking (SDN) gives a new way to rethink the defense of DDoS attacks. In this paper, we first modeled DDoS attacks from the perspective of network architecture. Then a software-defined security networking mechanism (SDSNM) was proposed to remove or restrict these necessary conditions which were summarized from the model. The SDSNM is mainly implemented at the edge SDN networks as well as inherits the infrastructure of IP core network. The Cloud computing and Chord technologies were applied to solve the expansibility and consistency problems. Experiments based on the prototype proved that the brand new mechanism was feasible and incrementally deployable. DDoS attacks were unable to be launched if strict access control policies were used. The attacker along with hosts in botnet can be located quickly and accurately when loose access control policies were used.