An insidious aspect of the Internet model is that receivers of data have no control over the resources consumed on their behalf: a host can receive a repetitive stream of packets regardless of whether they are desired. Denial-of-Service (DoS) attacks, which exploit this feature of the Internet model, are now a prominent issue due to their ability to disrupt services and communication infrastructure. A DoS attack consumes the resources of a remote host and/or network in an effort to deny the use of those resources to legitimate users. For example, a flooding DoS attack may inundate a victim with so much additional malicious traffic that its network connection or its servers become saturated. The result is a network and/or end-system that is no longer able to respond to normal requests in a timely manner, effectively disabling the service. A variety of DoS attack techniques exist that exploit existing software flaws to cause remote hosts to either crash or significantly degrade in performance. Either upgrading faulty software or filtering particular packet sequences can sometimes prevent such attacks.
In some cases, a single host carrying out a flooding DoS attack can have a devastating effect on a victim. Even more damaging is an attack that is amplified by the use of multiple hosts to launch a coordinated attack against a single victim. This type of attack is called a Distributed Denial of Service (DDoS) attack.
DDoS attacks pose an immense threat to the Internet, and many defense mechanisms have been proposed to combat the problem. However, attackers constantly modify their tools to bypass these security systems, and researchers in turn need to modify their approaches to handle new attacks.
Early work in the area of DoS (and DDoS) attack mitigation sought to make all sources of traffic identifiable. For example, ingress filtering discards packets with spoofed source addresses at the edge of the network, and traceback maintains state in the network so that receivers can reconstruct the path taken by unwanted traffic.
Although DDoS attacks can sometimes have predictable effects, it is still difficult to mitigate them. One group of methods focuses on establishing a framework so that the attack cannot block legitimate users from accessing resources. These techniques may include authorizing only legitimate users to access protected servers and applying packet filters in routers to drop spoofed Internet Protocol (IP) packets.
A different tactic is to configure a network to limit communication to previously established patterns, e.g., by giving legitimate hosts an offline authenticator that permits these hosts to send to specific destinations. However, this approach does not protect public servers (e.g., www.google.com) that are in general unable to arrange an offline authenticator for legitimate senders prior to communication.
Another solution is to limit host communication patterns to client-server communication only by separating client and server address spaces. The network does not permit any inter-host communication by default, unless a destination explicitly requests to receive from a sender. Both solutions limit DoS attacks to private end hosts, but require additional mechanisms to protect open public servers.
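The following is an added example (not part of the original text) that simulates, in one edge-policy function, two of the mechanisms described above: ingress filtering that drops packets whose source address does not belong to the prefix assigned to their ingress port, and a default-deny model with separate client and server address spaces in which other inter-host traffic is forwarded only after the destination has explicitly requested it. All port names, prefixes and host addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class EdgePolicy:
    """Forwarding policy evaluated for each packet arriving at an edge switch."""
    port_prefixes: dict                  # ingress port -> prefix legitimately sourced there
    client_space: IPv4Network            # address range reserved for clients
    server_space: IPv4Network            # address range reserved for public servers
    grants: set = field(default_factory=set)  # (dst, src) pairs dst asked to receive from

    def grant(self, dst: str, src: str) -> None:
        """Destination dst explicitly requests to receive traffic from src."""
        self.grants.add((ip_address(dst), ip_address(src)))

    def decide(self, port: str, src: str, dst: str) -> tuple:
        """Return ("ALLOW" | "DROP", reason) for a packet seen on `port`."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # 1. Ingress filtering: the source must lie inside the ingress port's prefix.
        prefix = self.port_prefixes.get(port)
        if prefix is None or src_ip not in prefix:
            return "DROP", "spoofed source for ingress port"
        # 2. Client-server traffic (one end in each space) is always permitted,
        #    so public servers remain reachable without prior arrangement.
        c2s = src_ip in self.client_space and dst_ip in self.server_space
        s2c = src_ip in self.server_space and dst_ip in self.client_space
        if c2s or s2c:
            return "ALLOW", "client-server"
        # 3. Any other inter-host traffic is denied unless dst requested it.
        if (dst_ip, src_ip) in self.grants:
            return "ALLOW", "destination-requested"
        return "DROP", "no request from destination"


def build_sample_policy() -> EdgePolicy:
    """Constructed sample topology: two client ports and one server port."""
    return EdgePolicy(
        port_prefixes={
            "port1": ip_network("10.1.0.0/16"),
            "port2": ip_network("10.2.0.0/16"),
            "port3": ip_network("203.0.113.0/24"),
        },
        client_space=ip_network("10.0.0.0/8"),
        server_space=ip_network("203.0.113.0/24"),
    )
```

A packet from 10.1.0.5 to a server is forwarded, a packet on port1 claiming source 192.168.9.9 is dropped as spoofed, and client-to-client traffic is dropped until the destination calls `grant()`.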
Yet a further solution is to use a DoS prevention and mitigation scrubber box, which integrates complex functionality to detect and mitigate DoS attacks directed at a network destination. However, such solutions typically lack programmability since the scrubber box is a “black box.” The scrubber box also sits at only one location in the network and therefore may introduce additional overhead in the network.
A recent network architecture proposal has drawn significant interest from both academia and industry. In this new architecture, the control plane is decoupled from the forwarding plane and the entire router is built as a distributed system. Such a system may be referred to as a Software Defined Network (SDN). An SDN includes a network-wide control platform, running on one or more servers, which oversees a set of comparatively simple switches or network elements. However, there is currently no method of performing DDoS prevention or mitigation in SDNs.