Detecting and Mitigating DDoS Attacks with Moving Target Defense approach based on automated flow classification in SDN networks.

Abstract

A Distributed Denial of Service (DDoS) attack coordinates synchronized attacks on Internet-facing systems using a set of infected hosts (bots). The bots are programmed to attack a chosen target by sending a large number of synchronized requests, causing slowness or unavailability of the service. Recently, this type of attack has grown in magnitude, diversity, and economic cost. This paper therefore presents a DDoS detection and mitigation architecture for Software Defined Networking (SDN). It follows the Moving Target Defense (MTD) approach, redirecting malicious floods to expendable low-capacity servers in order to protect the main server while discouraging the attacker. The redirection decision is based on a sensor that employs Machine Learning (ML) algorithms for flow classification. When malicious flows are detected, the sensor notifies the SDN controller, which adds them to the malicious lists and carries out the redirection. The proposed architecture is validated and evaluated by simulation. Results for different classification models (probabilistic, linear model, neural networks, and trees) and attack types indicate that the proposed architecture detects and mitigates DDoS attacks in approximately 3.00 seconds.
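The sensor-to-controller path described in the abstract, as an added illustration that is not the paper's code: a rule-based classifier stands in for the paper's ML models, the flow records are constructed, and the features, thresholds and the server names "blue" (primary) and "red" (secondary) are assumptions.

```python
from dataclasses import dataclass

# TCP flag bits; the attack types on this page are invalid combinations of them.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG        # "Bad TCP flags (all set)"
INVALID = {ALL_FLAGS, FIN, SYN | FIN}                 # all set, FIN only, SYN+FIN

@dataclass
class Flow:
    src: str
    flags: list        # TCP flag byte of each packet in the flow (constructed data)
    duration_s: float

def flow_features(flow):  # features a sensor could derive from switch stats (assumption)
    n = len(flow.flags)
    return {"invalid_ratio": sum(f in INVALID for f in flow.flags) / n,
            "syn_ratio": sum(f == SYN for f in flow.flags) / n,   # SYN without ACK
            "ack_ratio": sum(bool(f & ACK) for f in flow.flags) / n,
            "pps": n / flow.duration_s}

def classify(feat):  # rule-based stand-in for the paper's ML classifiers (assumption)
    if feat["invalid_ratio"] > 0.5:                   # flag-abuse attacks
        return "malicious"
    if feat["syn_ratio"] > 0.8 and feat["ack_ratio"] < 0.1 and feat["pps"] > 100:
        return "malicious"                            # SYN flood: handshakes never finish
    return "benign"

class Controller:  # SDN controller side: malicious list plus the MTD redirection decision
    def __init__(self, primary, secondary):
        self.primary, self.secondary, self.malicious = primary, secondary, set()
    def notify(self, src):                            # called by the sensor
        self.malicious.add(src)
    def target(self, src):                            # where this source's flows go
        return self.secondary if src in self.malicious else self.primary

def run_sensor(flows, ctrl):  # classify each flow, notify the controller, map src -> server
    for fl in flows:
        if classify(flow_features(fl)) == "malicious":
            ctrl.notify(fl.src)
    return {fl.src: ctrl.target(fl.src) for fl in flows}

# Constructed sample flows: one normal HTTP exchange and three attack patterns.
SAMPLE_FLOWS = [Flow("10.0.0.5", [SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, ACK], 0.5),
                Flow("10.0.0.66", [ALL_FLAGS] * 20, 0.1),
                Flow("10.0.0.77", [SYN] * 500, 1.0),
                Flow("10.0.0.88", [FIN] * 10, 0.2)]

def demo():
    return run_sensor(SAMPLE_FLOWS, Controller("blue", "red"))
```

Slow HTTP POST, the one application-layer attack on the page, is not captured by these transport-level features and would need request-timing features in a real sensor.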

Authors
Marcos Aurelio Ribeiro
Graduate Program in Applied Computing, Federal University of Technology - Parana, Curitiba, Brazil
Mauro Sergio Pereira Fonseca
Graduate Program in Electrical and Computer Engineering, Federal University of Technology - Parana, Curitiba, Brazil
Juliana de Santi
Academic Department of Informatics, Federal University of Technology - Parana, Curitiba, Brazil

Introduction

This document presents data from the research carried out for the article "Detecting and Mitigating DDoS Attacks with Moving Target Defense approach based on automated flow classification in SDN networks". The source code of the applications developed for this study is available in the GitHub repository. A demonstration video of the project in operation is also presented.

ATTACK BAD TCP FLAGS (ALL FLAGS SET) WITH RANDOM FOREST SENSOR

Graph data: CSV file

Requests to the primary server during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

Requests to the secondary server during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

Sockets allocated and timewait on the primary server during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

Sockets allocated and timewait on the secondary server during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

Request errors occurred on the primary server during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

Request errors occurred on the secondary server during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

Service and connection states during Bad TCP flags (All Flags Set) attack with Random Forest sensor.

ATTACK FIN ONLY SET WITH GAUSSIAN NAIVE BAYES

Graph data: CSV file

Requests to the primary server during FIN Only Set attack with Gaussian Naive Bayes sensor.

Requests to the secondary server during FIN Only Set attack with Gaussian Naive Bayes sensor.

Sockets allocated and timewait on the primary server during FIN Only Set attack with Gaussian Naive Bayes sensor.

Sockets allocated and timewait on the secondary server during FIN Only Set attack with Random Forest sensor.

Request errors occurred on the primary server during FIN Only Set attack with Gaussian Naive Bayes sensor.

Request errors occurred on the secondary server during FIN Only Set attack with Gaussian Naive Bayes sensor.

Service and connection states during FIN Only Set attack with Gaussian Naive Bayes sensor.

ATTACK SLOW HTTP POST WITH STACKING CLASSIFIER

Graph data: CSV file

Requests to the primary server during Slow HTTP POST attack with Stacking Classifier sensor.

Requests to the secondary server during Slow HTTP POST attack with Stacking Classifier sensor.

Sockets allocated and timewait on the primary server during Slow HTTP POST attack with Stacking Classifier sensor.

Sockets allocated and timewait on the secondary server during Slow HTTP POST attack with Stacking Classifier sensor.

Request errors occurred on the primary server during Slow HTTP POST attack with Stacking Classifier sensor.

Request errors occurred on the secondary server during Slow HTTP POST attack with Stacking Classifier sensor.

Service and connection states during Slow HTTP POST attack with Stacking Classifier sensor.

ATTACK SYN AND FIN SET WITH SUPPORT VECTOR MACHINE

Graph data: CSV file

Requests to the primary server during SYN and FIN Set attack with Support Vector Machine sensor.

Requests to the secondary server during SYN and FIN Set attack with Support Vector Machine sensor.

Sockets allocated and timewait on the primary server during SYN and FIN Set attack with Support Vector Machine sensor.

Sockets allocated and timewait on the secondary server during SYN and FIN Set attack with Support Vector Machine sensor.

Request errors occurred on the primary server during SYN and FIN Set attack with Support Vector Machine sensor.

Request errors occurred on the secondary server during SYN and FIN Set attack with Support Vector Machine sensor.

Service and connection states during SYN and FIN Set attack with Support Vector Machine sensor.

ATTACK TCP SYN FLOOD WITH MULTILAYER PERCEPTRON

Graph data: CSV file

Requests to the primary server during TCP SYN Flood attack with Multilayer Perceptron sensor.

Requests to the secondary server during SYN and FIN Set attack with Multilayer Perceptron sensor.

Sockets allocated and timewait on the primary server during TCP SYN Flood attack with Multilayer Perceptron sensor.

Sockets allocated and timewait on the secondary server during TCP SYN Flood attack with Multilayer Perceptron sensor.

Request errors occurred on the primary server during TCP SYN Flood attack with Multilayer Perceptron sensor.

Request errors occurred on the secondary server during TCP SYN Flood attack with Multilayer Perceptron sensor.

Service and connection states during TCP SYN Flood attack with Multilayer Perceptron sensor.

Project demo

Here the functioning of the proposed project is demonstrated. In the demo, the "blue" server is the primary server and the "red" server is the secondary server. The operation of the Machine Learning sensor and of the SDN controller is demonstrated.