A scalable anomaly detection and mitigation architecture for legacy networks via an OpenFlow middlebox

2016 
In this paper, we investigate the applicability of inserting an OpenFlow middlebox to enhance the remotely triggered black hole (RTBH) routing mechanism, in order to mitigate distributed denial of service (DDoS) attacks in legacy networks. Specifically, we propose a modular architecture that exploits the network programmability of software-defined networking (SDN) within the context of network functions virtualization (NFV), deploying on-demand virtualized network functions (VNFs) capable of manipulating and filtering malicious traffic. Leveraging the OpenFlow control functionality, we match and handle traffic at a per-flow level, preserving connectivity to and from the victim while pushing the mitigation process upstream, towards the edge of the affected network. To that end, a multilevel anomaly detection and identification mechanism was developed that pinpoints the victim once an attack is detected. Subsequently, a virtualized network function instructs the edge router to forward all traffic destined to the victim to an OpenFlow switch, which acts as a middlebox that filters the malicious traffic identified by an OpenFlow controller while preserving benign flows. The proposed architecture was implemented and evaluated on a combination of datasets containing traces of real DDoS attacks and normal background traffic from our university campus network. Our analysis showed a clear clustering of the Internet Protocol (IP) prefixes used by malicious sources; we therefore implemented a longest common prefix aggregation algorithm so that the mitigation process scales, overcoming constraints due to the hardware limitations of OpenFlow devices. Our analysis verifies that the proposed modular and scalable scheme can efficiently identify DDoS attack victims and filter malicious traffic without exhausting system and network resources. Copyright © 2015 John Wiley & Sons, Ltd.
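The longest common prefix aggregation described in the abstract, as an added worked example that is not the paper's own code: the paper states only that malicious source prefixes are aggregated so the mitigation stays within the hardware limits of OpenFlow devices. The greedy merge order, the "collateral" metric (non-attacker addresses a rule would blackhole), the interpretation of the hardware limit as a flow-rule budget, the ovs-ofctl match syntax and the sample attacker addresses (constructed from documentation ranges) are all this example's assumptions.

```python
"""Greedy longest-common-prefix (LCP) aggregation of attacker source addresses
into a bounded number of drop rules for an OpenFlow middlebox.

Added example, not the paper's own code: the merge order, the collateral
metric, the rule budget and the ovs-ofctl match syntax are assumptions."""
import ipaddress
from typing import Iterable, List, Set

IPv4Net = ipaddress.IPv4Network

# Constructed sample: attacker sources reported by detection, drawn from the
# RFC 5737 documentation ranges. Two clusters plus one isolated source.
SAMPLE_ATTACKERS = [
    "203.0.113.5", "203.0.113.6", "203.0.113.9", "203.0.113.12",
    "198.51.100.130", "198.51.100.131", "198.51.100.140",
    "192.0.2.77",
]


def lcp_supernet(a: IPv4Net, b: IPv4Net) -> IPv4Net:
    """Smallest prefix containing both networks: keep the leading bits the two
    network addresses share, capped by the shorter of the existing prefixes."""
    diff = int(a.network_address) ^ int(b.network_address)
    shared = 32 - diff.bit_length()
    plen = min(shared, a.prefixlen, b.prefixlen)
    base = int(a.network_address) & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
    return IPv4Net((base, plen))


def collateral(net: IPv4Net, malicious: Set[ipaddress.IPv4Address]) -> int:
    """Addresses a drop rule for `net` would blackhole that are not known attackers."""
    hits = sum(1 for ip in malicious if ip in net)
    return net.num_addresses - hits


def aggregate_sources(sources: Iterable[str], max_rules: int) -> List[IPv4Net]:
    """Collapse attacker /32s into at most `max_rules` prefixes.

    Greedy: while over budget, merge the adjacent pair (in address order)
    whose LCP supernet blackholes the fewest non-attacker addresses. The
    budget stands in for the flow-table capacity of the OpenFlow switch
    (an assumption about which hardware limit the paper means).
    """
    if max_rules < 1:
        raise ValueError("need a budget of at least one flow rule")
    malicious = {ipaddress.IPv4Address(s) for s in sources}
    # Lossless first pass: /32s that exactly fill a /31, /30, ... merge for free.
    rules = list(ipaddress.collapse_addresses(IPv4Net(str(ip)) for ip in malicious))
    while len(rules) > max_rules:
        candidates = [(collateral(lcp_supernet(x, y), malicious), i)
                      for i, (x, y) in enumerate(zip(rules, rules[1:]))]
        _cost, i = min(candidates)
        merged = lcp_supernet(rules[i], rules[i + 1])
        # collapse_addresses re-sorts and drops any rule the new supernet subsumes.
        rules = list(ipaddress.collapse_addresses(rules[:i] + [merged] + rules[i + 2:]))
    return rules


def drop_flows(victim: str, rules: List[IPv4Net], priority: int = 100) -> List[str]:
    """Render each prefix as an Open vSwitch flow (ovs-ofctl add-flow syntax,
    an assumption: the paper does not name the switch) that drops traffic from
    that prefix to the victim. Lower-priority forwarding rules still carry
    every other flow, so benign traffic keeps reaching the victim."""
    return [f"priority={priority},ip,nw_src={net.with_prefixlen},nw_dst={victim},actions=drop"
            for net in rules]


if __name__ == "__main__":
    victim = "192.0.2.10"  # constructed: the host pinpointed by the detection stage
    rules = aggregate_sources(SAMPLE_ATTACKERS, max_rules=4)
    malicious = {ipaddress.IPv4Address(s) for s in SAMPLE_ATTACKERS}
    for net in rules:
        print(f"{net.with_prefixlen:<20} collateral={collateral(net, malicious)}")
    for flow in drop_flows(victim, rules):
        print("ovs-ofctl add-flow br0", repr(flow))
```

With a budget of four rules the eight constructed sources become 192.0.2.77/32, 198.51.100.130/31, 198.51.100.140/32 and 203.0.113.0/28: the clustered sources are absorbed into a /28 at the cost of twelve non-attacker addresses, while the isolated source stays a /32. Choosing merges by collateral rather than by prefix length is what keeps the rule set from swallowing large benign ranges when the budget is tight; whatever metric is used, the operator should still report the collateral of each installed rule, since every merge trades flow-table entries for possible over-blocking.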