Detecting and mitigating DDoS attacks with moving target defense approach based on automated flow classification in SDN networks

The Distributed Denial of Service (DDoS) coordinates synchronized attacks on systems on the Internet using a set of infected hosts (bots). Bots are programmed to attack a determined target by firing a lot of synchronized requests, causing slowness or unavailability of the service. This type of attack has recently grown in magnitude, diversity, and economic cost. Thus, this paper presents a DDoS detection and mitigation architecture based on Software Defined Networking (SDN). It considers the Moving Target Defense (MTD) approach, redirecting malicious floods to expendable low-capacity servers to protect the main server while discouraging the attacker. The redirecting decision is based on a sensor, that employs Machine Learning (ML) algorithms for flow classification. When malicious flows are detected, the sensor notifies the SDN controller to include them in the malicious hosts lists and to realize the redirection. The validation and evaluation of the proposed architecture are conducted by simulation. Results considering different classification models (probabilistic, linear model, neural networks, and trees) and attack types indicate that the proposed architecture is efficient in detecting and mitigating DDoS attacks in approximately 3 seconds.