VFence: A Defense against Distributed Denial of Service Attacks using Network Function Virtualization

With the exponential growth of the Internet use, cyber-threats are emerging rapidly. Distributed Denial of Service (DDoS) attack is one of the most common but damaging kinds of cyberattacks. A DDoS attack to a server typically prevents clients from receiving service by making the server overwhelmed with many invalid service requests. It is always a challenging problem to protect a system from DDoS attacks as it is not trivial to distinguish between an attack packet and a legitimate one. In this work, we have proposed VFence - a defense mechanism against DDoS attack that leverages the capability of the Network Function Virtualization (NFV) architecture. NFV is the technology of virtualizing network functions in virtual machines on commodity servers and it allows a flexible and dynamic implementation of the network functions. Our proposed mechanism uses network agents to intercept packets when the system is potentially under attack, to verify their authenticity, and to keep the server safe by dropping illegitimate packets. Since the attack intensity often varies, our NFV-based defense framework deploys agents dynamically to balance the attack load. Our simulation results demonstrate that the mechanism can successfully defeat the DDoS attacks by having all legitimate requests served, and the increase in the server's response time is insignificant compared to that of a successful DDoS attack.