DDoS protection with stateful software-defined networking

Distributed denial of service (DDoS) attacks represent one of the most critical security challenges facing network operators. Software-defined networking (SDN) permits fast reactions to such threats by dynamically enforcing simple forwarding/blocking rules as countermeasures. However, the centralization of the control plane requires that the SDN controller, besides network management operations, should also collect information to identify and mitigate the security menaces. A major drawback of this approach is that it may overload the controller and the control channel. On the other hand, stateful SDN represents a new concept, developed to improve reactivity and offload the controller by delegating local treatments to the switches. In this article, we embrace this paradigm to protect end-hosts from DDoS attacks. We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate flooding threats. StateSec monitors packets matching configurable traffic features without resorting to the controller. By feeding an entropy-based detection algorithm with such monitoring features, it detects and mitigates several threats such as (D)DoS with high accuracy. We implemented StateSec in an SDN platform comparing it with state-of-the-art approaches. We show that StateSec is far more efficient: It achieves very accurate detection levels, reducing at the same time the control plane overhead. We have also evaluated the memory footprint of StateSec for a possible use in production. Finally, we deployed StateSec over a real network to tune its parameters and assess its suitability to real-world deployments.