Virtual Network Functions Placement for Defense Against Distributed Denial of Service Attacks

In this paper, we are interested in the problem of Virtual Network Function (NFV) placement to counter Distributed Denial of Service (DDoS) attacks. A DDoS attack is one of the most common and damaging types of cyberattacks. In Network Function Virtualization (NFV) technology network functions, more specifically security mechanisms, are implemented as software. Such approach significantly reduces the cost of the infrastructure and simplifies the deployment of new services. We propose two new models for this critical and complex problem. The first model is a mixed-integer linear program aiming at eliminating all DDos attacks before they reach their target. As its size grows exponentially with the network size, we propose a constraint generation algorithm to solve it. The numerical results obtained for different realistic network instances show the effectiveness of our approach. The second model is a bilevel programming problem that achieves a trade-off between NFVs placement costs and security levels requirements. Our results show that this mechanisms overcomes DDos attacks by effectively filtering attacks while minimizing the total cost of deployed NFV.