In this paper, we propose a design to detect and prevent IP spoofing-based distributed denial of service (DDoS) attacks on software-defined networks (SDNs). DDoS attacks are still one of the significant problems for internet service providers (ISPs) and individual users. These attacks can disrupt customer services by targeting the availability of the system, and in some cases, they can completely shut down the target infrastructure. Protecting the system against DDoS attacks is therefore crucial for ensuring the reliability and availability of internet services. To address this problem, we propose a lightweight source address validation (LSAV) framework that leverages the flexibility of SDN architecture in ISP networks and employs a lightweight filtering mechanism that considers the cost of operation to maintain high performance. Our setup for the proposed mechanism reflects client?server communication through an ISP SDN, and we use the entry points to eliminate malicious user requests targeting the systems. We then propose a novel algorithm on top of this setup to introduce a new and more efficient approach to existing mitigation methodologies. In addition to filtering the traffic against IP spoofing-based DDoS attacks, LSAV also prioritizes low resource consumption and high performance in terms of delay and bandwidth. With this approach, we believe that ISPs can effectively defend against IP spoofing-based DDoS attacks while still preserving low resource consumption for the infrastructure and high-quality internet services for their customers.
Software-defined network, source address validation, IP spoofing prevention, security, DDoS mitigation, DoS mitigation
KARAKOÇ, ALİ and ALAGÖZ, FATİH
"LSAV: Lightweight source address validation in SDN to counteract IP spoofing-based DDoS attacks,"
Turkish Journal of Electrical Engineering and Computer Sciences: Vol. 31:
7, Article 4.
Available at: https://journals.tubitak.gov.tr/elektrik/vol31/iss7/4