SDN-based DDoS mitigation


Scientific context

SDN (Software-Defined Networking) is a recent networking paradigm that promotes highly flexible, programmable network configuration. It allows forwarding devices (routers, switches) to be reconfigured dynamically from a logically centralised controller. In such a context, SDN is particularly well suited to coordinating network devices so that they jointly counter an ongoing attack.

Distributed Denial-of-Service (DDoS) attacks represent a major threat on the Internet [1,2], both because of the disruption they cause and because there is no easy defence against them. These attacks are launched from a botnet, i.e. a collection of remotely controlled computers, in order to saturate the data links leading to a target with hundreds of Gbps of traffic. Most current techniques for mitigating DDoS attacks rely on increasing the service capacity through cloud-based infrastructures, so that the cloud absorbs the heavy load of the DDoS [3]. However, these solutions are costly and also raise privacy issues, since they require companies to redirect their network traffic through these cloud providers. In addition, many companies cannot reroute their traffic at all if they do not control their own IP address range.


Objective

The objective of the thesis is to design mechanisms that absorb attacks within the network itself. The designed mechanisms rely on stochastic techniques to redefine routing decisions in real time so as to scatter the DDoS traffic as widely as possible. We assume that detection of the attack itself is performed using state-of-the-art techniques; the main challenge to be addressed here is real-time DDoS mitigation through network reconfiguration. Indeed, the network devices represent available resources which can be used to absorb the attack, especially if all of them are well synchronised by leveraging SDN and its ability to make networks dynamic and programmable.

The first research question to address is the orchestration of in-network absorption of large-scale DDoS attacks, i.e. turning the network itself into a DDoS absorber. The goal is to investigate how to use as many network paths as possible, and as efficiently as possible, as well as how to introduce delays in message delivery while the network is under attack. However, given the scale of some DDoS attacks, we will also investigate hybrid models. Hence, the second question concerns the synchronisation of in-network and cloud-based absorption of DDoS traffic.


Approach

In what follows, the network is modelled as a connected graph. Data transmission through this network may be modelled by a complex dynamical system on the graph, in which only the initial conditions are random. During a DDoS attack, too many packets reach the same node of the network, which completely exhausts its computational resources so that legitimate users can no longer access the node's services. A first challenge is to build a realistic dynamical system describing data transmission through network graphs taken from the literature. We will also be able to simulate DDoS attacks by means of stochastic models of the data entering the network. Our simulation model could draw on the stochastic modelling of traffic flows [4], which presents many similarities with our problem.

Our strategy requires identifying the “healthy” states of the network, which will serve as our target states. The approach is based on the construction of a stochastic dynamical system on the network which may route traffic along indirect routes and/or introduce delays, and which converges to these target states. The idea is to make random but well-chosen decisions in order to bring the network closer to the healthy states or, equivalently, farther from failure. Indeed, an ideal approach that considers every possible reconfiguration in order to find the optimal one does not scale. Thus, in this work we will focus on defining local optimisation techniques designed to converge to the global optimum. This greatly reduces the processing time for routing decisions, but the convergence time then has to be carefully addressed. The stochastic dynamical system could rely on the Metropolis-Hastings algorithm to construct a Markov chain that converges to a given target distribution. These techniques are closely related to simulated annealing and are well adapted to combinatorial optimisation problems [5].

The strategy that we propose should take into account the presence of other data flows that are unrelated to the attack. A first step is to construct a strategy under an average flow through the network. Nevertheless, this data flow is highly non-deterministic: its variability should be taken into account in order to propose a good strategy, both to avoid starving the other flows and to take better decisions for absorbing the attack. We will thus obtain a Metropolis-Hastings Markov chain in random media, and we will deal with the question of its convergence towards the target law from both theoretical and numerical points of view. Similar methods have recently been addressed in the context of aircraft trajectory optimisation [6].
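The following is an added illustration of the two previous paragraphs, written for this page and not part of the thesis proposal or of any of its cited work. It treats a small, constructed topology as a graph, enumerates the candidate paths of each attack flow, and runs a Metropolis-Hastings chain with simulated-annealing cooling over path assignments. The energy function (squared link utilisation plus an overload penalty and a small per-hop price, so that longer, delayed routes are accepted only when they relieve congestion) and all capacities, flow rates and background-traffic means are assumptions chosen for the example. Legitimate traffic is drawn at random around its mean at every energy evaluation, which is the "random media" of the text: the chain never sees the same landscape twice.

```python
"""Metropolis-Hastings / simulated-annealing rerouting of DDoS flows on a toy graph (added example)."""
import math
import random
from collections import defaultdict

# Constructed toy topology: undirected links keyed as (u, v) with u < v, capacities in Gbps.
# Edge node "a" is where the attack enters; "t" is the targeted service.
LINKS = {
    ("a", "b"): 10.0, ("a", "c"): 10.0,
    ("b", "d"): 10.0, ("c", "d"): 10.0,
    ("b", "e"): 10.0, ("c", "e"): 10.0,
    ("d", "e"): 10.0,
    ("d", "t"): 10.0, ("e", "t"): 10.0,
}
HOP_WEIGHT = 0.01       # assumed price per extra hop (delay) so detours are only taken under congestion
OVERLOAD_WEIGHT = 10.0  # assumed extra penalty per unit of utilisation above 1.0


def link(u, v):
    """Canonical key of an undirected link."""
    return (u, v) if u < v else (v, u)


def simple_paths(src, dst, max_hops):
    """All loop-free paths from src to dst using at most max_hops links (plain DFS, fine for small graphs)."""
    adj = defaultdict(list)
    for u, v in LINKS:
        adj[u].append(v)
        adj[v].append(u)
    out = []

    def dfs(node, path):
        if node == dst:
            out.append(list(path))
            return
        if len(path) - 1 >= max_hops:
            return
        for nxt in adj[node]:
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return out


def link_loads(flows, assignment, background):
    """Per-link load: background traffic plus the rate of every flow routed over the link."""
    load = dict(background)
    for fid, (_, _, rate) in flows.items():
        path = assignment[fid]
        for u, v in zip(path, path[1:]):
            load[link(u, v)] = load.get(link(u, v), 0.0) + rate
    return load


def max_utilisation(flows, assignment, background):
    load = link_loads(flows, assignment, background)
    return max(load.get(k, 0.0) / cap for k, cap in LINKS.items())


def energy(flows, assignment, background):
    """Congestion cost of a routing state: the chain's target law is proportional to exp(-energy/T)."""
    load = link_loads(flows, assignment, background)
    cost = 0.0
    for k, cap in LINKS.items():
        util = load.get(k, 0.0) / cap
        cost += util ** 2 + OVERLOAD_WEIGHT * max(0.0, util - 1.0)
    hops = sum(len(path) - 1 for path in assignment.values())
    return cost + HOP_WEIGHT * hops


def expected_energy(flows, assignment, mean_background, sigma, rng, n_samples):
    """Random media: legitimate traffic is resampled around its mean, and the energy averaged."""
    total = 0.0
    for _ in range(n_samples):
        sampled = {k: max(0.0, rng.gauss(m, sigma)) for k, m in mean_background.items()}
        total += energy(flows, assignment, sampled)
    return total / n_samples


def anneal(flows, candidates, mean_background, sigma=0.5, steps=2000,
           t0=1.0, t_end=0.01, n_samples=4, seed=1):
    """Metropolis-Hastings over path assignments with geometric cooling; returns the best state seen."""
    rng = random.Random(seed)
    # Start from what plain routing would do: the shortest candidate path for every flow.
    current = {fid: min(paths, key=len) for fid, paths in candidates.items()}
    cur_e = expected_energy(flows, current, mean_background, sigma, rng, n_samples)
    best, best_e = dict(current), cur_e
    for step in range(steps):
        temp = t0 * (t_end / t0) ** (step / steps)
        fid = rng.choice(list(flows))
        proposal = dict(current)
        proposal[fid] = rng.choice(candidates[fid])  # local move: reroute a single flow
        new_e = expected_energy(flows, proposal, mean_background, sigma, rng, n_samples)
        # Metropolis rule: always accept improvements, accept worse states with probability exp(-dE/T)
        if new_e <= cur_e or rng.random() < math.exp(-(new_e - cur_e) / temp):
            current, cur_e = proposal, new_e
            if cur_e < best_e:
                best, best_e = dict(current), cur_e
    return best, best_e


def demo():
    """Four constructed attack flows from a to t on top of constructed legitimate traffic."""
    flows = {f"atk{i}": ("a", "t", 3.5) for i in range(4)}
    candidates = {fid: simple_paths(src, dst, 4) for fid, (src, dst, _) in flows.items()}
    mean_background = {("a", "b"): 1.0, ("d", "t"): 2.0, ("e", "t"): 2.0}
    initial = {fid: min(paths, key=len) for fid, paths in candidates.items()}
    best, _ = anneal(flows, candidates, mean_background)
    return (max_utilisation(flows, initial, mean_background),
            max_utilisation(flows, best, mean_background), best)


if __name__ == "__main__":
    before, after, best = demo()
    print(f"max link utilisation: shortest paths {before:.2f} -> annealed {after:.2f}")
    for fid, path in sorted(best.items()):
        print(fid, "->".join(path))
```

With every flow on its shortest path the links a-b and d-t carry the whole 14 Gbps of attack traffic and run well above capacity; the annealed assignment spreads the flows over both ingress links of t and both egress links of a, and the hop price keeps it from taking the 4-hop detours unless they pay for themselves. The point a practitioner should take from the example is the trade-off the text describes: the chain converges towards low-congestion states without ever enumerating the 8^4 possible assignments, but the number of steps (and the cooling schedule) is exactly the "convergence time" that has to be budgeted against how fast the mitigation must take effect.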

In this thesis the PhD candidate will elaborate mechanisms for selecting and adapting different mathematical techniques for modelling node interconnectivity as well as network traffic, such that the associated traffic forwarding rules can be redefined. The main challenge to address is scalability with respect to the variety and number of traffic flows to handle, so as to mitigate DDoS attacks as fast as possible. To achieve this, the PhD candidate will have to design new network management control mechanisms that proactively compute undesired network states and their associated mitigation strategies. Then, based on network monitoring, the goal is to detect when changes in the network (mainly in traffic flows) tend towards such an undesired situation, and to trigger counter-measures (reconfiguration) at the right time. Therefore, a new orchestration technique leveraging SDN will be designed and evaluated, in particular in terms of attack mitigation efficiency (time to mitigate and to recover to a normal state) and network overhead (e.g. reconfiguration messages, but also route instability if the system is too sensitive). As highlighted above, the resolution technique will also consider cloud services for deploying absorbing services, but these introduce a significant cost that should be included in the traffic absorption model.


Supervision

Advisor: Prof. Isabelle Chrisment (LORIA), isabelle.chrisment@loria.fr
Co-advisors:

Doctoral school: IAEM Lorraine Graduate School


How to apply

In order to prepare a PhD thesis within the Lorraine Université d’Excellence Program, interested candidates should consult the PhD topics offered under each of the social and economic challenges.
These PhD thesis topics are proposed by faculty members or researchers accredited to supervise research.

Candidate application period: according to graduate school schedule

Each candidate may submit an application on up to three separate research topics.

Application analysis period by each graduate school
The graduate school reviews the applicants for a doctoral contract in the relevant disciplines. It checks the supervision load of each supervisor and the situation of the doctors they have previously trained. Each candidate will meet the laboratory director, a supervisor or a representative of the graduate school. This interview serves to assess the candidate’s motivation and suitability for the PhD project proposed by the supervisor. A recommendation summarising the strengths and/or weaknesses of the application will then be made to the graduate school.

PhD grants include a monthly income for the PhD student (roughly 1700 € for research only; a complement can be provided for teaching duties) and a research environment within the host research unit.

Please be aware that, in order to offer a variety of subjects, more positions are posted here than there is funding available. The LUE executive committee will make the final choice on the funding granted (up to 12 positions), based on the recommendations of the doctoral schools.