SDNFV-based DDoS detection and remediation in multi-tenant, virtualized infrastructures

Ali, A. F. T., Cziva, R., Jouet, S. and Pezaros, D. (2017) SDNFV-based DDoS detection and remediation in multi-tenant, virtualized infrastructures. In: Guide to Security in SDN and NFV: Challenges, Opportunities, and Applications. Series: Computer communications and networks. Springer. (Accepted for Publication)

[img] Text
142383.pdf - Accepted Version
Restricted to Repository staff only

444kB

Abstract

As ICT resources are increasingly hosted over Cloud Data Center infrastructures, Distributed Denial of Service (DDoS) attacks are becoming a major concern for Cloud service providers and tenants. The lack of physical resource isolation over a Cloud environment exposes non-targeted tenants to indirect performance degradation while it is increasingly challenging to distinguish between safe (e.g., internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance and high-cost bespoke appliances (middleboxes) in fixed locations of the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in. In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit latest advances in Network Function Virtualization (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions where and when required to protect the infrastructure at the onset of DDoS attacks. We rely on the networkwide, logically-centralised management of traffic and network services provided by Software-Defined Networking (SDN) for the placement of NFs and to (re-)route traffic to them. Using an example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic security module duplication and placement to remediate the performance impact of the attack on the underlying infrastructure.

Item Type:Book Sections
Status:Accepted for Publication
Glasgow Author(s) Enlighten ID:Cziva, Mr Richard and Ali, Abeer Farouk Tawfeek and Pezaros, Dr Dimitrios and JOUET, SIMON
Authors: Ali, A. F. T., Cziva, R., Jouet, S., and Pezaros, D.
College/School:College of Science and Engineering > School of Computing Science
Publisher:Springer

University Staff: Request a correction | Enlighten Editors: Update this record

Project CodeAward NoProject NamePrincipal InvestigatorFunder's NameFunder RefLead Dept
643481A Situation-aware information infrastructureDimitrios PezarosEngineering and Physical Sciences Research Council (EPSRC)EP/L026015/1COM - COMPUTING SCIENCE
709131Network Measurement as a Service (MaaS)Dimitrios PezarosEngineering and Physical Sciences Research Council (EPSRC)EP/N033957/1COM - COMPUTING SCIENCE
722161FRuIT: The Federated RaspberryPi Micro-Infrastructure TestbedJeremy SingerEngineering and Physical Sciences Research Council (EPSRC)EP/P004024/1COM - COMPUTING SCIENCE
608831IMC2: Instrumentation, Measurement and Control for the CloudDimitrios PezarosEngineering and Physical Sciences Research Council (EPSRC)EP/L005255/1COM - COMPUTING SCIENCE