SDNFV-based DDoS detection and remediation in multi-tenant, virtualized infrastructures

Ali, A. F. T., Cziva, R., Jouet, S. and Pezaros, D. (2017) SDNFV-based DDoS detection and remediation in multi-tenant, virtualized infrastructures. In: Zhu, S., Scott-Hayward, S., Jacquin, L. and Hill, R. (eds.) Guide to Security in SDN and NFV: Challenges, Opportunities, and Applications. Series: Computer communications and networks. Springer: Cham, pp. 171-1896. ISBN 9783319646527 (doi: 10.1007/978-3-319-64653-4_7)

Full text not currently available from Enlighten.

Abstract

As ICT resources are increasingly hosted over Cloud Data Center infrastructures, Distributed Denial of Service (DDoS) attacks are becoming a major concern for Cloud service providers and tenants. The lack of physical resource isolation in a Cloud environment exposes non-targeted tenants to indirect performance degradation, while it is increasingly challenging to distinguish between safe (e.g., internal, DMZ) and external zones. Traditional DDoS detection and prevention systems employ high-performance, high-cost bespoke appliances (middleboxes) at fixed locations in the physical infrastructure. However, this limits their provisioning abilities to a static specification, hindering extensible functionality and resulting in vendor lock-in. In this chapter, we propose a softwarised orchestration framework for DDoS detection and mitigation in the cloud. We exploit the latest advances in Network Function Virtualization (NFV) to devise a modular security framework through the dynamic deployment of lightweight network functions where and when required, protecting the infrastructure at the onset of DDoS attacks. We rely on the network-wide, logically-centralised management of traffic and network services provided by Software-Defined Networking (SDN) for the placement of NFs and to (re-)route traffic to them. Using an example of a DDoS remediation service, we demonstrate the benefits of an extensible and reconfigurable DDoS security system that uses dynamic security module duplication and placement to remediate the performance impact of the attack on the underlying infrastructure.

Item Type: Book Sections
Status: Published
Glasgow Author(s) Enlighten ID: Jouet, Simon; Pezaros, Professor Dimitrios; Cziva, Mr Richard; Ali, Abeer Farouk Tawfeek
Authors: Ali, A. F. T., Cziva, R., Jouet, S., and Pezaros, D.
College/School: College of Science and Engineering > School of Computing Science
Publisher: Springer
ISBN: 9783319646527
Published Online: 12 November 2017


Funding

Project Code: 643481
Project Name: A Situation-aware information infrastructure
Principal Investigator: Dimitrios Pezaros
Funder's Name: Engineering and Physical Sciences Research Council (EPSRC)
Funder Ref: EP/L026015/1
Lead Dept: COM - COMPUTING SCIENCE

Project Code: 709131
Project Name: Network Measurement as a Service (MaaS)
Principal Investigator: Dimitrios Pezaros
Funder's Name: Engineering and Physical Sciences Research Council (EPSRC)
Funder Ref: EP/N033957/1
Lead Dept: COM - COMPUTING SCIENCE

Project Code: 722161
Project Name: FRuIT: The Federated RaspberryPi Micro-Infrastructure Testbed
Principal Investigator: Jeremy Singer
Funder's Name: Engineering and Physical Sciences Research Council (EPSRC)
Funder Ref: EP/P004024/1
Lead Dept: COM - COMPUTING SCIENCE

Project Code: 608831
Project Name: IMC2: Instrumentation, Measurement and Control for the Cloud
Principal Investigator: Dimitrios Pezaros
Funder's Name: Engineering and Physical Sciences Research Council (EPSRC)
Funder Ref: EP/L005255/1
Lead Dept: COM - COMPUTING SCIENCE