SDN-based DDoS Attack Detection with Cross-Plane Collaboration and Lightweight Flow Monitoring

Distributed Denial of Service (DDoS) attack is one of the biggest concerns for security professionals. Traditional DDoS attack detection mechanisms are based on middle-box devices or SDN controllers, which either lack network-wide monitoring information or suffer with serious southbound communication overhead and detection delay. In this paper, we propose a SDN-based DDoS attack detection framework with cross-plane collaboration called OverWatch, which performs a two-stage granularity filtering procedure between coarse-grained detection data plane and fine-grained detection control plane for abnormal flows. It leverages computational capabilities that currently underutilized on OpenFlow switches to shrink the detection range for fine-grained DDoS attack detections. In OverWatch, we propose a lightweight flow monitoring algorithm to capture the key features of DDoS attack traffics on the data plane by polling the values of counters in OpenFlow switches. Experiments are conducted in an evaluating network with a FPGA-based OpenFlow switch prototype and the Ryu controller, which reveal that our proposed OverWatch framework and flow monitoring algorithm can greatly improve the detection efficiency, as well as reduce the detection delay and southbound communication overhead.