Mitigating Crossfire Attacks using SDN-based Moving Target Defense

Recent research demonstrated that software defined networking (SDN) can be leveraged to enable moving target defense (MTD) to mitigate distributed denial of service (DDoS) attacks. The network states are continuously changed in MTD by effectively collecting information from the network and enforcing certain security measures on the fly in order to deceive the attackers. Being motivated from the success of SDN-based maneuvering, this work targets an emerging type of DDoS attacks, called Crossfire, and proposes an SDN-based MTD mechanism to defend against such attacks. We analyze Crossfire attack planning and utilize the analyzed results to develop the defense mechanism which in turn reorganize the routes in such a way that the congested links are avoided during packet forwarding. The detection and mitigation techniques are implemented using Mininet emulator and Floodlight SDN controller. The evaluation results show that the route mutation can effectively reduce the congestion in the targeted links without making any major disruption on network services.