Synchronizing DDoS defense at network edge with P4, SDN, and Blockchain

Botnet-originated DDoS attacks continue to plague the internet and disrupt services for legitimate users. While various proposals have been presented in the last two decades, the botnet still has advantages over the defenders, because botnets have orchestrated processes to launch disruptive attacks. On the other hand, the defenders use manual methods, siloed tools, and lack orchestration among different organizations. These unorchestrated efforts slow down the attack response and extend the lifespan of botnet attacks. This article presents shieldSDN and shieldCHAIN, an inter-organization collaborative defense framework using P4, SDN, and Blockchain, which extends our earlier research on microVNF, a solution of Edge security for SIP-enabled IoT devices with P4. Besides mitigating DDoS attacks, microVNF also produces attack fingerprints called Indicator of Compromise (IOC) records. ShieldSDN and shieldCHAIN distribute these IOCs to other organizations so that they can create their own packet filters. Effectively, shieldSDN and shieldCHAIN synchronize packet filters for different organizations to mitigate against the same botnet strain. Four experiments were performed successfully to validate the functionalities of shieldSDN and shieldCHAIN. The scope for the first experiment was intra-company, while the second, third, and fourth experiments were inter-company. In the first experiment, shieldSDN extracted IOCs from the source switch and installed these as packet filters on other switches within the same organization (in the U.S.). In the second experiment, the shieldCHAIN in the publishing organization (in the U.S.) shared IOCs by posting them to the Blockchain. In the third experiment, the shieldCHAIN in the subscriber organizations (in Singapore & the U.K.) retrieved these IOCs from Blockchain. Finally, in the last experiment, the shieldCHAIN in the subscriber organizations installed the retrieved IOCs as packet filters; that are identical to those in the originating organization. To the best of our knowledge, this is the first framework that uses the P4 switch, SDN controller, and Blockchain together for this use case. As SDN and Blockchain gain acceptance, this framework empowers community members to collaborate and defend against botnet DDoS attacks.