Effectiveness of Entropy-Based DDoS Prevention for Software Defined Networks

This work investigates entropy-based prevention of Distributed Denial-of-Service (DDoS) attacks for Software Defined Networks (SDN). The experiments are conducted on a virtual SDN testbed setup within Mininet, a Linux-based network emulator. An arms race iterates on the SDN testbed between offense, launching botnet-based DDoS attacks with progressive sophistications, and defense who is deploying SDN controls with emerging technologies from other faucets of cyber engineering. The investigation focuses on the transmission control protocol's synchronize flood attack that exploits vulnerabilities in the three-way TCP handshake protocol, to lock up a host from serving new users. The defensive strategy starts with a common packet filtering-based design from the literature to mitigate attacks. Utilizing machine learning algorithms, SDNs actively monitor all possible traffic as a collective dataset to detect DDoS attacks in real time. A constant upgrade to a stronger defense is necessary, as cyber/network security is an ongoing front where attackers always have the element of surprise. The defense further invests on entropy methods to improve early detection of DDoS attacks within the testbed environment. Entropy allows SDNs to learn the expected normal traffic patterns for a network as a whole using real time mathematical calculations, so that the SDN controllers can sense the distributed attack vectors building up before they overwhelm the network. This work reveals the vulnerabilities of SDNs to stealthy DDoS attacks and demonstrates the effectiveness of deploying entropy in SDN controllers for detection and mitigation purposes. Future work includes provisions to use these entropy detection methods, as part of a larger system, to redirect traffic and protect networks dynamically in real time. Other types of DoS, such as ransomware, will also be considered.