Discriminate, locate and mitigate DDoS traffic in presence of Flash Crowd in Software Defined Network

Discrimination of Flash crowd and Distributed Denial of Service (DDoS) traffic has been addressed already in legacy network and Software Defined Network (SDN), and remains a challenging task. The nature of Flash crowd and DDoS traffic is similar and becomes more complex to identify when DDoS traffic is generated from legitimate IPs of compromised hosts. Mostly, the works available in the literature are based on Entropy or Machine Learning or Deep Learning techniques to address this complex problem. The accuracy of these techniques depend on features available in datasets, which may vary from network to network. In this paper, our contribution is to devise a model based on behavior and techniques used by attackers to generate Multi-Destination (MD) DDoS traffic targeting SDN controllers. The novelty of the proposed model is to detect, locate, and mitigate MD spoof source IP/MAC and also contribute to defending malicious traffic generated using legitimate IP/MAC addresses.