Dynamic DDoS Defense


Let’s face it, DDoS attacks are growing both in size and complexity. Botnets used to launch DDoS attacks can contain anywhere from hundreds of thousands to millions of bots and as long as malware is prevalent across the Internet those numbers will continue to grow. Not to mention new avenues for reflection and amplification types of attack are appearing everyday (it started with ICMP and DNS, and now there’s NTP, SNMP, SSDP and even malvertising and XSS vulnerabilities are being leveraged to launch attacks). DDoS attacks are scaling faster than our onsite mitigation appliances but it’s not due to the technology becoming outdated, but rather the complex nature of building a network. Each additional device on the network requires configuration (and usually reconfiguration of other devices) and can take a lot of time and effort to setup and ensure that the change doesn’t break anything in your network or cause your production environment to fall flat on its face. Lucky for us there’s light at the end of the UDP flooded tunnel in the way of Software Defined Networks.

Brief Overview of SDN and its benefits

SDN strives to separate the control plane (the logic that defines how packets should be forwarded in a network) and the data plane (the devices responsible for actually handling and forwarding packets). It does this by centralizing the forwarding logic into a single controller (or multiple for redundancy or more complicated SDN setups) which will have a full view of the entire network and will push out forwarding rules to all of the switches and routers within a network. These rules define a pattern used to match network flows as well as an action or multiple actions to be carried out by the network device, which could include modifying the packet, forwarding it to another device, or simply dropping it. The controller provides a programmable interface, allowing network engineers to define their own logic for how all of the network devices should behave. The network devices can also provide feedback to the controller in the form of measurement metrics (ex. current throughput of a network device) or even packets, if a device in unsure of how to forward it within the network. This allows the network behaviour to dynamically change based on the feedback received allowing for tasks such as load balancing, enforcement of Access Control Lists, and even behavioral analysis for identifying and blocking malicious traffic, to be done by the network devices themselves. Currently, one of the more popular standards driving the shift to SDN is called OpenFlow and when it is supported on network devices, it gives the controller an interface in which it can communicate with the data plane.

How can a SDN mitigate a DDoS Attack

The complete view of the network a SDN controller has, coupled with the ability to modify how traffic is handled in that network, makes SDNs well suited for mitigating a DDoS attack. During a DDoS attack, a large number of packets or requests are directed at a target from a large number of sources. In less sophisticated attacks, there will usually be a pattern or unique signature to the traffic allowing it to be identified. Some identifiers include an unusually large number of requests from a single source (a person wouldn’t reload a web page 10 times a second) or a continuous repetition of the data being sent. To block an attack, a controller would require a constant stream of information about the current state of the network, usually provided by the network devices themselves. It can then use this information to identify potentially malicious flows, and push out rules to all of the network devices to block that particular flow, or generate a signature from the flow and use that to block any future flows.

A typical set up will have a service running on the network devices to provide metrics about the network (ex. sFlow). An analytics program running on the controller receives and analyzes all of the network information to detect and identify any malicious flows. It would then choose an appropriate action to take in order to mitigate the attack (ex. drop traffic from a particular source) and then instruct the controller to push out rules to the appropriate network devices to execute the chosen action.

Benefits of SDN

The main benefits of SDN networks are having a distributed platform with centralized control and management, scalability, and customizability. Centralized control and management can greatly reduce the time it takes to mitigate an attack. Information about network traffic is collected from all network devices, allowing you to identify malicious flows and generate signatures and rules for handling that traffic by correlating data from the entire network. Any rules for blocking malicious flows can then be pushed out to all network devices, preventing an attacker from switching their target, as well as making it less effective to switch the sources of an attack. Since SDNs are distributed by nature, the load of mitigating an attack can be distributed amongst all of your edge routers. Additionally, if one device fails, the controller can automatically reroute traffic, eliminating single points of failure and promoting better availability of your network.

Scalability comes from the fact that adding additional network devices takes less time and configuration due to the centralized control. This has the added benefit that if you’re increasing your network capacity by adding additional devices, you’re simultaneously increasing your DDoS mitigation capacity as well, reducing overall overhead of the process. Vendors have also started to implement Hybrid OpenFlow on their devices, where the built-in switching logic of a device is used by default and OpenFlow is used for exceptions. This reduces some of the performance overhead that comes with SDNs and enables a SDN to achieve line speeds under normal conditions, which can be crucial for building a highly scalable network solution.

A controller can expose a number of different APIs that allow network operators and programmers to run applications on top of the controllers to customize how a network behaves. This allows networks to become highly adaptive and better suited to deal with the ever-changing DDoS threat landscape. Additionally, there’s less overhead for updating applications or adding additional ones since only the controllers need to be updated, rather than every network device.


DDoS is constantly evolving. Attacks are growing in size, new attack vectors are being utilized and even older attacks are being revamped to be effective and dangerous again (ex. Tsunami SYN Flood). Attackers are also discovering new means of launching DDoS attacks with ease, whether it is reflection/amplification attacks (NTP, SNMP, SSDP, WordPress) or direct floods using any number of botnets for hire. To keep up with the ever-changing threat landscape we need a solution that’s flexible and customizable so that it can evolve when the attacks evolve. It needs to be able to scale to handle the increasing size of the attacks. SDNs are well suited to tackle these challenges and in the coming years could prove to be the most effective solution, enabling your network to adapt on the fly.