Venue: IEEE Conference on Local Computer Networks

Whack-a-Mole: Software-defined Networking driven Multi-level DDoS defense for Cloud environments


Abstract

With wider adoption of Software-Defined Networking (SDN), network obfuscation and resource adaptation within a cloud environment have emerged as cost-effective solutions against cyber attacks. In spite of their implementation simplicity, shortcomings of such one-dimensional strategies are considerable against sophisticated attacks where the attackers have enhanced visibility to the cloud network. In this paper, we propose Whack-a-Mole, an SDN-driven cloud resource management scheme through network obfuscation that can help Cloud Service Providers (CSPs) to: a) proactively protect critical services from impending DDoS attacks and b) contribute very little service interruption footprint while doing so. Whack-a-Mole works at two levels: it employs a novel virtual machine (VM) spawning model that not only creates multiple VM-replicas of critical services to new cloud resource instances, but also assigns VM-replicas' IP addresses through address space randomization. Using numerical results, we show how such VM spawning can be optimized based on realistic cloud Service Level Agreements (SLA) without compromising its effectiveness. Finally, Whack-a-Mole is implemented through SDN/OpenFlow controllers over Open vSwitches on a GENI testbed where the efficacy and effectiveness of the scheme are evaluated. The results show Whack-a-Mole to be as effective as random obfuscation in evading attack events and more than 2x better on average in attack avoidance over other static resource adaptation based defense strategies.