Data plane-based defense system against DDoS attacks for software defined networks

2018
Gözütok, Ahmet
Software Defined Networking (SDN) is a new networking architecture. It offers promising advances and provides remarkable solutions to certain challenges in this area, yet it is still vulnerable to Distributed Denial of Service (DDoS) attacks. DDoS attacks have devastating impacts on the SDN architecture and may lead to the failure of an entire SDN network. There is no generally accepted network defense system against these attacks for the SDN architecture, and many problems in this area remain unresolved. This thesis presents the MiddleModule system, a Network/Transport-Level DDoS attack detection and prevention framework designed for the SDN architecture. MiddleModule is a data plane-based DDoS defense system: the monitoring, detection and prevention capabilities are deployed in the data plane devices, namely the OpenFlow switches. In addition, the thesis states several requirements that a data plane-based defense system should satisfy and provides several attack detection algorithms against various Network/Transport-Level DDoS attack types. Within the scope of this thesis, an extensive evaluation of the proposed framework and of the detection algorithms is performed using different evaluation scenarios, and the results are compared with those of similar studies in the literature. Moreover, a detailed literature analysis is provided, explaining and classifying the related studies.

Suggestions

A low latency, high throughput and scalable hardware architecture for flow tables in software defined networks
Eral, Göksan; Schmidt, Şenan Ece; Department of Electrical and Electronics Engineering (2016)
Software Defined Networking (SDN) is a new paradigm which requires multi-field packet classification for each received packet by looking up Flow Tables which contain a large number of rules and corresponding actions. The rules are defined by up to 15 packet header fields including IP source and destination address. If more than one rule matches, then the action of the highest priority rule is executed. Furthermore, rules with wildcard fields are possible. The SDN Flow Table should scale with the rule coun...
Switch fabric schedulers with intelligent multi-class support: design, implementation and evaluation on FPGA /
Akpınar, Murat; Schmidt, Şenan Ece; Department of Electrical and Electronics Engineering (2014)
The applications in the contemporary computer networks require end-to-end Quality of Service (QoS). Moreover, different applications have different QoS requirements. Thus, it is important to support QoS in the network layer routers, which can be achieved by scheduling the output queues in output queued routers. However, pure output queued routers are not easy to build. Hence, it is important to equip the fabric schedulers of input queued switches with QoS support. Thus, it is an important research problem ...
Software implementations of QoS scheduling algorithms for high speed networks /
Pehlivanlı, Aydın; Schmidt, Şenan Ece; Department of Electrical and Electronics Engineering (2015)
The end to end Quality of Service (QoS) support for the dominating multimedia traffic in the contemporary computer networks is achieved by implementing schedulers in the routers and deploying traffic shapers. To this end, realistic modeling and simulation of these components is essential for network performance evaluation. The first contribution of this thesis is the design and implementation of a C++ simulator QueST (Quality of Service simulaTor) for this task. QueST is a modular cycle accurate simulator w...
Creating application security layer based on resource access decision service
Metin, Mehmet Özer; Şener, Cevat; Department of Computer Engineering (2007)
Different solutions have been used for each security aspect (access control, application security) to secure enterprise web applications. However, combining "enterprise-level" and "application-level" security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this thesis, adding a new layer to n-tier web application architectures to provide a common evaluation and enforcement environment for both enterprise-level and application-level policies to bring tog...
Implementation and evaluation of the dependability plane for the dynamic distributed dependable real time industrial protocol (D3RIP)
Sezer, Ömer Berat; Schmidt, Şenan Ece; Schmidt, Klaus Werner; Department of Electrical and Electronics Engineering (2013)
Dynamic Distributed Dependable Real Time Ethernet Industrial Protocol (D3RIP) is a real time industrial communication protocol that runs over shared-medium Ethernet with COTS hardware. The protocol consists of an interface layer that enables time slotted communication and a coordination layer that guarantees collision avoidance and timely delivery of real time messages generated by the control application. At the current development stage, these two layers of the protocol are fully implemented and tested. T...
Citation Formats
A. Gözütok, “Data plane-based defense system against DDoS attacks for software defined networks,” M.S. - Master of Science, Middle East Technical University, 2018.