Data plane-based defense system against DDoS attacks for software defined networks

Gözütok, Ahmet
Software Defined Networking (SDN) is a new networking architecture. It offers promising advances and provides remarkable solutions to certain challenges in this area, yet it is still vulnerable to Distributed Denial of Service (DDoS) attacks. DDoS attacks have devastating effects on the SDN architecture and may lead to the failure of an entire SDN network. There is no generally accepted network defense system against these attacks for the SDN architecture, and many problems in this area remain unresolved. This thesis presents the MiddleModule system, a Network/Transport-Level DDoS attack detection and prevention framework designed for the SDN architecture. MiddleModule is a data plane-based DDoS defense system: the monitoring, detection and prevention capabilities are deployed in the data plane devices, namely the OpenFlow switches, rather than in the controller. In addition, the thesis states several requirements that a data plane-based defense system should satisfy and provides several attack detection algorithms against various Network/Transport-Level DDoS attack types. Within the scope of this thesis, an extensive evaluation of the proposed framework and of the detection algorithms is performed using different evaluation scenarios, and the results are compared with similar studies in the literature. Moreover, the thesis provides a detailed literature analysis that explains and classifies the related studies.


A low latency, high throughput and scalable hardware architecture for flow tables in software defined networks
Eral, Göksan; Schmidt, Şenan Ece; Department of Electrical and Electronics Engineering (2016)
Software Defined Networking (SDN) is a new paradigm which requires multi-field packet classification for each received packet by looking up Flow Tables which contain a large number of rules and corresponding actions. The rules are defined by up to 15 packet header fields, including IP source and destination address. If more than one rule matches, then the action of the highest priority rule is executed. Furthermore, rules with wildcard fields are possible. The SDN Flow Table should scale with the rule coun...
Switch fabric schedulers with intelligent multi-class support: design, implementation and evaluation on FPGA /
Akpınar, Murat; Schmidt, Şenan Ece; Department of Electrical and Electronics Engineering (2014)
The applications in contemporary computer networks require end-to-end Quality of Service (QoS). Moreover, different applications have different QoS requirements. Thus, it is important to support QoS in the network layer routers, which can be achieved by scheduling the output queues in output queued routers. However, pure output queued routers are not easy to build. Hence, it is important to equip the fabric schedulers of input queued switches with QoS support. Thus, it is an important research problem ...
Implementation and evaluation of the dependability plane for the dynamic distributed dependable real time industrial protocol (D3RIP)
Sezer, Ömer Berat; Schmidt, Şenan Ece; Schmidt, Klaus Werner; Department of Electrical and Electronics Engineering (2013)
Dynamic Distributed Dependable Real Time Ethernet Industrial Protocol (D3RIP) is a real time industrial communication protocol that runs over shared-medium Ethernet with COTS hardware. The protocol consists of an interface layer that enables time slotted communication and a coordination layer that guarantees collision avoidance and timely delivery of real time messages generated by the control application. At the current development stage, these two layers of the protocol are fully implemented and tested. T...
Creating application security layer based on resource access decision service
Metin, Mehmet Özer; Şener, Cevat; Department of Computer Engineering (2007)
Different solutions have been used for each security aspect (access control, application security) to secure enterprise web applications. However, combining "enterprise-level" and "application-level" security aspects in one layer could give great benefits such as reusability, manageability, and scalability. In this thesis, adding a new layer to n-tier web application architectures to provide a common evaluation and enforcement environment for both enterprise-level and application-level policies to bring tog...
A conformance and interoperability test suite for Turkey’s National Health Information System (NHIS) and an interactive test control and monitoring environment
Sınacı, Ali Anıl; Doğaç, Asuman; Department of Computer Engineering (2009)
Conformance to standards and interoperability is a major challenge of today's applications in all domains. Several standards have been developed and some are still under development to address the various layers in the interoperability stack. Conformance and interoperability testing involves checking whether the applications conform to the standards so that they can interoperate with other conformant systems. Only through testing can correct information exchange among applications be guaranteed. National H...
Citation Formats
A. Gözütok, “Data plane-based defense system against DDoS attacks for software defined networks,” M.S. - Master of Science, Middle East Technical University, 2018.