A Network Segmentation Architecture for Flow Aggregation and DDoS Mitigation in SDN Using RAPID Flow Rules

Distributed Denial-of-Service (DDoS) attacks have always posed a major threat to networks directly or as a cover for more sophisticated attacks. In recent years, with advances such as the large number of IoT nodes, amplifying platforms like Botnets-as-a-Service, etc., the number of DoS attacks has increased significantly, and the attacks have become more sophisticated. The new paradigm of Software-Defined Networking (SDN) enables a centralized view of the network, which has promising potential for efficient detection and mitigation of such attacks. This modern approach, however, exposes more areas of attack, such as Buffer Saturation, Link Flooding, Flow Table Overflow (FTO), and Controller Saturation. In this paper, we propose a novel, extremely lightweight, simple, yet effective, integrated approach, called Rapid Protection in Dataplane-DDoS (RAPID), for the detection and mitigation of several DoS attacks in SDN scenarios. Our approach couples the centralized view of the SDN networks with network segmentation based on the IP assignment, to generate a novel set of flow rules that can be used to manage the network in a way that allows for a smaller number of overall rules for proactively preventing FTO altogether while generating some novel statistics thereby adding the capability of fast detection and traceback of the origins of attacks to the controller. We evaluate the performance of the proposed scheme - RAPID - with Mininet and Ryu to demonstrate its effectiveness in detecting and mitigating several attacks while maintaining network performance.