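Computer science
Denial-of-service attack
Scalability
Computer network
Real-time computing
Software deployment
Computer security
The Internet
Database
World Wide Web
Operating system
Authors
Dan Tang, Jiliang Zhang, Siqi Zhang, Zheng Qin, Wei Liang, Sheng Xiao
Source
Journal: IEEE Transactions on Cognitive Communications and Networking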
[Institute of Electrical and Electronics Engineers]
Date: 2023-12-01
Volume (issue): pages: 9 (6): 1721-1733
Identifier
DOI:10.1109/tccn.2023.3306358
Abstract
Slow-rate denial-of-service (SDoS) attacks are a type of denial-of-service (DoS) attacks with a low attack rate. They have a flash-crowd nature and can be well concealed in legitimate traffic, so it is difficult to identify them by anti-DoS mechanisms. Existing solutions have drawbacks such as difficult deployment, poor real-time performance, and poor scalability. We propose a scheme for real-time monitoring and mitigation of SDoS attacks on the basis of a software-defined network (SDN) and new traffic metrics. The new traffic metrics are the coefficient of fluctuation (CoF) and pulse period coefficient (PPC), which can help us identify SDoS attacks in the network and locate the attackers quickly and accurately. Based on the two metrics, the scheme uses a Gaussian mixture model (GMM) to predict and cluster network traffic and obtain attacker IPs. The mitigation module installs flow rules to discard attacking flows. With blacklisting and weighted IPs, the mitigation module reduces the probability of dropping legitimate flows in case of false positives. Experiments show that our scheme is inexpensive to deploy and can identify attacks and locate attackers quickly and accurately. The mitigation strategy can mitigate SDoS attacks within 4 to 6 seconds with high probability.