5 research outputs found

    StateSec: Stateful Monitoring for DDoS Protection in Software Defined Networks

    To be presented at IEEE NetSoft, 3-7 July 2017, Bologna, Italy.
    Software-Defined Networking (SDN) allows for fast reactions to security threats by dynamically enforcing simple forwarding rules as countermeasures. However, in classic SDN all the intelligence resides at the controller, with the switches only capable of performing stateless forwarding as ruled by the controller. It follows that the controller, in addition to network management and control duties, must collect and process any piece of information required to take advanced (stateful) forwarding decisions. This threatens both to overload the controller and to congest the control channel. On the other hand, stateful SDN represents a new concept, developed both to improve reactivity and to offload the controller and the control channel by delegating local treatments to the switches. In this paper, we adopt this stateful paradigm to protect end-hosts from Distributed Denial of Service (DDoS). We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks. StateSec monitors packets matching configurable traffic features (e.g., IP src/dst, port src/dst) without resorting to the controller. By feeding an entropy-based algorithm with such monitoring features, StateSec detects and mitigates several threats such as (D)DoS and port scans with high accuracy. We implemented StateSec and compared it with a state-of-the-art approach to monitor traffic in SDN. We show that StateSec is more efficient: it achieves very accurate detection levels, limiting at the same time the control plane overhead.

    Lightweight tag-based forwarding among competing gateways in Wireless Mesh Networks

    No full text

    Intelligent Routing Scheme in Home Networks

    No full text

    Scaling end-to-end measurements in heterogeneous wireless mesh networks

    No full text
    In large scale deployments of Wireless Mesh Networks (WMNs), access to the Internet is ensured by multiple gateways spread over the network. In such environments that rely on heterogeneous backhaul technologies offering different and time-varying bandwidth, delay or jitter characteristics, monitoring the end-to-end performances on the diversity of paths Internet flows can be forwarded on is challenging: the end-to-end measurement strategy must capture the diversity of backhaul connections, as well as multi-hop behavior within the mesh, and it must scale with the number of gateways, nodes and flows. In this paper we propose and evaluate the scalability of two measurement strategies for the monitoring of end-to-end paths. We establish closed form formulas for the overhead incurred by these measurement strategies, and compare their efficiency against greedy measurements in grid topologies. We conclude that one can reach linear increase in the number of probing nodes in place of an exponential growth for greedy end-to-end measurements. We extend these results to also show that this strategy takes advantage of dense topologies.