SDN-based Intelligent DDoS Cleaning System

SDN-based Intelligent DDoS Cleaning System

dezembro 16, 2019 | Adeline Zhang

Traditional DDoS protection solutions are designed to address flexibility, scheduling, and value addition requirements. However, the advent of the software-defined networking (SDN) technology, especially its combination with network virtualization, provides a new way to deploy security devices. NSFOCUS’s SDN-based intelligent cleaning system discussed here can intelligently detect DDoS attacks and work out an optimal cleaning policy before selecting the most appropriate cleaning resources in real time, thus implementing intelligent traffic cleaning on demand to effectively protect users from DDoS attacks.


DDoS Attack Trend

Currently, DDoS attack forms tend to be polarized: Volumetric attacks increase so rapidly as to pose threats to Internet backbone networks. Besides, such attacks are moving towards the cloud. Meanwhile, low and medium-volume skill-based attacks are growing stealthily, targeting flaws in the business design of various industries. These attacks can easily lead to users’ business running slowly or even being unable to function. More and more attackers combine both volumetric attacks and skill-based attacks, adding to the difficulty of defeating DDoS attacks.

SDN Technology

Software-defined networking (SDN) is a brand new architecture that implements automated and centralized network management and control through the logically centralized control plane. SDN-based centralized network control and real-time traffic scheduling technologies have been widely used in data centers, cloud services, and network functions virtualization, among other scenarios.

This intelligent DDoS cleaning system integrates DDoS protection with the SDN technology. It works as follows: The security data plane is separated from the control plane and physical and virtual network security devices are decoupled from their access mode, deployment mode, and functions. Also, the underlying layer is abstracted into resources within security resource pools and the top layer provides security functions through intelligent and automatic service orchestration and management by means of software programming. In this way, flexible security is achieved.

Challenges Facing Traditional DDoS Cleaning Solutions

Challenges to Individual Cleaning Nodes

Individual cleaning nodes are faced with the following challenges:

  • There is nothing individual cleaning nodes can do if the maximum cleaning capacity is exceeded.

When dealing with attack traffic of an unknown volume, users are often unable to accurately define the cleaning capacity of cleaning devices. Once the attack traffic goes beyond the protection capability of those devices, normal service operations will be affected.

  • Due to highly integrated protection capabilities, individual nodes deal with mixed-vector attacks less efficiently.

To deal with increasingly complicated attack scenarios, a single cleaning hardware device almost integrates all common attack protection algorithms. This results in highly complicated software for these devices. In fact, DDoS attacks are usually a hybrid of several kinds of attacks or a fixed combination of various vectors. However, a complicated software model tends to cause inefficient CPU/memory utilization.

  • A single node is not reliable enough in terms of online protection.

When it comes to reliability, a cleaning device, in the case of a software or hardware failure or during upgrade or maintenance, may stop protecting customers’ business for a while, leaving the business exposed to attack risks.

Challenges to Cleaning Device Clusters

As a single cleaning device provides insufficient cleaning capabilities, people often think of deploying multiple devices in cluster mode for greater defense capabilities. However, such a cluster adopts the load balancing model which demands that cleaning devices within the cluster have consistent performance and features. Actually, with the constant evolution of cleaning devices, such devices differ greatly in cleaning capabilities and are unlikely to provide the same features. For example, some cleaning devices support hardware encryption and decryption to deliver good HTTPS protection performance, while old devices are short of these functions. Owing to these restrictions, cluster networking is subject to various conditions and even certain cleaning devices have to be upgraded or phased out, leading to low asset utilization.

SDN-based Intelligent Cleaning System

System Deployment View

This intelligent cleaning system consists of two parts: management domain and business domain.

The management domain is used to transfer directives between the intelligent cleaning platform, traffic controller (WITH SDN), traffic monitoring device (NTA), and the cleaning node cluster.

The concept of the business domain goes like this: When the traffic monitoring device detects an attack, it will report attack and traffic information to the intelligent cleaning platform which will issue traffic diversion and scheduling directives to finally direct the traffic to the ingress of the SDN switch. All cleaning devices are directly connected to the SDN switch which has a direct connection to the upper-layer switch. After diverting and cleaning traffic, such devices forward the cleaned traffic to the SDN switch for injection to the network.

System Architecture

System architecture

Northbound Interfaces of the Intelligent Cleaning Platform

The intelligent cleaning platform provides the following northbound interfaces:

  • Cleaning request handling: interface for receiving the information about the protected server and performing preliminary logical operations. If the intelligent cleaning platform cannot provide the desired performance or features, the interface displays an error; otherwise, it delivers a traffic monitoring request to NTA.
  • Cleaning report: interface for generating multidimensional reports to present the effect of DDoS protection for the target server.
  • Device maintenance: interface for device maintenance, including routine version upgrade or device getting online or offline.

SDN Path Management

The intelligent cleaning platform dispatches specific forwarding routing tables through the OpenFlow protocol. In this way, the destination port to which the traffic to be cleaned will be forwarded can be defined dynamically in real time, allowing the traffic to be directed to the matching cleaning device for sanitization.

Cleaning Device Topology Discovery

As the cleaning center rapidly expands to contain more cleaning devices, it seems to be impractical for technical engineers to configure and maintain network devices manually due to the increasingly heavy workload. Besides, human errors can easily occur.

Via the Link Layer Discovery Protocol (LLDP), network devices notify the information at the link layer to each other and finally constitute the network topology through calculations.

About LLDP

LLDP is a layer 2 discovery protocol defined in IEEE 802.1AB. It provides a standard way of link-layer discovery. It allows one device connected to the local area network (LAN) to send its main capability, management address, device ID, and interface ID to other devices within the same LAN. Via LLDP, as the network expands rapidly, the network management system can rapidly master the layer 2 network topology information and changes in the topology.

Enabling LLDP on the SDN switch and cleaning devices connected to the network makes it possible to automatically discover the network topology of cleaning devices connected to the SDN switch.

Traffic Monitoring and Diversion

The intelligent cleaning platform provides real-time traffic monitoring for protected IP addresses by using NSFOCUS NTA. It works like this: Once the traffic of a protected IP address exceeds the predefined threshold, NTA proactively sends an alert to this platform which, through protection policy calculations, issues a traffic diversion directive to NTA for real-time traffic monitoring and diversion.

Cleaning Resource Management

Cleaning devices, after being connected to the management network of the intelligent cleaning platform, can proactively report their own cleaning capacity and features. This platform calculates cleaning resources of cleaning devices in real time, including the overall cleaning capacity and the cleaning capacity that is already in use. When an attack occurs, this platform first identifies the attack traffic size and category and then selects the matching cleaning resources and refreshes the cleaning resource pool.

Cleaning Policy Calculation

Based on the identified attack category, the intelligent cleaning platform calculates the most appropriate protection algorithm and dispatch it to the selected cleaning device. If the attack traffic changes or the protection effect is not satisfactory, this platform will recalculate the protection algorithm and dispatch it to the selected cleaning device, thus realizing real-time calculation and dynamic updating of cleaning policies.

Values Brought by the Intelligent Cleaning System

Closed-Loop Protection

The intelligent cleaning system can monitor network traffic, choose appropriate resources for real-time optimal matching, as well as dispatch the defined policies for on-demand sanitization of attack traffic. Once the attack stops, this system automatically releases cleaning resources. In this way, this system implements closed-loop protection.


The intelligent cleaning system has the following merits:

  • Alleviating the workload for cleaning devices

Cleaning devices only provide such protection features as cleaning algorithms, while the intelligent cleaning platform takes charge of BGP diversion and web management. This guarantees efficient utilization of hardware resources of cleaning devices, while reducing the software complexity.

  • Effectively protecting customers’ assets

Cleaning devices can vary in the cleaning capacity and features and their cleaning capabilities can be given to full play.

  • Reducing the workload of network maintenance engineers

Through the link-layer discovery protocol, cleaning devices can report information about neighbors directly connecting to the devices to the intelligent cleaning platform, finally achieving automatic discovery of the cleaning device topology and really realizing the plug-and-play effect.

  • Significantly improving the protection performance

This platform uses protection features of hardware devices to improve the protection performance. For example, it makes full use of features of switches, such as using the switch chip’s access control list (ACL) resources to report blacklisted terminal information generated by algorithms of cleaning devices to the intelligent cleaning platform which will generate an ACL and dispatch it to the SDN switch. This greatly increases the forwarding performance as well as delivers better protection results by allowing cleaning devices to only focus on the traffic of unknown terminals.

  • Maximizing the resource utilization

Protection policies are dispatched automatically. When detecting an attack, the intelligent cleaning platform chooses the matching protection device through real-time calculation, creates effective protection policies, and automatically dispatches them to the corresponding cleaning device. Besides, the attack traffic is scheduled automatically. After policies are dispatched, the intelligent cleaning platform instructs NTA to schedule traffic remotely, as well as opens the cleaning device’s corresponding port connected to the SDN switch to implement real-time intelligent traffic scheduling.

  • Intelligent hardware maintenance

Cleaning devices are maintained via the intelligent cleaning platform. The intelligent cleaning platform can customize the upgrade and maintenance plan for cleaning devices without affecting the customers’ business. In this way, customers’ business will be out of protection during upgrade and maintenance of cleaning devices. Besides, the intelligent cleaning platform employs the concept of clustering, i.e., grouping multiple cleaning devices into a cluster to effectively prevent single points of failure (SPOFs) of this platform.