Opened 4 years ago

Closed 4 years ago

#1377 closed (fixed)

Experimentation of SDN-Supported Collaborative DDoS Attack Detection and Containment

Reported by: Owned by:
Priority: major Milestone:
Component: GPO Version: SPIRAL7
Keywords: GEC22 Cc:


Demo Title: "Experimentation of SDN-Supported Collaborative DDoS Attack Detection and Containment" Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong

One-sentence layman's description:

This demo shows a collaborative monitoring and correlation approach to mitigate the effects of the surge in network traffic of a flooding Denial of Service attack that can cause loss of service for legitimate sites.

Who should see this demo?

Attendees interested in cybersecurity attack detection and mitigation techniques.

Demo description paragraph(s): “Elevator speech” description that identifies (a) what you are demonstrating and (b) why it is important. This description may be used for advance publicity and to help attendees identify the demonstrations they wish to see.

Software-defined networking (SDN) and OpenFlow offer great support to dynamically adapt a network and to access data on different network layers as needed. Such advantages have been driving recent research efforts to develop new security applications and services. However, most studies on attack detection and containment have not really differentiated their solutions from the traditional ones, without fully taking advantage of the unique capabilities provided by SDN. Moreover, even if some of these studies provide interesting visions of what can be achieved, they stop short of presenting realistic application scenarios and experimental results. We present a novel attack detection and containment approach that is coordinated by distributed network monitors and controllers/correlators centralized on an SDN OpenFlow Virtual Switch (OVS). With different views and information availability, these elements collaboratively detect signature constituents of an attack that possess different characteristics of scale and detail. Therefore, this approach is able to not only quickly issue an alert against potential threats followed by careful verification for high accuracy, but also balance the workload on the OVS. We apply the proposed approach to TCP SYN flood attacks using Global Environment for Network Innovations (GENI). This realistic experimentation has provided us with insightful findings helpful to our goal toward a systematic methodology of SDN-supported attack detection and containment. First, we have demonstrated through experimentation the scalability of our collaborative scheme. Second, we have studied how the combination of alerts by the monitor and deep packet inspection by the correlator can increase the speed and accuracy of attack identification. Our experiments, in the context of a small to medium corporate network, have demonstrated the effectiveness and scalability of the SDN-supported detection and containment approach.

List of equipment that will need AC connections (e.g. laptop, switch, monitor): Laptop and a monitor.

Total number of wired network connections (sum standard IP and VLAN connections):

One wired network connection.

Number of wired layer 2 VLANs (if any):

One VLAN for a single network connection

Specify VLAN number, if known, approximate bandwidth, and whether tagged or untagged.

Any number (including VLAN 1)

Number of wireless network connections (include required bandwidth if significant):


Number of static addresses needed (if any):


Monitor (y/n, specify VGA or DVI):

VGA monitor with a minimum resolution of 1440x900 or 1280x1024

Number of posters (max size poster boards are 30" x 40"):


Special requests: Include any specific network connectivity needs (e.g. VLANs to a particular GENI location, projects you'd like to be near, etc.)

Change History (6)

comment:1 Changed 4 years ago by

Status: new → accepted

Thanks for the demo submission, I will follow up with confirmation of available resources.

Of note, NSF will be looking at this wiki page, so please feel free to update if you notice any errors or wish to update your demo description.

comment:2 Changed 4 years ago by

We are now able to confirm the availability of your requested resources. Please update this ticket if you have any questions or concerns. See you in DC!

comment:3 Changed 4 years ago by

What kind of layer 2 connectivity do you need? A tagged or untagged VLAN? Coming to the demo floor or in GENI?

comment:4 Changed 4 years ago by

Hi, we are looking for more details on what kind of connectivity is needed so we can best accommodate your request for a VLAN at the demo site. A few questions that can help us:

  1. Where will your connection come from (e.g. will this come from a specific Internet2 connector)? Have you determined a VLAN ID for that remote side (we will need to know this ID if it is a circuit within Internet2)?
  2. At the demo site, do you have a preference for your device to connect to the VLAN on a tagged or an untagged connection? If you have no preference, we suggest untagged.
  3. Do you have any specific bandwidth requirements?
  4. Are there any other assumptions or expectations that might be relevant?

comment:5 Changed 4 years ago by

Updated participants to:


comment:6 Changed 4 years ago by

Resolution: fixed
Status: accepted → closed

Thanks for joining us in DC this year. We hope everything worked as you expected.

Please feel free to update / append the wiki page for the Demo Night here:
