Posted on 2024-11-25, 18:48, authored by Juan Fernando Balarezo Serrano
Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks seek to disrupt the availability of a victim server, online service or network by overwhelming the target or the surrounding infrastructure with traffic from one or multiple sources. DoS/DDoS attacks have been one of the biggest threats against communication networks and applications throughout the years. Modelling DoS/DDoS attacks is necessary to get a better understanding of their behaviour at each step of the attack process, from botnet recruitment up to the dynamics of the attack itself. A deeper understanding of DoS/DDoS attacks would lead to the development of more efficient solutions and countermeasures to mitigate their impact, especially since DDoS attack costs ranged between $25,000 and $249,000 for 58% of companies around the world in 2018. We present a classification approach for existing DoS/DDoS models in different kinds of networks: traditional networks, Software Defined Networks (SDN) and virtual networks. In addition, our research provides a thorough review and comparison of the existing attack models; in particular, we explain, analyse and simulate different aspects of three prominent models: congestion window, queuing and epidemic models. Furthermore, we quantify the damage of DoS/DDoS attacks at three different levels: protocol (Transmission Control Protocol, TCP), device resources (bandwidth, CPU, memory) and network (infection and recovery speed).
The decoupled architecture of Software-Defined Networking (SDN) provides greater network visibility for network operators, allowing effective resource management and enhancing network security. However, the centralised SDN architecture, the communication channels between planes and the limited resources can make SDN systems vulnerable to DoS/DDoS attacks. To better understand the attack dynamics and inform future mitigation techniques, modelling DoS/DDoS attacks for SDN is necessary. Low-rate DDoS attacks, or "shrew attacks", are typical stealth attacks that seek to throttle the TCP bandwidth of a specific target at a low attack cost. Low-rate DDoS attacks exploit the inherent vulnerability in the retransmission timeout (RTO) mechanism used by TCP congestion control. When several losses take place due to congestion, TCP reduces its congestion window (cwnd) to the minimum value and waits for a period of time (RTO) before the packet is resent. Congestion control is indispensable in TCP communications, so the resulting vulnerabilities are inherent to the protocol and cannot be eliminated by changing its design. SDN uses TCP to establish communication between the control plane and the data plane (the southbound channel), through protocols such as OpenFlow (OF) and the P4 programming language. We detail the ways in which OF and P4 can be exploited by shrew DDoS attacks. To evaluate the effectiveness of our model, we show how legitimate OF and P4 messages can be used as traffic in a shrew DDoS attack, and we identify and classify the possible messages that can be generated for this purpose. Finally, we present a model for low-rate DDoS attacks in SDN based on the behaviour of the TCP congestion mechanism. Our model allows us to understand the behaviour of SDN, and the impact on it, under a shrew DDoS attack. Specifically, the model lets us quantify the effect of the shrew attack vector in SDN as a function of the attack magnitude and the number of forwarding devices sending traffic. Such understanding of the attack is fundamental to the development of mitigation solutions.
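The protocol-level damage described above (cwnd collapsing to one segment and RTO backoff under a square-wave loss pattern) can be quantified with a deliberately simplified congestion-window model. This is an added illustration, not the thesis model: it assumes one TCP sender with a fixed RTT, that every window sent while a burst is active is lost, and RFC 6298-style RTO bounds (1 s minimum, 64 s cap assumed).

```python
"""Simplified model of TCP goodput under a square-wave (shrew) loss pattern.

Added illustration, not the thesis model. Assumptions: one TCP sender with a
fixed RTT; every window sent while a loss burst is active is lost and causes a
timeout (cwnd back to one segment, exponential RTO backoff, RTO bounded by the
RFC 6298 minimum of 1 s and an assumed 64 s cap); bursts of length burst_len
start at t = 0, period, 2*period, ...
"""

def segments_delivered(period, burst_len, duration=60.0, rtt=0.1,
                       min_rto=1.0, max_rto=64.0, max_cwnd=64):
    """Segments delivered within `duration`; period=None means no bursts."""
    t, cwnd, ssthresh, rto, delivered = 0.0, 1, max_cwnd, min_rto, 0
    while t < duration:
        in_burst = period is not None and (t % period) < burst_len
        if in_burst:
            # Whole window lost: halve ssthresh, cwnd back to one segment,
            # wait RTO; each consecutive timeout doubles RTO.
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
            t += rto
            rto = min(rto * 2, max_rto)
        else:
            delivered += cwnd
            t += rtt
            rto = min_rto            # a successful RTT resets the backoff
            # slow start below ssthresh, congestion avoidance above it
            cwnd = min(cwnd * 2 if cwnd < ssthresh else cwnd + 1, max_cwnd)
    return delivered

def goodput_fraction(period, burst_len, **kw):
    """Goodput under the burst pattern relative to the burst-free baseline."""
    return segments_delivered(period, burst_len, **kw) / segments_delivered(None, 0.0, **kw)

if __name__ == "__main__":
    for period in (1.0, 1.5, 2.0, 5.0):
        print(f"burst period {period}s -> goodput fraction {goodput_fraction(period, 0.2):.2f}")
```

With the burst period equal to the minimum RTO every retransmission lands inside a burst and goodput stays at zero; longer periods let the window recover between bursts, which is the magnitude-versus-period trade-off the attack model captures.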
During COVID-19 the new normal became an increased reliance on remote connectivity, and that is unlikely to change any time soon. The increasing number of networked devices connected to the Internet is causing exponential growth of botnets. Subsequently, the number of DDoS (Distributed Denial of Service) attacks registered around the world has also increased, especially during the pandemic lockdown. Therefore, it is crucial to understand how botnets are formed and how bots propagate within networks. In particular, analytic modelling of the botnet epidemic process is an essential component for understanding DDoS attacks, and thus for mitigating their impact. We propose two analytic epidemic models: (i) the first for enterprise Software Defined Networks (SDN), based on the SEIRS (Susceptible - Exposed - Infected - Recovered) approach, and (ii) the second designed for service providers' SDN, based on a novel extension of a SEIRS-SEIRS vector-borne approach. Both models illustrate how bots spread in different types of SDN networks. We found that bot infection behaves in a similar way to human epidemics, such as the novel COVID-19 outbreak. We present the calculation of the basic reproduction number R0 for both models and test the system stability using the next-generation matrix approach. We have validated the models using the final value theorem (FVT), with which we can determine the steady-state values that provide a better understanding of the propagation process.
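The enterprise-network SEIRS model, the next-generation-matrix computation of R0 and the steady-state check are illustrated below in an added example that is not the thesis's own model or parameter set: a closed population of hosts, with all rates constructed for illustration.

```python
"""SEIRS model of bot propagation inside one enterprise network.

Added illustration, not the thesis model. Compartments: Susceptible, Exposed
(compromised, not yet scanning), Infected (active bot), Recovered (cleaned;
protection wears off at rate omega). Closed population; parameters constructed.
"""

def seirs_step(state, beta, sigma, gamma, omega, dt):
    """One forward-Euler step of the SEIRS equations."""
    s, e, i, r = state
    n = s + e + i + r
    new_exposed = beta * s * i / n      # active bots compromise susceptible hosts
    ds = -new_exposed + omega * r
    de = new_exposed - sigma * e        # exposed hosts become active bots
    di = sigma * e - gamma * i          # bots are cleaned at rate gamma
    dr = gamma * i - omega * r
    return (s + ds * dt, e + de * dt, i + di * dt, r + dr * dt)

def simulate(beta, sigma, gamma, omega, n=1000.0, i0=1.0, t_end=3000.0, dt=0.01):
    """Integrate from one initial bot; returns the final (S, E, I, R)."""
    state = (n - i0, 0.0, i0, 0.0)
    for _ in range(int(t_end / dt)):
        state = seirs_step(state, beta, sigma, gamma, omega, dt)
    return state

def basic_reproduction_number(beta, sigma, gamma):
    """R0 by the next-generation matrix method: F holds new infections and V
    the transfers between E and I, linearised at the bot-free equilibrium
    (S = N); R0 is the spectral radius of F * V^-1."""
    F = [[0.0, beta], [0.0, 0.0]]                    # rows/cols ordered E, I
    V = [[sigma, 0.0], [-sigma, gamma]]
    det = V[0][0] * V[1][1] - V[0][1] * V[1][0]
    V_inv = [[V[1][1] / det, -V[0][1] / det], [-V[1][0] / det, V[0][0] / det]]
    K = [[sum(F[a][k] * V_inv[k][b] for k in range(2)) for b in range(2)] for a in range(2)]
    # eigenvalues of the 2x2 matrix K from its characteristic polynomial (real here)
    tr, dk = K[0][0] + K[1][1], K[0][0] * K[1][1] - K[0][1] * K[1][0]
    root = max(tr * tr - 4 * dk, 0.0) ** 0.5
    return max(abs((tr + root) / 2), abs((tr - root) / 2))

def endemic_infected(beta, sigma, gamma, omega, n=1000.0):
    """Steady-state number of active bots (the value the final value theorem
    gives): 0 if R0 <= 1, else found by setting all derivatives to zero."""
    r0 = basic_reproduction_number(beta, sigma, gamma)
    if r0 <= 1.0:
        return 0.0
    return n * (1 - 1 / r0) / (1 + gamma / sigma + gamma / omega)

if __name__ == "__main__":
    print(basic_reproduction_number(0.5, 1.0, 0.2), simulate(0.5, 1.0, 0.2, 0.05)[2])
```

For the constructed rates R0 = beta/gamma, and the simulated bot count settles at the closed-form endemic value when R0 > 1 and dies out when R0 < 1, which is the stability behaviour the next-generation matrix predicts.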
The mathematical models defined above provide complete insight into the behaviour of low-rate DDoS attacks against the SDN controller and into the impact that the size of a botnet has when launching the attack. We then analyse how closely the developed models match the behaviour of a real testbed under a DDoS attack scenario. For this purpose, the testbed architecture is designed and configured to analyse the low-rate DDoS attack model in a real scenario. The attack follows the low-rate burst pattern (square wave). Once we have replicated and evaluated the attack models in the testbed and validated their behaviour, we identify the most efficient way to detect low-rate DDoS attacks and epidemic spread within SDN networks. Therefore, we present a detection solution against the proposed low-rate DDoS attack model using machine learning (ML) algorithms. Following the attack patterns specified by our models, we are able to extract key features from the incoming traffic, allowing us to recognise and label the malicious traffic in order to train the ML algorithm. The ML models have been trained and tested with a low-rate DDoS attack data set and the testbed traffic. The results show that our detection solution, developed with an attack model as its foundation, has better accuracy than the existing solutions in the literature, which are not based on a previously defined attack model, demonstrating the importance of attack modelling for enhanced detection.
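Because the attack model fixes the traffic shape (short bursts recurring at roughly the RTO period), features for labelling training data can be derived directly from that shape. The following is an added illustration with an assumed feature set and thresholds, not the thesis's own features or ML pipeline; the two traces are constructed, one following the square-wave pattern and one a steady flow.

```python
"""Periodicity features for labelling low-rate (square-wave) DDoS traffic.

Added illustration with an assumed feature set, not the thesis's own
features or ML pipeline. Input: packets per 100 ms bin for one source.
Features: burst period from the autocorrelation of the thresholded series,
duty cycle, periodicity score and peak-to-mean ratio.
"""

BIN_SEC = 0.1

def binarize(counts, factor=3.0):
    """Mark bins whose count exceeds `factor` times the mean as burst bins."""
    mean = sum(counts) / len(counts)
    return [1 if c > factor * mean else 0 for c in counts]

def dominant_lag(bits, min_lag=2):
    """Lag (in bins) with the highest autocorrelation, and that correlation."""
    n = len(bits)
    mean = sum(bits) / n
    centered = [b - mean for b in bits]
    var = sum(c * c for c in centered) or 1.0      # all-zero series -> no peak
    best_lag, best = min_lag, -1.0
    for lag in range(min_lag, n // 2):
        ac = sum(centered[k] * centered[k + lag] for k in range(n - lag)) / var
        if ac > best:
            best_lag, best = lag, ac
    return best_lag, best

def extract_features(counts):
    bits = binarize(counts)
    lag, score = dominant_lag(bits)
    mean = sum(counts) / len(counts)
    return {"period_s": lag * BIN_SEC, "periodicity": score,
            "duty_cycle": sum(bits) / len(bits), "peak_to_mean": max(counts) / mean}

def is_shrew_pattern(f):
    """Labelling rule for training samples; thresholds are assumed: bursts
    recurring about every RTO (0.8-3 s), short on-time, strong periodicity."""
    return (0.8 <= f["period_s"] <= 3.0 and f["duty_cycle"] <= 0.3
            and f["periodicity"] >= 0.5 and f["peak_to_mean"] >= 3.0)

# Constructed 30 s traces: a 200-packet burst for 0.2 s every 1 s, and a
# steady flow of roughly 40 packets per bin.
SHREW_TRACE = [200 if k % 10 < 2 else 2 for k in range(300)]
STEADY_TRACE = [40 + (k * 7) % 5 for k in range(300)]

if __name__ == "__main__":
    for name, trace in (("shrew", SHREW_TRACE), ("steady", STEADY_TRACE)):
        print(name, extract_features(trace), is_shrew_pattern(extract_features(trace)))
```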