27 Feb 2017
Information and Communications Technologies
CoFence: A Collaborative DDoS Defence
Professors Mohamed Cheriet and Kim Khoa Nguyen, of the Synchromedia laboratory, organised a mini-conference, as part of IEEE’s 12th International Conference on Network and Service Management (CNSM), hosted from October 31 to November 4, 2016, at the École de technologie supérieure (ÉTS).
This article is an overview of "CoFence: A Collaborative DDoS Defence Using Network Function Virtualization", presented by Carol Fung, Associate Professor in the Computer Science Department at Virginia Commonwealth University. It was written by a student researcher of the Synchromedia laboratory who attended the conference.
CoFence is a virtualization-based platform that handles large-volume Distributed Denial of Service (DDoS) attacks through collaborative resource sharing. It lets a domain network decide how much of its resources to share with other domains while guaranteeing fairness, incentive-compatibility and reciprocity.
DDoS Attacks: How to Mitigate them?
In a nutshell, a Distributed Denial of Service (DDoS) attack is an attempt to interrupt a server's functions, temporarily or indefinitely, by overwhelming it with an enormous number of requests from multiple sources. The input to this type of attack is simply a large network of infected computers, known as a "botnet," which generates enough traffic to overload the victim. With the proliferation of black markets and the growth of "DDoS as a service," DDoS attacks are becoming more malicious and are fast becoming our worst nightmare. Many of us still remember the DDoS attack against the Clinton and Trump campaigns a few months ago.
The straightforward approach to mitigating DDoS is to block traffic identified as malicious and let legitimate traffic into the system. Another approach is to trace the traffic back to the origins of the botnet. However well these two methods perform in theory at detecting a potential DDoS, either of them is likely to exhaust the available resources as the number of requests grows. Traditional device-based DDoS mitigation is therefore limited not only by the computation capacity of the dedicated network functions (e.g. firewall, IPS) but also by the high cost and long cycle time required to upgrade or add hardware. The authors of the paper address this issue by adopting Network Function Virtualization (NFV), which makes device upgrades and resource allocation fast and inexpensive, and consequently opens up a great opportunity for DDoS defense. The idea is for domains to collaborate whenever one of them faces potential DDoS traffic. In other words, excess traffic arriving at one domain can be steered to other trusted external domains, which filter out the DDoS traffic and forward the clean traffic back to the targeted domain. The same mechanism applies when several domains ask for help at once.
Collaborative DDoS Defense (CoFence)
The goal of CoFence is to provide a platform for domain networks (e.g., an enterprise network or an ISP) to support each other in order to reduce their vulnerability to large-scale DDoS attacks. By leveraging cloud elasticity and agility, each NFV-enabled domain network can contribute its spare network resources to other domains when needed. In the case study shown in Figure 1, Domain 1 is equipped with virtual devices (i.e. gateway, IPS, firewall) whose capacity can be dynamically configured thanks to NFV. Upon receiving external traffic, the virtual IPS determines whether it is a DDoS attack from a botnet aimed at the public server. If so, part of the incoming traffic is redirected to other domains (the red arrows in the figure), which filter it and send the clean traffic back to Domain 1.
Resource Allocation Mechanism
This mechanism decides whether a domain is willing to share its available resources to help others and, if so, how much it should offer. Such a resource allocation mechanism is designed with three goals in mind: fairness, incentive-compatibility and reciprocity.
To build a mechanism that fulfills these requirements, a node must keep track of how much its neighbor nodes have helped it in the past. The authors propose what can be called a "helping credit", which represents the cumulative help resources a node has offered in the past. Accordingly, when a domain is under a DDoS attack, it asks for help first from the neighbor with the highest credit, and then from the others. When the process is complete, the domain updates the credits of its neighbors. For more details on the credit mechanism and the collaborative algorithms, interested readers may refer to the original publication.
The advantages of NFV-based platforms like CoFence in the battle against DDoS are illustrated by the experimental results of several case studies.
As shown in Figure 2, the node under attack is overloaded during the 10s to 20s DDoS attack and typically has to drop most of its traffic.
However, this drop rate is reduced somewhat (Figure 3) when CoFence is deployed and enables external support from its neighbor.
Figure 4 demonstrates a case study in which five nodes (N1 to N5) share a single helper of varying capacity. They receive different amounts of support depending on their reputation: N1 is the last to obtain support from the helper, if any capacity is left, while N5 always gets assistance from the helper.
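To make the helping-credit mechanism from the previous section and the shared-helper scenario of Figure 4 concrete, here is a small Python model. It is an added illustration, not code from the paper or the Synchromedia laboratory, and the allocation rule it uses is an assumption: a domain keeps one credit counter per neighbor (cumulative help received from that neighbor), a victim asks neighbors in descending credit order, a helper serves requesters in descending credit order out of its spare capacity, and every grant is booked as credit for the helper on the requester's side. Capacity and traffic units are arbitrary, and all sample numbers are constructed.

```python
"""Toy model of CoFence-style credit-based help between NFV domains.

Added illustration, not the paper's code. Assumed rule: credit[n] on a domain
is the cumulative help it has received from neighbor n; requests and grants
are both ordered by that credit, highest first. Units are arbitrary.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Domain:
    """An NFV-enabled domain with elastic filtering capacity."""
    name: str
    capacity: float                       # filtering capacity currently provisioned
    load: float = 0.0                     # traffic it currently has to filter
    credit: Dict[str, float] = field(default_factory=dict)  # neighbor -> help received

    def spare(self) -> float:
        return max(0.0, self.capacity - self.load)

    def excess(self) -> float:
        """Traffic this domain cannot filter alone (what it would have to drop)."""
        return max(0.0, self.load - self.capacity)


def ranked(domain: Domain, names: List[str]) -> List[str]:
    """Order neighbors by the credit they hold with `domain`, highest first."""
    return sorted(names, key=lambda n: (-domain.credit.get(n, 0.0), n))


def request_help(victim: Domain, neighbors: Dict[str, Domain]) -> Dict[str, float]:
    """Victim steers its excess traffic to neighbors, highest-credit neighbor first."""
    grants: Dict[str, float] = {}
    for name in ranked(victim, list(neighbors)):
        if victim.excess() <= 0:
            break
        helper = neighbors[name]
        given = min(victim.excess(), helper.spare())
        if given > 0:
            helper.load += given          # helper filters the steered traffic
            victim.load -= given          # clean traffic flows back; victim's burden shrinks
            victim.credit[name] = victim.credit.get(name, 0.0) + given  # reciprocity bookkeeping
            grants[name] = given
    return grants


def serve_requests(helper: Domain, requesters: Dict[str, Domain],
                   needs: Dict[str, float]) -> Dict[str, float]:
    """One helper splits its spare capacity among several requesters, serving the
    requester that has helped it most in the past (highest credit) first."""
    grants: Dict[str, float] = {}
    for name in ranked(helper, list(needs)):
        given = min(needs[name], helper.spare())
        grants[name] = given
        if given <= 0:
            continue
        helper.load += given
        req = requesters[name]
        req.load -= given
        req.credit[helper.name] = req.credit.get(helper.name, 0.0) + given
    return grants


def single_victim_scenario() -> Tuple[float, float, Dict[str, float], Dict[str, float]]:
    """Figure 2/3 style: one node under a 300-unit attack with 100 units of capacity,
    first alone, then with two neighbors it asks in credit order (B before A)."""
    offered = 300.0
    alone = Domain("victim", capacity=100, load=offered)
    drop_alone = alone.excess() / offered                      # 200/300 without help
    victim = Domain("victim", capacity=100, load=offered, credit={"A": 50.0, "B": 200.0})
    helpers = {"A": Domain("A", capacity=200, load=80),        # 120 spare (constructed)
               "B": Domain("B", capacity=150, load=90)}        # 60 spare (constructed)
    grants = request_help(victim, helpers)
    drop_with_help = victim.excess() / offered                 # 20/300 once helped
    return drop_alone, drop_with_help, grants, dict(victim.credit)


def shared_helper_scenario(helper_capacity: float) -> Dict[str, float]:
    """Figure 4 style: requesters N1..N5 each need 2 units from one helper H that
    holds credit 1..5 for them, so N5 is served first and N1 last."""
    helper = Domain("H", capacity=helper_capacity,
                    credit={f"N{i}": float(i) for i in range(1, 6)})
    requesters = {f"N{i}": Domain(f"N{i}", capacity=10, load=12) for i in range(1, 6)}
    needs = {n: d.excess() for n, d in requesters.items()}    # 2.0 each
    return serve_requests(helper, requesters, needs)


if __name__ == "__main__":
    print("single victim (drop alone, drop helped, grants, credits):", single_victim_scenario())
    for cap in (1, 3, 6, 10):
        print(f"helper capacity {cap}:", shared_helper_scenario(cap))
```

Running the block shows the two behaviours the article describes: the victim's drop fraction falls from 2/3 to 1/15 once neighbors absorb the excess, and with a shared helper the high-credit node N5 is always served while N1 only receives help when capacity is left over, which is the incentive the credit mechanism is meant to create.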
This article has illustrated one of the benefits of applying NFV technology to the DDoS problem. Collaboration among domains benefits from the ability to provide virtual resources to a requester almost instantaneously. Moreover, the elasticity of a virtualized system enables more efficient and effective resource usage, while making the system more robust through a quick response to computing resource demands. As a result, this process helps minimize the impact of a DDoS attack.
Duong Tuan Nguyen
Duong Tuan Nguyen is a PhD student in the Department of Systems Engineering at ÉTS. His research interests include cloud/fog computing, software-defined networking, IoT service chains, network optimization and smart services.
Program : Electrical Engineering
Research chair : Canada Research Chair in Smart Sustainable Eco-Cloud
Research laboratories : SYNCHROMEDIA – Multimedia Communication in Telepresence