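% Afek, Bremler-Barr, Shafir: IEEE INFOCOM 2017 paper on DDoS anti-spoofing in the SDN switch data plane.
% The doi field holds the bare DOI (no resolver prefix); language and address are given in English.
% NOTE(review): month/day (2 Oct) differ from the conference dates in the note field (01-05-2017 to 04-05-2017);
% presumably the publication date. TODO confirm. The address field holds a country, not a publisher city.
@inproceedings{9e09033abcab4abdb3d9c3964429c00e,
  author    = {Afek, Yehuda and Bremler-Barr, Anat and Shafir, Lior},
  title     = {Network anti-spoofing with {SDN} data plane},
  booktitle = {INFOCOM 2017 - IEEE Conference on Computer Communications},
  series    = {Proceedings - IEEE INFOCOM},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  address   = {United States},
  year      = {2017},
  month     = oct,
  day       = {2},
  doi       = {10.1109/INFOCOM.2017.8057008},
  language  = {English},
  note      = {Publisher Copyright: {\textcopyright} 2017 IEEE.; 2017 IEEE Conference on Computer Communications, INFOCOM 2017 ; Conference date: 01-05-2017 Through 04-05-2017},
  abstract  = {Traditional DDoS anti-spoofing scrubbers require dedicated middleboxes thus adding CAPEX, latency and complexity in the network. This paper starts by showing that the current SDN match-and-action model is rich enough to implement a collection of anti-spoofing methods. Secondly we develop and utilize advance methods for dynamic resource sharing to distribute the required mitigation resources over a network of switches. None of the earlier attempts to implement anti-spoofing in SDN actually directly exploited the match and action power of the switch data plane. They required additional functionalities on top of the match-and-action model, and are not implementable on an SDN switch as is. Our method builds on the premise that an SDN data path is a very fast and efficient engine to perform low level primitive operations at wire speed. The solution requires a number of flow-table rules and switch-controller messages proportional to the legitimate traffic. To scale when protecting multiple large servers the flow tables of multiple switches are harnessed in a distributed and dynamic network based solution. We have fully implemented all our methods in either Open-Flow1.5 in Open-vSwitch and in P4. The system mitigates spoofed attacks on either the SDN infrastructure itself or on downstream servers.},
}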