|Figure 1: Components of a DDoS attack (credit Wikipedia)|
This article will show how the standard sFlow monitoring built into most vendors' network equipment can be used to rapidly detect DDoS attacks and drive automated controls to mitigate their effect. This case study is based on a data center network consisting of approximately 500 switches and 30,000 switch ports, and the charts show production traffic. This network was used as a testbed for developing the sFlow-RT analytics engine, and the resulting solution is now used in production.
|Figure 2: Uncontrolled DDoS attack|
Note: This chart is from an early sFlow-RT prototype and the dropouts are spurious.
|Figure 3: Performance aware software defined networking|
|Figure 4: Five DDoS attacks within three minutes|
Note: It takes the attacker some time to fully mobilize their network of compromised hosts - if the defense actions can be deployed faster than the attacker can deploy their resources then the effect of the attack is largely eliminated.
|Figure 5: Elements of controller delay|
|Figure 6: Mitigating DDoS attack using fast controller|
This denial of service mitigation example demonstrates sFlow's unique suitability for control applications. More broadly, sFlow provides the comprehensive measurements needed to drive a variety of resource allocation and load balancing applications, including: SDN and large flows, ECMP load balancing, Load balancing LAG/ECMP groups, and cloud orchestration.
In future, expect to see sFlow-based performance awareness incorporated in a wide range of orchestration platforms, leveraging existing infrastructure to increase performance, reduce costs and ensure quality of service - ask vendors about their plans.