Today, at Networking Field Day 7, Ramki Krishnan of Brocade Networks demonstrated how the sFlow and OpenFlow standards can be combined to deliver DDoS mitigation as a service. Ramki is a co-author of related Internet Drafts: Large Flow Use Cases for I2RS PBR and QoS and Mechanisms for Optimal LAG/ECMP Component Link Utilization in Networks.
Related coverage: Prolexic Publishes Top 10 DDoS Attack Trends for 2013; World's largest DDoS strikes US, Europe.
The key to making this solution scale is the use of hybrid port OpenFlow. By default, all traffic is handled by the switch's normal hardware switching and routing function without any intervention from the controller. OpenFlow rules are used only to override the normal forwarding behavior for the selected flow. The solution uses a software controller that leverages the standard sFlow and OpenFlow capabilities of existing network hardware to provide a scalable, automated, cost-effective solution that allows ISP/IX networks to effectively mitigate flood attacks.
The sFlow-RT software performs a number of functions:
- Provides a REST API allowing the customer to set thresholds and mitigation policies
- Detects the DDoS attack
- Extracts attributes that characterize the attack traffic - UDP source port (123) and destination IP address (220.127.116.11) in this example
- Constructs a filter to drop the attack
- Makes a call to OpenDaylight's Flow Programmer REST API to instruct OpenDaylight to push the filter as an OpenFlow rule to the MLXe
- Continues to monitor the DDoS traffic
- Makes a call to OpenDaylight to remove the rule once the attack subsides
- Provides statistics to drive the demo dashboard - which in a real deployment would be the customer portal
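The control loop the list above describes, as an added example that is not code from the original post, from sFlow-RT, Brocade or OpenDaylight. It assumes sFlow samples arrive already decoded as small records, stands in an in-memory fake for the HTTP client to the controller, and approximates the JSON layout of an OpenDaylight Flow Programmer static flow from memory of the Hydrogen-era API (the field names are an assumption to check against a real install). The switch node id and the sampling rate are constructed values; the attack signature (UDP source port 123 to 220.127.116.11) is the one from the demo.

```python
"""Minimal DDoS mitigation loop: detect, install drop rule, keep watching,
withdraw once the attack subsides. Added example, not sFlow-RT's own code."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One decoded sFlow packet sample (constructed for the example)."""
    ip_dst: str
    udp_sport: int


def estimate_pps(samples, window_s, sampling_rate):
    """Scale sampled packet counts up to packets/second per (udp_sport, ip_dst).

    Each sample stands for `sampling_rate` packets on average, which is why a
    few hundred samples are enough to make a multi-hundred-kpps flood visible.
    """
    counts = Counter((s.udp_sport, s.ip_dst) for s in samples)
    return {k: n * sampling_rate / window_s for k, n in counts.items()}


def detect(rates, threshold_pps):
    """Return the flow keys whose estimated rate exceeds the threshold."""
    return [k for k, pps in rates.items() if pps > threshold_pps]


def build_drop_rule(name, node_id, udp_sport, ip_dst):
    """Build the static flow body for OpenDaylight's Flow Programmer API.

    Assumed shape (Hydrogen-era API, not taken from the page): match IPv4,
    UDP, source port and destination host, action DROP.
    """
    return {
        "name": name,
        "node": {"id": node_id, "type": "OF"},
        "etherType": "0x800",
        "protocol": "17",
        "tpSrc": str(udp_sport),
        "nwDst": ip_dst + "/32",
        "priority": "500",
        "installInHw": "true",
        "actions": ["DROP"],
    }


class FakeController:
    """Stands in for the HTTP client to OpenDaylight; records rule changes."""

    def __init__(self):
        self.rules = {}
        self.log = []

    def install(self, rule):
        self.rules[rule["name"]] = rule
        self.log.append(("install", rule["name"]))

    def remove(self, name):
        self.rules.pop(name, None)
        self.log.append(("remove", name))


class Mitigator:
    """Detect, filter, keep monitoring, then withdraw the rule.

    `quiet_windows` adds hysteresis so a rule is not removed on the first
    quiet interval and re-installed a second later (rule churn on the switch).
    """

    def __init__(self, controller, node_id, threshold_pps,
                 sampling_rate=1000, quiet_windows=2):
        self.ctl = controller
        self.node_id = node_id          # constructed OpenFlow datapath id
        self.threshold = threshold_pps
        self.rate = sampling_rate       # constructed: 1-in-1000 sampling
        self.quiet_windows = quiet_windows
        self.active = {}                # flow key -> consecutive quiet windows

    def rule_name(self, key):
        sport, dst = key
        return f"ddos-udp{sport}-{dst}"

    def step(self, samples, window_s=1.0):
        """Process one measurement window; return the set of active flow keys."""
        rates = estimate_pps(samples, window_s, self.rate)
        attacking = set(detect(rates, self.threshold))
        for key in attacking:
            if key not in self.active:
                rule = build_drop_rule(self.rule_name(key), self.node_id, *key)
                self.ctl.install(rule)
            self.active[key] = 0        # still attacking: reset quiet count
        for key in list(self.active):
            if key in attacking:
                continue
            self.active[key] += 1
            if self.active[key] >= self.quiet_windows:
                self.ctl.remove(self.rule_name(key))
                del self.active[key]
        return set(self.active)
```

Because the switch keeps sampling ingress packets while the drop rule is in place, the same sFlow feed that triggered the rule also shows when the flood stops; the hysteresis in `quiet_windows` is what keeps a bursty attack from toggling the rule on and off.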
This demonstration of DDoS mitigation is only one application of this architecture - Ramki's OpenDaylight Summit talk Flow-aware Real-time SDN Analytics (FRSA) presented a number of others.