A Multi-Criteria-based DDoS-Attack Prevention Solution using Software Defined Networking

Phan Van Trung 1, Truong Thu Huong 1, Dang Van Tuyen 1, Duong Minh Duc 1, Nguyen Huu Thanh 1, Alan Marshall 2
1 Hanoi University of Science and Technology, 2 University of Liverpool

Abstract— Software-Defined Networking (SDN) has become a promising network architecture in which network devices are controlled by an SDN Controller. Employing SDN offers an attractive solution for network security. However, attack prediction and prevention, especially for Distributed Denial of Service (DDoS) attacks, is a challenge in SDN environments. This paper analyzes the characteristics of traffic flows up-streaming to a Vietnamese ISP server, during both the normal state and the DDoS attack state. Based on the traffic analysis, an SDN-based Attack Prevention Architecture is proposed that is able to capture and analyze incoming flows on-the-fly. A multi-criteria based prevention mechanism is then designed using both hard-decision thresholds and a Fuzzy Inference System to detect DDoS attacks. In response to determining the presence of attacks, the designed system is capable of dropping attack flows on demand from the control plane.

Keywords—OpenFlow/SDN; DDoS attack; Fuzzy Logic.

I. INTRODUCTION

Network security has become a national critical concern as we find more and more types of attacks that harass networks. The Distributed Denial of Service (DDoS) attack is a serious problem at present. In this attack type, many hosts controlled by attackers combine to send extremely large volumes of network traffic to victims. This causes bandwidth congestion, and the processing capability of network systems and servers to be exhausted. There are many proposed solutions for detecting and mitigating DDoS attacks. These solutions are divided into two groups: signature prevention techniques [3][4][5] and anomaly prevention techniques [6][7][8][9].
The solutions in the former group detect attacks by comparing incoming traffic with stored attack samples, hence they are inappropriate for detecting new DDoS attack methods. The techniques in the latter group require a dedicated device for collecting and analyzing traffic data and applying statistical analysis or machine learning methods. Some solutions are used only in offline mode, to analyze traffic in order to find the original attack source after the attack has occurred.

From another perspective, Software-Defined Networking (SDN) [1] is a prominent future network model nowadays. In the SDN architecture, the control plane is separated from the data plane, which gives network operators the ability to easily monitor, control, manage and configure network resources and network state through software executing in the controller. OpenFlow/SDN [2] has entered this scene as a promising protocol for communication between the control plane (controller) and the data plane (OpenFlow switch). It allows the Controller to send configuration messages to and receive messages from OpenFlow switches. As a result, administrators can centrally monitor and collect network traffic and device status in an easy way. Besides, in an SDN architecture, OpenFlow switches can provide network traffic statistical parameters, which are useful for security applications such as DDoS attack prevention.

In this paper, we propose a novel network architecture for DDoS Attack Prevention based on statistical parameters of incoming traffic, using the combination of a hard threshold method and a Fuzzy Logic algorithm. The statistical parameters, which are monitored by switches and periodically sent to the Controller in the SDN architecture, comprise the distribution of inter-arrival time, the distribution of packet quantity per flow and the total number of flow entries to a server.
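As an added example, not code from the paper or from the authors' system: a Python sketch of how a controller-side security application could derive the three statistics named above (inter-arrival time, packets per flow, flow entries toward a server) from per-flow counters, settle the clear cases with hard thresholds, and hand the grey zone to a small fuzzy inference step, as the abstract's hybrid scheme describes. The flow records, the server address, the threshold values, the membership ramps and the rule base are all constructed assumptions for this illustration; the paper derives its own values from the NetNam traffic analysis, and the inter-arrival time here is measured between successive new flows, which is one reading of the paper's wording, not its stated definition.

```python
"""Hybrid hard-threshold + fuzzy DDoS decision over per-flow statistics.

Added example (not the paper's code). The three features follow the
paper's list: inter-arrival time, packets per flow, number of flow entries
toward a server. Thresholds, membership ramps, rules and sample flows are
all assumptions made for this illustration.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class FlowStat:
    """One flow-table entry as a controller would see it in a flow-stats
    reply, reduced to the fields this example needs (constructed)."""
    src: str
    dst: str
    packet_count: int
    first_seen: float  # controller clock (s) when the flow first appeared


# Hard-decision thresholds on the flow-entry count (assumed values).
HARD_MAX_FLOWS = 400   # at or above this many entries toward a server: attack
HARD_MIN_FLOWS = 10    # at or below this: normal, no fuzzy evaluation needed


def extract_features(stats: List[FlowStat], server: str) -> Dict[str, float]:
    """Reduce the flow entries destined to `server` to the three statistics."""
    flows = sorted((f for f in stats if f.dst == server), key=lambda f: f.first_seen)
    if not flows:
        return {"n_flows": 0, "pkts_per_flow": 0.0, "iat": float("inf")}
    # Inter-arrival time is measured here between successive *new flows*
    # toward the server (an assumption; the paper does not fix this detail).
    gaps = [b.first_seen - a.first_seen for a, b in zip(flows, flows[1:])]
    return {
        "n_flows": len(flows),
        "pkts_per_flow": mean(f.packet_count for f in flows),
        "iat": mean(gaps) if gaps else float("inf"),
    }


def ramp(x: float, lo: float, hi: float) -> float:
    """Linear membership rising from 0 at `lo` to 1 at `hi`, clamped to [0, 1]."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def fuzzy_attack_score(feat: Dict[str, float]) -> float:
    """Zero-order Sugeno-style inference: rule firing strength = min of the
    antecedent memberships, output = weighted mean of singleton consequents
    (0.9 = attack-like, 0.1 = normal-like). Ramps and rules are assumed."""
    flows_high = ramp(feat["n_flows"], 50, 300)
    pkts_low = 1.0 - ramp(feat["pkts_per_flow"], 1, 10)   # few packets per flow
    iat_low = 1.0 - ramp(feat["iat"], 0.001, 0.1)          # flows arriving in bursts
    rules: List[Tuple[float, float]] = [
        (min(flows_high, pkts_low), 0.9),            # many short flows -> attack
        (min(iat_low, pkts_low), 0.9),               # bursty short flows -> attack
        (min(1 - flows_high, 1 - pkts_low), 0.1),    # few, long flows -> normal
        (1 - iat_low, 0.1),                          # relaxed arrival rate -> normal
    ]
    total = sum(w for w, _ in rules)
    return sum(w * out for w, out in rules) / total if total else 0.0


def classify(stats: List[FlowStat], server: str) -> Tuple[str, float]:
    """Hard thresholds settle the clear cases; the fuzzy step decides the
    grey zone in between. Returns (label, attack score in [0, 1])."""
    feat = extract_features(stats, server)
    if feat["n_flows"] >= HARD_MAX_FLOWS:
        return "attack", 1.0
    if feat["n_flows"] <= HARD_MIN_FLOWS:
        return "normal", 0.0
    score = fuzzy_attack_score(feat)
    return ("attack" if score >= 0.5 else "normal"), score


SERVER = "10.0.0.100"  # constructed server address under observation


def make_normal_stats() -> List[FlowStat]:
    """Constructed: 20 clients, tens of packets per flow, flows ~0.5 s apart."""
    return [FlowStat(f"192.0.2.{i}", SERVER, 40 + 7 * i, 0.5 * i) for i in range(1, 21)]


def make_attack_stats(n: int = 200) -> List[FlowStat]:
    """Constructed: many distinct sources, 1-2 packets per flow, 2 ms apart."""
    return [FlowStat(f"198.51.100.{i % 250 + 1}", SERVER, 1 + i % 2, 0.002 * i)
            for i in range(n)]


if __name__ == "__main__":
    for name, stats in [("normal", make_normal_stats()),
                        ("attack", make_attack_stats()),
                        ("flood", make_attack_stats(600))]:
        label, score = classify(stats, SERVER)
        print(f"{name:7s} -> {label:6s} (score {score:.2f})")
```

The point of the split is that the hard thresholds are cheap and unambiguous at the extremes (a few entries is plainly normal, hundreds toward one server is plainly not), while the fuzzy step lets the three statistics reinforce or cancel each other in the range where no single threshold is trustworthy; in a real deployment both the thresholds and the ramps would be fitted to measured normal traffic for the protected server, as the paper does with its ISP capture.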
A security application running on the controller applies the hybrid algorithm (i.e., the combination of the hard threshold and fuzzy logic schemes) to analyze the statistical parameters and decides whether the corresponding server is under a DDoS attack or in the normal state.

The rest of the paper is structured as follows. Section II describes related work. Section III focuses on the analysis of traffic collected from NetNam, one of the largest ISPs in Vietnam. The analysis provides insight into how the traffic features of incoming flows look during the normal state and under attack. In Section IV, we propose an architecture of the DDoS-attack prevention solution based on SDN. The hybrid algorithm that combines the hard threshold and fuzzy logic methods for detecting DDoS attacks is presented in Section V. Finally, conclusions and future work are given in Section VI.

II. RELATED WORK

The common approach of DDoS-attack detection and mitigation solutions is to collect traffic characteristics before applying different algorithms in order to confirm whether or not an attack is taking place. Each time the system detects an attack, the attack traffic is identified and dropped through the policies set at firewalls or prevention devices [21]. Although there is a variety of existing algorithms, such as using entropy [10][11], source address distribution [12][13], activity profiling [14] and so on, the respective solutions mostly depend on the characteristics of particular DDoS attacks. Consequently, they can be fooled by attackers in an easy way. For instance, attackers may spoof source IP addresses by using some common tools. But if

2015 International Conference on Advanced Technologies for Communications (ATC) 978-1-4673-8374-5/15/$31.00 ©2015 IEEE 308