SDN-based Dynamic and Adaptive Policy Management System to Mitigate DDoS Attacks

Rishikesh Sahay, Institut Mines-Télécom, Télécom SudParis, rishikesh.sahay@telecom-sudparis.eu
Gregory Blanc, Institut Mines-Télécom, Télécom SudParis, gregory.blanc@telecom-sudparis.eu
Zonghua Zhang, Institut Mines-Télécom, IMT Lille Douai, zonghua.zhang@imt-lille-douai.fr
Khalifa Toumi, Institut Mines-Télécom, Télécom SudParis, khalifa.toumi@telecom-sudparis.eu
Hervé Debar, Institut Mines-Télécom, Télécom SudParis, herve.debar@telecom-sudparis.eu

ABSTRACT

This paper presents a dynamic policy enforcement mechanism that allows ISPs to specify security policies to mitigate the impact of network attacks while taking into account the specific requirements of their customers. The proposed policy-based management framework leverages the recent Software-Defined Networking (SDN) technology to provide a centralized platform on which network administrators define global network and security policies, which are then enforced directly on the OpenFlow switches. One of the major objectives of such a framework is to achieve fine-grained and automated attack mitigation in the ISP network, ultimately reducing the impact of the attack and the collateral damage to the customer networks. To evaluate the feasibility and effectiveness of the framework, we develop a prototype that serves one ISP and three customers. The experimental results demonstrate that our framework can successfully reduce the collateral damage inflicted on a customer network by attack traffic targeting another customer network. More interestingly, the framework provides a rapid response and mitigates the attack in a very short time.

Keywords

Security policy, Policy management, SDN

1. INTRODUCTION

In today's Internet, traffic engineering is mainly performed by the Internet Service Providers (ISP), while the customers are usually passive.
As we know, one of the major objectives of traffic engineering is to mitigate traffic congestion, which can be caused, among other things, by attacks. The lack of collaboration between an ISP and its customers may eventually lead to dissatisfaction among those customers, as legitimate traffic may get dropped. For example, when defending against Distributed Denial of Service (DDoS) attacks that attempt to deplete an ISP's bandwidth, simply prioritizing legitimate traffic or redirecting suspicious traffic for one customer may impact other customers of the same ISP, since the same path can be shared between different customers in an ISP network.

As a matter of fact, without collaborating with their ISPs, customers do not have much control over the incoming traffic, apart from blocking the attack traffic at their border router. Therefore, it is in the interest of both the victim network and its ISP to collaborate on traffic engineering to mitigate the effect of congestion. In this case, the customer can express finer requirements that the ISP can address as differentiated services. Although a large number of solutions [8, 10] have been proposed for traffic engineering, they have not been considered for widespread deployment, chiefly due to the complexity of the network management tasks involved, such as configuring switches and routers for policy enforcement.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Copyright 2017 ACM 978-1-4503-4486-9/17/04 ... $15.00 http://dx.doi.org/xx.xxxx/xxxxxxx.xxxxxxx
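The collateral-damage argument above (a coarse mitigation on a shared path hurts every customer behind it, whereas a policy compiled into a destination-specific OpenFlow rule only touches the attacked customer) can be made concrete with a small model. The following is an added illustration, not the paper's prototype: the customer prefixes, link capacity, traffic rates and the rule dictionary layout (a simplified stand-in for an OpenFlow 1.3 match plus meter) are all constructed for the example.

```python
"""Toy model of one ISP link shared by several customers, comparing a
link-wide cut with a per-customer policy compiled into an OpenFlow-style rule.
Added example; all addresses, rates and the rule format are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LINK_CAPACITY_MBPS = 100.0  # capacity of the path shared by all customers (constructed)

# Customer address blocks reached over the shared path (constructed).
CUSTOMERS = {"A": "10.1.0.0/24", "B": "10.2.0.0/24", "C": "10.3.0.0/24"}


@dataclass(frozen=True)
class Flow:
    dst: str           # destination inside one customer prefix
    rate_mbps: float   # offered rate
    legitimate: bool   # ground truth, used only to score the outcome


@dataclass(frozen=True)
class Policy:
    """A customer-specific requirement the ISP administrator enters once."""
    customer: str
    rate_limit_mbps: float  # cap on traffic entering that customer's prefix


def compile_policy(policy: Policy, priority: int = 100) -> dict:
    """Translate a policy into a rule that matches the customer's destination
    prefix and sends matching packets through a rate-limiting meter.
    The dict layout is a hypothetical simplification, not a real SDK object."""
    return {
        "priority": priority,
        "match": {"eth_type": 0x0800, "ipv4_dst": CUSTOMERS[policy.customer]},
        "meter_rate_mbps": policy.rate_limit_mbps,
    }


def deliver(flows, rules=(), capacity=LINK_CAPACITY_MBPS):
    """Delivered rate per flow: rules first (highest priority wins, the meter
    caps the aggregate of flows hitting that rule), then the link limit.
    If the link is still oversubscribed every remaining flow is cut by the same
    factor, which is exactly the collateral damage a blanket action causes."""
    ordered = sorted(rules, key=lambda r: -r["priority"])
    groups = defaultdict(list)
    for f in flows:
        key = None  # None = no rule matched, flow only sees the link limit
        for i, r in enumerate(ordered):
            if ip_address(f.dst) in ip_network(r["match"]["ipv4_dst"]):
                key = i
                break
        groups[key].append(f)

    delivered = {}
    for key, group in groups.items():
        offered = sum(f.rate_mbps for f in group)
        cap = float("inf") if key is None else ordered[key]["meter_rate_mbps"]
        factor = min(1.0, cap / offered) if offered else 1.0
        delivered.update({f: f.rate_mbps * factor for f in group})

    total = sum(delivered.values())
    if total > capacity:
        factor = capacity / total
        delivered = {f: r * factor for f, r in delivered.items()}
    return delivered


def legitimate_delivered(flows, rules=()):
    """Legitimate Mbps reaching each customer, i.e. what each customer perceives."""
    per_customer = {name: 0.0 for name in CUSTOMERS}
    for f, rate in deliver(flows, rules).items():
        if not f.legitimate:
            continue
        for name, prefix in CUSTOMERS.items():
            if ip_address(f.dst) in ip_network(prefix):
                per_customer[name] += rate
    return per_customer


# Constructed scenario: customer A is flooded; B and C carry only legitimate traffic.
SCENARIO = [
    Flow("10.1.0.10", 10.0, True),
    Flow("10.1.0.10", 300.0, False),  # flood aimed at A, far above the link capacity
    Flow("10.2.0.20", 30.0, True),
    Flow("10.3.0.30", 20.0, True),
]

if __name__ == "__main__":
    print("no policy  :", legitimate_delivered(SCENARIO))
    rules = [compile_policy(Policy("A", rate_limit_mbps=40.0))]
    print("with policy:", legitimate_delivered(SCENARIO, rules))
```

Without a rule, the 360 Mbps offered to a 100 Mbps link is cut uniformly, so customers B and C lose most of their legitimate traffic even though nobody is attacking them. With a single rule compiled from A's policy, only traffic to A's prefix is metered; B and C receive their full 30 and 20 Mbps, and A still gets a proportional share of the 40 Mbps it asked to be left open. The same structure (policy object, compiled match/action, enforcement point) is what a centralized SDN controller lets the ISP administrator manage in one place instead of per switch.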
According to a report from Juniper [12], network downtime due to human error accounts for 80% of total network downtime. Manual configuration therefore hinders the dynamic deployment of network services, further degrading the Quality of Service (QoS) level for the customers of an ISP.

Another fact is that service providers statically provision security devices alongside dedicated network devices, and define the ordering constraints that must be applied to the packets [11]. These security and network devices are generally distributed across the network through separate VLANs, while network policy is usually applied per VLAN. This essentially leads to static service chaining, with static policies deployed for steering network traffic to the security and network devices [11]. This topological dependency of middlebox deployment makes ISPs reluctant to deploy new security functions in their networks for providing security services to their customers. Furthermore, all the traffic,