Prevention of DrDoS Amplification Attacks by Penalizing the Attackers in SDN Environment

Abstract

Distributed Denial of Service (DDoS) attacks is one of the most prevalent and dangerous cyber-attacks that can bring down the targeted part of Internet infrastructure in a short amount of time, thus resulting in significant economic losses. As a defense strategy against these attacks, attack detection followed by attack mitigation is not enough as there will always be a time lag between detection and mitigation. Instead, attack prevention is a more promising strategy. This paper focuses on preventing such attacks that save the targeted (or victim’s) network from any harm and penalize the attacker’s network for making the attack. We propose two DDoS prevention techniques named Port-Mapping, and PortMergeIP, considering DNS amplification attack as a specific and one of the most dangerous types of DDoS attack. All the methods are proven to prevent the victim from the attack altogether. The packet loss is up to 98% at the attacker’s side when the proposed algorithm is implemented during a DDoS attack. The delay introduced due to the proposed algorithms is approximately 30% lesser than an existing work based on authentication.