Traffic Monitoring and DDoS Detection using Stateful SDN

We propose to showcase the benefits of stateful SDN in the context of DDoS detection and mitigation. By delegating some local tasks to the switch rather than relying always on the controller, it is possible to monitor data-plane traffic efficiently and to detect malicious network behaviours with high accuracy. Stateful SDN concepts are employed both to improve reactivity and to offload the controller and the control channel by delegating local treatments down to the switches. The demo illustrates how to protect end-hosts from Distributed Denial of Service (DDoS) attacks. Our approach, named StateSec, is built on advanced in-switch processing capabilities to detect and mitigate threats swiftly. StateSec relies on a detection loop to: 1) match and count a configurable set of traffic features (e.g., IP source and destination, port source and destination) without resorting to the controller; 2) use an entropy-based detection algorithm with such monitored features, 3) detect several threats such as (D) DoS and port scans with high accuracy, and 4) take countermeasures by installing OpenFlow rules at the switch.