In this paper we investigate synergies between Network Functions Virtualization (NFV) architectures and Software-Defined Networks (SDN). We identify the value-adding capabilities these technologies may offer to telecom providers for agile management and deployment of network functions across their infrastructures. Specifically, we propose a modular NFV architecture that permits policy-based management of Virtualized Network Functions (VNFs). Hence we can handle the lifecycle of VNFs and dynamically instantiate business applications as Service Chains of diverse VNFs delivered to large-scale customers. To describe network resources, network control functions and VNF capabilities, we introduced an Information Model that abstracts these elements. In order to verify the proposed architecture, we considered the case of multiple Content Delivery Network (CDN) providers having CDN caching nodes hosted by another operator. We implemented and deployed VNFs capable of mapping virtual links onto the physical substrate and monitoring the traffic of each client, ultimately providing the means to instantiate and orchestrate a policy-based traffic engineering service as a business application.
In this paper, we investigate the applicability of inserting an OpenFlow middlebox to enhance the remotely triggered black hole routing mechanism and mitigate distributed denial of service (DDoS) attacks in legacy networks. Specifically, we propose a modular architecture that exploits the network programmability of software-defined networking within the context of network functions virtualization, deploying on-demand virtualized network functions (VNFs) capable of manipulating and filtering malicious traffic. Leveraging the OpenFlow control functionality, we match and handle traffic at a per-flow level, preserving connectivity to and from the victim while pushing the mitigation process upstream, towards the edge of the affected network. To that end, a multilevel anomaly detection and identification mechanism was developed, pinpointing the victim when an attack is detected. Subsequently, a virtualized network function instructs the edge router to forward all traffic destined to the victim to an OpenFlow switch, which acts as a middlebox capable of filtering malicious traffic identified by an OpenFlow controller while preserving benign flows. The proposed architecture was implemented and evaluated on a combination of datasets containing traces of real DDoS attacks and normal background traffic from our university campus network. Our analysis illustrated a clear clustering of the Internet protocol prefixes used by malicious sources; thus, we implemented a longest common prefix aggregation algorithm to enable scaling of the proposed mitigation process, overcoming constraints due to the hardware limitations of OpenFlow devices. Our analysis verifies that the proposed modular and scalable schema can efficiently identify DDoS attack victims and filter malicious traffic without exhausting system and network resources.
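The prefix aggregation step above is the part a practitioner most needs to see: the set of identified attacker addresses is folded into a bounded number of drop-rule prefixes so it fits the flow-table budget of an OpenFlow switch, while keeping the collateral damage to benign flows visible. The following is an added example written for this page, not the paper's own implementation: it merges the sorted-adjacent pair of prefixes with the longest common prefix until the rule count fits, and reports which (constructed) benign clients would be filtered as a side effect. The function names, the sample addresses and the rule budget are all assumptions.

```python
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network

def common_prefix(a: IPv4Net, b: IPv4Net) -> IPv4Net:
    """Smallest prefix covering both networks, i.e. their longest common prefix."""
    diff = int(a.network_address) ^ int(b.network_address)
    shared = 32 - diff.bit_length()          # leading bits the two addresses agree on
    plen = min(a.prefixlen, b.prefixlen, shared)
    return IPv4Net((int(a.network_address), plen), strict=False)

def aggregate_sources(sources: Iterable[str], max_rules: int) -> List[IPv4Net]:
    """Fold individual malicious source addresses into at most `max_rules` prefixes.

    Each round merges the sorted-adjacent pair whose common prefix is longest, so
    the covered address space (and hence collateral filtering) grows as slowly as
    possible while the rule count shrinks to fit the switch's flow-table budget.
    """
    nets = list(ipaddress.collapse_addresses(IPv4Net(s) for s in sources))
    while len(nets) > max_rules:
        best_i, best = 0, None
        for i in range(len(nets) - 1):
            cand = common_prefix(nets[i], nets[i + 1])
            if best is None or cand.prefixlen > best.prefixlen:
                best_i, best = i, cand
        nets[best_i:best_i + 2] = [best]
        # collapse_addresses re-sorts and absorbs any neighbour now covered by `best`
        nets = list(ipaddress.collapse_addresses(nets))
    return nets

def collateral(prefixes: List[IPv4Net], benign: Iterable[str]) -> List[str]:
    """Benign hosts that would be filtered alongside the attackers (false positives)."""
    return [h for h in benign if any(ipaddress.IPv4Address(h) in p for p in prefixes)]

# Constructed sample (assumption): attacker addresses cluster in two /24s plus one outlier.
MALICIOUS = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.40",
             "198.51.100.41", "203.0.113.7", "203.0.113.8", "192.0.2.200"]
# Constructed benign clients that must keep reaching the victim.
BENIGN = ["198.51.100.50", "198.51.100.130", "203.0.113.100", "192.0.2.1"]

if __name__ == "__main__":
    rules = aggregate_sources(MALICIOUS, max_rules=3)   # assumed tiny flow-table budget
    for p in rules:
        print("drop src", p)
    print("collateral:", collateral(rules, BENIGN))
```

With a budget of three rules the eight sources collapse to 192.0.2.200/32, 198.51.100.0/26 and 203.0.113.0/28, and the collateral check shows that one benign client inside the /26 would be caught, which is exactly the trade-off an operator must weigh before pushing the rules to the switch.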