Mr Man Ming Andrew Hon
Mr Yiu Lun Victor Wong
Dr Jie James Deng
Mr Bo Albert Li
Mr Man Sheung Kenneth Lau
OGCIO
Hong Kong University of Science and Technology
Institute for Infocomm Research, A*STAR Singapore
Current technology relying on client-side defence mechanisms is ineffective to withstand DDoS (Distributed Denial of Service) attacks, wherein an attacker sends in a lot of traffic or makes a huge number of service requests to a victim so as to bring down the service to legitimate users. For instance, attacker trace-back is impossible due to spoofed IP addresses and nothing can be done when the last-mile link is jammed with DDoS traffic. More effective defence has to be based on traffic analysis and filtering further upstream. This project proposes to evaluate the capability of SDNs (Software Defined Networks) for fine-grained traffic monitoring and upstream in-line filtering in DDoS protection, and design the architecture of an agile DDoS protection platform leveraging on the capabilities brought about by the SDN paradigm, namely, programmability, centralized control and fine granular traffic management and monitoring, to collect statistics for DDoS analytics and filter traffic upstream on a per-flow basis. Based on a hybrid approach, the platform performs analytics over data from different sources (upstream through SDN, at the victim-side, and possibly from a threat intelligence framework) and automatically generates Openflow rules for SDN switches to carry out filtering. Such a platform could increase the resilience of Hong Kong’s cyberspace to DDoS attacks and foster a conducive ecosystem for security service providers.
