Defensive Network Architectures Against Distributed Denial-of-Service Attacks
DOI:
https://doi.org/10.15662/IJARCST.2020.0305002
Keywords:
Distributed Denial-of-Service (DDoS), Network Resilience, Overlay Defense, Software-Defined Networking (SDN), Network Functions Virtualization (NFV), Proactive vs. Reactive Defense, Bohatei, Poseidon (NDN)
Abstract
Distributed Denial-of-Service (DDoS) attacks persistently threaten network availability and service reliability. Designing resilient networks capable of withstanding such attacks is critical. This paper surveys architecture-level strategies and defense mechanisms developed before 2019 to bolster network resilience against DDoS threats. We categorize approaches into proactive and reactive overlays, Software-Defined Networking (SDN) and Network Functions Virtualization (NFV)-based defenses, and overlay-based session-shielding techniques. The methodology includes systematic literature analysis, performance comparison across key metrics (latency, deployment transparency, collateral damage), and integration of case studies such as Bohatei (SDN/NFV defense) and overlay frameworks like AID, WebSOS, and MOVE. Findings indicate that proactive overlays provide low latency during normal operation, while reactive overlays maintain service continuity during attacks with minimal collateral damage. SDN/NFV solutions, exemplified by Bohatei, demonstrate elastic, scalable, and responsive defense against high-throughput attacks. In Named Data Networking, Poseidon mitigates interest flooding via architectural modifications. Limitations include complexity in deployment, reliance on ISP cooperation, vulnerabilities of fixed overlay nodes, and the need for rapid detection. The proposed workflow guides deployment: threat modeling, selecting defense architecture, deploying monitoring/mitigation (e.g., SDN controllers, overlays), testing, and iterative refinement. Advantages include scalability, flexibility, and improved availability; disadvantages include cost, complexity, and potential latency during attacks. Results emphasize that hybrid models combining overlay techniques and SDN/NFV can achieve robust resilience.
We conclude that multi-layered strategies are most effective, and future research should explore machine learning–enhanced detection, blockchain-assisted distributed mitigation, and real-time adaptive defense mechanisms.
References
1. Kaur, R., Sangal, A. L., & Kumar, K. (2017). Overlay based defensive architecture to survive DDoS: A comparative study. Journal of Homeland Security, SAGE.
2. Fayaz, S. K., Tobioka, Y., Sekar, V., & Bailey, M. (2015). A New Approach to DDoS Defense using SDN and NFV (Bohatei). preprint.
3. Compagno, A., Conti, M., Gasti, P., & Tsudik, G. (2013). Poseidon: Mitigating Interest Flooding DDoS Attacks in Named Data Networking. preprint.
4. Askar, S. (2015). Investigation of the Impact of DDoS Attack on Network Efficiency...
5. Tipton H. & Krause M. (2004); Chang R.K.C. (2002); Ioannidis & Bellovin (2002). DDoS defense strategies including Pushback, ingress filtering.


