SENSS: Software Defined Security Service

Network attacks have long been an important problem, and have attracted a lot of research in academic and commercial sector. With a rapidly growing number of critical as well as business applications deployed on the Internet today, network attacks have both become more lucrative for the attackers and more damaging to the victims. The implications of network attacks on the victim can be huge. For example a distributed denial-of-service (DDoS) can overwhelm the victim and make it unable to handle its regular business. A large-volume DDoS attack can further cause collateral damage to traffic that shares links with the victim’s traffic, leading to large traffic drops, BGP session interruptions and routing interruptions [6]. Besides the data plane attacks, control plane misconfigurations and attacks on the interdomain routing protocol BGP [5] can have dire implications for victim networks. For example, the prefix-hijacking attack injects and propagates false routes to the Internet, causing victim’s traffic to be redirected to the attacker networks for sniffing, modification or dropping [1]. Traffic sniffing and modification are very difficult to detect and mitigate, and create huge security and privacy issues for the victim, while blackholing severely affects online businesses and critical infrastructures. Many solutions have been proposed to detect and mitigate individual attacks. For example, in DDoS realm many victim-deployed or ISP-deployed DDoS defenses, overlay-based DDoS defenses [3] and content replication to sustain high-volume attacks have been proposed and deployed. In routing realm, detection approaches that monitor live BGP data feeds and conduct data plane probing have been proposed to diagnose prefix-hijacking attacks. But ultimately, traffic flows, attacks, and their routes are the results of actions of multiple networks, each following its individual interests and priorities. Thus, while many attack instances can be handled by the victim and its local ISP, there will always exist attacks that cannot be diagnosed or mitigated without help from remote networks, which are involved in sourcing or carrying traffic to the victim. Today’s Internet lacks such wide-scale, general service for automated inter-ISP collaboration on security problem diagnosis and mitigation. There have been numerous research works on inter-ISP collaboration for attack diagnosis and mitigation, such as collaborative DDoS defenses, collaborative worm defenses, and collaborative routing defenses. However, most proposals are still not deployed today because: (1) Most of the proposals only focus on detection or mitigation of one attack type or variant; (2) Some solutions require complex changes of the data plane or new router functionality, which are difficult to achieve; (3) Some solutions do not create proper incentives for ISPs to collaborate with each other.