Bohatei: Flexible and Elastic DDoS Defense
DDoS attacks are constantly increasing in number, scale, and diversity, causing significant damage to organizations and Internet users. Current DDoS defense solutions rely on proprietary hardware appliances that have fixed traffic processing capacity and fixed defense capabilities and are deployed at fixed locations. This makes the current practice fundamentally inflexible and expensive.
In response, we have designed Bohatei, a first-of-its-kind system that embraces new paradigms such as software-defined networking (SDN) and network functions virtualization (NFV) to dramatically improve the state of the art in DDoS defense. Our evaluations show that Bohatei is highly scalable, responsive, and adversary-resilient. Bohatei is designed to be immediately deployable.
Looking beyond DDoS defense, we believe our design and implementation of Bohatei can be a harbinger for several other network security services that are plagued with similar problems (e.g., high cost, inflexibility, and inelasticity with respect to attack volume).
Bohatei in 1 minute
You can find the codebase for Bohatei here.
Here is a time-lapse of the system demo:
Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags
Seyed K. Fayaz, Luis Chiang, Vyas Sekar, Minlan Yu, and Jeffrey C. Mogul
USENIX NSDI, 2014