Demonstration of a framework for enabling security services collaboration across multiple domains

Network virtualization technologies are creating a new era for information security, enabling the on demand creation and deployment of security appliances (generically called security service functions - SSF) for detecting and/or mitigating attacks. However, given the increasing size and complexity of contemporary attacks, it is usually hard for a single administrative domain to deal with several malicious flows by itself, which motivates the collaboration among SSFs from multiple domains. In this paper, we present a technical demonstration of a framework that leverages SDN (Software Defined Networking) and SFC (Service Function Chaining) to enhance the collaboration among different SSFs for mitigating large scale attacks. This framework allows SSFs from different domains to negotiate and dynamically control the amount of resources allocated for collaboration, in what we call a “best-effort” collaboration mode. The demonstration hereby presented consists in a video streaming service that is targeted by a volumetric denial-of-service attack, showing basically two situations: (1) after the attack reaches a certain volume, the SSF from the streaming service's domain becomes unable to handle the attack on its own, so packets are dropped and the video quality decreases; and (2) when there is a collaboration among SSFs, the amount of traffic dropped is considerably reduced, so the video quality is preserved even during the attack.