Countering DDoS attacks in the network requires identification of attack flows and their removal, resulting in the removal of legitimate flows as well. Mitigation of attacks near the attacker reduces the chances of affecting legitimate communication as the attack path is curtailed. Hence, an efficient DDoS countermeasure requires an efficient traceback scheme to identify the attack source in order to mitigate the attack at entry point itself. This paper proposes SD-WAN Flood Tracer to facilitate tracing the attack source in software-defined wide area network (SD-WAN). The traceback scheme is divided into two parts; the first part is internal traceback to trace the sources in the vicinity of a single controller. The second part is external traceback to trace the source belonging to another controller’s vicinity. Such a global traceback scheme prevents the impact of DDoS attacks on legitimate traffic. Not just DDoS attack sources, but this scheme may also support tracking other anomaly sources as well. The traceback scheme is lightweight with low overhead on the communication channel and converges the trace quickly. The proposed scheme is capable of efficiently tracing internal anomaly sources, as well as external anomaly sources to the farthest location, preventing damage to legitimate communications in the network.

应对网络中的DDoS攻击需要识别攻击流并将其清除，从而也清除了合法流。减少攻击者附近的攻击，可以减少攻击路径，从而减少了影响合法通信的机会。因此，有效的DDoS对策需要有效的回溯方案来识别攻击源，以便减轻入口点本身的攻击。本文提出了SD-WAN Flood Tracer，以方便在软件定义的广域网（SD-WAN）中跟踪攻击源。追溯方案分为两部分：第一部分是内部回溯，用于跟踪单个控制器附近的源。第二部分是外部回溯，以跟踪属于另一个控制器附近的源。这样的全局回溯方案可以防止DDoS攻击对合法流量的影响。不仅是DDoS攻击源，该方案还可以支持跟踪其他异常源。追溯方案是轻量级的，在通信通道上的开销很低，并且可以快速收敛跟踪。所提出的方案能够有效地将内部异常源以及外部异常源追踪到最远的位置，从而防止损坏网络中的合法通信。