Behavioral security threat detection strategies for data center switches and routers

Abstract

Behavioral security threats such as Distributed Denial of Service (DDoS) attacks are an ongoing problem in large scale Data Centers (DC) and pose huge performance challenges to DC operators. Typically, a dedicated Firewall/DDoS appliance is needed for Layer 2-7 behavioral security threat detection and mitigation. This solution is cost prohibitive for large scale multi-tenant DCs with high throughput performance needs. This paper examines various Layer 2-4 behavioral security threat detection methods and assists which are implement able in the switches and routers at low cost. For DCs, this complements the overall behavioral security threat detection strategy and enables operators to offer tiered services. Extensions to emerging NFV and SDN scenarios are also discussed.