Cybersecurity Threat Mitigation using SDN

Transcription

1 Cybersecurity Threat Mitigation using SDN Mohd Zafran (PhD Candidate) & Koji Okamura Graduate School of Information Science and Electrical Engineering Kyushu University Kyushu University, Japan 29/9/2017 1

2 Introduction (Problem Statement & Research Proposal) Methodology SDN Setup Kyushu Univ. - UNSW Conclusion Kyushu University, Japan 29/9/2017 2

3 What is Software Define Network?

4 Control plane Control plane Control plane Control plane SDN Controller Control plane Control plane Control plane Control plane SDN Controller Distributed Control Previous/Current Network Hybrid Control Current/Future Network Centralized Control Current/Future Network OpenFlow OpenFlow

5 A distributed denial-of-service (DDoS) Botnet attack on server Botnet Botnet Mail transfer Agent Fig. 1 Botnet Attack using syn flood attack technique scenario 29/9/2017 Kyushu University, Japan 5

6 Problem Statement Botnet attack will consume all resource such as cpu, network and storage. These attack also term as Distributed Denial of Services (Ddos) attacks as the flood traffic comes from many machines, and is not a single flow on the network.when an attack target host upstreams network bandwith,these attack also named as bandwith attack The bigger network bandwidth, different IDS and IPS capacity need to be use Kyushu University, Japan 29/9/ Fig. 2 Intrusion Detection System & Intrusion Prevention System

7 Introduction: The proposed approach By using SDN Technology at multi domain, SDN Control can detect the spam botnet flow before the botnet arrive to destination ip. Existing spam filtering database such as spamhaus and spamcop, can be integrate by develop new app at SDN CTRL layer to retrieve the information about spam botnet source blacklisted IP and feed new information about botnet IP source blacklisted. By having the information on botnet blacklisting source IP. The early mitigation on botnet can be done. Flows can be specified using any or a combination the following ten tuples, match fields:in Port, VLAN-ID, Source MAC, Destination MAC, Ethernet Type, Source IP, Destination IP, Protocol, Source Port, Destination Port By using 10 tuples field be use to create a new algorithm to detect the flow of botnet. Kyushu University, Japan 29/9/2017 7

8 Botnet attack scenario SDN Domain A SDN Domain Spam Haus Server SDN Domain SDN Domain SDN Domain B server A SDN Domain C server B Fig. 3 Botnet attack from two domain Kyushu University, Japan 29/9/ server C

9 Methodology: Design mechanism of SDN Every Domain SDN Controller Sending information about flow count /flow size and packet size Specific on port number & Destination IP to Main SDN controller Server Main SDN Controller SpamHaus server Feed information to spamhaus Decision for identify botnet attack 29/9/2017 Install the domain with blacklist ip Kyushu University, Japan 9

10 The flowchart mechanism of SDN New flow entry coming at Domain R1,R2, R3 Check src ip (blacklist) yes Drop packet No Server Main SDN Controller SpamHaus server Send flow entry match information (TCP /UDP 25/110) DST IP to SDN controller in every Domain Permit the flow message and forward the packet to next node NO Controller check the Botnet Attacks Based on Decision Tree Algorithm Kyushu University, Japan Drop the next packet from the same ip src flow message update information blacklist ip to spamhaus server Yes 10 29/9/2017

11 Retrieve flow information before arrive at targeted Domain Time stamp Flow entry Ip src Ip dst SDN Domain A SDN Domain A Time stamp Flow exit Ip src Ip dst Spam Haus Server SDN Domain B SDN Domain C SDN Domain B server A SDN Domain C server B Fig. 7 Botnet attack from domain A Kyushu University, Japan 29/9/ server C

12 Early Botnet Attack detection close to smtp server attack target on multi Domain using SDN technology Scenario: Assume that there 1 protocols serving for smtp Server are monitored at 4 different periods, where the time-period series is listed as : Fig. 8 Botnet attack from domain A Kyushu University, Japan 29/9/

13 Decision Tree Algorithm T 3whs<=0.045 T Ham T Ham Rtt_C_S <= 0.03s F RTO_s_c<= 2.2s F T F fgnr_ttl<=98 Ham Spam F Spam Symbols Ham = Legitimate Spam = Spam Rtt_C_S = RTT packet in Flow Table Client<-> Server 3whs = Flow duration between the arrival of SYN from Client and Flow Duration Ack of Syn/ACK by Server Fngr_ttl = time to live packet client, if more 98 will be windows platform RTO_s_c = Retransmission timeout from server to client in second Fig. 13 Fragment of tree using packet + flow features Kyushu University, Japan 29/9/

14 PSEUDOCODE If dst port= 25 Then Forward to controller Packet_in Flow count go to module 1 Else drop the packet Module 1 (RTT Client between Server) Module 2 (3 way hand shake flow count and time) If rtt client <-> server between two switch t>= s Then go to module 2 Else go to module 3 If flow count packet_in = 2,same src ip same dist ip,time arrival for 2 nd flow <= for between client <-> server Then install the flow in flow table, forward the next packet Else go to module 4 Fig. 14 Pseudocode using decision tree algorithm Kyushu University, Japan 29/9/

15 PSEUDOCODE Module 3 (RTO_s_c) If RTO from server less than 2.2 second Then install the flow in the flow table and forward the next packet Else blacklist the ip source send information to spamhaus Module 4 TTL feature If ip ttl <= 96 Then install the flow in the flow table and forward the next packet Else blacklist the ip source send information to spamhaus Fig. 14 Pseudocode using decision tree algorithm Kyushu University, Japan 29/9/

16 RTT (module 1) Time record started after packet out (server -> client) SDN Domain B SDN Domain B Packet_in First time, Start flow count=1 SDN Domain A SDN Domain A server A Time stamp Flow entry Packet out Time stamp Packet_in 2 nd Time Flow count =2 1 RTT complete Client<-> Server SDN Domain C Spam Haus Server SDN Domain C server B Fig. 15 Roundtrip time calculation in Openflow Kyushu University, Japan 29/9/ server C

17 3 way handshake time (module 2)Time record started after packet out (server -> client) SDN Domain B SDN Domain B Packet_in First time, Start flow count=1 SDN Domain A SDN Domain A server A Time stamp Flow entry Packet out Time stamp Packet_in 2 nd Time Flow count =2 3whs complete Client<-> Server SDN Domain C Spam Haus Server SDN Domain C server B Sym: Syn Syn-Ack Ack Fig way handshake time calculation in Openflow Kyushu University, Japan 29/9/ server C

18 Module 4 : TTL (hop limit) feature (Recap) Most of botnet came from windows platform Kyushu University, Japan 29/9/

19 SDN Setup Kyushu Univ. SINET AARNET UNSW VLAN VLAN VLAN Kyushu University, Japan 29/9/

20 Conclusion By using Decision Three Algorithm we can study the Botnet attacks at early stage before arrive to target Server Most of botnet attacks come from windows based platform This approach only valid within under multi domain SDN controller environment. RTT and RTO are related to the Botnet attacks smtp server. These research also can be focus on other protocol such as http Kyushu University, Japan 29/9/

21 END Thank You Kyushu University, Japan 29/9/