Counteracting UDP Flooding Attacks in SDN

Similar documents
EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

Security Threats in the Data Plane of Software-Defined Networks

Programming Assignment

Flow Analyzer 1.0 Help Guide FLOW ANALYZER 1.0. By Nuviso

Participatory Networking: An API for Application Control of SDNS SIGCOMM 13

Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack

Design and development of the reactive BGP peering in softwaredefined routing exchanges

Real Time Monitoring of Packet Loss in Software Defined Networks

Lab 3: Simple Firewall using OpenFlow

OTSDN What is it? Does it help?

Stateful Firewall Application on Software Defined Networking

Detecting Suspicious Behavior of SDN Switches by Statistics Gathering with Time

9. Security. Safeguard Engine. Safeguard Engine Settings

On the State of the Inter-domain and Intra-domain Routing Security

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

AN exam March

Anti-DDoS. User Guide. Issue 05 Date

PIRE ExoGENI ENVRI preparation for Big Data science

Michael Johas Teener. April 11, 2008

Configuring attack detection and prevention 1

Outline. A Professional Company in Software-Defined Networking (SDN) Copyright , EstiNet Technologies Inc. All Rights Reserved..

DevoFlow: Scaling Flow Management for High Performance Networks

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs

A POX Controller Module to Collect Web Traffic Statistics in SDN Environment

TOWARDS REMOTE ACCESS TO VIRTUALIZED TELECOM RESEARCH INFRASTRACTURS

OpenFlow DDoS Mitigation

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

The University of Kansas

A Novel vcpe Framework for Enabling Virtual Network Functions with Multiple Flow Tables Architecture in SDN Switches

Configuring attack detection and prevention 1

Delay Controlled Elephant Flow Rerouting in Software Defined Network

Chapter 5 Network Layer: The Control Plane

LECTURE WK4 NETWORKING

Computer Security: Principles and Practice

Managing Latency in IPS Networks

SDN-based Defending against ARP Poisoning Attack

CS 716: Introduction to communication networks th class; 7 th Oct Instructor: Sridhar Iyer IIT Bombay

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

Chapter 4 Network Layer: The Data Plane

Activity-Based Congestion Management for Fair Bandwidth Sharing in Trusted Packet Networks

Mininet & OpenFlow 24/11/2016

Chapter 4 Network Layer: The Data Plane. Part A. Computer Networking: A Top Down Approach

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Cybersecurity Threat Mitigation using SDN

Class A Bridge Latency Calculations

Informatica Universiteit van Amsterdam. Distributed Load-Balancing of Network Flows using Multi-Path Routing. Kevin Ouwehand. September 20, 2015

A Study on Intrusion Detection Techniques in a TCP/IP Environment

NFVnice: Dynamic Backpressure and Scheduling for NFV Service Chains

Anti-DDoS. User Guide (Paris) Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

ECE 697J Advanced Topics in Computer Networks

DDoS Testing with XM-2G. Step by Step Guide

Making Friends with Broadcast. Administrivia

Available online at ScienceDirect. Procedia Computer Science 34 (2014 )

SoftRing: Taming the Reactive Model for Software Defined Networks

AN INTRODUCTION TO ARP SPOOFING

Software-Defined Networking (SDN) Now for Operational Technology (OT) Networks SEL 2017

UNIVERSITY OF TORONTO ELECTRICAL AND COMPUTER ENGINEERING ECE 361 Test February 2, 2012

Slicing a Network. Software-Defined Network (SDN) FlowVisor. Advanced! Computer Networks. Centralized Network Control (NC)

CSE 565 Computer Security Fall 2018

ECE 650 Systems Programming & Engineering. Spring 2018

Design and Implementation of Advanced Internet Management System

PIX-IE An SDN-based Programmable Internet exchange

Configuration Guide TL-ER5120/TL-ER6020/TL-ER REV3.0.0

User Guide TL-R470T+/TL-R480T REV9.0.2

Configuring Asynchronous Serial Traffic over UDP

OpenFlow Software Switch & Intel DPDK. performance analysis

The trace file is here:

Supporting Service Differentiation for Real-Time and Best-Effort Traffic in Stateless Wireless Ad-Hoc Networks (SWAN)

ONOS: TOWARDS AN OPEN, DISTRIBUTED SDN OS. Chun Yuan Cheng

PROBLEMSAND EXERCISES

NETWORK SECURITY. Ch. 3: Network Attacks

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

NetWare Link-Services Protocol

20-CS Cyber Defense Overview Fall, Network Basics

Venkata N. Padmanabhan Microsoft Research A Proposal for SLUMS SLUMS BOF, 44th IETF March 1999

Lab Exercise UDP & TCP

Chapter 3 Packet Switching

Monitoring Data CHAPTER

Wireless Network Security Spring 2016

Why dynamic route? (1)

CSE398: Network Systems Design

Design and Evaluation of a new MAC Protocol for Long- Distance Mesh Networks by Bhaskaran Raman & Kameswari Chebrolu ACM Mobicom 2005

PathMon: Path-Specific Traffic Monitoring in OpenFlow-Enabled Networks

Application-Aware SDN Routing for Big-Data Processing

DDoS Defense Mechanisms for IXP Infrastructures

BAMA Simulator. (Bandwidth Measurement Algorithms)

Software-Defined Networking (Continued)

Traffic Isolation on Multi-Tenant Data Center Networks

Computer Science 461 Final Exam May 22, :30-3:30pm

PacketExpert PDF Report Details

Applications and Performance Analysis of Bridging with Layer-3 Forwarding on Wireless LANs

A Software Tool for Network Intrusion Detection

Lab 9 (Traffic Measurement)

TCP/IP Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Environment Setup. SEED Labs TCP/IP Attack Lab 1

Chapter 7. Denial of Service Attacks

FloodShield: Securing the SDN Infrastructure Against Denial-of-Service Attacks

Extending Dijkstra s Shortest Path Algorithm for Software Defined Networking

The Load Balancing Research of SDN based on Ant Colony Algorithm with Job Classification Wucai Lin1,a, Lichen Zhang2,b

Transcription:

Counteracting UDP Flooding Attacks in SDN Yung-Hao Tung, Hung-Chuan Wei, Chia-Mu Yu Yuan Ze University

Outline SDN overview Problem statement Proposed method Experiments 2

SDN Introduction Centralized approach SDN mainly divided into control plane and data plane SDN uses the OpenFlow protocol SDN switch has a flow table, trying to have a rule match against the received packets 3

SDN Introduction Framework: API Openflow Bandwidth Management AP Virtual Network Function Access Control Mechanisms Control plane SDN Controller/Network Management Switch Switch Switch Data plane Switch 4

Problem Statement Network Security The easiest way of compromising a network is to launch a flooding attack (ex: TCP SYN flooding, UDP flooding etc ). SDN Security Problems When a new flow arrives, the SDN switch will send a packet-in message to the SDN controller. However, intentional abusing the controller (or say packet-in message) may incur the security problem. 5

Problem Statement Simulation SDN Network Attack Graph Controller Flooding attack Flooding attack Switch Host1 Host2 Host3 6

PROTOCOL DESIGN Our experiment can be divided into two phases First, consider a bunch of simple UDP packets transmitted to the switch. Then, we began to do the code implementation on the simulated switch and controller, and evaluated the performance and the security of our defense mechanism. 7

PROTOCOL DESIGN Attack Model: In the case of no match found, the controller will perform a broadcast to ask whether there is a match for the purpose of IP addresses. The attacker can assign a random value to the destination field in the packet. def generate_ip(): # Create random IP return str(random.randint(0, 255)) + '.'\ + str(random.randint(0, 255)) + '.'\ + str(random.randint(0, 255)) + '.'\ + str(random.randint(0, 255)) UDP Packet Section. 8

PROTOCOL DESIGN Total Rate CPU(s) Load avg. Normal state 5 kbits/sec 0.6 us 0.32 Attack state 6100 kbits/sec 27 us 0.87 9

Initial Settings Defense Architecture Start analysis mode If r3 > t3 YES Drop packet r3 : The number of packets receive by the port t3 : The number of packets sent by the port If t3 >= r3 NO YES Normal network status Defense architecture flow chart 10

Defense Architecture Our analysis model has two conditions. If the received packet (r3) > send packets (t3): This means that the destination of the sending packet does not exist in the current network, resulting in the controller constantly broadcasting. If the packet is sent (t3) > = receive packets (r3): The controller can handle the packet-in message and broadcast packets. 11

Defense Architecture UDP Defense Section @set_ev_cls(ofp_event.eventofppacketin, MAIN_DISPATCHER) def _packet_in_handler(self, ev): if ev.msg.msg_len < ev.msg.total_len: self.logger.debug("packet truncated: only %s of %s bytes", ev.msg.msg_len, ev.msg.total_len).. if(r3 > t3): actions = [].. elif(t3 >= r3): flooding 12

Defense Architecture Return packets on all ports body = ev.msg.body self.logger.info('datapath port ' 'rx-pkts rx-bytes rx-error ' 'tx-pkts tx-bytes tx-error') self.logger.info('---------------- -------- ' '-------- -------- -------- ' '-------- -------- --------') for stat in sorted(body, key=attrgetter('port_no')): self.logger.info('%016x %8x %8d %8d %8d %8d %8d %8d', ev.msg.datapath.id, stat.port_no, stat.rx_packets, stat.rx_bytes, stat.rx_errors, stat.tx_packets, stat.tx_bytes, stat.tx_errors 13

EXPERIMENTS Experiment Setting In the experiment. we use mininet to simulate the SDN OpenFlow switch, and use RYU to simulate the controller. Moreover, IPerf, TOP, IPTRAF are used as monitoring tools. For the network topology, we considered two physical hosts and a controller. They are on different physical machines for ensuring more accurate measurement. 14

EXPERIMENTS Defense Achievements In our experiment, we consider two cases (with and without attack) and observe the difference between these two cases. 15

EXPERIMENTS Network bandwidth and controller performance comparison IPerf Top IPtraf No Defense TX bps:412 Bytes/s CPU(s): 27.2 us Total rate: 6139.0 Kbits/sec 4846.4 packets/sec Defense TX bps: 33 Bytes/s CPU(s): 14.8 us Total rate: 2790.7 Kbits/sec 1861.8 packets/sec 16

Related Work Comparison of Defense FloodGuard UDP No Defense 7 Mbps 6 Mbps Defense 2 Mbps 2 Mbps 17

CONCLUSION The proposed defense resist against the UDP flooding with a minor modification in SDN module. The countermeasure particularly designed for only UDP flooding works with better performance 18

Let us know if you have any comments or questions. Thank you for listening. Mailbox: s1036023@mail.yzu.edu.tw s1036010@mail.yzu.edu.tw chiamuyu@saturn.yzu.edu.tw 19

Question Given the operation flow chart probing the switches periodically, it would be a naturally raised question how much overhead this approach would introduce. Furthermore, this question extends to what is the parameters we should consider to trade off security and performance compromise. 20

Answer Using this method, we are only at the expense of request packet for some time. The following mechanisms to facilitate the analysis. Although this sacrifices some benign request, but in exchange for increased security. But in the time of the attack, a benign request to wait for a short time. 21

Qustion The conditions, 'If r3 > t3' or 't3 >= r3' over simplifies or ignores lots of other possibilities considering the nature of UDP traffic ( eg. streaming applications). 22

Answer Perhaps while watching the movie, the flow slightly. But the normal traffic. This time we use to calculate packet per second to reduce false positives. 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback