EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS

Similar documents
DDoS PREVENTION TECHNIQUE

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1

Attack Prevention Technology White Paper

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Ping of death Land attack Teardrop Syn flood Smurf attack. DOS Attack Methods

Denial of Service (DoS) attacks and countermeasures

DDoS Testing with XM-2G. Step by Step Guide

Chapter 10: Denial-of-Services

Chapter 7. Denial of Service Attacks

CSE 565 Computer Security Fall 2018

Analysis. Group 5 Mohammad Ahmad Ryadh Almuaili

Cloudflare Advanced DDoS Protection

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Basic Concepts in Intrusion Detection

Computer Security: Principles and Practice

A Software-Defined Networking Security Controller Architecture. Fengjun Shang, Qiang Fu

HP High-End Firewalls

DENIAL OF SERVICE ATTACKS

Denial of Service (DoS)

Denial of Service and Distributed Denial of Service Attacks

Stateful Firewall Application on Software Defined Networking

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

HP High-End Firewalls

DDoS and Traceback 1

network security s642 computer security adam everspaugh

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

IBM i Version 7.3. Security Intrusion detection IBM

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

COMPUTER NETWORK SECURITY

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

NETWORK SECURITY. Ch. 3: Network Attacks

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

SecBlade Firewall Cards Attack Protection Configuration Example

CSC 574 Computer and Network Security. TCP/IP Security

Network Security. Chapter 0. Attacks and Attack Detection

Security Threats in the Data Plane of Software-Defined Networks

Assessment of High and Low Rate Protocol-based Attacks on Ethernet Networks

To Study and Explain the Different DDOS Attacks In MANET

Last lecture we talked about how Intrusion Detection works. Today we will talk about the attacks. Intrusion Detection. Shell code

ELEC5616 COMPUTER & NETWORK SECURITY

MITIGATING DDOS ATTACK IN CLOUD ENVIRONMENT WITH PACKET FILTERING USING IPTABLES

SDN-based Defending against ARP Poisoning Attack

Counter and Network Density Based Detection and Prevention Scheme of DOS Attack in MANET

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

Guide to DDoS Attacks November 2017

Distributed Denial of Service (DDoS)

PROTECTING INFORMATION ASSETS NETWORK SECURITY

A Software Tool for Network Intrusion Detection

HP Load Balancing Module

NISCC Technical Note 06/02: Response to Distributed Denial of Service (DDoS) Attacks

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Configuring Flood Protection

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

IoT DDoS Attacks Detection based on SDN RAMTIN ARYAN

Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection

Defending Against Black Nurse DoS Attacks

Check Point DDoS Protector Introduction

IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One)

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

Are You Fully Prepared to Withstand DNS Attacks?

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

estadium Project Lab 2: Iperf Command

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Flooding Attacks by Exploiting Persistent Forwarding Loops

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

9. Security. Safeguard Engine. Safeguard Engine Settings

Denial of Service, Traceback and Anonymity

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

Detecting Distributed Denial-of. of-service Attacks by analyzing TCP SYN packets statistically. Yuichi Ohsita Osaka University

Different Layers Lecture 20

Strengthening and Securing the TCP/IP Stack against SYN Attacks

Leveraging SDN for Collaborative DDoS Mitigation

Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1

A senior design project on network security

Network Security. Thierry Sans

Contents. Denial-of-Service Attacks. Flooding Attacks. Distributed Denial-of Service Attacks. Reflector Against Denial-of-Service Attacks

haltdos - Web Application Firewall

OpenFlow DDoS Mitigation

DDoS Detection in SDN Switches using Support Vector Machine Classifier

Anatomy and Mechanism of DOS attack

International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN

The Protocols that run the Internet

Towards Intelligent Fuzzy Agents to Dynamically Control the Resources Allocations for a Network under Denial of Service Attacks

Network Security Protocols NET 412D

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

TESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND

Transcription:

EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS Andry Putra Fajar and Tito Waluyo Purboyo Faculty of Electrical Engineering, Telkom University, Bandung, Indonesia E-Mail: an.driy@live.com ABSTRACT Distributed Denial of Services (DDoS) attacks are one of well-known and dangerous threats to the current network which always exists and evolves in line with the development of the network itself. Current network development has entered the Software Defined Networking (SDN) era which offers centralized control and programmability network by decoupling the network control and data plane that bring on us a dynamic, cost-effective, manageable and agile platform. On the down-side, this centralized platform can bring new security challenges such as DDoS attacks on the central controller which could compromise the entire network. The most common DDoS attack is Flood based DDoS attack. This attack is quite easy to do and very effective strikes the target. This paper offers some experimental study for detecting this kind of DDoS attack using flow behaviors to give an idea for researcher about the DDoS attack and the effect for the network. Keywords: experimental, distributed denial of services, software defined networking. INTRODUCTION The emerged software-defined networking platform could change the trend of networking in the future with its promising feature that could strengthen the network security with its basic nature such as centralized network monitoring and provisioning and centralization of security and policy control which is not exist in the current network [1]. Although the SDN platform offers a great impact on security, this platform still has vulnerable side that can be exploited with malicious intent. One of a reputable threat on the network is DDoS attacks. The generic characteristic of this attack drains the resources (bandwidth or connectivity) of network, server or application since the resources are limited in order to disrupt the service for legitimate users. Douligeris et al. [2] classifies the DDoS Attacks by exploited vulnerability in the following categories: flood attacks, amplification attacks, protocol exploit attacks and malformed packet attacks. attack is known as Smurf attacks (see Figure-3) and Fraggle attacks [6]. Spoofed UDP Packet A. Flood attacks aim to deplete the victim s network resource such as network bandwidth by flooding it using User Datagram Protocol (UDP) Flood or Internet Control Message Protocol (ICMP) Flood until the victim can no longer receive the legitimate traffic. While UDP Flood [3] attack is an attack that used a huge number of UDP packets (random or same port) to overwhelming the victim (Figure-1), ICMP Flood uses the ICMP [4] (Ping) echo request packets for disrupt the legitimate traffic reach the victim (see Figure-2). B. Amplifying the volume of attack traffic is characteristic of Amplification DDoS Attack. The attacker used other trigger machines to maximize the volume of attack traffic with only minimum traffic that sent to the triggered machine. Attack traffic volume from UDP based attack can be amplified, this ICMP error packets of destination unreachable Figure-1. UDP flood attack [3]. Figure-2. ICMP flood attack [4]. 3453

Spoofed UDP Packet METHOD In this paper, we offer a method to detect flood type DDoS attack using industry standard flow analysis tools (sflow) and iperf. These tools provide some feature that can control and manage network usage especially sflow. The method itself can be seen in figure 5. We add monitoring plane to complement the basic data plane and control plane on SDN platform. This monitoring plane that provides from sflow used for measuring network traffic, collecting, storing and analyzing then, the result is sent to SDN controller for specifying the suitable rule policy. EXPERIMENT SETUP The simulation tool and another simulation environment can be seen in Table-1. Table-1. Simulation setup. ICMP error packets of destination unreachable Figure-3. UDP flood attack [3]. C. Exploiting the specific feature of the protocol planted at the victim to deplete the server resource is characteristic of protocol exploits attack. One of the common attacks that exploit the protocol is TCP SYN attack (Figure 4) which exploits the three-way handshake in the TCP connection setup. In TCP SYN attacks, an attacker sent a huge number of initial SYN request (spoofed) to the victim, then the victim replies it all with SYN/ACK to nonexistent IP and waiting for the non-existent ACK. This waiting session will overload the queue buffer and make the victim unable to process other incoming connection. D. Malformed packet attack is the type of attack that sending forged packets that will overload the victim with no use packet but must be processed and consuming the resources. Simulation tool Mininet Platform Windows 10 OS CPU RAM SDN Controller Supporting Tools Ubuntu 16 VM Intel core i7 2600k (3,4Ghz) 8Gb Floodlight JDK 8, Ant, Atom, HPing3 Mausezahn, iperf, sflow The network topology for this simulation is indicated in Figure-5. Denote the n-th host/user by hn (n = 1, 2, 3,, 16) and s-th switch by sm (m = 1, 2, 3, 4). All of the switch monitored by sflow and controlled by SDN controller. In order to facilitate the discussions, we restrict the topology as that shown in Figure-7. SYN-ACK SYN-ACK SYN-ACK SYN-ACK Figure-4. TCP SYN attack. However, flood attack is the most common scenario that used by an attacker to execute the DDoS attack. In this paper, we present the detection simulation for flood type DDoS attack using flow behaviors analysis in order to ease another researcher to understand the behaviors of this attack type and its effect on the network. Figure-5. Network topology for simulation. The h2 with IP 10.0.0.2 represent the attacker, h3 and h4 (10.0.0.3 and 10.0.0.4) as a legitimate user and the 3454

victim is h1 with IP 10.0.0.1. The switch s1 monitored by sflow in order to detect any malicious traffic. Security Knowledge User Control Plane (OpenFlow Protocol) Data Plane Monitoring Plane User User User User Figure-6. Simulation method. The first simulation we will find out the TCP Throughput of the network using iperf. After that, h2 (attacker) send malicious traffic to h1 and the maximal TCP throughput and latency will calculate again., h2 (10.0.0.2) RESULT Simulation 1: TCP throughput each user Based on topology on Figure-2, we find out the total TCP bandwidth between h1 and h2, h3, h4 using iperf. The TCP server represented by h1 using the default port, default TCP window size (86, 3 KByte), and the interval is 1 second. H2, h3, and h4 test the consecutive TCP Throughput to h1 and the result can be seen in figure 8 below: User 3, h3 (10.0.0.3), h1 SimpleHTTPServer (10.0.0.1) User 4, h4 (10.0.0.4) Figure-7. Restricted topology. The h2 with IP 10.0.0.2 represent the attacker, h3 and h4 (10.0.0.3 and 10.0.0.4) as a legitimate user and the victim is h1 with IP 10.0.0.1. The switch s1 monitored by sflow in order to detect any malicious traffic. The first simulation we will find out the TCP Throughput of the network using iperf. After that, h2 (attacker) send malicious traffic to h1 and the maximal TCP throughput and latency will calculate again. Figure-8. TCP throughput for each hn. h2, h3, and h4 similarly have the same TCP Throughput which is 88 Mbits/sec because we set the bandwidth link at 100 Mbits/sec. This scenario match with RFC 6349 [7] 3455

which is for 100 Mbits/sec has maximum achievable TCP throughput at 94,9 Mbits/sec. Simulation 2: Legitimate Traffic vs TCP Flood attack. In this step, h3 and h4 will send constant 10Mbits traffic to h1 for 50 s. After 20 s, h2 execute attack traffic to h1 and stop the attack at 40 s. The result of this simulation can see in Figure-9. Figure-11. UDP throughput without and during UDP flood attack. Figure 9. Legitimate vs attack traffic. In Figure-9, we can see that the legitimate traffic constant at 10 Mbits/sec until 20 s. After an attack was executed at 20 s, the legitimate traffic drops to almost 0 Mbits/s until the attack was stopped. From this simulation, we can assume that the attack traffic consumed all of the TCP throughputs and inflict the link for h3 and h4 to h1 temporary down, see Figure-10. Both h3 and h4 could not get the ping reply from h1 during the attack (delay 20ms). CONCLUSION AND FUTURE WORK In this paper, we performed a flood type of DDoS attack on SDN platform simulation. The result of this simulation can be used as an overview to identify behaviors of flood type DDoS attack and the effect for the network. Actually, distributed DoS attack is performed by a lot of host/attacker, but in this simulation only performed by only one host (h2) however, it can represent the implication of the distributed DoS attack. Flood type DDoS attack commonly drains the network resource so that other legitimate user could not get normal services from the network. With SDN feature, this type of attack is easy to detect and identify from its traffic which is have anomaly such as large bursty traffic. For the future work, intrusion detection can be implemented for this kind type of attack based on traffic flow behaviors. Moreover, the defense mechanism could repeal all of type DDoS attack. REFERENCES [1] N. McKeown and T. Anderson. 2008. OpenFlow: Enabling Innovation in Campus Networks. ACM SIGCOMM Computer Communication Review. [2] A. M. Christos Douligeris. 2004. DDoS attacks and defense mechanisms: classification and state-of-theart. Computer Networks. 44: 634-666. Figure-10. ICMP to h1. Simulation 3: UDP throughput vs UDP flood attack In this simulation, UDP Throughput will calculate using IPerf. This calculation will take before and during UDP Flood attack. In Figure-11 we can see the UDP Throughput have constant values without the attack. This throughput dropped during the attack at around 38 Mbps and may not reach 0 Mbps like TCP because UDP is connectionless protocol so the sender still sends the packets without acknowledgment from the receiver although the receiver does not receive the packet [8]. [3] S. S. Kolahi, K. Treseangrat and B. Sarrafpour. 2015. Analysis of UDP DDoS Flood Cyber Attack and Defense Mechanisms on Web Server with Linux Ubuntu 13. In International Conference on Communications, Signal Processing, and their Applications (ICCSPA), Sharjah. [4] Harshita. 2017. Detection and Prevention of ICMP Flood DDOS Attack. International Journal of New Technology and Research (IJNTR). 3: 63-69. [5] CERT/CC. Smurf IP Denial-of-Service Attacks. 13 March 2000. [Online]. Available: https://www.cert.org/historical/advisories/ca-1998-01.cfm 3456

[6] S. Kumar. 2007. Smurf-based Distributed Denial of Service (DDoS) Attack Amplification on Internet. in Second International Conference on Internet Monitoring and Protection (ICIMP 2007), California. [7] Constantine and e. al. August 2011. RFC 6349 Framework for TCP Throughput Testing. [Online]. Available: https://tools.ietf.org/html/rfc6349#section- 3.2.2. [8] S. S. Kolahi and P. Li. 2011. Evaluating IPv6 in Peerto Peer 802.11n Wireless LANs. IEEE Internet Computing. 15(4): 72. 3457

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback