© 2014 Open Networking Foundation · 2017-10-03
SDN Security: OpenFlow-Based DDoS Attack Mitigation
Ali Tizghadam, Theodor Balanescu, Rahul Kumar, Kevin Jones, Walter Miron
Security
Objective
• Carrier-grade SDN-based signaling to mitigate network-level Distributed Denial of Service (DDoS) attacks against the service provider's infrastructure and its customers
• The demo targets attack mitigation; detection of the DDoS attack is assumed to be handled separately
• The overall system diagram is shown
Possible Mitigation Plans
• Block action – simply blocks the traffic
• Off-Ramp action – redirects the traffic to an intermediate site for further investigation
Lab Setup
• The diagram shows the details of the OF-based DDoS mitigation system in the TELUS SDN lab
Lab diagram (image not included; labels recovered from it): SP router (Eth1 192.168.200.5, ASN 65039) and 192.168.200.6; Bluemoon MX960 (Lo0 172.25.212.88, mgmt 172.18.132.245); link interfaces xe-7/0/7 172.18.214.237/31 and xe-4/3/3 172.18.214.236/31; T1600 (BR); TOROLABSR01 MX960 (172.18.132.212, CI Lo0 172.18.110.14, Ae3 VLAN 1500 10.11.12.82/31, GE-2/2/0, xe-4/2/0.0 192.168.214.1/24); OpenFlow switch OF-SW1 (xe-4/1/0.0, xe-4/1/3.0, xe-4/2/3.0, xe-4/3/0.0); TOROLABSV01 Arbor CP (172.18.132.227); OF Controller / Alert Listener host (ETH0 172.18.179.161/24, ETH1 10.0.30.3/24); IXIA61 (172.18.132.61) with a Victim Port (192.168.213.7), an Attack Port and a Security Port (chassis labels Card 6 Port 11, Card 11 Port 1, Card 6 Port 6, RE-29).
Flow Design – Mitigation Process
• Step 1: Attack arrives (attack traffic and legitimate traffic both flow in toward the victim port)
• Step 2: NetFlow analysis (NetFlow exported by the routers is analysed by the Arbor CP)
• Step 3: Attack detected (the Arbor CP sends an alert notification to the Alert Listener)
• Step 4: Attack details fetched by the Alert Listener from the Arbor CP
• Step 5: Attack mitigation rule installed by the OF Controller
• Step 6: OpenFlow command sent to the routers
• Step 7: Action (the installed rule is applied: attack traffic is blocked or off-ramped while legitimate traffic continues to the victim)
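As an added example (not the demo's own code, which this page does not show), the following Python builds the OpenFlow 1.3 FLOW_MOD that the OF Controller would send in steps 5 and 6 for each of the two mitigation plans, Block and Off-Ramp. It uses the victim address from the lab diagram; the alert layout, the OpenFlow port number of the security port, the rule priority and the choice of OpenFlow 1.3 are assumptions (the page does not say which OpenFlow version the demo used).

```python
"""OpenFlow 1.3 FLOW_MOD builder for the two mitigation plans on this page:
Block (drop) and Off-Ramp (redirect to the security port).
Added example, not code from the TELUS/ONF demo.  The alert layout, the
OpenFlow port number of the security port and the rule priority are
assumptions; the victim address 192.168.213.7 is the one on the lab diagram."""
import ipaddress
import struct

OFP_VERSION = 0x04                 # OpenFlow 1.3 (assumed)
OFPT_FLOW_MOD = 14
OFPFC_ADD = 0
OFPMT_OXM = 1
OFPXMC_OPENFLOW_BASIC = 0x8000
OFPXMT_OFB_ETH_TYPE = 5
OFPXMT_OFB_IP_PROTO = 10
OFPXMT_OFB_IPV4_DST = 12
OFPIT_APPLY_ACTIONS = 4
OFPAT_OUTPUT = 0
OFPP_ANY = OFPG_ANY = OFP_NO_BUFFER = 0xFFFFFFFF
OFPCML_NO_BUFFER = 0xFFFF
ETH_TYPE_IPV4 = 0x0800
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

SECURITY_PORT = 3   # assumed: OpenFlow port of OF-SW1 facing the IXIA security port


def oxm(field, payload):
    """One OXM TLV: class(16) | field(7) | hasmask(1) | length(8), then payload."""
    header = (OFPXMC_OPENFLOW_BASIC << 16) | (field << 9) | len(payload)
    return struct.pack("!I", header) + payload


def build_match(victim_ip, ip_proto):
    """ofp_match of type OXM.  The length field excludes the trailing pad;
    the whole structure is padded to a multiple of 8 bytes."""
    fields = (oxm(OFPXMT_OFB_ETH_TYPE, struct.pack("!H", ETH_TYPE_IPV4))
              + oxm(OFPXMT_OFB_IP_PROTO, struct.pack("!B", ip_proto))
              + oxm(OFPXMT_OFB_IPV4_DST, ipaddress.IPv4Address(victim_ip).packed))
    body = struct.pack("!HH", OFPMT_OXM, 4 + len(fields)) + fields
    return body + b"\x00" * (-len(body) % 8)


def apply_output(port):
    """Instruction APPLY_ACTIONS carrying a single OUTPUT action."""
    action = struct.pack("!HHIH6x", OFPAT_OUTPUT, 16, port, OFPCML_NO_BUFFER)
    return struct.pack("!HH4x", OFPIT_APPLY_ACTIONS, 8 + len(action)) + action


def flow_mod(victim_ip, ip_proto, plan, security_port=SECURITY_PORT,
             priority=1000, xid=1):
    """OFPT_FLOW_MOD (OFPFC_ADD) for one victim/protocol pair.
    plan="block": no instructions, so matching packets are dropped.
    plan="off-ramp": OUTPUT to the security port for further investigation."""
    if plan == "block":
        instructions = b""
    elif plan == "off-ramp":
        instructions = apply_output(security_port)
    else:
        raise ValueError("unknown plan: %r" % plan)
    fixed = struct.pack("!QQBBHHHIIIH2x",
                        0, 0,                  # cookie, cookie_mask
                        0, OFPFC_ADD,          # table_id, command
                        0, 0,                  # idle_timeout, hard_timeout
                        priority,              # must beat the forwarding rules
                        OFP_NO_BUFFER, OFPP_ANY, OFPG_ANY,
                        0)                     # flags
    body = fixed + build_match(victim_ip, ip_proto) + instructions
    header = struct.pack("!BBHI", OFP_VERSION, OFPT_FLOW_MOD, 8 + len(body), xid)
    return header + body


# Constructed alert, an assumed shape for what the Alert Listener fetches in
# step 4; the real Arbor alert format is not shown on this page.
SAMPLE_ALERT = {"victim": "192.168.213.7", "protocol": "icmp", "pps": 12000}


def mitigate(alert, plan):
    """Step 5: turn the alert into the rule the OF Controller installs.
    Matching on the protocol as well as the victim address is what lets the
    100 packets/s of legitimate TCP traffic keep flowing."""
    return flow_mod(alert["victim"], IP_PROTO[alert["protocol"]], plan)


if __name__ == "__main__":
    for plan in ("block", "off-ramp"):
        print(plan, mitigate(SAMPLE_ALERT, plan).hex())
```

Running it prints the two messages in hex. The match carries ip_proto as well as ipv4_dst, which is what keeps the legitimate TCP flow to the victim alive while ICMP is dropped or diverted, consistent with the results slide; a rule keyed on the victim address alone would finish the attacker's job by blackholing the customer. The priority must be higher than the normal forwarding entries on the switch, otherwise the mitigation entry is never hit.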
ICMP Attack (generated by Ixia)
IXIA Attacker: ICMP – 12000 packets/s, TCP – 100 packets/s
IXIA Victim: 12100 packets/s are received

ICMP Attack Mitigation
IXIA Security port: 1200 packets/s are received
IXIA Victim: TCP – 100 packets/s
Next Steps
• Detection: in the next phase, replacing NetFlow with OpenFlow data will be explored
• A second SDN controller will collect flow statistics from the routers via OpenFlow
• An application that detects a security event from those statistics is required
• Once a security event is raised, the detection controller signals the network controller
• The network controller issues one of the following commands via OpenFlow:
  • Drop
  • Off-ramp towards a defined destination
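The Next Steps above describe a detection controller built on OpenFlow flow statistics. As an added example that is not part of the original presentation, the following Python shows the rate computation and the event-to-command hand-off in that design. The two flow-stats polls are constructed from the traffic figures on this page (12000 ICMP packets/s and 100 TCP packets/s toward the victim); the threshold, the polling interval, the event and command layouts and the off-ramp destination name are assumptions.

```python
"""Detection over OpenFlow flow statistics, as sketched under Next Steps.
Added example, not code from the demo.  The polls below are constructed from
the figures on this page; threshold, interval, event/command layouts and the
off-ramp destination are assumptions."""

ICMP_PPS_THRESHOLD = 1000    # assumed: ICMP packets/s to one destination that counts as an attack
POLL_INTERVAL_S = 10.0       # assumed polling interval for OFPMP_FLOW requests

# Two OFPMP_FLOW replies already reduced to (match, packet_count) rows.
# Constructed: 12000 ICMP pps and 100 TCP pps to the victim over 10 s,
# plus an unrelated flow whose counter was reset between polls.
POLL_T0 = [
    ({"ipv4_dst": "192.168.213.7", "ip_proto": 1}, 1_000_000),
    ({"ipv4_dst": "192.168.213.7", "ip_proto": 6}, 50_000),
    ({"ipv4_dst": "192.168.214.1", "ip_proto": 6}, 7_000),
]
POLL_T1 = [
    ({"ipv4_dst": "192.168.213.7", "ip_proto": 1}, 1_120_000),
    ({"ipv4_dst": "192.168.213.7", "ip_proto": 6}, 51_000),
    ({"ipv4_dst": "192.168.214.1", "ip_proto": 6}, 300),    # counter reset
]


def flow_key(match):
    return (match["ipv4_dst"], match["ip_proto"])


def rates(prev, cur, interval):
    """packets/s per (dst, proto) between two polls.  A flow that is new,
    or whose counter went backwards (re-installed or wrapped), has no
    usable rate yet and is left out rather than guessed."""
    before = {flow_key(m): c for m, c in prev}
    out = {}
    for m, c in cur:
        k = flow_key(m)
        if k in before and c >= before[k]:
            out[k] = (c - before[k]) / interval
    return out


def detect(prev, cur, interval=POLL_INTERVAL_S, threshold=ICMP_PPS_THRESHOLD):
    """Detection controller: one security event per destination whose
    ICMP rate exceeds the threshold."""
    return [{"victim": dst, "ip_proto": proto, "pps": pps}
            for (dst, proto), pps in rates(prev, cur, interval).items()
            if proto == 1 and pps > threshold]


def command_for(event, plan="drop", offramp_dst=None):
    """Network controller: the OpenFlow command it will issue for an event,
    either Drop or Off-ramp towards a defined destination."""
    cmd = {"match": {"ipv4_dst": event["victim"], "ip_proto": event["ip_proto"]}}
    if plan == "drop":
        cmd["action"] = "drop"
    elif plan == "off-ramp":
        if offramp_dst is None:
            raise ValueError("off-ramp needs a defined destination")
        cmd["action"] = "output"
        cmd["destination"] = offramp_dst
    else:
        raise ValueError("unknown plan: %r" % plan)
    return cmd


if __name__ == "__main__":
    for ev in detect(POLL_T0, POLL_T1):
        print(ev, "->", command_for(ev, "off-ramp", "security-port"))
```

The rate is a delta of cumulative counters, so a counter that goes backwards (flow re-installed, switch restarted, 32-bit wrap on older hardware) is skipped for one interval instead of producing a negative or absurd rate; feeding such a value into the threshold would either miss an attack or trigger a drop rule against a customer on bad data. Only ICMP is thresholded here because that is the attack on this page; a production detector would key on the attack profile the alert application is built for.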