DDoS Attack Detection & Mitigation in SDN
Final Viva Presentation, 2014-12-08
COMSE-6998
Presented by Chao CHEN (cc3736)
Key Words
DDoS Attack Detection and Mitigation
Types: ICMP Flood, SYN Flood, DNS Amplification, UDP Flood
InMon sFlow-RT + Floodlight controller + Mininet
SDN application to perform DDoS protection
RESEARCH BACKGROUND
SCHEME DESIGN
APPLICATION DEVELOPMENT
ENVIRONMENT ESTABLISHMENT
TEST & EVALUATION
RESEARCH BACKGROUND
Research Background
Goal: real-time detection and mitigation with the lowest cost of device deployment
Research Background
sFlow = sampled Flow
Device capability → easy deployment
  Physical devices: Cisco Nexus 3000/3100 series, IBM c/g/m/r/s/x/y series, Juniper EX 2200/3200/3300/4200/6200 series, ……
  Virtual devices: Open vSwitch, Apache, Nginx, ……
  sFlow collectors: InMon sFlow-RT, Brocade Network Advisor, ……
SDN analytics and control using the sFlow standard
Research Background
sFlow + OpenFlow
1. The switch samples packets.
2. The switch sends the headers of the sampled packets to sFlow-RT.
3. sFlow-RT maps them into fine-grained flows (e.g. tcpflags=SYN, icmptype=3, …).
4. If a flow exceeds its threshold, sFlow-RT triggers an event.
5. Events are accessible to external applications through the REST API.
The deck annotates this sequence with three stages: detection, processing and mitigation.
SCHEME DESIGN
Scheme Design
Overall flowchart of the application (figure with Yes/No decision branches, not reproduced here). The parts marked in the flowchart need to be specified for different kinds of attacks.
Scheme Design: ICMP Flood Attack
Mechanism: each device in the botnet pings the server at a high rate.
Flow definition:
  ipsource=0.0.0.0/0,
  ipdestination=10.0.0.2/32,  # suppose h2 is the server
  outputifindex!=discard,     # packet is not discarded
  ipprotocol=1                # ICMP
Match fields in the blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design: SYN Flood Attack
Mechanism: each device in the botnet sends TCP SYN packets to the server at a high rate.
Flow definition:
  ipsource=0.0.0.0/0,
  ipdestination=10.0.0.2/32,  # suppose h2 is the server
  outputifindex!=discard,     # packet is not discarded
  tcpflags~.......1.=1        # TCP SYN packet
Match fields in the blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design: DNS Amplification Attack
Mechanism: each device in the botnet sends DNS queries to several DNS servers with src-ip = the victim's IP (take ANY(15) for example).
Scheme Design: DNS Amplification Attack
Flow definition:
  ipsource=0.0.0.0/0,
  ipdestination=[10.0.0.1/32, 10.0.0.2/32],  # suppose h1 and h2 are the DNS servers
  outputifindex!=discard,                    # packet is not discarded
  dnsqr=false,
  dnsqtype=255
Match fields in the blocking flow entry: ether-type, protocol, src-ip, dst-ip
Protect at the DNS servers (instead of the victim)
Scheme Design: UDP Flood Attack
Mechanism: each device in the botnet sends UDP packets to all the ports of the server.
Figure: the attacker sends commands to the botnet/compromised systems, which send UDP packets across the target server's UDP port list; the server replies with ICMP Destination Unreachable.
Scheme Design: UDP Flood Attack
Flow definition:
  ipsource=10.0.0.2/32,     # reversed: the server is the source
  ipdestination=0.0.0.0/0,
  outputifindex!=discard,   # packet is not discarded
  ipprotocol=1,             # ICMP
  icmptype=3                # Destination Unreachable
Match fields in the blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip
Protect by monitoring ICMP Destination Unreachable packets
APPLICATION DEVELOPMENT
Application Development
Python: import requests & json to perform GET/PUT/POST via the REST APIs.
Different attacks are implemented similarly; take the ICMP Flood attack as the example.
Definition of flows, thresholds, …: (code screenshot)
POST the definition to sFlow-RT: (code screenshot)
Application Development
Attack classification & static flow entry push: (code screenshot)
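An added worked example (not the author's code, whose screenshots are not reproduced here) of the application these slides describe: the ICMP flood flow definition and threshold sent to sFlow-RT, the event poll over its REST API, and the static drop entry pushed to Floodlight for each attacking source. The switch DPID, the byFlow threshold option and the Floodlight static flow pusher path are assumptions; the functions that touch the network are kept separate so the rest runs offline.

```python
import json
SFLOW_RT = "http://10.10.10.2:8008"      # sFlow-RT REST API (address from the deck)
FLOODLIGHT = "http://10.10.10.2:8080"    # Floodlight REST API (address from the deck)
SERVER_IP = "10.0.0.2"                   # h2 is the protected server
SWITCH_DPID = "00:00:00:00:00:00:00:01"  # assumed DPID of Mininet switch s1
METRIC = "icmp_flood"                    # name shared by the sFlow-RT flow and its threshold

def icmp_flood_flow():
    # Flow definition from the ICMP Flood slide; keyed by ipsource so each attacker is its own sub-flow.
    return {"keys": "ipsource", "value": "frames",
            "filter": "ipdestination=%s/32&outputifindex!=discard&ipprotocol=1" % SERVER_IP}

def icmp_flood_threshold(frames_per_second=1000):
    # Threshold on that flow; byFlow (assumed sFlow-RT option) evaluates every source key separately.
    return {"metric": METRIC, "value": frames_per_second, "byFlow": True}

def blocking_entry(attacker_ip):
    # Floodlight static entry with the deck's match fields; an empty action list drops the packets.
    return {"switch": SWITCH_DPID, "name": "block-icmp-%s" % attacker_ip, "priority": "32768",
            "active": "true", "ether-type": "0x0800", "protocol": "1",
            "src-ip": attacker_ip, "dst-ip": SERVER_IP, "actions": ""}

def entries_for_events(events, blocked):
    # Classify events by metric and emit one drop entry per attacker that is not blocked yet.
    entries = []
    for ev in events:
        if ev.get("metric") != METRIC or ev.get("flowKey") in blocked:
            continue  # other attack types have their own metrics; repeats are ignored
        blocked.add(ev["flowKey"])
        entries.append(blocking_entry(ev["flowKey"]))
    return entries

def install_definitions():
    # Send flow and threshold to sFlow-RT (the deck POSTs them; current sFlow-RT expects PUT).
    import requests  # imported here so the pure functions above also run offline
    requests.put("%s/flow/%s/json" % (SFLOW_RT, METRIC), data=json.dumps(icmp_flood_flow()))
    requests.put("%s/threshold/%s/json" % (SFLOW_RT, METRIC), data=json.dumps(icmp_flood_threshold()))

def poll_and_block(last_event_id, blocked):
    # Long-poll new events (step 5 of sFlow + OpenFlow) and push a drop entry per new attacker.
    import requests
    events = requests.get(SFLOW_RT + "/events/json", params={"maxEvents": 10, "timeout": 60,
                                                             "eventID": last_event_id}).json()
    for entry in entries_for_events(events, blocked):
        requests.post(FLOODLIGHT + "/wm/staticflowentrypusher/json", data=json.dumps(entry))
    return max([last_event_id] + [ev["eventID"] for ev in events])  # resume point for next poll

# Constructed sample events shaped like sFlow-RT's /events/json output (not taken from the deck)
SAMPLE_EVENTS = [{"eventID": 7, "metric": METRIC, "flowKey": "10.0.0.4", "value": 2500.0},
                 {"eventID": 8, "metric": "syn_flood", "flowKey": "10.0.0.6", "value": 1900.0},
                 {"eventID": 9, "metric": METRIC, "flowKey": "10.0.0.4", "value": 2600.0}]
```

Call install_definitions() once after sFlow-RT is up, then loop on poll_and_block() with a shared blocked set while the flood test runs.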
ENVIRONMENT ESTABLISHMENT
Environment Establishment
Figure: a laptop runs an Ubuntu VM that hosts the app and Mininet. The Mininet hosts use 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5 and 10.0.0.6. The VM services are reached at 10.10.10.2:6633, 10.10.10.2:8080, 10.10.10.2:8008 and 10.10.10.2:6343 (the default ports of the Floodlight OpenFlow listener, the Floodlight REST API, the sFlow-RT REST API and the sFlow collector, respectively).
TEST & EVALUATION
Test & Evaluation
Launch Floodlight: ./floodlight.sh
Launch InMon sFlow-RT: ./start.sh
Launch the Mininet topology: sudo ./topo.sh
(configures s1 as an sFlow agent and sets up the bridge between s1 and sFlow-RT)
Test & Evaluation: ICMP Flood Attack
Without mitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2
Figure: network traffic flow, attack from h4
Test & Evaluation: ICMP Flood Attack
With mitigation: h4 ICMP attack on h2
Figure: network traffic flow, attack from h4 is mitigated
Test & Evaluation: ICMP Flood Attack
Continue: h5 ICMP attack on h2
Figure: network traffic flow, attack from h5 is mitigated
Test & Evaluation: ICMP Flood Attack
Figures: 'subflows' in the ICMP attack flow; events triggered in this case; flow table of s1 (attacked by h3, h4, h6)
Test & Evaluation: SYN Flood Attack
Without mitigation: h1 SYN attack on h2 with: ping --tcp -p 80 --flag syn -rate 2000 --count 20000000 --no-capture --quiet 10.0.0.2
Figure: network traffic flow
Test & Evaluation: SYN Flood Attack
With mitigation: h6 and h4 SYN attack on h2
Figures: SYN flood traffic; flow table of s1 (attacked by h3, h4, h5, h6); attacks from h6 and h4 are mitigated
Test & Evaluation
DNS Amplification Attack & UDP Flood Attack: the attacks cannot be simulated → no test result yet
Test & Evaluation
Future work:
1. Test on the DNS Amplification Attack & UDP Flood Attack
2. {new_sample_rate, new_threshold} = update(old_sample_rate, old_threshold, network_congestion, server_status, …)
3. Sampling theory is efficient on large flows; think about {tiny flows × n}
4. A reasonable unblock mechanism
Q&A