Denial of Service in Software Defined Networks
Mohammad Faraji
Supervisor: Alberto Leon-Garcia
Cloud Computing
• Cloud computing is a model for (NIST definition [4]):
– on-demand network access
– to a shared pool of configurable computing resources
– that can be rapidly provisioned and
– released with minimal management effort
Extended Cloud Computing (ECC)
Cloud Security Challenges
• Old, existing problems:
– phishing
– downtime
– password weakness
– botnets, etc.
• New research challenges:
– botnets (DoS, spamming, etc.)
– shared resources (side channels, covert channels)
– fate-sharing
Denial Of Service
• Denial of Service: an explicit attempt by attackers to prevent legitimate users of a service from using that service. (CERT)
• Example:
– flooding a network
• Denial of Service is considered the largest security threat
Problem
• The application is distributed throughout the network (ECC)
• Isolating application traffic significantly reduces the probability of denial of service
• Network isolation through VLANs
• Limitations:
– Scalability (the 12-bit 802.1Q VLAN ID gives a 4k ID space, 4094 usable IDs)
– Complicated network management
– Per-user policy control
Design Goal
• Isolation
• Flexibility
• Location independence
• Easy policy control
• Scalability
• Cache-coherent
Proposed Method
[Figure: proposed method. A Policy Unit controls OpenFlow switches over the OpenFlow protocol on an SSL-protected secure channel; each switch is split into a hardware flow table (hw) and a software secure channel (sw). Link label: Max = 2 Gb.]
Architecture Elements
[Figure: architecture elements. Three virtual resources are shown: Virtual Resource 1, Virtual Resource 2, Virtual Resource 3.]
Methodology
• Identifying the attack set
• Setting up the implementation platform
• Selecting representative topologies
• Modeling the Policy Unit
• Implementing network virtualization
• Evaluation
Policy Unit model
[Figure: Policy Unit model, a pipeline of four stages: Authentication Assertion (single sign-on) → Attribute Assertion → Authorization and Access Control → Policy Enforcement.]
• Keystone (OpenStack Identity Manager)
• Attribute Based Access Control
Implementation Platform
[Figure: implementation platform. Orchestration layer (BPEL): Control, Data Store, Dynamic Link Generator, Storage Manager, Resource Manager, AAA. Service layer (WS): Storage, Resource (WS, BPEL), Programmable Resources (WS, BPEL), DB, ResultProcessor, QueryGenerator, backed by MySQL. Components communicate over a SOAP/WS-API. Managed elements: resources, file servers, and a Fabric (WS) whose FabricAgent manages the fabric resources over SNMP.]
Outcome
• A software platform on OpenFlow switches
• It decreases the chance of denial of service because:
– each application is able to define its own network topology
– each application can have its own policy
– policy control is fine-grained
• A DoS attack on one application does not affect others' traffic
• An attack can be easily interrupted
References
1. D. Karig and R. Lee, "Remote Denial of Service Attacks and Countermeasures," Princeton University Department of Electrical Engineering, Technical Report CE-L2001-002, Oct. 2001.
2. M. Jensen, N. Gruschka, and N. Luttenberger, "The impact of flooding attacks on network-based services," in Availability, Reliability and Security, 2008. ARES 08. Third International Conference on, Mar. 2008, pp. 509–513.
3. B. Krebs, "Amazon: Hey spammers, get off my cloud!" Jul. 2008. [Online]. Available: http://voices.washingtonpost.com/securityfix/2008/07/
4. P. Mell and T. Grance, "The NIST definition of cloud computing," National Institute of Standards and Technology, vol. 53, no. 6, p. 50, 2009. [Online]. Available: http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
5. S. Shankland, "HP's Hurd dings cloud computing, IBM," Oct. 2009.
6. D. Catteddu and G. Hogben, "Cloud Computing Risk Assessment," Nov. 2009. [Online]. Available: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
7. B. Krebs, "Amazon: Hey spammers, get off my cloud!" Jul. 2008. [Online]. Available: http://voices.washingtonpost.com/securityfix/2008/07/
8. M. C. Ferrer, "Zeus in-the-cloud," CA Community Blog, Dec. 2009.
9. M. Price, "The paradox of security in virtual environments," Computer, vol. 41, no. 11, pp. 22–28, Nov. 2008.
10. S. King and P. Chen, "SubVirt: implementing malware with virtual machines," in Security and Privacy, 2006 IEEE Symposium on, May 2006, pp. 314–327.
Thanks for your time. Questions?
APPENDIX
The NIST Cloud Definition Framework
[Figure: the NIST cloud definition framework, arranged in four layers.]
Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
Based upon the original chart created by Alex Dowbor - http://ornot.wordpress.com
Classification of DoS Attacks[1]
Attack | Affected Area | Example | Description
Network Level Device | Routers, IP switches, firewalls | Ascend Kill II, "Christmas Tree Packets" | Attack attempts to exhaust hardware resources using multiple duplicate packets or a software bug.
OS Level | Equipment vendor OS, end-user equipment | Ping of Death, ICMP Echo attacks, Teardrop | Attack takes advantage of the way operating systems implement protocols.
Application Level Attacks | Finger Bomb | Finger Bomb, Windows NT RealServer G2 6.0 | Attack a service or machine by using an application attack to exhaust resources.
Data Flood (Amplification, Oscillation, Simple Flooding) | Host computer or network | Smurf Attack (amplifier attack), UDP Echo (oscillation attack) | Attack in which massive quantities of data are sent to a target with the intention of using up bandwidth/processing resources.
Protocol Feature Attacks | Servers, client PCs, DNS servers | SYN (connection depletion) | Attack in which "bugs" in a protocol are exploited to take down network resources; methods include IP address spoofing and corrupting DNS server caches.