Selective Packet Inspection to Detect DoS Flooding

Using Software Defined Networking

Author : Tommy Chin Jr. , Xenia Mountrouidou , Xiangyang Li and Kaiqi Xiong Conference: IEEE 35th International Conference on Distributed Computing Systems Workshops (ICDCSW), 2015Presenter: Kuan-Chieh FengDate: 2015/10/21

Department of Computer Science and Information Engineering National Cheng Kung University

Outline

Introduction Approach System Architecture Experiment

National Cheng Kung University CSIE Computer & Internet Architecture Lab

2

Introduction

In this paper, we discuss a novel attack detection approach that coordinates monitors distributed over a network and controllers centralized on an SDN Open Virtual Switch , selectively inspecting network packets on demand.

National Cheng Kung University CSIE Computer & Internet Architecture Lab

3

Introduction

Two studies are especially relevant to the challenges and solutions in this study.• The OrchSec architecture [3] uses decoupled

monitors and SDN correlators in order to mitigate different types of attacks.

• The NICE framework [4] is an IDS agent to monitor mirrored traffic and to propose potential countermeasures to attacks.

National Cheng Kung University CSIE Computer & Internet Architecture Lab

4

Introduction

A monitor is sensitive and lightweight to quickly detect anomalies in network traffic.

A correlator, upon receiving an alert from a monitor, verifies the suspicion by inspecting detailed evidence of network packets in its neighborhood for additional attack signatures.

National Cheng Kung University CSIE Computer & Internet Architecture Lab

5

Approach

DoS flooding attacks try to deplete the recourses that a victim device has, being the network bandwidth or host resources.

They utilize a variety of techniques of flooding, amplification, protocol exploiting, and malformed packets.

Recently SDN has been applied in several studies.

National Cheng Kung University CSIE Computer & Internet Architecture Lab

6

Approach

However, DoS still poses many significant challenges to current detection and correlation solutions:• The ability of Intrusion Detection Systems (IDS)

is limited by what they see in data and thus by their locations on a network.

• Even if a SDN correlator is able to get hold of every bit of data, it is impossible to do deep inspection on every network packet

National Cheng Kung University CSIE Computer & Internet Architecture Lab

7

Approach

There is always a tradeoff in handling each of these problems.• Ex: IDS location

The key is to consider how to best utilize different IDS elements together in a dynamic and adaptive way.• Solution : SDN

National Cheng Kung University CSIE Computer & Internet Architecture Lab

8

Approach

Consider the TCP SYN flood attack : A surge of traffic volume of SYN requests

• Setting up a control threshold over the baseline traffic in monitor can quickly recognize a surge of abnormal traffic.

Spoofed IP address in invalid SYN requests• Requires adequate knowledge to be able to tell

them apart from other legitimate IPs

National Cheng Kung University CSIE Computer & Internet Architecture Lab

9

Approach

National Cheng Kung University CSIE Computer & Internet Architecture Lab

10

System Architecture

System Design Algorithms Communication Protocol

National Cheng Kung University CSIE Computer & Internet Architecture Lab

11

System Architecture – system design

Server Client (normal user, attacker) Open Virtual Switch Monitor Correlator (SDN controller)

National Cheng Kung University CSIE Computer & Internet Architecture Lab

12

System Architecture - algorithm

The Monitor is running a real time communicator algorithm.

The Correlator, hosted on the SDN controller, runs another algorithm that maintains an open communication with the monitor and the OVS.• A hash table based on original flow table • Another hash table based on current flow table

National Cheng Kung University CSIE Computer & Internet Architecture Lab

13

System Architecture – communication protocol

National Cheng Kung University CSIE Computer & Internet Architecture Lab

14

Experiment

Environment• Implementation on GENI• Ubuntu Linux 64 bits• Normal traffic created by iperf• TCP SYN floods with IP spoofing by hping3• Correlator running correlation algorithm on POX• The IDS is implemented by Snort rule• Communication protocol between the monitor and

correlator are implement in Python using socket programming

National Cheng Kung University CSIE Computer & Internet Architecture Lab

15

Experiment - Result analysis

National Cheng Kung University CSIE Computer & Internet Architecture Lab

16

Experiment - Result analysis

National Cheng Kung University CSIE Computer & Internet Architecture Lab

17

Experiment - Result analysis

National Cheng Kung University CSIE Computer & Internet Architecture Lab

18

Experiment

The monitor is the bottleneck in our experimentation

The most time consuming part of the monitor implementation the time it takes for the monitor to receive the attack packets

To improve the performance, we will need to either increase the number of monitors or use more powerful machines.

National Cheng Kung University CSIE Computer & Internet Architecture Lab

19