Page 1: DDoS Attack Detection & Mitigation in SDN

DDoS Attack Detection & Mitigation in SDN

FINAL VIVA PRESENTATION 2014-12-08

COMSE-6998

Presented by Chao CHEN (cc3736)

Page 2

Key Words

DDoS Attack Detection and Mitigation

Attack types: ICMP Flood, SYN Flood, DNS Amplification, UDP Flood

Toolchain: InMon sFlow-RT + Floodlight controller + Mininet

An SDN application that performs DDoS protection

Page 3

Outline:
1. RESEARCH BACKGROUND
2. SCHEME DESIGN
3. APPLICATION DEVELOPMENT
4. ENVIRONMENT ESTABLISHMENT
5. TEST & EVALUATION

Page 4

RESEARCH BACKGROUND

Page 5

Research Background

Goal: real-time detection and mitigation with the lowest cost of device deployment

Page 6

Research Background

sFlow = sampled Flow

Device capability → easy deployment

Physical devices: Cisco Nexus 3000/3100 series; IBM c/g/m/r/s/x/y series; Juniper EX 2200/3200/3300/4200/6200 series; ……

Virtual devices: Open vSwitch; Apache; Nginx; ……

sFlow collectors: InMon sFlow-RT; Brocade Network Advisor; ……

SDN analytics and control using the sFlow standard

Page 7

Research Background

sFlow + OpenFlow:
1. The switch samples packets.
2. The switch sends the headers of the sampled packets to sFlow-RT.
3. sFlow-RT maps them into fine-grained flows (e.g. tcpflags=SYN, icmptype=3, …).
4. If a flow exceeds its threshold, an event is triggered.
5. Events are accessible to external apps through the REST API.

Page 8

Research Background

Same sFlow + OpenFlow pipeline as the previous slide, annotated on the diagram by phase: detection, processing, mitigation.

Page 9

SCHEME DESIGN

Page 10

Scheme Design

Overall flowchart of the application (Yes/No decision branches on the slide); the attack-specific parts of the flowchart need to be specified for the different kinds of attacks.

Page 11

Scheme Design: ICMP Flood Attack

Mechanism: each device in the botnet pings the server at a high rate.

Flow definition:
    ipsource=0.0.0.0/0,
    ipdestination=10.0.0.2/32,    # suppose h2 is the server
    outputifindex!=discard,       # packet is not discarded
    ipprotocol=1                  # ICMP

Match fields in the blocking flow entry: ether-type, protocol, src-ip, dst-ip

Page 12

Scheme Design: SYN Flood Attack

Mechanism: each device in the botnet sends TCP SYN packets to the server at a high rate.

Flow definition:
    ipsource=0.0.0.0/0,
    ipdestination=10.0.0.2/32,    # suppose h2 is the server
    outputifindex!=discard,       # packet is not discarded
    tcpflags~.......1.            # TCP SYN packet (regex over the TCP flag bit string; SYN is the second-to-last bit)

Match fields in the blocking flow entry: ether-type, protocol, src-ip, dst-ip

Page 13

Scheme Design: DNS Amplification Attack

Mechanism: each device in the botnet sends DNS queries to several DNS servers with src-ip = the victim's IP, so the (much larger) responses are reflected to the victim. (Take the ANY query type, qtype 255, as the example.)

Page 14

Scheme Design: DNS Amplification Attack

Flow definition:
    ipsource=0.0.0.0/0,
    ipdestination=[10.0.0.1/32, 10.0.0.2/32],    # suppose h1 and h2 are the DNS servers
    outputifindex!=discard,                      # packet is not discarded
    dnsqr=false,                                 # DNS query, not response
    dnsqtype=255                                 # ANY

Match fields in the blocking flow entry: ether-type, protocol, src-ip, dst-ip

Protection is applied at the DNS servers (the reflectors) instead of at the victim.

Page 15

Scheme Design: UDP Flood Attack

Mechanism: each device in the botnet sends UDP packets to all the ports of the server.

Diagram on the slide: the attacker sends commands to the botnet/compromised systems, which send UDP packets to the target server's ports (UDP port list: 1, 5, 7, 9, 11, 13, 15, …); the server answers each closed port with ICMP Destination Unreachable.

Page 16

Scheme Design: UDP Flood Attack

Flow definition (direction reversed: monitor the server's replies):
    ipsource=10.0.0.2/32,      # the server (reversed)
    ipdestination=0.0.0.0/0,
    outputifindex!=discard,    # packet is not discarded
    ipprotocol=1,              # ICMP
    icmptype=3                 # Destination Unreachable

Match fields in the blocking flow entry: ether-type, protocol, src-ip = dst-ip of the monitored flow (the attacker), dst-ip = server IP

Protection works by monitoring the ICMP Destination Unreachable packets the server sends back.

Page 17

APPLICATION DEVELOPMENT

Page 18

Application Development

Python: import requests and json to perform GET/PUT/POST via the REST APIs. The different attacks are implemented similarly; the ICMP Flood attack is taken as the example.

Definition of flows, thresholds, …:

POST the definition to sFlow-RT:

Page 19

Application Development

Attack classification & static flow entry push:
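The pipeline of slides 7-8 (sample → flow → threshold event → REST), the per-attack flow definitions of slides 11-16 and the classification plus static-flow push of slides 18-19 fit together as below. This is an added example written for this page, not the deck's own application (which is not reproduced here); it uses only the standard library instead of requests, and sends the definitions with PUT, which is what sFlow-RT's /flow and /threshold resources take. Assumptions, all labelled in the code: the sFlow-RT and Floodlight REST endpoints from the environment slide, the DPID of s1, a 1000 frames/s per-sub-flow threshold, the field names of sFlow-RT event JSON (thresholdID, flowKey), the Floodlight v0.9x static flow pusher field names used on the slides, that the DNS-amplification drop rule matches UDP, and the constructed SAMPLE_EVENTS.

```python
"""Added example, not the deck's code: glue between sFlow-RT (detection) and Floodlight
(mitigation). Assumed: REST endpoints from the environment slide, the DPID of s1, the
per-sub-flow threshold, and sFlow-RT event JSON field names ('thresholdID', 'flowKey')."""
import json
import urllib.request

SFLOW_RT = "http://10.10.10.2:8008"          # sFlow-RT REST API (environment slide)
FLOODLIGHT = "http://10.10.10.2:8080"        # Floodlight REST API (environment slide)
SERVER_IP = "10.0.0.2"                       # h2 is the protected server
DNS_SERVERS = ["10.0.0.1", "10.0.0.2"]       # h1 and h2 act as DNS servers
S1_DPID = "00:00:00:00:00:00:00:01"          # assumed DPID of Mininet switch s1
THRESHOLD_PPS = 1000                         # assumed trigger per sub-flow, frames/s

# sFlow-RT filters, one per attack, as on the scheme-design slides. Keying every flow on
# (ipsource, ipdestination) makes each source host its own sub-flow, so the event names it.
FILTERS = {
    "icmp_flood": f"ipdestination={SERVER_IP}/32&outputifindex!=discard&ipprotocol=1",
    "syn_flood": f"ipdestination={SERVER_IP}/32&outputifindex!=discard&tcpflags~.......1.",
    "dns_amp": "ipdestination=[" + ",".join(f"{ip}/32" for ip in DNS_SERVERS)
               + "]&outputifindex!=discard&dnsqr=false&dnsqtype=255",
    # Reversed direction: count ICMP Destination Unreachable leaving the server.
    "udp_flood": f"ipsource={SERVER_IP}/32&outputifindex!=discard&ipprotocol=1&icmptype=3",
}
IP_PROTO = {"icmp_flood": "1", "syn_flood": "6", "dns_amp": "17", "udp_flood": "17"}  # dns_amp: assumed UDP

# Constructed sample of what /events/json returns (shape assumed): h4 floods h2 with ICMP
# (reported twice) and h2 answers h5's UDP flood with ICMP unreachable.
SAMPLE_EVENTS = [
    {"eventID": 7, "thresholdID": "icmp_flood", "flowKey": "10.0.0.4,10.0.0.2", "value": 4812.0},
    {"eventID": 8, "thresholdID": "icmp_flood", "flowKey": "10.0.0.4,10.0.0.2", "value": 4790.0},
    {"eventID": 9, "thresholdID": "udp_flood", "flowKey": "10.0.0.2,10.0.0.5", "value": 2200.0},
]


def definitions(attack):
    """Bodies for PUT /flow/<attack>/json and PUT /threshold/<attack>/json (byFlow: per sub-flow)."""
    flow = {"keys": "ipsource,ipdestination", "value": "frames", "filter": FILTERS[attack]}
    return flow, {"metric": attack, "value": THRESHOLD_PPS, "byFlow": True}


def classify_event(event):
    """Return (attack, src_ip, dst_ip) for an event raised by one of our thresholds, else None."""
    attack = event.get("thresholdID")
    if attack not in FILTERS:
        return None
    src, dst = event["flowKey"].split(",")
    return attack, src, dst


def blocking_entry(attack, src_ip, dst_ip, name):
    """Floodlight static flow pusher entry (v0.9x names) that drops the attacker: empty actions = drop."""
    if attack == "udp_flood":
        # Monitored flow is the server's reply, so the attacker is its destination (slide 16).
        attacker, victim = dst_ip, src_ip
    else:
        attacker, victim = src_ip, dst_ip
    return {"switch": S1_DPID, "name": name, "priority": "32767", "active": "true",
            "ether-type": "0x0800", "protocol": IP_PROTO[attack],
            "src-ip": attacker, "dst-ip": victim, "actions": ""}


def plan_blocks(events, already_blocked):
    """Turn a batch of events into new drop entries, skipping pairs already blocked."""
    entries = []
    for hit in filter(None, map(classify_event, events)):
        entry = blocking_entry(*hit, name="block-" + "-".join(hit))
        key = (entry["src-ip"], entry["dst-ip"], entry["protocol"])
        if key not in already_blocked:
            already_blocked.add(key)
            entries.append(entry)
    return entries


def _rest(method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=90) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def run():
    """Live loop: install definitions, long-poll sFlow-RT for events, push drop rules to Floodlight."""
    for attack in FILTERS:
        flow, threshold = definitions(attack)
        _rest("PUT", f"{SFLOW_RT}/flow/{attack}/json", flow)
        _rest("PUT", f"{SFLOW_RT}/threshold/{attack}/json", threshold)
    blocked, event_id = set(), -1
    while True:
        url = f"{SFLOW_RT}/events/json?maxEvents=10&timeout=60&eventID={event_id}"
        events = _rest("GET", url) or []
        for entry in plan_blocks(events, blocked):
            _rest("POST", f"{FLOODLIGHT}/wm/staticflowentrypusher/json", entry)
        event_id = max([e["eventID"] for e in events] + [event_id])


if __name__ == "__main__":
    run()
```

Running the module on the VM with Floodlight, sFlow-RT and Mininet up performs the whole loop; importing it and calling plan_blocks(SAMPLE_EVENTS, set()) shows the UDP-flood reversal offline: the event names h2 as the source of the ICMP replies, but the drop rule is installed against h5, and the repeated ICMP event for h4 produces only one rule.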

Page 20

ENVIRONMENT ESTABLISHMENT

Page 21

Environment Establishment

Laptop hosting an Ubuntu VM that runs the App and Mininet; the controller and collector are reached at 10.10.10.2.

Mininet hosts: h1 10.0.0.1, h2 10.0.0.2, h3 10.0.0.3, h4 10.0.0.4, h5 10.0.0.5, h6 10.0.0.6

Endpoints:
    10.10.10.2:6633    # OpenFlow channel to the Floodlight controller
    10.10.10.2:8080    # Floodlight REST API
    10.10.10.2:8008    # sFlow-RT REST API
    10.10.10.2:6343    # sFlow collector (sFlow-RT), sampled headers from the switch

Page 22

TEST & EVALUATION

Page 23

Test & Evaluation

Launch Floodlight: ./floodlight.sh

Launch InMon sFlow-RT: ./start.sh

Launch the Mininet topology: sudo ./topo.sh

topo.sh configures s1 as an sFlow agent and connects it to the sFlow-RT collector.

Page 24

Test & Evaluation: ICMP Flood Attack, without mitigation

h1 ICMP attack on h2 with: ping -f 10.0.0.2

Figure: network traffic flow, showing the attack from h4.

Page 25

Test & Evaluation: ICMP Flood Attack, with mitigation

h4 ICMP attack on h2

Figure: network traffic flow; the attack from h4 is mitigated.

Page 26

Test & Evaluation: ICMP Flood Attack, with mitigation (continued)

h5 ICMP attack on h2

Figure: network traffic flow; the attack from h5 is mitigated.

Page 27

Test & Evaluation: ICMP Flood Attack

Figures: 'subflows' in the ICMP attack flow; events triggered in this case; flow table of s1 (attacked by h3, h4, h6).

Page 28

Test & Evaluation: SYN Flood Attack, without mitigation

h1 SYN attack on h2 with: nping --tcp -p 80 --flags syn --rate 2000 --count 20000000 --no-capture --quiet 10.0.0.2

Figure: network traffic flow.

Page 29

Test & Evaluation: SYN Flood Attack, with mitigation

h6 and h4 SYN attack on h2

Figures: SYN flood traffic; flow table of s1 (attacked by h3, h4, h5, h6). The attacks from h6 and h4 are mitigated.

Page 30

Test & Evaluation

DNS Amplification Attack & UDP Flood Attack: could not be simulated in the test environment → no test results yet

Page 31

Test & Evaluation

Future work:
1. Test the DNS Amplification Attack and UDP Flood Attack.
2. Adaptive parameters: {new_sample_rate, new_threshold} = update(old_sample_rate, old_threshold, network_congestion, server_status, …)
3. Sampling theory is efficient on large flows; think about {tiny flows} × n (the same load spread over many small flows).
4. A reasonable unblock mechanism.
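Item 3 is worth quantifying. The following is an added example for this page, not the deck's code, and it generalises the point: it models 1-in-N packet sampling as independent sampling with probability 1/sample_rate (an idealisation; real sFlow agents sample 1-in-N on average) and assumes the collector scales the sample count back up, so a sub-flow trips the threshold when samples × sample_rate / window ≥ threshold. The sample_rate, threshold and window values are assumed for illustration.

```python
"""Added example, not the deck's code: how 1-in-N sFlow sampling interacts with a
per-source threshold (future-work item 3). Model assumed here: each packet is sampled
independently with probability 1/sample_rate and the collector scales the count back up,
so a sub-flow trips the threshold when samples * sample_rate / window >= threshold."""
from math import ceil, exp, lgamma, log


def binom_sf(n, p, k):
    """P[Binomial(n, p) >= k], summed in log space so a large n does not overflow."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    if p >= 1.0:                      # no sampling at all: every packet is seen
        return 1.0
    log_pmf = [lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
               + i * log(p) + (n - i) * log(1 - p) for i in range(k)]
    return max(0.0, 1.0 - sum(exp(v) for v in log_pmf))


def p_detect(flow_pps, sample_rate, threshold_pps, window_s):
    """Probability that one flow of flow_pps packets/s is reported above threshold_pps
    within a window of window_s seconds under 1-in-sample_rate sampling."""
    packets = int(round(flow_pps * window_s))             # what the flow puts on the wire
    needed = ceil(threshold_pps * window_s / sample_rate)  # samples that trip the threshold
    return binom_sf(packets, 1.0 / sample_rate, needed)


def compare(per_source_pps, sources, sample_rate=10, threshold_pps=1000, window_s=2):
    """Same total load, one flood vs. spread over `sources` hosts: detection probability
    per source (what a per-(ipsource, ipdestination) sub-flow threshold sees) and for the
    aggregate (what a flow keyed only on ipdestination would see)."""
    total = per_source_pps * sources
    return {
        "aggregate_pps": total,
        "p_detect_one_source": p_detect(per_source_pps, sample_rate, threshold_pps, window_s),
        "p_detect_aggregate": p_detect(total, sample_rate, threshold_pps, window_s),
    }
```

With 1-in-10 sampling and a 1000 frames/s threshold over a 2 s window, a single 2000 pps flood is caught with probability essentially 1, a source sending exactly 1000 pps is caught only about half the time (the estimate sits right on the threshold), and 40 sources at 50 pps each are never caught individually although their 2000 pps aggregate would be: this is the argument for also keeping a coarser flow keyed on the destination, and for the adaptive {sample_rate, threshold} update in item 2.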

Page 32

Q&A