OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 - - PowerPoint PPT Presentation



SLIDE 1

OpenFlow DDoS Mitigation

  • C. Dillon, M. Berkelaar
  • February 9, 2014
  • University of Amsterdam / Quanza Engineering

SLIDE 2

Introduction

Distributed Denial of Service attacks: types of attacks
  • Application layer attacks (low volume)
  • Network layer attacks (high volume)

Popular mitigation methods
  • BGP Remotely Triggered Black Hole (RTBH)
  • In-line filtering appliances
  • Scrubbing center

OpenFlow DDoS mitigation
  • While keeping the target online

SLIDE 3

Research Question

How can OpenFlow be used in DDoS mitigation?
  • How can flow statistics be analyzed to detect DDoS attacks?
  • Can packet symmetry in sampled traffic be analyzed to detect malicious traffic sources?
  • Can malicious traffic sources be detected by temporarily dropping outgoing traffic?
  • Can OpenFlow be used to efficiently block malicious sources while allowing legitimate traffic?

SLIDE 4

OpenFlow

  • Separation between control- and data plane
  • Controller creates and pushes flows to data plane
  • TCAM table

[0] http://yuba.stanford.edu/cs244wiki/index.php/Overview

SLIDE 5

OpenFlow: Flow Statistics

Per flow:
  • Duration
  • Byte counters
  • Packet counters

  • Polled by controller
  • Network load overview

SLIDE 6

OpenFlow: Traffic Sampling

Packet-in channel
  • Samples to controller
  • Strip payload
  • Encapsulation by switch
  • TCP stream

Mirroring
  • Multiple output ports for a flow
  • To any IDS on the network

SLIDE 7

OpenFlow: Traffic Dropping

Flexibility in dropping traffic:
  • Source based blocking
  • Destination based filtering
      • Only block TCP/UDP destination port

Limited by capacity of TCAM table

SLIDE 8

Proposed Solution

1 Initial detection
  • Monitoring flow statistics
  • Detect traffic spikes

2 Identification of attackers
  • Traffic sampling
  • Packet symmetry
  • Block outgoing traffic

3 Blocking the attack
  • Drop traffic from malicious sources

SLIDE 9

Proposed Solution: Initial Detection

Detection of traffic spikes in flow statistics
  • Detection based on the standard deviation
  • Lightweight
  • Initial detection: used to trigger further detection mechanisms
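As an added example (not code from the slides or from the authors' Ryu controller), the following shows the standard-deviation based initial detection on byte counters polled from OpenFlow flow statistics. The poll interval, baseline window, z-score threshold and the counter samples are all assumed or constructed here; in a Ryu controller the counter list would be filled from the replies to periodic OFPFlowStatsRequest messages.

```python
# Added example: z-score spike detection on polled OpenFlow byte counters.
# Not code from the slides; poll interval, window sizes and sample data are assumed.
from statistics import mean, pstdev

POLL_INTERVAL = 5.0   # seconds between stats polls (assumed)
HISTORY = 12          # number of past rate samples forming the baseline
Z_THRESHOLD = 3.0     # alert when rate > mean + Z * stddev of the baseline
MIN_SAMPLES = 6       # do not judge until this many rate samples exist

# Constructed cumulative byte counters for one target-bound flow, one value per poll:
# roughly 1000 B/s of legitimate traffic for ten intervals, then a flood.
SAMPLE_COUNTERS = [0, 5000, 10200, 15100, 20200, 25200, 30150,
                   35200, 40300, 45200, 50200, 300200, 600200]


def rates_from_counters(counters, interval=POLL_INTERVAL):
    """Turn cumulative per-flow byte counters into per-second rates.

    OpenFlow counters only grow, so the rate is the delta between
    consecutive polls. A negative delta means the flow was re-installed
    (counter reset) and that interval is skipped.
    """
    rates = []
    for prev, cur in zip(counters, counters[1:]):
        delta = cur - prev
        if delta < 0:
            continue
        rates.append(delta / interval)
    return rates


def detect_spikes(rates, history=HISTORY, z=Z_THRESHOLD, min_samples=MIN_SAMPLES):
    """Return (index, rate, baseline_mean, baseline_stddev) for every sample
    whose rate exceeds mean + z * stddev of the preceding `history` samples.

    The current sample is excluded from its own baseline so a spike cannot
    raise the threshold it is tested against. A floor of 5% of the mean is
    put on the stddev so a perfectly flat baseline still requires a real
    increase instead of alerting on any change at all.
    """
    alerts = []
    for i in range(min_samples, len(rates)):
        baseline = rates[max(0, i - history):i]
        mu = mean(baseline)
        sigma = pstdev(baseline)
        threshold = mu + z * max(sigma, 0.05 * mu)
        if rates[i] > threshold:
            alerts.append((i, rates[i], mu, sigma))
    return alerts


def run_demo(counters=SAMPLE_COUNTERS):
    """Run the detector over the constructed counters; returns the alert indices."""
    return [idx for idx, *_ in detect_spikes(rates_from_counters(counters))]


if __name__ == "__main__":
    for idx, rate, mu, sigma in detect_spikes(rates_from_counters(SAMPLE_COUNTERS)):
        print(f"poll {idx}: {rate:.0f} B/s (baseline {mu:.0f} +/- {sigma:.0f}) -> trigger sampling")
```

The detector is deliberately cheap (one mean and one standard deviation per poll), which matches its role on the slide: an alert here only switches on the heavier sampling and symmetry analysis, it does not block anything by itself.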

SLIDE 10

Proposed Solution: Packet Symmetry

  • Mirror traffic from and to DDoS target
  • Distinguish attackers with packet count symmetry analysis

Legitimate traffic shows typical ratios between 1:1 and 8:1.
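An added example of the packet count symmetry analysis described above (not code from the slides): per remote host it counts packets sent to the target against packets the target sent back, and flags hosts whose inbound:outbound ratio exceeds the 8:1 bound the slide gives for legitimate traffic. The victim address, the sampled packets and the minimum sample count are constructed or assumed.

```python
# Added example: packet-count symmetry analysis over mirrored traffic.
# Not code from the slides; addresses, packets and the minimum sample count are constructed.
from collections import defaultdict

SYMMETRY_LIMIT = 8.0   # slides: legitimate traffic stays between 1:1 and 8:1
MIN_PACKETS = 10       # assumed: ignore hosts seen too rarely to judge

TARGET = "192.0.2.10"  # constructed victim address


def _build_sample():
    """Constructed mirrored packets as (src, dst) pairs."""
    legit_client = [("198.51.100.7", TARGET)] * 12 + [(TARGET, "198.51.100.7")] * 10
    download_client = [("198.51.100.8", TARGET)] * 4 + [(TARGET, "198.51.100.8")] * 30
    flood_unanswered = [("203.0.113.5", TARGET)] * 500            # stalled target never replies
    flood_partly = [("203.0.113.6", TARGET)] * 200 + [(TARGET, "203.0.113.6")] * 5
    rare_host = [("203.0.113.9", TARGET)] * 3                      # too few samples to judge
    return legit_client + download_client + flood_unanswered + flood_partly + rare_host


SAMPLE_PACKETS = _build_sample()


def symmetry_counts(packets, target=TARGET):
    """Per remote host: (packets sent to target, packets received from target)."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst in packets:
        if dst == target:
            counts[src][0] += 1
        elif src == target:
            counts[dst][1] += 1
    return {host: tuple(c) for host, c in counts.items()}


def symmetry_ratio(to_target, from_target):
    """Inbound:outbound ratio; infinite when the target never answered at all."""
    if from_target == 0:
        return float("inf")
    return to_target / from_target


def classify_sources(counts, limit=SYMMETRY_LIMIT, min_packets=MIN_PACKETS):
    """Return {host: ratio} for hosts whose inbound:outbound ratio exceeds the limit.

    Hosts with fewer than min_packets sampled packets are skipped: a single
    unanswered SYN from a new client must not look like a flood.
    """
    suspects = {}
    for host, (to_target, from_target) in counts.items():
        if to_target + from_target < min_packets:
            continue
        ratio = symmetry_ratio(to_target, from_target)
        if ratio > limit:
            suspects[host] = ratio
    return suspects


if __name__ == "__main__":
    for host, ratio in sorted(classify_sources(symmetry_counts(SAMPLE_PACKETS)).items()):
        print(f"{host}: ratio {ratio:.1f} -> candidate for a drop flow")
```

The download client in the sample (many more packets from the target than to it) is deliberately asymmetric in the other direction and is not flagged, since a server streaming data to a client is exactly what the 1:1 to 8:1 band allows for.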

SLIDE 11

Proposed Solution: Block Outgoing Traffic

A short interruption of the outgoing flow could distinguish bad sources.
  • TCP retransmit interval should increase
  • Typical request-response protocols may show equal behaviour

  • Expecting a declining rate of packets
  • OpenFlow can easily and rapidly modify flows to enable this

SLIDE 12

Proposed Solution: Block Outgoing Traffic

1 Sample
2 Block + sample
3 Analyse

SLIDE 13

Proposed Solution: Drop Malicious Traffic

Explicit drop flows using OpenFlow
  • Source-based blocking explored
  • Idle drop flows expire automatically
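An added example covering the "sample, block + sample, analyse" procedure of slide 12 and the idle-expiring drop flows of slide 13 (not code from the slides or from the authors' controller). It takes per-source packet-in timestamps, compares the packet rate in the first and second half of the window in which outgoing traffic is withheld, and emits a source-based drop flow, in ovs-ofctl add-flow syntax for Open vSwitch, for every source that kept sending at a constant rate. The timestamps, addresses, decline factor, priority and idle timeout are constructed or assumed.

```python
# Added example: analysing the "sample -> block + sample -> analyse" experiment
# and emitting the resulting drop flows. Not code from the slides; timestamps,
# addresses, thresholds and timeouts are constructed or assumed.

DECLINE_FACTOR = 0.5    # assumed: second half of the block window may carry at
                        # most this fraction of the first half's packets
DROP_IDLE_TIMEOUT = 60  # assumed: seconds of silence before a drop flow expires
DROP_PRIORITY = 200     # assumed: must outrank the normal forwarding flows


def _curl_like():
    """Constructed: steady requests while answers flow (0-2 s), then TCP
    retransmits with a doubling retransmission timeout once replies stop."""
    return [0.1 + 0.2 * i for i in range(10)] + [2.2, 2.6, 3.4, 5.0]


def _flood_like():
    """Constructed: 50 packets/s no matter whether the target answers."""
    return [0.02 * i for i in range(300)]


# Sample phase 0-2 s, block phase 2-6 s (target's outgoing traffic withheld).
SAMPLE_TIMESTAMPS = {
    "198.51.100.7": _curl_like(),
    "203.0.113.5": _flood_like(),
}


def count_in(timestamps, start, end):
    """Number of packets with start <= t < end."""
    return sum(1 for t in timestamps if start <= t < end)


def analyse_block_phase(samples, block_start, block_end, factor=DECLINE_FACTOR):
    """Classify each source by how its packet rate develops while replies are blocked.

    'backing-off': rate drops across the window (TCP backoff, or a request/response
                   client waiting for an answer that never comes)
    'constant':    rate stays up although nothing comes back
    'unknown':     nothing seen in the first half, so no verdict is possible
    """
    mid = block_start + (block_end - block_start) / 2
    verdicts = {}
    for host, ts in samples.items():
        first = count_in(ts, block_start, mid)
        second = count_in(ts, mid, block_end)
        if first == 0:
            verdicts[host] = "unknown"
        elif second <= factor * first:
            verdicts[host] = "backing-off"
        else:
            verdicts[host] = "constant"
    return verdicts


def drop_flow_rule(src, idle_timeout=DROP_IDLE_TIMEOUT, priority=DROP_PRIORITY):
    """Source-based drop flow in ovs-ofctl add-flow syntax.

    idle_timeout lets the switch delete the entry itself once the source has
    been silent for that long, so the TCAM only holds currently active sources.
    """
    return f"priority={priority},idle_timeout={idle_timeout},ip,nw_src={src},actions=drop"


def drop_rules_for(verdicts):
    """One drop flow per source classified as constant-rate."""
    return [drop_flow_rule(h) for h, v in sorted(verdicts.items()) if v == "constant"]


if __name__ == "__main__":
    verdicts = analyse_block_phase(SAMPLE_TIMESTAMPS, 2.0, 6.0)
    for host, verdict in sorted(verdicts.items()):
        print(f"{host}: {verdict}")
    for rule in drop_rules_for(verdicts):
        print("ovs-ofctl add-flow br0", rule)
```

The halving comparison is a coarse stand-in for fitting the retransmission backoff; it is enough to separate the two constructed sources and, as the slides note, depends on the block being applied promptly by the switch, which is where the hardware timing issues showed up in the proof of concept.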

SLIDE 14

Proof of Concept: Experimentation Setup

Ryu SDN framework
  • Python based OpenFlow controller
  • Detection mechanisms in the controller

Software environment
  • KVM + Open vSwitch

Hardware environment
  • Arista 7050 OpenFlow switch
  • 10Gbit simulations
  • Not as flexible as Open vSwitch

Traffic simulation
  • Victim and attacker machines
  • Legitimate + DDoS traffic

SLIDE 15

Proof of Concept: Packet Symmetry

Hping3 flood stalls the Curl

SLIDE 16

Proof of Concept: Block Outgoing Traffic

  • Timing issues with hardware.
  • Flood never stopped.
  • Curl retransmitted at a declining rate.

SLIDE 17

Conclusion

Using the OpenFlow infrastructure to mitigate high volume attacks shows potential. Hardware currently shows limitations:
  • TCAM table size
  • Timing of OpenFlow operations in our experiment caused issues

SLIDE 18

Questions

Questions?