[PPT] - SDN-based defense against known IPv6 link-layer attacks Bachelors PowerPoint Presentation

SLIDE 1

Fakultät für Informatik

Technische Universität München

SDN-based defense against known IPv6 link-layer attacks

Bachelor’s thesis final talk

Andres Rauschecker

Advisor: Lukas Schwaighofer Supervisor: Prof. Dr.-Ing. Georg Carle Chair of Network Architectures and Services Department of Informatics Technical University of Munich (TUM)

SLIDE 2

2

Overview

Introduction
Related work: NDPMon, Snort & defensive switches
Attack analysis: ICMP
Controller design: Flow Tables, address reuse
Evaluation: attack defense, new threats
Attack vectors on the controller & further issues
Conclusion & future work

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 3

3

Introduction

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

IPv4 replaced by new v6, but:
similar mechanisms in addressing & host

communication

similar attacks on the new protocol, esp. ICMPv6

➡ link-layer security problematic

Related Work: NDPMon, Snort, defensive switches
active defense?

SLIDE 4

4

Related work - NDPMon

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

Monitoring tool for ND related traffic
two modes:
learn: recognize hosts by analyzing normal traffic

➡ generates XML topology file

monitor: recognize malicious behavior

➡ logging to file/mail ➡ countermeasures limited to simple custom packets

SLIDE 5

rule-set based: monitor every packet for matching patterns
Internal mode:
virtual bridge between two network segments
filter for internal <-> external traffic

➡ limited defense: drop packets between segments, send

custom packets

5

Related work - Snort IDS

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 6

6

Related work - Defensive switches

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

CISCO, HP & H3C: IPv6 „Source Guard“ mechanism:
IP-MAC-VLAN table:
learn legitimate hosts from DHCP traffic
CISCO only: learning from ND traffic

➡ drop all packets, that do not match the table

SLIDE 7

7

Attack analysis: ICMP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 8

8

Attack analysis: ICMP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

ICMP protocol used for address registration and link-local

communication ➔ several attack vectors exist: 

Router Advertisement & Solicitation
Echo Request & Reply pair
Neighbor Advertisement & Solicitation

SLIDE 9

9

Attack analysis: ICMP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

Router Advertisement & Solicitation:
becoming the default router ➔ MitM, DoS
recognizing malicious behavior is complex (rogue RAs

are homogenous to legal ones) 

idea: white-list approach (not implemented)

SLIDE 10

10

Attack analysis: ICMP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

Echo Request & Reply pair:
ICMP Ping Smurfing:

Attacker sends forged ERq - with Host 1 as source

SLIDE 11

11

Attack analysis: ICMP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

Echo Request & Reply pair:
ICMP Ping Smurfing:

Hosts send back ERp to Host 1 ➔ Distributed DoS

SLIDE 12

12

Attack analysis: ICMP

Neighbor Advertisement & Solicitation:
before registering IP - send a Neighbor Solicitation
no answer within interval ➔ we can use the IP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 13

13

Attack analysis: ICMP

Neighbor Advertisement & Solicitation:
DAD Denial-of-Service: fake Neighbor Advertisement
attacker forges reply ➔ we can not use the IP

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 14

14

Attack analysis: ICMP

Neighbor Advertisement & Solicitation:
Man-in-the-Middle attacks: fake NAs

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 15

15

Attack analysis: ICMP

Neighbor Advertisement & Solicitation:
Man-in-the-Middle attacks: fake NAs

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 16

16

Controller design

Main security problem: packets from forged sources
Idea: Keep track of all legitimate IP registrations
Via: Software Defined Networking

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 17

Controller checks for legality of NS
Sends OpenFlow message to all switches to allow IP

17

Controller design: Flow Tables

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 18

18

Controller design: Flow Tables

OpenFlow table concept: Table forwarding

IN PORT SRC MAC SRC IP

2 00:11:22:33:44:55 fc00::1:2 4 AA:BB:CC:DD:EE:FF fc00::1:3

IN PT DST MAC

2 00:11:22:33:44:55 4 AA:11:CC:22:EE:55

IP Match Table Mac/Port Table

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 19

19

Controller design: Address reuse

So far: IPs once registered can not be changed

➡ Check IP usage, if new NS requests it

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 20

20

Controller design: Address reuse

Original Host sends back NA ➔ still online, no reuse
No NA from original Host ➔ offline, IP reuse

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 21

21

Evaluation

Selected attacks on Echo and ND messages
successfully defended
Memorizing network states enables a new layer of security!
Keeping track of all NS packets on the controller
attack vectors targeting the controller?

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 22

22

Attack vectors on the controller

Flood of NS, with mutating src MAC & src IP
Fills internal cache dictionaries
Slows down registration of legitimate packets
Possible solution:
Supply exact topology to controller
Controller knows how many IPs per port
Limit packets per port & block port in attack

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 23

23

Further issues

Mininet network initialization race-condition
After network startup: not all NS registered in FTs

➡ Internal problem in the topology startup: 

Switch-handshake executed during host initializations

Lost switch connection after controller shutdown
restarting the controller and reestablishing switch

datapath objects not possible

➡ Loading controller & switch states from file currently

not possible

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 24

24

Conclusion

link-layer protection for established hosts
against Ping Smurfing and ND Spoofing
alternative to (costly) proprietary solutions
attack vector on the controller:
problematic for newly registering hosts only
defense dependent on the network infrastructure

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 25

25

Future work

Implementation of router white-list
Incorporating IP registrations from DHCP
Limiting ND propagation
Advanced, scheduled table cleanup
Defending controller attacks

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk

SLIDE 26

26

Thank you for your attention.

Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk