sdn based defense against known ipv6 link layer attacks
play

SDN-based defense against known IPv6 link-layer attacks Bachelors - PowerPoint PPT Presentation

Mar 02, 2024 •141 likes •402 views

Fakultt fr Informatik Technische Universitt Mnchen SDN-based defense against known IPv6 link-layer attacks Bachelors thesis final talk Andres Rauschecker Advisor: Lukas Schwaighofer Supervisor: Prof. Dr.-Ing. Georg Carle Chair of

  1. Fakultät für Informatik Technische Universität München SDN-based defense against known IPv6 link-layer attacks Bachelor’s thesis final talk Andres Rauschecker Advisor: Lukas Schwaighofer Supervisor: Prof. Dr.-Ing. Georg Carle Chair of Network Architectures and Services Department of Informatics Technical University of Munich (TUM)

  2. Overview • Introduction • Related work: NDPMon, Snort & defensive switches • Attack analysis: ICMP • Controller design: Flow Tables, address reuse • Evaluation: attack defense, new threats • Attack vectors on the controller & further issues • Conclusion & future work Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 2

  3. Introduction • IPv4 replaced by new v6, but: - similar mechanisms in addressing & host communication - similar attacks on the new protocol, esp. ICMPv6 ➡ link-layer security problematic - Related Work: NDPMon, Snort, defensive switches - active defense? Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 3

  4. Related work - NDPMon • Monitoring tool for ND related traffic • two modes: - learn : recognize hosts by analyzing normal traffic ➡ generates XML topology file - monitor : recognize malicious behavior ➡ logging to file/mail ➡ countermeasures limited to simple custom packets Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 4

  5. Related work - Snort IDS • rule-set based: monitor every packet for matching patterns • Internal mode: - virtual bridge between two network segments - filter for internal <-> external traffic ➡ limited defense: drop packets between segments, send custom packets Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 5

  6. Related work - Defensive switches • CISCO, HP & H3C: IPv6 „Source Guard“ mechanism: - IP-MAC-VLAN table: • learn legitimate hosts from DHCP traffic • CISCO only: learning from ND traffic ➡ drop all packets, that do not match the table Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 6

  7. Attack analysis: ICMP Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 7

  8. Attack analysis: ICMP • ICMP protocol used for address registration and link-local communication ➔ several attack vectors exist: 
 - Router Advertisement & Solicitation - Echo Request & Reply pair - Neighbor Advertisement & Solicitation Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 8

  9. Attack analysis: ICMP • Router Advertisement & Solicitation: - becoming the default router ➔ MitM, DoS - recognizing malicious behavior is complex (rogue RAs are homogenous to legal ones) 
 - idea: white-list approach (not implemented) Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 9

  10. Attack analysis: ICMP • Echo Request & Reply pair: - ICMP Ping Smurfing: 
 Attacker sends forged ERq - with Host 1 as source Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 10

  11. Attack analysis: ICMP • Echo Request & Reply pair: - ICMP Ping Smurfing: 
 Hosts send back ERp to Host 1 ➔ Distributed DoS Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 11

  12. Attack analysis: ICMP • Neighbor Advertisement & Solicitation: - before registering IP - send a Neighbor Solicitation - no answer within interval ➔ we can use the IP Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 12

  13. Attack analysis: ICMP • Neighbor Advertisement & Solicitation: - DAD Denial-of-Service: fake Neighbor Advertisement - attacker forges reply ➔ we can not use the IP Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 13

  14. Attack analysis: ICMP • Neighbor Advertisement & Solicitation: - Man-in-the-Middle attacks: fake NAs Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 14

  15. Attack analysis: ICMP • Neighbor Advertisement & Solicitation: - Man-in-the-Middle attacks: fake NAs Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 15

  16. Controller design • Main security problem: packets from forged sources • Idea: Keep track of all legitimate IP registrations • Via: Software Defined Networking Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 16

  17. Controller design: Flow Tables • Controller checks for legality of NS • Sends OpenFlow message to all switches to allow IP Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 17

  18. Controller design: Flow Tables • OpenFlow table concept: Table forwarding IN PT DST MAC IN PORT SRC MAC SRC IP 2 00:11:22:33:44:55 2 00:11:22:33:44:55 fc00::1:2 4 AA:11:CC:22:EE:55 4 AA:BB:CC:DD:EE:FF fc00::1:3 IP Match Table Mac/Port Table Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 18

  19. Controller design: Address reuse • So far: IPs once registered can not be changed ➡ Check IP usage, if new NS requests it Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 19

  20. Controller design: Address reuse • Original Host sends back NA ➔ still online, no reuse • No NA from original Host ➔ offline, IP reuse Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 20

  21. Evaluation • Selected attacks on Echo and ND messages - successfully defended • Memorizing network states enables a new layer of security! • Keeping track of all NS packets on the controller - attack vectors targeting the controller? Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 21

  22. Attack vectors on the controller • Flood of NS, with mutating src MAC & src IP - Fills internal cache dictionaries - Slows down registration of legitimate packets • Possible solution: - Supply exact topology to controller - Controller knows how many IPs per port - Limit packets per port & block port in attack Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 22

  23. Further issues • Mininet network initialization race-condition - After network startup: not all NS registered in FTs ➡ Internal problem in the topology startup: 
 Switch-handshake executed during host initializations • Lost switch connection after controller shutdown - restarting the controller and reestablishing switch datapath objects not possible ➡ Loading controller & switch states from file currently not possible Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 23

  24. Conclusion • link-layer protection for established hosts • against Ping Smurfing and ND Spoofing • alternative to (costly) proprietary solutions • attack vector on the controller: • problematic for newly registering hosts only • defense dependent on the network infrastructure Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 24

  25. Future work • Implementation of router white-list • Incorporating IP registrations from DHCP • Limiting ND propagation • Advanced, scheduled table cleanup • Defending controller attacks Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 25

  26. Thank you for your attention. Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk Kang , Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013 Large Scale Link-Flooding Attacks Massive DDoS attacks against

487 views • 27 slides
5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

5 Data Link Layer Data Link Layer Self-learning, Interconnecting switches Source: A Dest:

Data Link Layer Data Link Layer Hubs Switch physical- layer (dumb) repeaters: bits coming in one link go out all other links at same link-layer device: smarter than hubs, take rate active role all nodes connected to hub can

442 views • 5 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu

Networking Attacks: Link-, IP-, and TCP-layer attacks Network Security Prof. Haojin Zhu Materials adopted from Prof. David Wagner 2019 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication

876 views • 60 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner

Networking Attacks: Link-, IP-, and TCP-layer attacks CS 161: Computer Security Prof. David Wagner February 28, 2013 General Communication Security Goals: CIA Confidentiality: No one can read our data / communication unless we want

1.03k views • 58 slides
Order of Presentations Team Topic 206-2 Evil neighbors - Securing the IPv6 Link-Layer 206-1

Order of Presentations Team Topic 206-2 Evil neighbors - Securing the IPv6 Link-Layer 206-1

Order of Presentations Team Topic 206-2 Evil neighbors - Securing the IPv6 Link-Layer 206-1 IPFS - Interplanetary Filesystem 205-1 BlockCars 205-2 SSL Strip Attack - Downgrade HTTPS to HTTP 201-1 CoAP - 8-Bit uCs also deserve to REST

1.41k views • 117 slides
Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport

Link Layer Where we are in the Course Moving on up to the Link Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Scope of the Link Layer Concerns how to transfer messages over one or more

629 views • 23 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

598 views • 26 slides
Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand

Chapter 5: The Data Link Layer Chapter 5 Link Layer and LANs Our goals: understand principles behind data link layer services: error detection, correction sharing a broadcast channel: multiple access link layer addressing link

591 views • 18 slides
1 Switch link-layer device: smarter than hubs, take active role store, forward Ethernet

1 Switch link-layer device: smarter than hubs, take active role store, forward Ethernet

The Data Link Layer Last time Our goals: link layer services understand principles error detection, correction behind data link layer services: multiple access protocols and LANs error detection, correction link layer

302 views • 18 slides
Data-link layer Da Data ta-link link layer er Referred to as layer 2 Physical

Data-link layer Da Data ta-link link layer er Referred to as layer 2 Physical

Data-link layer Da Data ta-link link layer er Referred to as layer 2 Physical layer is layer 1 Transferring datagram from one node to adjacent node over a physical link wired links (Ethernet) wireless links

721 views • 26 slides
Chapter 5: The Data Link Layer Our goals: r understand principles behind data link layer

Chapter 5: The Data Link Layer Our goals: r understand principles behind data link layer

Chapter 5: The Data Link Layer Our goals: r understand principles behind data link layer services: m error detection, correction m sharing a broadcast channel: multiple access m link layer addressing m reliable data transfer, flow control: done! r

603 views • 37 slides
Chapter 5: The Data Link Layer Our goals: understand principles behind data link layer 1.

Chapter 5: The Data Link Layer Our goals: understand principles behind data link layer 1.

Chapter 5: The Data Link Layer Our goals: understand principles behind data link layer 1. services: error detection, correction sharing a broadcast channel: multiple access link layer addressing reliable data transfer, flow

541 views • 43 slides
Lecture 6: Wireless Link Layer, Lecture 6: Wireless Link Layer, MAC protocols, CSMA MAC

Lecture 6: Wireless Link Layer, Lecture 6: Wireless Link Layer, MAC protocols, CSMA MAC

Lecture 6: Wireless Link Layer, Lecture 6: Wireless Link Layer, MAC protocols, CSMA MAC protocols, CSMA Mythili Vutukuru CS 653 Spring 2014 Jan 23, Thursday Wireless Link Layer Link layer (layer 2) is above physical layer Link layer

720 views • 12 slides
3 Data Link Layer Data Link Layer Internet checksum (review) Next talk about CRC Goal: detect

3 Data Link Layer Data Link Layer Internet checksum (review) Next talk about CRC Goal: detect

Data Link Layer Data Link Layer How much redundancy? Hamming Distance In information theory, the Hamming distance between two strings of equal length Given a K-bit string data, how many is the number of positions at which the redundant bits

830 views • 6 slides
Link Layer Link Layer Transfer frames over one or more connected links Frames are messages

Link Layer Link Layer Transfer frames over one or more connected links Frames are messages

Link Layer Link Layer Transfer frames over one or more connected links Frames are messages of limited size Builds on the physical layer which moves stream of bits Frame CSE 461 University of Washington 2 In terms of layers

439 views • 20 slides
Denial-of-Service (DoS) &amp; Web Attacks CS 161: Computer Security Prof. Vern Paxson TAs:

Denial-of-Service (DoS) &amp; Web Attacks CS 161: Computer Security Prof. Vern Paxson TAs:

Denial-of-Service (DoS) &amp; Web Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 17, 2011 Goals For Today Continue our

902 views • 52 slides
CM40212 HTTP/SMTP Primer Terminal access The examples are best run from a unix (linux) machine:

CM40212 HTTP/SMTP Primer Terminal access The examples are best run from a unix (linux) machine:

CM40212 HTTP/SMTP Primer Terminal access The examples are best run from a unix (linux) machine: From the windows desktop open Putty Connect to lcpu.bath.ac.uk Log in with your BUCS username and password. Simple HTTP 1.0 get We

779 views • 5 slides
Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information

Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information

Other Forms of Injection Attack Professor Larry Heimann Web Application Security Information Systems Course exam scheduled on October 19 th There is an alternative exam on October 17 th at 6:00pm In Wean 5310 Lab 5 key lessons Lab was a form

300 views • 19 slides
802.1X and Faucet Michael Baird Michael.Baird@ecs.vuw.ac.nz 19-10-2017 FAUCET Conference

802.1X and Faucet Michael Baird Michael.Baird@ecs.vuw.ac.nz 19-10-2017 FAUCET Conference

802.1X and Faucet Michael Baird Michael.Baird@ecs.vuw.ac.nz 19-10-2017 FAUCET Conference Outline Introductjon to 802.1X Design Implementatjon Example confjgs/demo Future work 2 Introduction IEEE 802.1X Port-Based

678 views • 35 slides
Denial of Service Last Class Fault tolerance Concurrency Naming This Class

Denial of Service Last Class Fault tolerance Concurrency Naming This Class

Denial of Service Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a

436 views • 28 slides
Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation! At least two aspects Target payloads Attack origins Future? arenas Attack Payloads Buffer overflow Format strings

535 views • 18 slides
Star-formation in the (Early) Universe a.k.a. My Decade-long Quest to Learn about SMGs Attila

Star-formation in the (Early) Universe a.k.a. My Decade-long Quest to Learn about SMGs Attila

Star-formation in the (Early) Universe a.k.a. My Decade-long Quest to Learn about SMGs Attila Kovcs University of Minnesota Groningen, 28 Feb 2011 Appetizer Submillimeter Galaxies Mezze Innovations Entree Interperting SMG Surveys

732 views • 54 slides
Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP TCP/IP: ICMP, UDP

Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP TCP/IP: ICMP, UDP

1/24/2012 Recap and overview Looking at security of TCP/IP IP, Ethernet, ARP TCP/IP: ICMP, UDP Sniffing the network and forging packets tcpdump, wireshark Today: ICMP and UDP Network Security Lecture 5 Eike Ritter Network

281 views • 7 slides

More recommend