SSG - A solution to prevent saturation attack on the data plane and control plane in SDN/Openflow networks

Abstract: The SDN/OpenFlow architecture opens new opportunities for effective solutions to network security problems; however, it also brings new security challenges compared with traditional network architectures. One of these challenges is that the reactive installation of new flow entries makes both the data plane and the control plane easy targets for resource-saturation attacks that use spoofing techniques such as SYN flooding. A number of solutions to this problem exist, e.g., the Connection Migration (CM) mechanism of Avant-Guard. Nevertheless, most of them increase the load on commodity switches and/or split benign TCP connections, which can increase packet latency and disable some features of the TCP protocol. This paper presents a solution, referred to as SDN-based SYN Flood Guard (SSG), which takes advantage of OpenFlow's ability to match the TCP flags field and of the RST Cookie technique to authenticate the three-way handshake of TCP connections in a device separate from the SDN/OpenFlow switches. Experimental results show that SSG avoids the aforementioned problems and improves SYN flood attack tolerance compared with existing solutions.


[Figure 16 plot: x-axis "Attack rate (SYN pps)", 0 to 5,500; y-axis "Rate of traffic increase (%)", 0 to 3; series: 1/4 servers under attack, 2/4 servers under attack, 3/4 of servers under attack, all servers under attack.]
Figure 16. Traffic increase rate of SSG in comparison with the CM mechanism.
in Table III. The combined traffic is analyzed for four cases: 1/4, 1/2, 3/4 and all of the internal application servers being attacked by SYN flood with source IP spoofing. The results in Figure 16 show that, when the system is under SYN flood attack, the traffic at the OFS interfaces with SSG is only slightly higher than with the CM mechanism: about 1.8% more when half of the internal servers are attacked, and just over 2.5% more when all servers in the system are attacked at a rate of 5500 SYN pps per server.
4. Reduction in OpenFlow Traffic and Load on the Controller
Both Avant-Guard's CM mechanism and the SSG solution monitor the 3HS of a TCP connection before requesting the controller to install FEs on the OFS. This not only prevents useless attack SYN packets from consuming OFS resources, but also protects the controller from being overloaded by the messages those attack connections would trigger, and it reduces the OpenFlow traffic between the OFS and the controller.
Research and Development on Information and Communication Technology
Comparing the interaction between the controller and the system entities in CM (Figure 1) with that in SSG (Figures 5 and 14) shows that for each TCP connection SSG needs only one request to the controller, whereas CM needs two. Consequently, the total number of messages exchanged with the controller to install FEs for legitimate TCP connections in SSG is half the number in CM. This reduces the load on the controller and so makes SSG more resistant to SYN flood attacks than the Avant-Guard CM mechanism.
VI. CONCLUSION
Inspired by the CM mechanism of the Avant-Guard scheme, the proposed SSG solution moves the SYN proxy that monitors the TCP 3HS out of the OFS and into a separate device, termed the SD. The ability to match the TCP flags field, specified in OpenFlow 1.5, is used to filter the relevant packets in the OFS and forward them to the SD, which monitors the 3HS. SSG uses the RST Cookie technique to authenticate the source IP address instead of the SYN Cookie used in CM. In addition, by integrating a SYN flood detection module, SSG processes incoming SYN packets according to the attack state of the destination application server. Thanks to these improvements, SSG overcomes the shortcomings of the CM mechanism and can serve as an alternative that works on any switch supporting OpenFlow 1.5 without modification. The experimental results show that in the attack-free state SSG does not affect packet exchange between the external clients and the internal application servers. When an internal server is under SYN flood attack, SSG consumes fewer resources than CM, with a negligible increase in total traffic at the OFS interfaces. This shows that SSG is more resistant than CM to saturation attacks by SYN flooding on the data and control planes.
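The RST Cookie check and the flag-based steering described in the abstract and in the conclusion above, as an added example (this is not the paper's SSG implementation): an OFS decision function that diverts SYN, SYN-ACK and RST packets to the SD, and an SD model that challenges SYNs to servers in attack state with a SYN-ACK carrying a cookie as its ACK number, whitelists a source only when that cookie comes back as the SEQ of the source's RST, and requests a flow entry from the controller once per verified connection. The class and function names, HMAC-SHA256 as the cookie function, the 16 s cookie slot, the 60 s whitelist lifetime and the simulated client and attacker are assumptions for illustration, not details from the paper.

```python
"""Toy model of SSG's RST-cookie source authentication and flag-based steering.

Added example, not code from the paper. Names, the HMAC-SHA256 cookie, the
16 s cookie slot and the 60 s whitelist lifetime are assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct
import time

# TCP flag bits, in the order OpenFlow 1.5's tcp_flags match field exposes them
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MASK32 = 0xFFFFFFFF


def steer(flags: int) -> str:
    """OFS decision for a TCP packet with no matching flow entry: packets that
    can be part of a 3HS or an RST-cookie reply (SYN, SYN-ACK, RST) are
    diverted to the SD; everything else stays in the normal pipeline."""
    return "to_sd" if flags & (SYN | RST) else "pipeline"


class RstCookieGuard:
    """SD-side logic. While a server is flagged as under attack, a SYN from an
    unverified source is answered with a SYN-ACK whose ACK number is a cookie
    (deliberately not SEQ+1). A real host answers that with RST, SEQ = bad
    ACK (RFC 793); a spoofed source never does. Only verified sources cost a
    request to the controller."""

    SLOT = 16          # seconds per cookie slot (assumption)
    VERIFIED_TTL = 60  # seconds a verified source stays whitelisted (assumption)

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock
        self.under_attack = set()   # servers flagged by the SYN-flood detector
        self.verified = {}          # src_ip -> whitelist expiry (epoch seconds)
        self.controller_requests = 0

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, slot, attempt):
        msg = (ipaddress.ip_address(src_ip).packed
               + ipaddress.ip_address(dst_ip).packed
               + struct.pack("!HHQB", src_port, dst_port, slot, attempt))
        return struct.unpack("!I", hmac.new(self._key, msg, hashlib.sha256).digest()[:4])[0]

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, seq):
        """Return ('install_flow', None) or ('syn_ack', cookie_ack_number)."""
        now = self._clock()
        if dst_ip not in self.under_attack or self.verified.get(src_ip, 0) > now:
            self.controller_requests += 1   # the single request per connection
            return "install_flow", None
        slot = int(now // self.SLOT)
        cookie = self._cookie(src_ip, src_port, dst_ip, dst_port, slot, 0)
        if cookie == (seq + 1) & MASK32:
            # An ACK equal to SEQ+1 would complete the handshake instead of
            # provoking an RST, so fall back to a second cookie value.
            cookie = self._cookie(src_ip, src_port, dst_ip, dst_port, slot, 1)
        return "syn_ack", cookie

    def on_rst(self, src_ip, src_port, dst_ip, dst_port, seq):
        """Verify RST.SEQ against cookies of the current and previous slot, so a
        reply that straddles a slot boundary still verifies; whitelist on success."""
        now = self._clock()
        slot = int(now // self.SLOT)
        got = struct.pack("!I", seq & MASK32)
        for s in (slot, slot - 1):
            for attempt in (0, 1):
                want = struct.pack("!I", self._cookie(src_ip, src_port, dst_ip, dst_port, s, attempt))
                if hmac.compare_digest(got, want):
                    self.verified[src_ip] = now + self.VERIFIED_TTL
                    return True
        return False


def legit_client(guard, src_ip, src_port, dst_ip, dst_port, seq=1000):
    """A real TCP stack: SYN; RST(SEQ = bad ACK) on the bogus SYN-ACK; SYN
    retransmitted after one RTO. Returns the SD's verdict on the retransmit."""
    action, ack = guard.on_syn(src_ip, src_port, dst_ip, dst_port, seq)
    if action == "install_flow":
        return action
    guard.on_rst(src_ip, src_port, dst_ip, dst_port, ack)            # automatic RST
    return guard.on_syn(src_ip, src_port, dst_ip, dst_port, seq)[0]  # retransmitted SYN


def spoofed_syn_flood(guard, dst_ip, count):
    """SYNs with forged (constructed) sources: the SYN-ACKs go to hosts that
    never sent them, so no cookie comes back. Returns flow entries requested."""
    installed = 0
    for i in range(count):
        src = str(ipaddress.IPv4Address("203.0.113.0") + (i % 256))
        action, _ = guard.on_syn(src, 40000 + i, dst_ip, 80, i)
        installed += action == "install_flow"
    return installed
```

Two caveats follow from the mechanism itself. A legitimate source pays one retransmission timeout on its first connection while the destination is in attack state, because its stack only retries the SYN after answering the bogus SYN-ACK with an RST; this is why gating the challenge on the detector's attack state matters, and it is consistent with the paper's observation that the attack-free state is unaffected. The SD must also see the client's RST, so RST packets have to be steered to it alongside SYNs, and the cookie has to be bound to the 4-tuple and a time slot so that a cookie observed once cannot be replayed later from another address.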
REFERENCES
[1] Open Networking Foundation, “SDN architecture overview Version 1.0,” 2013. [Online]. Available: https://www.opennetworking.org/images/stories/downloads/sdn-resources/technical-reports/SDN-architecture-overview-1.0.pdf
[2] ——, “OpenFlow switch specification version 1.3.0 (Wire protocol 0x04),” 2012. [Online]. Available: https://www.opennetworking.org/wp-content/uploads/2014/10/openflow-spec-v1.3.0.pdf
[3] ——, “OpenFlow switch specification version 1.5.1 (Protocol Version 0x06),” 2015. [Online]. Available: https://www.opennetworking.org/wp-content/uploads/2014/10/openflow-switch-v1.5.1.pdf
[4] T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems,” ACM Computing Surveys, vol. 39, no. 1, Article 3, 2007.
[5] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” in Proceedings of the IEEE SDN for Future Networks and Services (SDN4FNS), Trento, Italy, Nov. 11-13 2013, pp. 1–7.
[6] S. Shin and G. Gu, “Attacking software-defined networks: A first feasibility study,” in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN’13), Hong Kong, China, Aug. 16 2013, pp. 165–166.
[7] R. Kandoi and M. Antikainen, “Denial-of-service attacks in OpenFlow SDN networks,” in Proceedings of the IFIP/IEEE International Symposium on Integrated Network Management (IM), Ottawa, ON, Canada, May 11-15 2015, pp. 1322–1326.
[8] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, “AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks,” in Proceedings of the ACM SIGSAC Conference on Computer & Communications Security (CCS’13), Berlin, Germany, Nov. 04 - 08, 2013, pp. 413–424.
[9] D. J. Bernstein, “SYN cookies.” [Online]. Available: https://cr.yp.to/syncookies.html
[10] M. Ambrosin, M. Conti, F. De Gaspari, and R. Poovendran, “LineSwitch: Tackling control plane saturation attacks in software-defined networking,” IEEE/ACM Transactions on Networking, vol. 25, no. 2, pp. 1206–1219, 2017.
[11] CAIDA: Center for Applied Internet Data Analysis, “The CAIDA anonymized internet traces 2013 dataset.” [Online]. Available: 2013 dataset.xml
[12] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, “A security enforcement kernel for OpenFlow networks,” in Proceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN’12), Helsinki, Finland, Aug. 13 2012, pp. 121–126.
[13] L. Wei and C. Fung, “FlowRanger: A request prioritizing algorithm for controller DoS attacks in software defined networks,” in Proceedings of the IEEE International Conference on Communications (ICC), London, UK, Jun. 8-12, 2015, pp. 5254–5259.
[14] N.-N. Dao, J. Park, M. Park, and S. Cho, “A feasible method to combat against DDoS attack in SDN network,” in Proceedings of the International Conference on Information Networking (ICOIN), Siem Reap, Cambodia, Jan. 12-14 2015, pp. 309–311.
[15] R. Sahay, G. Blanc, Z. Zhang, and H. Debar, “Towards autonomic DDoS mitigation using software defined networking,” in Proceedings of the Workshop on Security of Emerging Networking Technologies, San Diego, CA, Feb. 8 2015, 7 pages.
[16] S. Shin, Y. Song, T. Lee, S. Lee, J. Chung, P. Porras, V. Yegneswaran, J. Noh, and B. B. Kang, “Rosemary: A robust, secure, and high-performance network operating system,” in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’14), Scottsdale, Arizona, USA, Nov. 03 - 07 2014, pp. 78–89.
[17] S. Hong, L. Xu, H. Wang, and G. Gu, “Poisoning network visibility in software-defined networks: New attacks and countermeasures,” in Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 8-11 2015, 15 pages.
[18] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, “SPHINX: Detecting security attacks in software-defined networks,” in Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, Feb. 8-11 2015, 15 pages.
[19] D. Kreutz, F. M. Ramos, and P. Verissimo, “Towards secure and dependable software-defined networks,” in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN’13), Hong Kong, China, Aug. 16 2013, pp. 55–60.
Vol. 2019, No. 1, September
[20] R. Kloti, V. Kotronis, and P. Smith, “OpenFlow: A security analysis,” in Proceedings of the 21st IEEE International Conference on Network Protocols (ICNP), Goettingen, Germany, Oct. 07-10 2013, pp. 1–6.
[21] T. Koponen, M. Casado, N. Gude, J. Stribling, L. Poutievski, M. Zhu, R. Ramanathan, Y. Iwata, H. Inoue, T. Hama, and S. Shenker, “Onix: A distributed control platform for large-scale production networks,” in Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI’10), Vancouver, BC, Canada, Oct. 4–6 2010, pp. 351–364.
[22] A. Tootoonchian and Y. Ganjali, “HyperFlow: A distributed control plane for OpenFlow,” in Proceedings of the Internet Network Management Conference on Research on Enterprise Networking (INM/WREN’10), San Jose, CA, Apr. 28-30 2010, 6 pages.
[23] P. Berde, W. Snow, G. Parulkar, M. Gerola, J. Hart, Y. Higuchi, M. Kobayashi, T. Koide, B. Lantz, B. O’Connor, and P. Radoslavov, “ONOS: towards an open, distributed SDN OS,” in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking (HotSDN’14), Chicago, Illinois, USA, Aug. 22 2014, pp. 1–6.
[24] A. Vishnoi, R. Poddar, V. Mann, and S. Bhattacharya, “Effective switch memory management in OpenFlow networks,” in Proceedings of the 8th ACM International Conference on Distributed Event-Based Systems (DEBS’14), Mumbai, India, May 26-29 2014, pp. 177–188.
[25] L. Dridi and M. F. Zhani, “SDN-Guard: DoS attacks mitigation in SDN networks,” in Proceedings of the 5th IEEE International Conference on Cloud Networking (CloudNet), Pisa, Italy, Aug. 17 2016, pp. 212–217.
[26] H. Wang, L. Xu, and G. Gu, “FloodGuard: A DoS attack prevention extension in software-defined networks,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Rio de Janeiro, Brazil, Jun. 22-25 2015, pp. 239–250.
[27] M. Yu, J. Rexford, M. J. Freedman, and J. Wang, “Scalable flow-based networking with DIFANE,” in Proceedings of the ACM SIGCOMM 2010 Conference, New Delhi, India, Aug. 30 - Sep. 03 2010, pp. 351–362.
[28] A. R. Curtis, J. C. Mogul, J. Tourrilhes, P. Yalagandula, P. Sharma, and S. Banerjee, “DevoFlow: Scaling flow management for high-performance networks,” in Proceedings of the ACM SIGCOMM Conference, Toronto, ON, Canada, Aug. 15 - 19 2011, pp. 254–265.
[29] H. Mekky, F. Hao, S. Mukherjee, Z.-L. Zhang, and T. Lakshman, “Application-aware data plane processing in SDN,” in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking (HotSDN’14), Chicago, Illinois, USA, Aug 2014, pp. 13–18.
[30] D. Kotani and Y. Okabe, “A packet-in message filtering mechanism for protection of control plane in OpenFlow switches,” IEICE Transactions on Information and Systems, vol. E99.D, no. 3, pp. 695–707, 2016.
[31] C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, and D. Zamboni, “Analysis of a denial of service attack on TCP,” in Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 04-07 1997, pp. 208–223.
[32] C. Douligeris and A. Mitrokotsa, “DDoS attacks and defense mechanisms: Classification and state-of-the-art,” Computer Networks, vol. 44, pp. 643–666, 2004.
[33] W. M. Eddy, “Defenses against TCP SYN flooding attacks,” The Internet Protocol Journal, vol. 9, no. 4, pp. 2–16, 2006.
[34] J. Postel, “Transmission Control Protocol, DARPA Internet Program Protocol Specification, RFC 793,” 1981. [Online]. Available: https://tools.ietf.org/html/rfc793
[35] D. V. Tuyen and T. T. Huong, “A multi-criteria based software defined networking system architecture for DDoS-attack mitigation,” REV Journal on Electronics and Communications, vol. 6, no. 3, pp. 50–60, 2017.
[36] The Linux Foundation Projects, “Data Plane Development Kit (DPDK).” [Online]. Available: https://www.dpdk.org
[37] J. L. Deng, “Introduction to grey system theory,” The Journal of Grey Systems, vol. 1, no. 1, pp. 1–24, 1989.
[38] T. Bohlin, Practical Grey-box Process Identification: Theory and Applications (Advances in Industrial Control). Berlin, Heidelberg, Germany: Springer-Verlag, 2006.
[39] E. Kayacan, B. Ulutas, and O. Kaynak, “Grey system theory-based models in time series prediction,” Expert Systems with Applications, vol. 37, no. 2, pp. 1784–1789, 2010.
[40] D. Zhang, H. Wang, and K. G. Shin, “Change-point monitoring for the detection of DoS attacks,” IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 4, pp. 193–208, 2004.
[41] J. L. Hellerstein, F. Zhang, and P. Shahabuddin, “A statistical approach to predictive detection,” Computer Networks, vol. 35, no. 1, pp. 77–95, 2001.
[42] S. Wang, Q. Sun, H. Zou, and F. Yang, “Detecting SYN flooding attacks based on traffic prediction: A demonstration of the security communication networks class file,” Security and Communication Networks, vol. 5, no. 10, pp. 1131–1140, 2012.
[43] The Linux Foundation Collaborative Project, “Open vSwitch.” [Online]. Available: https://www.openvswitch.org
[44] Project Floodlight, “Floodlight OpenFlow controller.” [Online]. Available:
[45] M. Goldstein, “BoNeSi: the DDoS botnet simulator.” [Online]. Available: https://github.com/Markus-Go/bonesi
[46] Wireshark Foundation, “Wireshark.” [Online]. Available: https://www.wireshark.org
[47] F. Klassen, “Tcpreplay: PCAP editing and replaying utilities.” [Online]. Available: https://tcpreplay.appneta.com
Dang Van Tuyen obtained his Bachelor degree in Electronics and Telecommunications in 1999 and his Master degree in Telecommunication Engineering in 2008 from Hanoi University of Science and Technology (HUST), Vietnam. He is a lecturer at the Faculty of Electronics and Telecommunications, People’s Police University of Technology and Logistics, Ministry of Public Security, Vietnam. He is currently pursuing a PhD in Telecommunication Engineering at HUST. His research interests include network security, SDN networks, quality of service, and wireless sensor networks.
Truong Thu Huong is Associate Professor at the School of Electronics and Telecommunications, Hanoi University of Science and Technology (HUST). She is also Vice Director of Elitech, a project to promote all elite education programs of HUST. Truong’s educational, research, and development work is oriented toward next-generation networks, protocols and mechanisms, traffic analysis, QoE/QoS measurement, green networking, the deployment of new integrated multimedia services into fixed and mobile networks, network security, and applications in the Internet of Things. She has served international research conferences in roles such as TPC member, publicity chair, organizer and track chair, and serves international journals as a reviewer. She is also active in capacity building and in research and education development.