SlideShare uma empresa Scribd logo

DDoS Attack Detection & Mitigation in SDN

C
Chao Chen

project of Software Defined Networks course

Engenharia
1 de 32
Baixar para ler offline
DDoS Attack Detection & Mitigation in SDN FINAL VIVA PRESENTATION 2014-12-08 COMSE-6998 Presented by Chao CHEN (cc3736)
Key Words DDoS Attack Detection and Mitigation Type: ICMP Flood SYN Flood DNS Amplification UDP Flood InMon sFlow-RT + Floodlight controller + Mininet SDN Application to perform DDoS Protection
RESEARCH BACKGROUND SCHEME DESIGN APPLICATION DEVELOPMENT ENVIRONMENT ESTABLISHMENT TEST & EVALUATION
RESEARCH BACKGROUND
Research Background Real Time detection and mitigation with lowest cost of device deployment
Research Background sFlow = sampled Flow Device Capability → Easy Deployment Physical Device: Cisco Nexus 3000/3100 series IBM c/g/m/r/s/x/y series Juniper EX 2200/3200/3300/4200/6200 series …… Virtual Device: OpenVSwitch Apache Nginx …… sFlow Collectors: InMon sFlow-RT Brocade Network Advisor …… SDN analytics and control using sFlow standard
Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API
Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API detection mitigation processing
SCHEME DESIGN
Scheme Design Yes No Overall Flowchart of Application need to be specified for different kinds of attacks
Scheme Design ICMP Flood Attack Mechanism: Each device in the botnet ping the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded ipprotocol=1 #ICMP Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design SYN Flood Attack Mechanism: Each device in the botnet sends TCP SYN packets to the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded tcpflags~…….1.=1 #TCP SYN packet Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design DNS Amplification Attack Mechanism: Each device in the botnet sends DNS query to several DNS servers with src-ip=victim’s ip. (take ANY(15) for example)
Scheme Design DNS Amplification Attack Flow Definition: ipsource=0.0.0.0/0, ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers outputifindex!=discard, #packet is not discarded dnsqr=false, dnsqtype=255 Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip Protect at the DNS servers (instead of the victim)
Scheme Design UDP Flood Attack Mechanism: Each device in the botnet sends UDP packets to all the ports if the server Attacker botnet/compromised system target server Command Command Command 1 5 7 9 11 13 15 … UDP port list UDP Packets ICMP Destination Unreachable
Scheme Design UDP Flood Attack Flow Definition: ipsource=10.0.0.2/32, #reversed ipdestination=0.0.0.0/0, outputifindex!=discard, #packet is not discarded ipprotocol=1, #ICMP icmptype=3, #Destination Unreachable Match Field in blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip Protect by monitoring ICMP Destination Unreachable packets
APPLICATION DEVELOPMENT
Application Development python Import requests & json to perform GET/PUT/POST via REST API Different attacks are implemented similarly. Take ICMP Flood attack as example. Definition of flows, thresholds,…: POST the definition to sFlow-RT:
Application Development Attack classification & Static Flow Entry Push:
ENVIRONMENT ESTABLISHMENT
Environment Establishment Laptop Ubuntu VM App Mininet 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.10.10.2:6633 10.10.10.2:8080 10.10.10.2:8008 10.10.10.2:6343
TEST & EVALUATION
Test & Evaluation Launch floodlight: ./floodlight.sh Launch InMon sFlow-RT: ./start.sh Launch InMon sFlow-RT: sudo ./topo.sh set s1 is a sFlow agent, and set up bridge between s1 and sFlow-RT
Test & Evaluation Without mitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2 network traffic flow attack from h4 ICMP Flood Attack
Test & Evaluation With mitigation: h4 ICMP attack on h2 network traffic flow attack from h4 is mitigated ICMP Flood Attack
Test & Evaluation Continue: h5 ICMP attack on h2 network traffic flow attack from h5 is mitigated ICMP Flood Attack
Test & Evaluation ICMP Flood Attack ‘subflows’ in ICMP Attack Flow Events triggered in this case Flowtable of s1 (attacked by h3, h4, h6)
Test & Evaluation SYN Flood Attack Without mitigation: h1 SYN attack on h2 with: ping —tcp -p 80 —flag syn -rate 2000 —count 20000000 —no-capture —quiet 10.0.0.2 network traffic flow
Test & Evaluation SYN Flood Attack With mitigation: h6 and h4 SYN attack on h2 SYN Flood Traffic Flowtable of s1 (attacked by h3, h4, h5, h6) attacks from h6 and h4 are mitigated
Test & Evaluation DNS Amplification Attack & UDP Flood Attack: Cannot simulate attacks → No test result yet
Test & Evaluation Future Work: 1. Test on DNS Amplification Attack & UDP Flood Attack 2. {new_sample_rate, new_threshold} =update(old_sample_rate, old_threshold, network_congestion, server_status,…) 3. Sample Theory is efficient on large flows. Think about {tiny flows x n} 4. Reasonable unblock mechanism
Q&A

Recomendados

DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKSAnil Antony
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Firewall security in computer network
Firewall security in computer networkFirewall security in computer network
Firewall security in computer networkpoorvavyas4
 
security in wireless sensor networks
security in wireless sensor networkssecurity in wireless sensor networks
security in wireless sensor networksVishnu Kudumula
 
Dmz
Dmz Dmz
Dmz أحلام انصارى
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
OpenFlow
OpenFlowOpenFlow
OpenFlowKingston Smiler
 

Recomendados

DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKSAnil Antony
 
Intrusion prevention system(ips)
Intrusion prevention system(ips)Intrusion prevention system(ips)
Intrusion prevention system(ips)Papun Papun
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Firewall security in computer network
Firewall security in computer networkFirewall security in computer network
Firewall security in computer networkpoorvavyas4
 
security in wireless sensor networks
security in wireless sensor networkssecurity in wireless sensor networks
security in wireless sensor networksVishnu Kudumula
 
Dmz
Dmz Dmz
Dmz أحلام انصارى
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
OpenFlow
OpenFlowOpenFlow
OpenFlowKingston Smiler
 
Introduction to SDN: Software Defined Networking
Introduction to SDN: Software Defined NetworkingIntroduction to SDN: Software Defined Networking
Introduction to SDN: Software Defined NetworkingAnkita Mahajan
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Bangladesh Network Operators Group
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
Sdn ppt
Sdn pptSdn ppt
Sdn pptPallavi Chhikara
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceEr. Shiva K. Shrestha
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Introduction to SDN and NFV
Introduction to SDN and NFVIntroduction to SDN and NFV
Introduction to SDN and NFVCoreStack
 
Cyber Threat Intel : Overview
Cyber Threat Intel : OverviewCyber Threat Intel : Overview
Cyber Threat Intel : OverviewDeepak Kumar (D3)
 
Software Defined Network (SDN)
Software Defined Network (SDN)Software Defined Network (SDN)
Software Defined Network (SDN)Ahmed Ayman
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowJoel W. King
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPSSantosh Khadsare
 
Introduction to Network Function Virtualization (NFV)
Introduction to Network Function Virtualization (NFV)Introduction to Network Function Virtualization (NFV)
Introduction to Network Function Virtualization (NFV)rjain51
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Securitylalithambiga kamaraj
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffingBhavya Chawla
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingThomas Graf
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Trojan virus & backdoors
Trojan virus & backdoorsTrojan virus & backdoors
Trojan virus & backdoorsShrey Vyas
 
SNMP
SNMPSNMP
SNMPOECLIB Odisha Electronics Control Library
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 

Mais conteúdo relacionado

Mais procurados

Introduction to SDN: Software Defined Networking
Introduction to SDN: Software Defined NetworkingIntroduction to SDN: Software Defined Networking
Introduction to SDN: Software Defined NetworkingAnkita Mahajan
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceEr. Shiva K. Shrestha
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)Netwax Lab
 
Introduction to SDN and NFV
Introduction to SDN and NFVIntroduction to SDN and NFV
Introduction to SDN and NFVCoreStack
 
Software Defined Network (SDN)
Software Defined Network (SDN)Software Defined Network (SDN)
Software Defined Network (SDN)Ahmed Ayman
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlowJoel W. King
 
Introduction to Network Function Virtualization (NFV)
Introduction to Network Function Virtualization (NFV)Introduction to Network Function Virtualization (NFV)
Introduction to Network Function Virtualization (NFV)rjain51
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewallsCastleforce
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffingBhavya Chawla
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingThomas Graf
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewallCoder Tech
 
Trojan virus & backdoors
Trojan virus & backdoorsTrojan virus & backdoors
Trojan virus & backdoorsShrey Vyas
 

Mais procurados (20)

Introduction to SDN: Software Defined Networking
Introduction to SDN: Software Defined NetworkingIntroduction to SDN: Software Defined Networking
Introduction to SDN: Software Defined Networking
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
 
Sdn ppt
Sdn pptSdn ppt
Sdn ppt
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of Service
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
 
Introduction to SDN and NFV
Introduction to SDN and NFVIntroduction to SDN and NFV
Introduction to SDN and NFV
 
Cyber Threat Intel : Overview
Cyber Threat Intel : OverviewCyber Threat Intel : Overview
Cyber Threat Intel : Overview
 
Software Defined Network (SDN)
Software Defined Network (SDN)Software Defined Network (SDN)
Software Defined Network (SDN)
 
Introduction to OpenFlow
Introduction to OpenFlowIntroduction to OpenFlow
Introduction to OpenFlow
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Introduction to Network Function Virtualization (NFV)
Introduction to Network Function Virtualization (NFV)Introduction to Network Function Virtualization (NFV)
Introduction to Network Function Virtualization (NFV)
 
Palo alto networks next generation firewalls
Palo alto networks next generation firewallsPalo alto networks next generation firewalls
Palo alto networks next generation firewalls
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffing
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
 
Firewall and Types of firewall
Firewall and Types of firewallFirewall and Types of firewall
Firewall and Types of firewall
 
Trojan virus & backdoors
Trojan virus & backdoorsTrojan virus & backdoors
Trojan virus & backdoors
 
SNMP
SNMPSNMP
SNMP
 

Semelhante a DDoS Attack Detection & Mitigation in SDN

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerHACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerPriyanka Aash
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standardarnaudlh
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PROIDEA
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksfangjiafu
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Floodlight OpenFlow DDoS
Floodlight OpenFlow DDoSFloodlight OpenFlow DDoS
Floodlight OpenFlow DDoSYoav Francis
 
Networking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey FedorovNetworking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey FedorovSergey Fedorov
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Topology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & KuryrTopology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & KuryrEshed Gal-Or
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification InfernoSriram Krishnan
 

Semelhante a DDoS Attack Detection & Mitigation in SDN (20)

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerHACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standard
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
DDoS.ppt
DDoS.pptDDoS.ppt
DDoS.ppt
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacks
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Network Sniffing
Network SniffingNetwork Sniffing
Network Sniffing
 
Floodlight OpenFlow DDoS
Floodlight OpenFlow DDoSFloodlight OpenFlow DDoS
Floodlight OpenFlow DDoS
 
Networking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey FedorovNetworking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
 
3-sdn-lab.pdf
3-sdn-lab.pdf3-sdn-lab.pdf
3-sdn-lab.pdf
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Topology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & KuryrTopology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & Kuryr
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification Inferno
 

Último

Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfRagavanV2
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...soginsider
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.Kamal Acharya
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086anil_gaur
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Standamitlee9823
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxJIT KUMAR GUPTA
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 

Último (20)

Unit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdfUnit 2- Effective stress & Permeability.pdf
Unit 2- Effective stress & Permeability.pdf
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 

DDoS Attack Detection & Mitigation in SDN

  • 1. DDoS Attack Detection & Mitigation in SDN FINAL VIVA PRESENTATION 2014-12-08 COMSE-6998 Presented by Chao CHEN (cc3736)
  • 2. Key Words DDoS Attack Detection and Mitigation Type: ICMP Flood SYN Flood DNS Amplification UDP Flood InMon sFlow-RT + Floodlight controller + Mininet SDN Application to perform DDoS Protection
  • 3. RESEARCH BACKGROUND SCHEME DESIGN APPLICATION DEVELOPMENT ENVIRONMENT ESTABLISHMENT TEST & EVALUATION
  • 5. Research Background Real Time detection and mitigation with lowest cost of device deployment
  • 6. Research Background sFlow = sampled Flow Device Capability → Easy Deployment Physical Device: Cisco Nexus 3000/3100 series IBM c/g/m/r/s/x/y series Juniper EX 2200/3200/3300/4200/6200 series …… Virtual Device: OpenVSwitch Apache Nginx …… sFlow Collectors: InMon sFlow-RT Brocade Network Advisor …… SDN analytics and control using sFlow standard
  • 7. Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API
  • 8. Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API detection mitigation processing
  • 10. Scheme Design Yes No Overall Flowchart of Application need to be specified for different kinds of attacks
  • 11. Scheme Design ICMP Flood Attack Mechanism: Each device in the botnet ping the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded ipprotocol=1 #ICMP Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
  • 12. Scheme Design SYN Flood Attack Mechanism: Each device in the botnet sends TCP SYN packets to the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded tcpflags~…….1.=1 #TCP SYN packet Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
  • 13. Scheme Design DNS Amplification Attack Mechanism: Each device in the botnet sends DNS query to several DNS servers with src-ip=victim’s ip. (take ANY(15) for example)
  • 14. Scheme Design DNS Amplification Attack Flow Definition: ipsource=0.0.0.0/0, ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers outputifindex!=discard, #packet is not discarded dnsqr=false, dnsqtype=255 Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip Protect at the DNS servers (instead of the victim)
  • 15. Scheme Design UDP Flood Attack Mechanism: Each device in the botnet sends UDP packets to all the ports if the server Attacker botnet/compromised system target server Command Command Command 1 5 7 9 11 13 15 … UDP port list UDP Packets ICMP Destination Unreachable
  • 16. Scheme Design UDP Flood Attack Flow Definition: ipsource=10.0.0.2/32, #reversed ipdestination=0.0.0.0/0, outputifindex!=discard, #packet is not discarded ipprotocol=1, #ICMP icmptype=3, #Destination Unreachable Match Field in blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip Protect by monitoring ICMP Destination Unreachable packets
  • 18. Application Development python Import requests & json to perform GET/PUT/POST via REST API Different attacks are implemented similarly. Take ICMP Flood attack as example. Definition of flows, thresholds,…: POST the definition to sFlow-RT:
  • 21. Environment Establishment Laptop Ubuntu VM App Mininet 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.10.10.2:6633 10.10.10.2:8080 10.10.10.2:8008 10.10.10.2:6343
  • 23. Test & Evaluation Launch floodlight: ./floodlight.sh Launch InMon sFlow-RT: ./start.sh Launch InMon sFlow-RT: sudo ./topo.sh set s1 is a sFlow agent, and set up bridge between s1 and sFlow-RT
  • 24. Test & Evaluation Without mitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2 network traffic flow attack from h4 ICMP Flood Attack
  • 25. Test & Evaluation With mitigation: h4 ICMP attack on h2 network traffic flow attack from h4 is mitigated ICMP Flood Attack
  • 26. Test & Evaluation Continue: h5 ICMP attack on h2 network traffic flow attack from h5 is mitigated ICMP Flood Attack
  • 27. Test & Evaluation ICMP Flood Attack ‘subflows’ in ICMP Attack Flow Events triggered in this case Flowtable of s1 (attacked by h3, h4, h6)
  • 28. Test & Evaluation SYN Flood Attack Without mitigation: h1 SYN attack on h2 with: ping —tcp -p 80 —flag syn -rate 2000 —count 20000000 —no-capture —quiet 10.0.0.2 network traffic flow
  • 29. Test & Evaluation SYN Flood Attack With mitigation: h6 and h4 SYN attack on h2 SYN Flood Traffic Flowtable of s1 (attacked by h3, h4, h5, h6) attacks from h6 and h4 are mitigated
  • 30. Test & Evaluation DNS Amplification Attack & UDP Flood Attack: Cannot simulate attacks → No test result yet
  • 31. Test & Evaluation Future Work: 1. Test on DNS Amplification Attack & UDP Flood Attack 2. {new_sample_rate, new_threshold} =update(old_sample_rate, old_threshold, network_congestion, server_status,…) 3. Sample Theory is efficient on large flows. Think about {tiny flows x n} 4. Reasonable unblock mechanism
  • 32. Q&A