1. Denial of Service in Software Defined
Networks
Mohammad Faraji
ms.faraji@mail.utoronto.ca
Supervisor: Alberto Leon-Garcia

2. Cloud Computing
• Cloud computing is a model for
– on-demand network access
– shared pool of configurable computing resources
– rapidly provisioned and
– released with minimal management effort.
2

3. Extended Cloud Computing (ECC)

4. Cloud Security Challenges
– phishing
– Downtime
– Password weakness
– botnet etc.
– Botnet ( DoS, Spamming etc.)
– Shared Resources (side channel, covert channel)
– Fate-sharing

5. Denial Of Service
• Denial of Service : explicit attempt by
attackers to prevent legitimate users of a
service from using that service. (CERT)
• Examples:
– Flooding a network
• Denial Of Service is considered as the
largest security threat

6. Problem
• Application is distributed throughout the
network (ECC)
• Isolating application traffic reduce
probability of denial of service significantly
• Network isolation through VLAN
• Limitation:
– Scalability (4k VLAN id space)
– Complicated Network Management
– Per user policy control

7. Design Goal
• Isolation
• Flexibility
• Location independence
• Easy policy control
• Scalability
• Cache-Coherent

8. Proposed Method
Max = 2 Gb

9. Architecture Elements
sw Secure
Channel
hw Flow Policy Unit
Table
Virtual Resource 3 Virtual Resource 2 Virtual Resource 1

10. Methodology
• Identifying attack set
• Setting up Implementation Platform
• Selecting representative topologies
• Modeling Policy Unit
• Implementing Network Virtualization
• Evaluation

11. Policy Unit model
• Keystone (Openstack Identity Manager)
• Attribute Based Access Control
Policy Enforcement
Authorization and Access Control
Attribute Assertion
Authentication Assertion (single sign-on)

12. Implementation Platform
SOAP/WS-API
Control (BPEL)
Resource Manager Storage Manager
AAA(BPEL) (BPEL)
(BPEL)
Dynamic Link Generator
(BPEL)
Data Store(BPEL) Resources
Resources Storage
Resources
(WS) Storage
Query
DB Result Fabric Programmable
(WS)
(WS)Storage
Generator
(WS)
Processor (WS) Resources (WS)
Resource
(WS) (WS) (WS,BPEL) (WS,BPEL)
Fabric
MySQ Agent
L Resource Resource
SNMP Resource Resource
File
Resource Servers
Fabric

13. Outcome
• A software Platform on OpenFlow switches
• It decreases chance of denial of service by:
– Application is able to define their network
topology
– Each application can have its own policy
– Policy control is fine-grained
• DoS does not affect other’s traffic
• Attack can be easily interrupted

14. References
1. Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures, Princeton
University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
2. M. Jensen, N. Gruschka, and N. Luttenberger, “The impact of flooding attacks on network-based
services,” in Availability, Reliability and Security, 2008. ARES 08. Third International Conference
on, march 2008, pp. 509 –513.
3. B. Kerns, “Amazon: Hey spammers, get off my cloud!” Jul. 2008. [Online].
Availabhttp://voices.washingtonpost.com/securityfix/2008/07/
4. P. Mell and T. Grance, “The nist definition of cloud computing,” National Institute of Standards and
Technology, vol. 53, no. 6, p. 50, 2009. [Online]. Available: http://csrc.nist.gov/groups/SNS/cloud-
computing/cloud-def-v15.doc
5. S. Shankland, “Hps hurd dings cloud computing, ibm,” Oct. 2009.
6. D. Catteddu and G. Hogben, “Cloud Computing Risk Assessment,” Nov. 2009. [Online]. Available:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
7. B. Kerns, “Amazon: Hey spammers, get off my cloud!” Jul. 2008. [Online]. Available:
http://voices.washingtonpost.com/securityfix/2008/07/
8. M. C. Ferrer, “Zeus in-the-cloud,” CA Community Blog, Dec. 2009.
9. M. Price, “The paradox of security in virtual environments,” Computer, vol. 41, no. 11, pp. 22 –
28, nov. 2008.
10. S. King and P. Chen, “Subvirt: implementing malware with virtual machines,” in Security and
Privacy, 2006 IEEE Symposium on, may 2006, pp. 14 pp. –327.

15. THANKS FOR YOUR TIME
QUESTION ?

16. APPENDIX

17. The NIST Cloud Definition Framework
Hybrid Clouds
Deployment
Models Private Community
Public Cloud
Cloud Cloud
Service Software as a Platform as a Infrastructure as a
Models Service (SaaS) Service (PaaS) Service (IaaS)
On Demand Self-Service
Essential
Broad Network Access Rapid Elasticity
Characteristics
Resource Pooling Measured Service
Massive Scale Resilient Computing
Common Homogeneity Geographic Distribution
Characteristics Virtualization Service Orientation
Low Cost Software Advanced Security
Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com
17

18. Classification of DoS Attacks[1]
Attack Affected Area Example Description
Network Level Routers, IP Ascend Kill II, Attack attempts to exhaust hardware
Device Switches, “Christmas Tree Packets” resources using multiple duplicate packets
Firewalls or a software bug.
OS Level Equipment Ping of Death, Attack takes advantage of the way operating
Vendor OS, End- ICMP Echo Attacks, systems implement protocols.
User Equipment. Teardrop
Application Finger Bomb Finger Bomb, Attack a service or machine by using an
Level Attacks Windows NT RealServer application attack to exhaust resources.
G2 6.0
Data Flood Host computer or Smurf Attack (amplifier Attack in which massive quantities of data
(Amplification, network attack) are sent to a target with the intention of
Oscillation, Simple using up bandwidth/processing resources.
Flooding)
UDP Echo (oscillation
attack)
Protocol Feature Servers, Client SYN (connection Attack in which “bugs” in protocol are
Attacks PC, DNS Servers depletion) utilized to take down network resources.
Methods of attack include: IP address
spoofing, and corrupting DNS server cache.