CC
Uploaded byChao Chen
8,188 views

DDoS Attack Detection & Mitigation in SDN

This document summarizes a presentation on detecting and mitigating distributed denial of service (DDoS) attacks in software-defined networks. It discusses using sFlow and the Floodlight controller to detect common DDoS attack types like ICMP floods, SYN floods, and DNS amplification. An application was developed in Python to classify attacks and push static flow entries to direct attack traffic to the sFlow collector for analysis. The scheme was tested in a Mininet virtual network and shown to successfully mitigate ICMP and SYN flood attacks. Future work includes testing DNS amplification and UDP floods, implementing adaptive sampling rates and thresholds, and designing an unblocking mechanism.

Embed presentation

Downloaded 400 times
DDoS Attack Detection & Mitigation in SDN FINAL VIVA PRESENTATION 2014-12-08 COMSE-6998 Presented by Chao CHEN (cc3736)
Key Words DDoS Attack Detection and Mitigation Type: ICMP Flood SYN Flood DNS Amplification UDP Flood InMon sFlow-RT + Floodlight controller + Mininet SDN Application to perform DDoS Protection
RESEARCH BACKGROUND SCHEME DESIGN APPLICATION DEVELOPMENT ENVIRONMENT ESTABLISHMENT TEST & EVALUATION
RESEARCH BACKGROUND
Research Background Real Time detection and mitigation with lowest cost of device deployment
Research Background sFlow = sampled Flow Device Capability → Easy Deployment Physical Device: Cisco Nexus 3000/3100 series IBM c/g/m/r/s/x/y series Juniper EX 2200/3200/3300/4200/6200 series …… Virtual Device: OpenVSwitch Apache Nginx …… sFlow Collectors: InMon sFlow-RT Brocade Network Advisor …… SDN analytics and control using sFlow standard
Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API
Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API detection mitigation processing
SCHEME DESIGN
Scheme Design Yes No Overall Flowchart of Application need to be specified for different kinds of attacks
Scheme Design ICMP Flood Attack Mechanism: Each device in the botnet ping the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded ipprotocol=1 #ICMP Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design SYN Flood Attack Mechanism: Each device in the botnet sends TCP SYN packets to the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded tcpflags~…….1.=1 #TCP SYN packet Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design DNS Amplification Attack Mechanism: Each device in the botnet sends DNS query to several DNS servers with src-ip=victim’s ip. (take ANY(15) for example)
Scheme Design DNS Amplification Attack Flow Definition: ipsource=0.0.0.0/0, ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers outputifindex!=discard, #packet is not discarded dnsqr=false, dnsqtype=255 Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip Protect at the DNS servers (instead of the victim)
Scheme Design UDP Flood Attack Mechanism: Each device in the botnet sends UDP packets to all the ports if the server Attacker botnet/compromised system target server Command Command Command 1 5 7 9 11 13 15 … UDP port list UDP Packets ICMP Destination Unreachable
Scheme Design UDP Flood Attack Flow Definition: ipsource=10.0.0.2/32, #reversed ipdestination=0.0.0.0/0, outputifindex!=discard, #packet is not discarded ipprotocol=1, #ICMP icmptype=3, #Destination Unreachable Match Field in blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip Protect by monitoring ICMP Destination Unreachable packets
APPLICATION DEVELOPMENT
Application Development python Import requests & json to perform GET/PUT/POST via REST API Different attacks are implemented similarly. Take ICMP Flood attack as example. Definition of flows, thresholds,…: POST the definition to sFlow-RT:
Application Development Attack classification & Static Flow Entry Push:
ENVIRONMENT ESTABLISHMENT
Environment Establishment Laptop Ubuntu VM App Mininet 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.10.10.2:6633 10.10.10.2:8080 10.10.10.2:8008 10.10.10.2:6343
TEST & EVALUATION
Test & Evaluation Launch floodlight: ./floodlight.sh Launch InMon sFlow-RT: ./start.sh Launch InMon sFlow-RT: sudo ./topo.sh set s1 is a sFlow agent, and set up bridge between s1 and sFlow-RT
Test & Evaluation Without mitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2 network traffic flow attack from h4 ICMP Flood Attack
Test & Evaluation With mitigation: h4 ICMP attack on h2 network traffic flow attack from h4 is mitigated ICMP Flood Attack
Test & Evaluation Continue: h5 ICMP attack on h2 network traffic flow attack from h5 is mitigated ICMP Flood Attack
Test & Evaluation ICMP Flood Attack ‘subflows’ in ICMP Attack Flow Events triggered in this case Flowtable of s1 (attacked by h3, h4, h6)
Test & Evaluation SYN Flood Attack Without mitigation: h1 SYN attack on h2 with: ping —tcp -p 80 —flag syn -rate 2000 —count 20000000 —no-capture —quiet 10.0.0.2 network traffic flow
Test & Evaluation SYN Flood Attack With mitigation: h6 and h4 SYN attack on h2 SYN Flood Traffic Flowtable of s1 (attacked by h3, h4, h5, h6) attacks from h6 and h4 are mitigated
Test & Evaluation DNS Amplification Attack & UDP Flood Attack: Cannot simulate attacks → No test result yet
Test & Evaluation Future Work: 1. Test on DNS Amplification Attack & UDP Flood Attack 2. {new_sample_rate, new_threshold} =update(old_sample_rate, old_threshold, network_congestion, server_status,…) 3. Sample Theory is efficient on large flows. Think about {tiny flows x n} 4. Reasonable unblock mechanism
Q&A

More Related Content

PPTX
Intrusion prevention system(ips)
byPapun Papun
 
PPTX
DNS spoofing/poisoning Attack
byFatima Qayyum
 
PPTX
Intrusion Detection Systems (IDS)
byHachmdhmdzad
 
PPTX
Packet sniffing
byShyama Bhuvanendran
 
PPTX
Intrusion prevention systems
bysamis
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
PPTX
Intrusion detection and prevention system
byNikhil Raj
 
PPTX
Network packet analysis -capture and Analysis
byManjushree Mashal
 
Intrusion prevention system(ips)
byPapun Papun
 
DNS spoofing/poisoning Attack
byFatima Qayyum
 
Intrusion Detection Systems (IDS)
byHachmdhmdzad
 
Packet sniffing
byShyama Bhuvanendran
 
Intrusion prevention systems
bysamis
 
Intrusion Detection Systems and Intrusion Prevention Systems
byCleverence Kombe
 
Intrusion detection and prevention system
byNikhil Raj
 
Network packet analysis -capture and Analysis
byManjushree Mashal
 

What's hot

PDF
Network Security Fundamentals
byRahmat Suhatman
 
PPT
Network Security
byMAJU
 
PPTX
Honeypot
bySushan Sharma
 
PPT
Intrusion detection system ppt
bySheetal Verma
 
PPTX
Network intrusion detection system and analysis
byBikrant Gautam
 
PPTX
Wireshark
bySourav Roy
 
PPTX
IPSec and VPN
byAbdullaziz Tagawy
 
PPT
IDS and IPS
bySantosh Khadsare
 
PPTX
Network attacks
byManjushree Mashal
 
PPTX
IDS, IPS, IDPS
byMinhaz A V
 
PPTX
Firewall and Types of firewall
byCoder Tech
 
PDF
IPS (intrusion prevention system)
byNetwax Lab
 
PPTX
Denial of service attack
byKaustubh Padwad
 
PPTX
Packet Sniffer
byvilss
 
PPTX
Network security
byhajra azam
 
PDF
Cloud security
byBikashPokharel3
 
PDF
Introduction IDS
byHitesh Mohapatra
 
PPT
intrusion detection system (IDS)
byAj Maurya
 
PPTX
Ddos attacks
bycommunication-eg
 
PPTX
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
Network Security Fundamentals
byRahmat Suhatman
 
Network Security
byMAJU
 
Honeypot
bySushan Sharma
 
Intrusion detection system ppt
bySheetal Verma
 
Network intrusion detection system and analysis
byBikrant Gautam
 
Wireshark
bySourav Roy
 
IPSec and VPN
byAbdullaziz Tagawy
 
IDS and IPS
bySantosh Khadsare
 
Network attacks
byManjushree Mashal
 
IDS, IPS, IDPS
byMinhaz A V
 
Firewall and Types of firewall
byCoder Tech
 
IPS (intrusion prevention system)
byNetwax Lab
 
Denial of service attack
byKaustubh Padwad
 
Packet Sniffer
byvilss
 
Network security
byhajra azam
 
Cloud security
byBikashPokharel3
 
Introduction IDS
byHitesh Mohapatra
 
intrusion detection system (IDS)
byAj Maurya
 
Ddos attacks
bycommunication-eg
 
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 

Similar to DDoS Attack Detection & Mitigation in SDN

PPTX
Denial of Service Threats: Analysis of DoS and DDoS Attacks with Mitigation T...
bysu92bssemf220701
 
PDF
Implementation of ICMP flood detection and mitigation system based on softwar...
byTELKOMNIKA JOURNAL
 
PDF
DDoS Attack
byGopi Krishnan S
 
PDF
Common Dos and DDoS
byJayesh Patel
 
PDF
ECE560 Denial of Service Attacks Fall2020.pdf
byTuulTriyason
 
PDF
Azure DDoS Protection Standard
byarnaudlh
 
PPT
D do s
bysunilkumar021
 
PDF
DDoS Threat Landscape - Ron Winward CHINOG16
byRadware
 
PDF
12 types of DDoS attacks
byHaltdos
 
PPTX
BADCamp 2017 - Anatomy of DDoS
bySuzanne Aldrich
 
PPTX
Anatomy of DDoS - Builderscon Tokyo 2017
bySuzanne Aldrich
 
PPTX
SCE11-0315
byJonathan Lee
 
PDF
A10 issa d do s 5-2014
byRaleigh ISSA
 
DOCX
Entropy based DDos Detection in SDN
byVishal Vasudev
 
PPT
Floodlight OpenFlow DDoS
byYoav Francis
 
PDF
Fortinet_FortiDDoS_Introduction
byswang2010
 
PDF
Common Types of DDoS Attacks | MazeBolt Technologies
byMazeBolt Technologies
 
PDF
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
byssuser262297
 
PPTX
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
byPriyadharshiniHemaku
 
PPT
透视消费者.ppt
bywei mingyang
 
Denial of Service Threats: Analysis of DoS and DDoS Attacks with Mitigation T...
bysu92bssemf220701
 
Implementation of ICMP flood detection and mitigation system based on softwar...
byTELKOMNIKA JOURNAL
 
DDoS Attack
byGopi Krishnan S
 
Common Dos and DDoS
byJayesh Patel
 
ECE560 Denial of Service Attacks Fall2020.pdf
byTuulTriyason
 
Azure DDoS Protection Standard
byarnaudlh
 
D do s
bysunilkumar021
 
DDoS Threat Landscape - Ron Winward CHINOG16
byRadware
 
12 types of DDoS attacks
byHaltdos
 
BADCamp 2017 - Anatomy of DDoS
bySuzanne Aldrich
 
Anatomy of DDoS - Builderscon Tokyo 2017
bySuzanne Aldrich
 
SCE11-0315
byJonathan Lee
 
A10 issa d do s 5-2014
byRaleigh ISSA
 
Entropy based DDos Detection in SDN
byVishal Vasudev
 
Floodlight OpenFlow DDoS
byYoav Francis
 
Fortinet_FortiDDoS_Introduction
byswang2010
 
Common Types of DDoS Attacks | MazeBolt Technologies
byMazeBolt Technologies
 
MS_ISAC__DDoS_Attacks_Guide__2023_05.pdf
byssuser262297
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
byPriyadharshiniHemaku
 
透视消费者.ppt
bywei mingyang
 

Recently uploaded

PPT
Integer , Goal and Non linear Programming Model
byOcheriCyril2
 
PDF
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
PPTX
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
PDF
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
PPT
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
PDF
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
PDF
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
PDF
Computer Network Lab Manual ssit -kavya r.pdf or Computer Network Lab Manual ...
bykavya R
 
PPT
Cloud computing-1.ppt presentation preview
byMohanaPriya780617
 
PDF
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
PPTX
1.Module 4-Clamping of jigs and fixtures for manufacturing.pptx
bycondieki
 
PPTX
GET 211- Computing and Software Engineering (1).pptx
byfestusdaniel142
 
PPTX
A professional presentation on Cosmos Bank Heist
byssuser7f0075
 
PDF
Chemical Hazards at Workplace – Types, Properties & Exposure Routes, CORE-EHS
byCORE EHS
 
PDF
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
PDF
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
PDF
Computer Graphics Fundamentals (v0p1) - DannyJiang
byDanny Jiang
 
PDF
Applications of AI in Civil Engineering - Dr. Rohan Dasgupta
byRohan Dasgupta
 
PDF
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
PPTX
traffic safety section seven (Traffic Control and Management) of Act
byazeRakeshSunariMagar
 
Integer , Goal and Non linear Programming Model
byOcheriCyril2
 
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
Ceramic Matrix Composites Slide from Composite Materials
byUsman635773
 
Soil Compressibility (Elastic Settlement).pdf
byMahmoodKhalid11
 
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
Computer Network Lab Manual ssit -kavya r.pdf or Computer Network Lab Manual ...
bykavya R
 
Cloud computing-1.ppt presentation preview
byMohanaPriya780617
 
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
1.Module 4-Clamping of jigs and fixtures for manufacturing.pptx
bycondieki
 
GET 211- Computing and Software Engineering (1).pptx
byfestusdaniel142
 
A professional presentation on Cosmos Bank Heist
byssuser7f0075
 
Chemical Hazards at Workplace – Types, Properties & Exposure Routes, CORE-EHS
byCORE EHS
 
engineering management chapter 5 ppt presentation
byericaangelatoledo06
 
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
Computer Graphics Fundamentals (v0p1) - DannyJiang
byDanny Jiang
 
Applications of AI in Civil Engineering - Dr. Rohan Dasgupta
byRohan Dasgupta
 
Basics of Electronics Task by Vivaan Jo Varghese.pdf
byVivaan Jo Varghese
 
traffic safety section seven (Traffic Control and Management) of Act
byazeRakeshSunariMagar
 

DDoS Attack Detection & Mitigation in SDN

  • 1.
    DDoS Attack Detection &Mitigation in SDN FINAL VIVA PRESENTATION 2014-12-08 COMSE-6998 Presented by Chao CHEN (cc3736)
  • 2.
    Key Words DDoS AttackDetection and Mitigation Type: ICMP Flood SYN Flood DNS Amplification UDP Flood InMon sFlow-RT + Floodlight controller + Mininet SDN Application to perform DDoS Protection
  • 3.
    RESEARCH BACKGROUND SCHEME DESIGN APPLICATIONDEVELOPMENT ENVIRONMENT ESTABLISHMENT TEST & EVALUATION
  • 4.
  • 5.
    Research Background Real Timedetection and mitigation with lowest cost of device deployment
  • 6.
    Research Background sFlow =sampled Flow Device Capability → Easy Deployment Physical Device: Cisco Nexus 3000/3100 series IBM c/g/m/r/s/x/y series Juniper EX 2200/3200/3300/4200/6200 series …… Virtual Device: OpenVSwitch Apache Nginx …… sFlow Collectors: InMon sFlow-RT Brocade Network Advisor …… SDN analytics and control using sFlow standard
  • 7.
    Research Background sFlow +Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API
  • 8.
    Research Background sFlow +Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API detection mitigation processing
  • 9.
  • 10.
    Scheme Design Yes No Overall Flowchartof Application need to be specified for different kinds of attacks
  • 11.
    Scheme Design ICMPFlood Attack Mechanism: Each device in the botnet ping the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded ipprotocol=1 #ICMP Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
  • 12.
    Scheme Design SYNFlood Attack Mechanism: Each device in the botnet sends TCP SYN packets to the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded tcpflags~…….1.=1 #TCP SYN packet Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
  • 13.
    Scheme Design DNSAmplification Attack Mechanism: Each device in the botnet sends DNS query to several DNS servers with src-ip=victim’s ip. (take ANY(15) for example)
  • 14.
    Scheme Design DNSAmplification Attack Flow Definition: ipsource=0.0.0.0/0, ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers outputifindex!=discard, #packet is not discarded dnsqr=false, dnsqtype=255 Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip Protect at the DNS servers (instead of the victim)
  • 15.
    Scheme Design UDPFlood Attack Mechanism: Each device in the botnet sends UDP packets to all the ports if the server Attacker botnet/compromised system target server Command Command Command 1 5 7 9 11 13 15 … UDP port list UDP Packets ICMP Destination Unreachable
  • 16.
    Scheme Design UDPFlood Attack Flow Definition: ipsource=10.0.0.2/32, #reversed ipdestination=0.0.0.0/0, outputifindex!=discard, #packet is not discarded ipprotocol=1, #ICMP icmptype=3, #Destination Unreachable Match Field in blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip Protect by monitoring ICMP Destination Unreachable packets
  • 17.
  • 18.
    Application Development python Import requests& json to perform GET/PUT/POST via REST API Different attacks are implemented similarly. Take ICMP Flood attack as example. Definition of flows, thresholds,…: POST the definition to sFlow-RT:
  • 19.
  • 20.
  • 21.
    Environment Establishment Laptop Ubuntu VM App Mininet 10.0.0.110.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.10.10.2:6633 10.10.10.2:8080 10.10.10.2:8008 10.10.10.2:6343
  • 22.
  • 23.
    Test & Evaluation Launchfloodlight: ./floodlight.sh Launch InMon sFlow-RT: ./start.sh Launch InMon sFlow-RT: sudo ./topo.sh set s1 is a sFlow agent, and set up bridge between s1 and sFlow-RT
  • 24.
    Test & Evaluation Withoutmitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2 network traffic flow attack from h4 ICMP Flood Attack
  • 25.
    Test & Evaluation Withmitigation: h4 ICMP attack on h2 network traffic flow attack from h4 is mitigated ICMP Flood Attack
  • 26.
    Test & Evaluation Continue:h5 ICMP attack on h2 network traffic flow attack from h5 is mitigated ICMP Flood Attack
  • 27.
    Test & EvaluationICMP Flood Attack ‘subflows’ in ICMP Attack Flow Events triggered in this case Flowtable of s1 (attacked by h3, h4, h6)
  • 28.
    Test & EvaluationSYN Flood Attack Without mitigation: h1 SYN attack on h2 with: ping —tcp -p 80 —flag syn -rate 2000 —count 20000000 —no-capture —quiet 10.0.0.2 network traffic flow
  • 29.
    Test & EvaluationSYN Flood Attack With mitigation: h6 and h4 SYN attack on h2 SYN Flood Traffic Flowtable of s1 (attacked by h3, h4, h5, h6) attacks from h6 and h4 are mitigated
  • 30.
    Test & Evaluation DNSAmplification Attack & UDP Flood Attack: Cannot simulate attacks → No test result yet
  • 31.
    Test & Evaluation FutureWork: 1. Test on DNS Amplification Attack & UDP Flood Attack 2. {new_sample_rate, new_threshold} =update(old_sample_rate, old_threshold, network_congestion, server_status,…) 3. Sample Theory is efficient on large flows. Think about {tiny flows x n} 4. Reasonable unblock mechanism
  • 32.