Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.


Network Anti-Spoofing with SDN Data Plane. Authors: Yehuda Afek et al. Presenter: Soorya Ravichandran

Introduction
Traditional middlebox for anti-spoofing mitigation  CAPEX, latency and complexity.
Anti-DDoS system with SDN  implementing mitigations for both the SDN and the underlying infrastructure.
Built from flow-table rules and switch-controller messages.

Technologies Used
OpenFlow 1.5 and P4; P4 for flexible programming of any protocol header.
Open vSwitch.
hping3 tool  for generating the SYN flood attack.

Overview of SDN
Software Defined Networking  segregation of the control plane and the data plane.
OpenFlow  the interface between the control plane and the forwarding plane, realised as a match-and-action framework.
Match-table architectures: Single Match Table (SMT), Multi Match Table (MMT), Reconfigurable Match Table (RMT, the one used in this paper).

Problems and Solutions
Problems: DDoS using a spoofed SYN flood; stateful and control-plane saturation attacks on the SDN controller; flow-state congestion.
Solutions: anti-SYN-spoofing; stateless challenge-response; distributed network solution.

Anti-SYN Spoofing
Problem: exhaustion of TCP state on the server and of the SDN flow table.
Techniques: SYN cookie method; HTTP redirect to the same server address; TCP reset.

SYN Cookie Method

Generation of Cookie
Controller communication for cookie generation.
Cookie = random value + SYN packet parameters. Parameters used: source IP + source port + 32-bit random number; an 8-bit portion is spanned periodically.
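A worked illustration of the stateless SYN-cookie scheme described on this slide, added here and not code from the paper or the presenter: the cookie is derived from source IP, source port and a 32-bit random secret, with an 8-bit period counter carried in the top byte so that old cookies expire. The keyed-hash construction, the constructed secret value and the one-period grace window are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

# Constructed secret for the example; the real system draws its own
# 32-bit random value (the slide's "32 bit random number").
SECRET = 0x5EEDF00D


def _mac(src_ip: str, src_port: int, secret: int, period: int) -> int:
    """24-bit keyed hash over (source IP, source port, period)."""
    key = struct.pack("!I", secret)
    msg = ipaddress.ip_address(src_ip).packed + struct.pack("!HB", src_port, period)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip: str, src_port: int, period: int, secret: int = SECRET) -> int:
    """32-bit ISN for the SYN+ACK: top 8 bits = rotating period counter
    (the slide's "8 bit portion"), low 24 bits = keyed hash."""
    period &= 0xFF
    return (period << 24) | _mac(src_ip, src_port, secret, period)


def check_cookie(ack_num: int, src_ip: str, src_port: int, now_period: int,
                 secret: int = SECRET, max_age: int = 1) -> bool:
    """Validate a client's ACK without any per-connection state.
    The client acknowledges ISN+1, so the cookie is ack_num-1. The embedded
    period must be the current one or at most max_age periods old (modulo 256)."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    period = cookie >> 24
    age = (now_period - period) & 0xFF
    if age > max_age:
        return False  # stale cookie or forged period byte
    expected = _mac(src_ip, src_port, secret, period)
    # constant-time comparison of the 24-bit hash portion
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big"))
```

After a valid ACK the switch can whitelist the client and fall back to the reset-and-redirect step from the previous slide; the cookie itself never needs to be stored.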

Distributed Network Solution
Problem: flow-table exhaustion due to the pinholes opened for increased legitimate traffic.
Vertical distribution  the resources of the switches along the bottleneck traffic path are utilised. Each switch keeps a table space D_i for path P_i. The threshold level is 80% of rule capacity and processing power. All switches on a saturated path take part in the load balancing.
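An added example of the vertical distribution policy this slide describes, not code from the paper: pinhole rules for path P_i are spread over the switches on that path, each switch contributing its headroom D_i below the 80% threshold, so no single switch is driven into saturation. The fill-ingress-first order and the Switch model are assumptions of the example.

```python
from typing import Dict, List, Optional

THRESHOLD = 0.80  # slide: a switch counts as saturated at 80% of rule capacity


class Switch:
    """One switch on bottleneck path P_i; 'used' counts installed pinhole rules."""

    def __init__(self, name: str, capacity: int, used: int = 0) -> None:
        self.name, self.capacity, self.used = name, capacity, used

    def headroom(self) -> int:
        """Rules this switch may still accept before crossing the 80% line (its D_i)."""
        return max(0, int(self.capacity * THRESHOLD) - self.used)

    def saturated(self) -> bool:
        return self.headroom() == 0


def place_rules(path: List[Switch], n_rules: int) -> Optional[Dict[str, int]]:
    """Vertical distribution: spread n_rules over the switches of the path,
    filling the first (ingress) switch and spilling downstream.
    Returns {switch name: rules to install}, or None when the whole path
    cannot absorb the rules without some switch crossing the threshold."""
    if sum(sw.headroom() for sw in path) < n_rules:
        return None
    plan: Dict[str, int] = {}
    remaining = n_rules
    for sw in path:
        take = min(sw.headroom(), remaining)
        if take:
            plan[sw.name] = take
            remaining -= take
        if remaining == 0:
            break
    return plan


def commit(path: List[Switch], plan: Dict[str, int]) -> None:
    """Apply a placement plan to the switches' rule counters."""
    for sw in path:
        sw.used += plan.get(sw.name, 0)
```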

Anti-Spoofing Performance
Without mitigation: HTTP requests fail at 2.7k pps. With mitigation: requests succeed at rates up to 206k pps. Throughput decreases as the mitigation actions are implemented.

Anti-Spoofing Performance (contd.)

Criticism
Open vSwitch security vulnerabilities that need to be taken care of: a buffer over-read vulnerability; an OpenFlow bypass vulnerability (bypass of the actions in pinholes); an OpenFlow code-execution vulnerability that allows an unauthenticated attacker to execute code.
Timestamp consideration in cookie generation.