Early Detection of DDoS Attacks against SDN Controllers

Presentation transcript:

Early Detection of DDoS Attacks against SDN Controllers
Author: Seyed Mohammad Mousavi, Marc St-Hilaire
Conference: 2015 International Conference on Computing, Networking and Communications (ICNC)
Presenter: Chih-Hsun Wang
Date: 2015/08/05
Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan R.O.C., CSIE CIAL Lab

Introduction
A Software Defined Network (SDN) is a new network architecture that provides central control over the network. The main goal of this paper is to detect a DDoS attack in its early stages. The paper provides a solution that detects DDoS attacks based on the entropy variation of the destination IP address. The method is able to detect a DDoS attack within the first five hundred packets of the attack traffic.

DDoS Detection Using Entropy
The main reason entropy is used for DDoS detection is its ability to measure the randomness of the packets arriving at a network: the higher the randomness, the higher the entropy. There are two essential components to DDoS detection using entropy: (i) the window size and (ii) the threshold. The window size is based either on a time period or on a number of packets; entropy is calculated within this window to measure the uncertainty of the incoming packets. To detect an attack, a threshold is needed: if the calculated entropy passes above the threshold or drops below it, depending on the scheme, an attack is detected.

Proposed Method: Utilizing SDN Capabilities
Each packet that reaches the controller is known to be new and to have a destination inside the network, so the level of randomness can be quantified by calculating the entropy over a window of packets. Using entropy, its value can be seen to drop when a large number of packets are attacking one host or a subnet of hosts.

Proposed Method: Statistics Collection for Entropy
One of the functions of the controller is collecting statistics from the switch tables. The entropy of each window is calculated and compared to an experimental threshold. If the entropy is lower than the threshold, an attack is detected.

Proposed Method: Window Size
The window size should be set smaller than or equal to the number of hosts. The main reason for choosing 50 is the limited number of incoming new connections to each host in the network. Considering the limited resources of the controller, this window size is suitable for networks with one controller and a few hundred hosts. Here, window size = 50.

Proposed Method: Attack Detection
To detect an attack in the controller, we monitor the destination IP address of the incoming packets. A function was added to the controller to build a hash table of the incoming packets: W is the hash table, x_i is a destination IP, y_i is its number of occurrences, and p_i is the probability of each IP address. If an IP address is new in the table, it is added with count one. After 50 packets, the entropy of the window is calculated.

Proposed Method: Attack Detection
If an attack is directed towards a host, a large number of packets will be directed to it. These packets fill most of the window and reduce the number of unique IPs in the window, which in turn reduces the entropy. We made use of this fact and set an experimental threshold: if the entropy drops below this threshold for five consecutive windows, an attack is in progress.

Simulation Results: Experiment Environment
Controller: POX
Language: Python
Network Emulator: Mininet
Traffic Generation: Scapy

Simulation Results: Choosing a Threshold
To find the range for an optimal threshold, we ran a series of experiments to see the effect of an attack on the entropy. We ran a 25% rate attack on one host 25 times to find a suitable threshold. The threshold is the highest entropy observed across all of these cases, so it enables the controller to detect any attack whose packets occupy 25% or more of the incoming traffic.
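The per-window detector from the attack-detection slides (hash table of destination IPs, 50-packet window, five consecutive low-entropy windows) together with the threshold calibration just described, as an added Python example; this is not the paper's POX code. The traffic generator, the 64-host network size and the victim address 10.0.0.1 are constructed assumptions, and the entropy is Shannon entropy H = -sum(p_i log2 p_i) with p_i = y_i / 50.

```python
import math
import random
from collections import Counter

WINDOW_SIZE = 50          # packets per window, as chosen in the paper
CONSECUTIVE_WINDOWS = 5   # low-entropy windows in a row before an attack is declared


def window_entropy(dst_ips):
    """H = -sum(p_i * log2 p_i) over the window, p_i = y_i / n with y_i the count of IP x_i."""
    counts = Counter(dst_ips)  # the hash table W: destination IP -> occurrences y_i
    n = len(dst_ips)
    return -sum((y / n) * math.log2(y / n) for y in counts.values())


class EntropyDetector:
    """Collects destination IPs of new packets reaching the controller, closes a window
    every WINDOW_SIZE packets and flags an attack after CONSECUTIVE_WINDOWS low windows."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.window = []
        self.low_streak = 0
        self.attack_detected = False

    def packet_in(self, dst_ip):
        """Feed one packet; returns the window entropy when a window closes, else None."""
        self.window.append(dst_ip)
        if len(self.window) < WINDOW_SIZE:
            return None
        entropy = window_entropy(self.window)
        self.window = []
        self.low_streak = self.low_streak + 1 if entropy < self.threshold else 0
        if self.low_streak >= CONSECUTIVE_WINDOWS:
            self.attack_detected = True
        return entropy


def make_traffic(n_packets, n_hosts, attack_rate, seed):
    """Constructed traffic (not the paper's data): each packet goes to victim 10.0.0.1
    with probability attack_rate, otherwise to a uniformly random host."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, n_hosts + 1)]
    return [hosts[0] if rng.random() < attack_rate else rng.choice(hosts)
            for _ in range(n_packets)]


def calibrate_threshold(trials=25, n_hosts=64, seed=0):
    """Paper's calibration: highest window entropy over `trials` runs of a 25% attack."""
    return max(window_entropy(make_traffic(WINDOW_SIZE, n_hosts, 0.25, seed + t))
               for t in range(trials))
```

A window of 50 packets all to one host has entropy 0, a window of 50 distinct destinations has the maximum log2(50) ≈ 5.64, and a window with 25% of packets to one host lands well below that, which is what the calibrated threshold separates.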

Simulation Results (two slides of result plots; the plots are not included in the transcript)