Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke

Published byFanny Tan Modified over 5 years ago

Similar presentations

Presentation on theme: "SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke"— Presentation transcript:

1 SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke
LineSwitch: Tackling Control Plane Saturation Attacks in Software-Defined Networking SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke DATE:2018/01/05

2 Outline INTRODUCTION RELATED WORK LIMITATIONS OF THE RELATED WORK
SOLUTION: LINESWITCH EVALUATION CONCLUSION

3 INTRODUCTION Software Defined Networking (SDN)
SDN proposes a marked shift from the current network infrastructure by decoupling the network logic layer, called the control plane, and the data layer, called the data plane, into separate entities.

4 INTRODUCTION (Cont’d)
SDN also introduces a serious vulnerability which can be exploited to overload the controller with flow requests. This attack is called control plane saturation Control plane saturation can be easily performed, for example, through SYN flooding

5 RELATED WORK Avant-Guard
Avant-Guard modifies the standard OpenFlow protocol and adds two extensions: (1) a Connection Migration module (2) the Actuating Trigger module

6

7 LIMITATIONS OF THE RELATED WORK
Avant-Guard is indeed a valid solution against the control plane saturation attack. Unfortunately, it introduces new vulnerabilities too. the scheme of a possible attack for Avant-Guard of the above points: A. Proxying Requires State B. TCP Ports and Limit on Connections Number C. Connection Migration Transparency D. Consequences of Breaking End-to-End Semantics

8 consider a situation where a host A initiates a TCP connection with another host B. Let R be an intermediate OpenFlow switch Host A sends a SYN packet to host B with a sequence number ISNA. Switch R intercepts the incoming packet, and replies to host A with a SYN-ACK packet with a spoofed address,i.e., using host B address. The ACK number will be ISNA + 1 and the sequence number will be a random number ISNR. • Host A replies with an ACK packet with the acknowledgment number ISNR + 1. From now on, A will expect incoming packets from host B to have a sequence number ISN’ R = ISNR +payload bytes Upon receiving the permission to migrate the connection, switch R will start an handshake with host B by sending a SYN packet with sequence number ISNA.

9 Buffer Saturation Attack
the attacker just needs to open several complete TCP connections through the target OpenFlow switch to a given host. Note that each of these connections will need state to be stored on the switch for translation. Therefore, if the number of connections is large enough, the portion of memory dedicated to that data structure will be saturated.

10 SOLUTION: LINESWITCH LineSwitch
An OpenFlow module deployed on edge OpenFlow switches LineSwitch proxies all incoming TCP connections from a given IP until one is completed Subsequent connections are proxied only with a very small probability

11

12 Key Advantages Higher Resiliency to Buffer Saturation
Reduced Use of Proxy Reduced Overhead

13 EVALUATION all experiments using the Mininet network simulator in a virtual machine. Compare the performance of OpenFlow, Avant-Guard and LineSwitch : under regular use-case scenario under SYN flooding attack under buffer saturation attack

14 Figure 6 presents the setup of our simulation
includes : two client hosts an HTTP server an OpenFlow switch a local controller

15 Regular Traffic Scenario
Link 1, Link 2 and Link 3 are setup with a bandwidth = 10 Mbps a Round Trip Time (RTT) between nodes = 80 ms the probability for LineSwitch Pp = 0.05 time required to retrieve a web page size = 1 KByte average over 500 separate runs.

16 SYN Flooding Scenario Run the experiments varying the bandwidth of Link 2, i.e., the attacker’s link

17 Buffer Saturation Scenario
configure the system with different buffer sizes and run the attack at different rates. show that: The attack rate required to successfully incapacitate an OpenFlow switch running AVANT-GUARD grows linearly with the size of the buffer. Using AVANT-GUARD, it is easily successfully complete the attack achievable, even with larger buffers. LineSwitch offers an extremely high resiliency to the buffer saturation attack, and can be further configured through the Pp parameter to address the specific needs of the network.

18

19 Configuring the Proxy Probability
LineSwitch efficacy depends partially on the value assigned to the proxying parameter Pp estimate the average attack detection time dt as: v is the attack speed s is the size of each packet Pp is the adopted proxy probability s

20 CONCLUSION Analyzed the effects of the control plane saturation attack based on SYN flooding. considered AVANT-GUARD, which is, to the best of our knowledge. Proposed LineSwitch, a solution based on probability and blacklisting which offers both resiliency against SYN flooding- based control plane saturation attacks and protection from buffer saturation vulnerabilities.

21 REFERENCES M. Ambrosin, M. Conti, F. De Gaspari and R. Poovendran, "LineSwitch: Tackling Control Plane Saturation Attacks in Software-Defined Networking," in IEEE/ACM Transactions on Networking, vol. 25, no. 2, pp , April 2017.

Download ppt "SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke"

Similar presentations

An Improved TCP for transaction communications on Sensor Networks Tao Yu Tsinghua University 2/8/2010 1.

An Improved TCP for transaction communications on Sensor Networks Tao Yu Tsinghua University 2/8/
SCTP v/s TCP – A Comparison of Transport Protocols for Web Traffic CS740 Project Presentation by N. Gupta, S. Kumar, R. Rajamani.

SCTP v/s TCP – A Comparison of Transport Protocols for Web Traffic CS740 Project Presentation by N. Gupta, S. Kumar, R. Rajamani.
Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis

Camarillo / Schulzrinne / Kantola November 26th, 2001 SIP over SCTP performance analysis
Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

Transport Layer – TCP (Part2) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
Intermediate TCP/IP TCP Operation.

Intermediate TCP/IP TCP Operation.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.

Fundamentals of Computer Networks ECE 478/578 Lecture #20: Transmission Control Protocol Instructor: Loukas Lazos Dept of Electrical and Computer Engineering.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
Performance Improvement of TCP in Wireless Cellular Network Based on Acknowledgement Control Osaka University Masahiro Miyoshi, Masashi Sugano, Masayuki.

Performance Improvement of TCP in Wireless Cellular Network Based on Acknowledgement Control Osaka University Masahiro Miyoshi, Masashi Sugano, Masayuki.
1 A Comparison of Load Balancing Techniques for Scalable Web Servers Haakon Bryhni, University of Oslo Espen Klovning and Øivind Kure, Telenor Reserch.

1 A Comparison of Load Balancing Techniques for Scalable Web Servers Haakon Bryhni, University of Oslo Espen Klovning and Øivind Kure, Telenor Reserch.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.
The Transport Layer Chapter 6. The Transport Service Services Provided to the Upper Layers Transport Service Primitives Berkeley Sockets An Example of.

The Transport Layer Chapter 6. The Transport Service Services Provided to the Upper Layers Transport Service Primitives Berkeley Sockets An Example of.
1 An Overlay Scheme for Streaming Media Distribution Using Minimum Spanning Tree Properties Journal of Internet Technology Volume 5(2004) No.4 Reporter.

1 An Overlay Scheme for Streaming Media Distribution Using Minimum Spanning Tree Properties Journal of Internet Technology Volume 5(2004) No.4 Reporter.
Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.

Department of Electronic Engineering City University of Hong Kong EE3900 Computer Networks Transport Protocols Slide 1 Transport Protocols.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.

TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Similar presentations

Ads by Google