Presentation is loading. Please wait.

Presentation is loading. Please wait.

Early Detection of DDoS Attacks against SDN Controllers

Published byTrevor Cook Modified over 8 years ago

Similar presentations

Presentation on theme: "Early Detection of DDoS Attacks against SDN Controllers"— Presentation transcript:

1 Early Detection of DDoS Attacks against SDN Controllers
2017/4/26 Early Detection of DDoS Attacks against SDN Controllers Author: Seyed Mohammad Mousavi, Marc St-Hilaire Conference: 2015 International Conference on Computing, Networking and Communications (ICNC) Presenter: Chih-Hsun Wang Date: 2015/08/05 Department of Computer Science and Information Engineering National Cheng Kung University, Taiwan R.O.C. CSIE CIAL Lab 1

2 2017/4/26 Introduction A Software Defined Network (SDN) is a new network architecture that provides central control over the network. The main goal of this paper is to detect a DDoS attack in its early stages. This paper provides a solution to detect DDoS attacks based on the entropy variation of the destination IP address. This method is able to detect DDoS within the first five hundred packets of the attack traffic. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

3 DDoS Detection Using Entropy
2017/4/26 DDoS Detection Using Entropy The main reason entropy is used for DDoS detection is its ability to measure randomness in the packets that are coming to a network. The higher the randomness the higher is the entropy. There are two essential components to DDoS detection using entropy: i) window size ii) threshold Window size is either based on a time period or a number of packets. Entropy is calculated within this window to measure uncertainty in the coming packets. To detect an attack, a threshold is needed. If the calculated entropy passes a threshold or is below it, depending on the scheme, an attack is detected. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

4 Proposed Method Utilizing SDN Capabilities
2017/4/26 Proposed Method Utilizing SDN Capabilities Knowing that the packet is new and that the destination is in the network, the level of randomness can be quantified by calculating the entropy based on a window size. Using entropy, it is possible to see its value drop when a large number of packets are attacking one host or a subnet of hosts. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

5 Proposed Method Statistics Collection for Entropy
2017/4/26 Proposed Method Statistics Collection for Entropy One of the functions of the controller is collecting statistics from the switch tables. The entropy of each window is calculated and compared to an experimental threshold. If the entropy is lower than the threshold, an attack is detected. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

6 Proposed Method Window Size
2017/4/26 Proposed Method Window Size The window size should be set to be smaller or equal to the number of hosts. The main reason for choosing 50 is the limited number of incoming new connection to each host in the network. Considering the limited resources of the controller, this window size is ideal for networks with one controller and few hundred hosts. Here, window size = 50 National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

7 Proposed Method Attack detection
2017/4/26 Proposed Method Attack detection To detect an attack in the controller, we monitor the destination IP address of the incoming packets. A function was added to the controller to create a hash table of the incoming packets. W is hash table, Xi is des ip, Yi is 出現次數 Pi is the probability of each IP address. If an IP address is new in the table, it will be added with count one. After 50 packets, the entropy of the window will be calculated. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

8 Proposed Method Attack detection
2017/4/26 Proposed Method Attack detection If an attack is directed towards a host, a large number of packets will be directed to it. These packets will fill most of the window and reduce the number of unique IPs in the windo, which in turn, reduces entropy. We made use of this fact and set an experimental threshold. If the entropy drops below this threshold and that five consecutive windows have lower than threshold entropy, then an attack is in progress. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

9 Simulation Results Experiment Environment Controller POX Language
2017/4/26 Simulation Results Experiment Environment Controller POX Language Python Network Emulator Mininet Traffic Generation Scapy National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

10 Simulation Results Choosing a Threshold
2017/4/26 Simulation Results Choosing a Threshold To find the range for an optimal threshold, we ran a series of experiments to see the effect of an attack on the entropy. We ran a 25% rate attack on one host for 25 times to find a suitable threshold. This threshold is the highest entropy of all cases so it will enable the controller to detect any attack with packets occupying 25% of the incoming traffic or more. National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

11 2017/4/26 Simulation Results National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

12 2017/4/26 Simulation Results National Cheng Kung University CSIE Computer & Internet Architecture Lab CSIE CIAL Lab

Download ppt "Early Detection of DDoS Attacks against SDN Controllers"

Similar presentations

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:

Deep Packet Inspection with DFA-trees and Parametrized Language Overapproximation Author: Daniel Luchaup, Lorenzo De Carli, Somesh Jha, Eric Bach Publisher:
Scalable Packet Classification Using Hybrid and Dynamic Cuttings Authors : Wenjun Li,Xianfeng Li Publisher : Engineering Lab on Intelligent Perception.

Scalable Packet Classification Using Hybrid and Dynamic Cuttings Authors : Wenjun Li,Xianfeng Li Publisher : Engineering Lab on Intelligent Perception.
OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.

OpenFlow-Based Server Load Balancing GoneWild Author : Richard Wang, Dana Butnariu, Jennifer Rexford Publisher : Hot-ICE'11 Proceedings of the 11th USENIX.
HybridCuts: A Scheme Combining Decomposition and Cutting for Packet Classification Authors : Wenjun Li, Xianfeng Li Publisher : 2013 IEEE 21st Annual Symposium.

HybridCuts: A Scheme Combining Decomposition and Cutting for Packet Classification Authors : Wenjun Li, Xianfeng Li Publisher : 2013 IEEE 21st Annual Symposium.
Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.

Packet Classification using Rule Caching Author: Nitesh B. Guinde, Roberto Rojas-Cessa, Sotirios G. Ziavras Publisher: IISA, 2013 Fourth International.
Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.

Fast forwarding table lookup exploiting GPU memory architecture Author : Youngjun Lee,Minseon Jeong,Sanghwan Lee,Eun-Jin Im Publisher : Information and.
Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.

Packet Classification Using Multi-Iteration RFC Author: Chun-Hui Tsai, Hung-Mao Chu, Pi-Chung Wang Publisher: COMPSACW, 2013 IEEE 37th Annual (Computer.
A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,

A Regular Expression Matching Algorithm Using Transition Merging Department of Computer Science and Information Engineering National Cheng Kung University,
A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,

A Hybrid IP Lookup Architecture with Fast Updates Author : Layong Luo, Gaogang Xie, Yingke Xie, Laurent Mathy, Kavé Salamatian Conference: IEEE INFOCOM,
EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.

EQC16: An Optimized Packet Classification Algorithm For Large Rule-Sets Author: Uday Trivedi, Mohan Lal Jangir Publisher: 2014 International Conference.
Scalable Many-field Packet Classification on Multi-core Processors Authors : Yun R. Qu, Shijie Zhou, Viktor K. Prasanna Publisher : International Symposium.

Scalable Many-field Packet Classification on Multi-core Processors Authors : Yun R. Qu, Shijie Zhou, Viktor K. Prasanna Publisher : International Symposium.
Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.

Deterministic Finite Automaton for Scalable Traffic Identification: the Power of Compressing by Range Authors: Rafael Antonello, Stenio Fernandes, Djamel.
2017/4/25 INDOOR LOCALIZATION SYSTEM USING RSSI MEASUREMENT OF WIRELESS SENSOR NETWORK BASED ON ZIGBEE STANDARD Authors:Masashi Sugano, Tomonori Kawazoe,

2017/4/25 INDOOR LOCALIZATION SYSTEM USING RSSI MEASUREMENT OF WIRELESS SENSOR NETWORK BASED ON ZIGBEE STANDARD Authors:Masashi Sugano, Tomonori Kawazoe,
DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : 2009 15th.

DBS A Bit-level Heuristic Packet Classification Algorithm for High Speed Network Author : Baohua Yang, Xiang Wang, Yibo Xue, Jun Li Publisher : th.
Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM 2007. 26th IEEE International.

Memory-Efficient Regular Expression Search Using State Merging Author: Michela Becchi, Srihari Cadambi Publisher: INFOCOM th IEEE International.
SwinTop: Optimizing Memory Efficiency of Packet Classification in Network Author: Chen, Chang; Cai, Liangwei; Xiang, Yang; Li, Jun Conference: Communication.

SwinTop: Optimizing Memory Efficiency of Packet Classification in Network Author: Chen, Chang; Cai, Liangwei; Xiang, Yang; Li, Jun Conference: Communication.
Research on TCAM-based OpenFlow Switch Author: Fei Long, Zhigang Sun, Ziwen Zhang, Hui Chen, Longgen Liao Conference: 2012 International Conference on.

Research on TCAM-based OpenFlow Switch Author: Fei Long, Zhigang Sun, Ziwen Zhang, Hui Chen, Longgen Liao Conference: 2012 International Conference on.
Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.
2017/4/26 Rethinking Packet Classification for Global Network View of Software-Defined Networking Author: Takeru Inoue, Toru Mano, Kimihiro Mizutani, Shin-ichi.

2017/4/26 Rethinking Packet Classification for Global Network View of Software-Defined Networking Author: Takeru Inoue, Toru Mano, Kimihiro Mizutani, Shin-ichi.
FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.

FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions Author: Seyed Kaveh Fayazbakhsh, Vyas Sekar, Minlan Yu and Jeffrey.

Similar presentations

Ads by Google