Selective Packet Inspection to Detect DoS Flooding
Using Software Defined Networking
Authors: Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi Xiong
Conference: IEEE 35th International Conference on Distributed Computing Systems Workshops (ICDCSW), 2015
Presenter: Kuan-Chieh Feng
Date: 2015/10/21
Department of Computer Science and Information Engineering National Cheng Kung University
Outline
Introduction
Approach
System Architecture
Experiment
National Cheng Kung University CSIE Computer & Internet Architecture Lab
Introduction
In this paper, we discuss a novel attack detection approach that coordinates monitors distributed over a network and controllers centralized on an SDN Open Virtual Switch, selectively inspecting network packets on demand.
Introduction
Two studies are especially relevant to the challenges and solutions in this study.
• The OrchSec architecture [3] uses decoupled monitors and SDN correlators in order to mitigate different types of attacks.
• The NICE framework [4] is an IDS agent that monitors mirrored traffic and proposes potential countermeasures to attacks.
Introduction
A monitor is sensitive and lightweight to quickly detect anomalies in network traffic.
A correlator, upon receiving an alert from a monitor, verifies the suspicion by inspecting detailed evidence of network packets in its neighborhood for additional attack signatures.
Approach
DoS flooding attacks try to deplete the resources of a victim device, whether network bandwidth or host resources.
They use a variety of techniques: flooding, amplification, protocol exploitation, and malformed packets.
Recently, SDN has been applied to this problem in several studies.
Approach
However, DoS still poses many significant challenges to current detection and correlation solutions:
• The ability of Intrusion Detection Systems (IDS) is limited by what they see in the data and thus by their locations on a network.
• Even if an SDN correlator is able to get hold of every bit of data, it is impossible to do deep inspection on every network packet.
Approach
There is always a tradeoff in handling each of these problems.
• Ex: IDS location
The key is to consider how to best utilize different IDS elements together in a dynamic and adaptive way.
• Solution: SDN
Approach
Consider the TCP SYN flood attack:
A surge in the volume of SYN requests
• Setting a control threshold over the baseline traffic in the monitor can quickly recognize a surge of abnormal traffic.
Spoofed IP addresses in invalid SYN requests
• Requires adequate knowledge to be able to tell them apart from other, legitimate IPs.
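A monitor-side threshold check of the kind this slide describes, written here as an added example (it is not code from the paper or from the presenter): SYN-only packets are counted per one-second window, a control threshold is derived from the baseline windows, and every later window above it raises an alert that also reports how many distinct sources sent the SYNs. The packet trace is constructed, and the window size, the mean plus three standard deviations rule and the floor of twice the baseline mean are assumptions of this example, not parameters from the paper.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed packet trace (not measurements from the paper):
# (timestamp_seconds, src_ip, dst_ip, tcp_flags) with "S" = SYN only,
# "SA" = SYN+ACK, "A" = ACK.  10 s of baseline handshakes, then 3 s of
# SYN flood from spoofed sources that never complete the handshake.
def synthetic_trace():
    pkts = []
    for t in range(10):                       # baseline: 3 handshakes per second
        for i in range(3):
            client, base = f"10.0.0.{10 + i}", t + i * 0.1
            pkts.append((base, client, "10.0.0.1", "S"))
            pkts.append((base + 0.01, "10.0.0.1", client, "SA"))
            pkts.append((base + 0.02, client, "10.0.0.1", "A"))
    for t in range(10, 13):                   # flood: 200 SYNs per second
        for i in range(200):
            pkts.append((t + i / 200.0, f"198.51.100.{i % 254 + 1}", "10.0.0.1", "S"))
    return sorted(pkts)

def syn_stats_per_window(pkts, window=1.0):
    """Per fixed window: number of SYN-only packets and the distinct sources
    that sent them.  Only the TCP flags are read, so this stays lightweight."""
    counts, sources = Counter(), {}
    for ts, src, _dst, flags in pkts:
        if flags == "S":
            w = int(ts // window)
            counts[w] += 1
            sources.setdefault(w, set()).add(src)
    return counts, sources

def baseline_threshold(counts, baseline_windows, k=3.0):
    """Control threshold over the baseline: mean + k * stddev, floored at
    2 * mean so a perfectly flat baseline (stddev 0) still tolerates bursts.
    Both k and the floor are assumptions of this example."""
    vals = [counts.get(w, 0) for w in baseline_windows]
    mu, sigma = mean(vals), pstdev(vals)
    return max(mu + k * sigma, 2 * mu)

def monitor(pkts, window=1.0, baseline_seconds=10, k=3.0):
    """Return the threshold and one alert per post-baseline window above it.
    Each alert carries the counts a correlator would need to decide where to look."""
    counts, sources = syn_stats_per_window(pkts, window)
    baseline_windows = range(int(baseline_seconds / window))
    thr = baseline_threshold(counts, baseline_windows, k)
    alerts = [{"window": w, "syn_count": counts[w], "threshold": thr,
               "distinct_sources": len(sources[w])}
              for w in sorted(counts) if w not in baseline_windows and counts[w] > thr]
    return thr, alerts

if __name__ == "__main__":
    threshold, alerts = monitor(synthetic_trace())
    print(f"threshold={threshold}")
    for a in alerts:
        print(a)
```

The jump from three distinct sources per window to two hundred is the hint the monitor can hand to the correlator: the monitor itself only counts, and leaves telling spoofed sources from legitimate ones to the deeper inspection on the controller side.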
System Architecture
System Design
Algorithms
Communication Protocol
System Architecture – system design
Server
Client (normal user, attacker)
Open Virtual Switch
Monitor
Correlator (SDN controller)
System Architecture - algorithm
The Monitor runs a real-time communicator algorithm.
The Correlator, hosted on the SDN controller, runs another algorithm that maintains an open communication channel with the monitor and the OVS. It keeps:
• A hash table based on the original flow table
• Another hash table based on the current flow table
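An added example (not the paper's or POX's code) of the correlator's two hash tables: one built from the original flow table and one from the current flow table. Only the flows present in the current table but absent from the original are inspected, and a new source all of whose new flows are half-open (SYN sent, SYN-ACK returned by the victim, no ACK ever seen) is treated as a spoofed SYN source. The flow-record format, the handshake-based spoofing test and the 80% confirmation ratio are assumptions of this example, and the records are constructed.

```python
# Flow records as they might be read off the OVS flow table or a capture near
# it: (src_ip, dst_ip, src_port, dst_port, tcp_flags).  Constructed data, not
# measurements from the paper.

def flow_key(src, dst, sport, dport, flags):
    """Normalise to (client, server, client_port, server_port) so the victim's
    SYN-ACK lands in the same hash bucket as the SYN it answers."""
    if flags == "SA":
        return (dst, src, dport, sport)
    return (src, dst, sport, dport)

def build_flow_table(records):
    """Hash table keyed by normalised flow; each entry tallies S, SA and A packets."""
    table = {}
    for src, dst, sport, dport, flags in records:
        entry = table.setdefault(flow_key(src, dst, sport, dport, flags),
                                 {"S": 0, "SA": 0, "A": 0})
        entry[flags] += 1
    return table

def new_flows(original, current):
    """Selective inspection: only flows absent from the original table are examined."""
    return {k: v for k, v in current.items() if k not in original}

def correlate(original, current, spoofed_ratio=0.8):
    """Verify a monitor's alert.  A new source is called spoofed when every one
    of its new flows is half-open (SYN > 0 and no ACK); the alert is confirmed
    when spoofed sources are at least spoofed_ratio of the new sources.
    The ratio is an assumption of this example."""
    inspected = new_flows(original, current)
    per_src = {}
    for (client, _server, _cport, _sport), counts in inspected.items():
        per_src.setdefault(client, []).append(counts)
    spoofed, legit = [], []
    for client, flows in per_src.items():
        half_open = sum(1 for c in flows if c["S"] > 0 and c["A"] == 0)
        (spoofed if half_open == len(flows) else legit).append(client)
    total = len(per_src)
    return {"confirmed": total > 0 and len(spoofed) / total >= spoofed_ratio,
            "spoofed_sources": sorted(spoofed),
            "legit_new_sources": sorted(legit),
            "inspected_flows": len(inspected),
            "total_flows": len(current)}

def baseline_records():
    recs = []
    for i in range(3):                       # three clients completing handshakes
        c, p = f"10.0.0.{10 + i}", 40000 + i
        recs += [(c, "10.0.0.1", p, 80, "S"), ("10.0.0.1", c, 80, p, "SA"),
                 (c, "10.0.0.1", p, 80, "A")]
    return recs

def attack_records():
    recs = [("10.0.0.20", "10.0.0.1", 41000, 80, "S"),   # one new legitimate client
            ("10.0.0.1", "10.0.0.20", 80, 41000, "SA"),
            ("10.0.0.20", "10.0.0.1", 41000, 80, "A")]
    for i in range(50):                      # spoofed SYNs; the victim's SYN-ACK goes unanswered
        s, p = f"198.51.100.{i + 1}", 50000 + i
        recs += [(s, "10.0.0.1", p, 80, "S"), ("10.0.0.1", s, 80, p, "SA")]
    return recs

if __name__ == "__main__":
    original = build_flow_table(baseline_records())
    current = build_flow_table(baseline_records() + attack_records())
    print(correlate(original, current))
```

One caveat a practitioner would want: a snapshot taken while a legitimate client is mid-handshake looks exactly like a spoofed source, so in practice the current table should be read after a short grace period or the half-open test repeated over two snapshots before a source is acted on.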
System Architecture – communication protocol
Experiment
Environment
• Implementation on GENI
• Ubuntu Linux 64-bit
• Normal traffic created by iperf
• TCP SYN floods with IP spoofing by hping3
• Correlator running the correlation algorithm on POX
• The IDS is implemented with a Snort rule
• The communication protocol between the monitor and correlator is implemented in Python using socket programming
Experiment - Result analysis
Experiment
The monitor is the bottleneck in our experimentation.
The most time-consuming part of the monitor implementation is the time it takes for the monitor to receive the attack packets.
To improve the performance, we will need to either increase the number of monitors or use more powerful machines.