DoS Vulnerabilities and Mitigation Strategies in Software-Defined Networks

Source: Journal of Network and Computer Applications, Vol. 125, No. 1, pp. 209-219, Jan. 2019
Authors: Shu-Hua Deng, Xing Gao, Ze-Bin Lu, Zheng-Fa Li, and Xie-Ping Gao
Speaker: Ren-Kai Yang
Date: 2019/01/24
Outline
  Introduction
  Preliminary
  Proposed scheme
  Performance evaluation
  Conclusions
Introduction (1/3)

[Figure: Host A, Host B and Host C attached to Switch A, Switch B and Switch C, which connect through a router to the Internet; a packet travels from one host towards the others. The OSI stack (Application, Presentation, Session, Transport, Network, Data-link, Physical layer) is shown beside the topology.]

Speaker notes (translated):

Application stage: you open a browser, type a URL into the address bar and press [Enter]. The browser packages the URL and related data and hands it down to the application layer of TCP/IP.
Application layer: the HTTP protocol wraps the browser's data, adds an application-layer header, and passes it to the transport layer.
Transport layer: HTTP needs a reliable connection, so the data is placed inside a TCP segment with a TCP header and passed to the network layer.
Network layer: the TCP segment is wrapped in an IP packet with an IP header (mainly the source and destination IP addresses) and passed to the link layer.
Link layer: on Ethernet, the IP packet is placed into a MAC frame according to the CSMA/CD standard, given a MAC header, converted into a bit stream, and sent over the transmission medium to the remote host.

Every packet passing through a switch has to be unpacked, its contents read, and then re-assembled before it is forwarded to the next switch. A switch's CPU is not very powerful, so this process loses efficiency. In addition, when new devices or network services are added, updating the devices is difficult: each one must be configured separately, and fault tolerance is low. The SDN architecture was therefore proposed to improve network efficiency.

MAC address table of the switch in the figure:

  Host  MAC (Media Access Control)  Port
  A     00:0A:02:0B:03:0C           1
  B     00:05:5D:E8:0F:A3           3
  C     00:0C:29:01:98:27           7
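The encapsulation the speaker notes walk through, as an added example that is not part of the slides or the paper: the application data is wrapped in a TCP header, then an IPv4 header, then an Ethernet II frame, and unpacked again the way a receiving host would do it. The header layouts are the standard ones; the TCP checksum is left at zero (an assumption made to keep the example short), while the IPv4 header checksum is computed and verified. The sample MACs and IPs are the values from the slide tables, and the HTTP request is constructed.

```python
"""Build an Ethernet/IPv4/TCP frame layer by layer and unpack it again.

Added example, not code from the paper or the slides.  TCP checksum is left at
zero (assumption); the IPv4 header checksum is real.
"""
import struct
from typing import Dict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def encapsulate(payload: bytes, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Wrap application data in TCP, then IPv4, then an Ethernet II frame."""
    # Transport layer: 20-byte TCP header, data offset 5 words, flags PSH|ACK
    # (an HTTP request travels on an already established connection).
    tcp_header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                             5 << 4, 0x18, 65535, 0, 0)
    segment = tcp_header + payload

    # Network layer: IPv4 header (version 4, IHL 5), TTL 64, protocol TCP.
    total_length = 20 + len(segment)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0,
                            64, IPPROTO_TCP, 0,
                            ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    checksum = ipv4_checksum(ip_header)
    ip_header = ip_header[:10] + struct.pack("!H", checksum) + ip_header[12:]
    packet = ip_header + segment

    # Link layer: destination MAC, source MAC, EtherType, then the IP packet.
    ethernet_header = (mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
                       + struct.pack("!H", ETHERTYPE_IPV4))
    return ethernet_header + packet


def decapsulate(frame: bytes) -> Dict[str, object]:
    """Peel the layers off again, checking what a receiving host would check."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")

    ip_packet = frame[14:]
    ihl = (ip_packet[0] & 0x0F) * 4
    (_, _, total_length, _, _, _, proto, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_packet[:20])
    if ipv4_checksum(ip_packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_TCP:
        raise ValueError("not TCP")

    segment = ip_packet[ihl:total_length]
    src_port, dst_port, _, _, offset_byte = struct.unpack("!HHIIB", segment[:13])
    data_offset = (offset_byte >> 4) * 4
    return {
        "src_mac": ":".join("%02X" % b for b in src_mac),
        "dst_mac": ":".join("%02X" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in src_ip),
        "dst_ip": ".".join(str(b) for b in dst_ip),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": segment[data_offset:],
    }


def is_valid_frame(frame: bytes) -> bool:
    """True if the frame unpacks cleanly (EtherType, checksum and protocol all check out)."""
    try:
        decapsulate(frame)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample: Host A (MAC from the slide table) sends an HTTP request to Host C.
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_FRAME = encapsulate(
    SAMPLE_PAYLOAD,
    src_mac="00:0A:02:0B:03:0C", dst_mac="00:0C:29:01:98:27",
    src_ip="140.134.1.3", dst_ip="140.134.1.7", src_port=1234, dst_port=80)

if __name__ == "__main__":
    print(len(SAMPLE_FRAME), decapsulate(SAMPLE_FRAME))
```

The frame is 14 + 20 + 20 bytes of headers plus the payload; flipping any byte of the IPv4 header makes `is_valid_frame` return False, which is the check a host performs before it looks at the transport layer at all.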
Introduction (2/3): Software-Defined Networks (SDN)

[Figure: an OpenFlow switch between two hosts (PC) and an SDN controller, drawn beside the OSI stack. (1) A packet from a host is looked up in the switch's flow table (Flow Entry 1, Flow Entry 2, ...); on a match the switch forwards it. (2) On an unmatch the OpenFlow agent (3) sends the packet to the SDN controller as a Packet-In over the secure channel, and (4) the controller answers with a Packet-Out.]

Speaker note (translated): a traditional switch has to learn by itself where to forward each packet and run spanning tree to avoid network loops; these are its basic functions.
Introduction (3/3)

[Figure: the SDN controller keeps the MAC address table (Host A: Port 1, Host C: Port 4) and, through Packet-In/Packet-Out over the secure channel, installs entries into the flow table of the OpenFlow switch, which has Host A, Host B and Host C attached to ports 1-4. Flow table entries shown:
  in-Port: 4, Host A, Output: Port 1
  in-Port: 1, Host B, Output: Port 4]
Preliminary (1/3): DoS Attack?

Denial-of-Service attack, illustrated with the TCP handshake (drawn beside the OSI stack):
  Normal: the client sends SYN, the server answers SYN-ACK, and the client completes the handshake with ACK.
  Attack: the attacker sends SYN after SYN; the server answers each with SYN-ACK, but the final ACK never arrives (marked "?"), so the server is left holding half-open connections.
Preliminary (2/3): DoS on SDN Networks

[Figure: Host A, Host B and an attacker attached to an OpenFlow switch. The attacker's packets carry modified MAC addresses, IP addresses and port numbers, so each one matches no entry in the flow table (Unmatch); the OpenFlow agent sends every such packet to the SDN controller as a Packet-In, and the controller has to answer each with a Packet-Out.]
Preliminary (3/3): DoS Attack Results

[Figure: measurements under a 3000 pps attack: workload of the OpenFlow agent, workload of the secure channel, and workload of the controller.]
Proposed scheme (1/3): DosDefender Architecture

[Figure: DosDefender architecture diagram.]
Proposed scheme (2/3): Port Management

Each switch port is kept in one of three states: null, host connect, switch connect.
  LLDP: Link Layer Discovery Protocol
  TCP: Transmission Control Protocol
  UDP: User Datagram Protocol

[Figure: Packet-In messages from OpenFlow Switch A to the SDN controller. A port on which LLDP packets arrive (from OpenFlow Switch B or C) is marked "switch connect"; a port on which TCP/UDP packets arrive from a Host (PC) is marked "host connect"; a port that has seen neither stays "null".]
Proposed scheme (3/3): Attack Detection

DosDefender modules on the SDN controller: Port Management, Attack Detection, Flow Rule Installing.

Tables kept by Attack Detection:

  MAC_Port
    MAC      Switch Port
    Host A
    Host B   7

  Port_IP
    Switch Port  IP
    3            140.134.1.3
    7            140.134.1.7

  IP_Portset
    IP           Host Port
    140.134.1.3  1234
    140.134.1.7  4567

[Figure: packets from the Host (PC) reach the OpenFlow switch; once Attack Detection flags them, Flow Rule Installing pushes a rule so the switch drops that traffic ("Drop") instead of forwarding it to the controller.]
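The three DosDefender stages on this slide and the previous one (Port Management, Attack Detection, Flow Rule Installing), as an added toy model that is not the paper's code: port states are derived from the Packet-In traffic a port generates, the MAC_Port, Port_IP and IP_Portset bindings are learned from the first packet seen, and a detected port gets a simulated drop rule so that later packets from it never reach the controller. The decision rules (first binding wins; more than `max_ports_per_ip` distinct source ports from one IP counts as an attack) and the threshold are assumptions of this example, not the paper's; the host addresses are taken from the slide tables and the traffic is constructed.

```python
"""Toy model of DosDefender's Port Management, Attack Detection and Flow Rule
Installing.  Added example; the decision rules and threshold are assumptions,
not the paper's algorithm."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LLDP_ETHERTYPE = 0x88CC  # an LLDP frame marks the receiving port as "switch connect"


@dataclass(frozen=True)
class PacketIn:
    """The header fields of one unmatched packet the switch sent to the controller."""
    in_port: int
    src_mac: str
    ethertype: int = 0x0800
    src_ip: Optional[str] = None
    proto: Optional[str] = None      # "tcp" or "udp"
    src_port: Optional[int] = None


@dataclass
class DosDefender:
    max_ports_per_ip: int = 8                                   # assumed threshold
    port_state: Dict[int, str] = field(default_factory=dict)    # null / host connect / switch connect
    mac_port: Dict[int, str] = field(default_factory=dict)      # MAC_Port: switch port -> MAC
    port_ip: Dict[int, str] = field(default_factory=dict)       # Port_IP: switch port -> IP
    ip_portset: Dict[str, Set[int]] = field(default_factory=lambda: defaultdict(set))  # IP_Portset
    drop_rules: Set[int] = field(default_factory=set)           # ports with a drop rule installed
    packet_in_count: int = 0                                    # load that reached the controller

    def handle(self, pkt: PacketIn) -> str:
        # Switch side: an installed drop rule matches first, so no Packet-In is generated.
        if pkt.in_port in self.drop_rules:
            return "dropped"
        self.packet_in_count += 1            # unmatched packet reaches the controller

        # Port Management: classify the port from the kind of traffic it delivers.
        if pkt.ethertype == LLDP_ETHERTYPE:
            self.port_state[pkt.in_port] = "switch connect"
            return "switch-port"
        if pkt.proto in ("tcp", "udp"):
            self.port_state.setdefault(pkt.in_port, "host connect")
        if self.port_state.get(pkt.in_port) != "host connect":
            return "forward"                 # inter-switch links carry many hosts' traffic

        # Attack Detection on host-facing ports only.
        reason = self._detect(pkt)
        if reason is None:
            return "forward"
        # Flow Rule Installing: drop further traffic from this port at the switch.
        self.drop_rules.add(pkt.in_port)
        return "attack:" + reason

    def _detect(self, pkt: PacketIn) -> Optional[str]:
        """First binding wins; any later deviation on the same port is flagged."""
        if self.mac_port.setdefault(pkt.in_port, pkt.src_mac) != pkt.src_mac:
            return "mac"                     # MAC on this port changed (MAC_Port)
        if pkt.src_ip is None:
            return None
        if self.port_ip.setdefault(pkt.in_port, pkt.src_ip) != pkt.src_ip:
            return "ip"                      # IP on this port changed (Port_IP)
        if pkt.src_port is not None:
            ports = self.ip_portset[pkt.src_ip]
            ports.add(pkt.src_port)
            if len(ports) > self.max_ports_per_ip:
                return "port"                # too many source ports for one IP (IP_Portset)
        return None


def simulate(max_ports_per_ip: int = 4) -> Dict[str, object]:
    """Constructed traffic: an LLDP neighbour, a well-behaved host, and a host cycling source ports."""
    d = DosDefender(max_ports_per_ip=max_ports_per_ip)
    log: List[str] = []
    log.append(d.handle(PacketIn(2, "00:00:00:00:00:02", ethertype=LLDP_ETHERTYPE)))
    for _ in range(3):                       # Host A on port 3, values from the slide tables
        log.append(d.handle(PacketIn(3, "00:0A:02:0B:03:0C", src_ip="140.134.1.3",
                                     proto="tcp", src_port=1234)))
    for sport in range(4567, 4577):          # port 7 cycling through 10 source ports
        log.append(d.handle(PacketIn(7, "00:05:5D:E8:0F:A3", src_ip="140.134.1.7",
                                     proto="udp", src_port=sport)))
    return {"log": log, "packet_ins": d.packet_in_count, "drop_rules": sorted(d.drop_rules)}


if __name__ == "__main__":
    print(simulate())
```

With the threshold at 4, the fifth source port from 140.134.1.7 trips the detector and port 7 gets a drop rule; the remaining five packets are dropped at the switch, so the controller sees nine Packet-Ins in total rather than fourteen. That difference is the effect the workload figures on the Preliminary slides measure.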
Performance evaluation (1/3)

[Figures: MAC Attack Protection; IP Attack Protection.]
Performance evaluation (2/3)

[Figures: Port Number Attack Protection; Protection on the Secure Channel.]
Performance evaluation (3/3)

[Figures: CPU Usage; Memory Usage.]
Conclusions
  Simple
  Prevents attack traffic