DoS Vulnerabilities and Mitigation Strategies in Software-Defined Networks
Source: Journal of Network and Computer Applications, Vol. 125, No. 1, pp. 209-219, Jan. 2019 (3.991 SCI)
Authors: Shu-Hua Deng, Xing Gao, Ze-Bin Lu, Zheng-Fa Li, and Xie-Ping Gao (Xiangtan University; Memphis)
Speaker: Ren-Kai Yang
Date: 2019/01/24
Outline
  Introduction
  Preliminary
  Proposed scheme
  Performance evaluation
  Conclusions
Introduction(1/4)
OSI (Open System Interconnection) reference model: Application Layer, Presentation Layer, Session Layer, Transport Layer, Network Layer, Data-link Layer, Physical Layer
Figure: a packet from a host passes through Switch A, Switch B, Switch C and a Router to the Internet; at each switch the question is whether the destination is Host A, Host B or Host C.
MAC (Media Access Control) address table of a traditional switch:
  Host   MAC                Port
  A      00:0A:02:0B:03:0C  1
  B      00:05:5D:E8:0F:A3  3
  C      00:0C:29:01:98:27  7
Speaker notes:
Application stage: you open a browser, type a URL into the address bar and press [Enter]. The browser packages the URL and related data into a unit and passes it down to the TCP/IP application layer.
Application layer: the HTTP protocol provided by the application layer wraps the data from the browser, adds an application-layer header and passes it to the transport layer.
Transport layer: because HTTP needs a reliable connection, the data is placed inside a TCP segment, given a TCP header and passed to the network layer.
Network layer: the TCP segment is wrapped in an IP packet and given an IP header (mainly the source and destination IP addresses), then passed to the link layer.
Link layer: on Ethernet, the IP packet is wrapped in a MAC frame according to the CSMA/CD standard, given a MAC header, converted to a bit stream and sent over the transmission medium to the remote host.
Every packet passing through a switch must be unpacked, inspected and reassembled before being forwarded to the next switch. Switch CPUs are not very powerful, so this process is relatively inefficient. In addition, when new devices or network services are added, updating the devices is difficult: each must be configured one by one, and fault tolerance is low. The SDN architecture was therefore proposed to improve network efficiency.
Introduction(2/4) Software-Defined Networks (SDN)
Figure: SDN architecture, with an SDN Controller above the switches.
Introduction(3/4)
OpenFlow Switch and SDN Controller (OSI layers: Application, Presentation, Session, Transport, Network, Data-link, Physical)
  1. A Host (PC) sends a packet to the OpenFlow Switch.
  2. The OpenFlow Agent looks the packet up in the Flow Table (Flow Entry 1, Flow Entry 2, ...): Match or Unmatch.
  3. An unmatched packet is sent as a Packet-In to the SDN Controller over the Secure Channel.
  4. The SDN Controller replies with a Packet-Out over the Secure Channel, and the packet is delivered to the destination Host (PC).
Speaker note: A traditional switch must itself learn where to forward packets and run spanning tree to avoid network loops (basic functions).
Introduction(4/4)
The SDN Controller keeps the MAC Address Table: Host A: Port 1, Host C: Port 4
OpenFlow Switch (ports 1, 2, 3, 4) Flow Table, installed by the controller through Packet-In / Packet-Out over the Secure Channel:
  in-Port: 4, Host A, Output: Port 1
  in-Port: 1, Host B, Output: Port 4
Hosts attached to the switch: Host A, Host B, Host C
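The Packet-In / Packet-Out learning workflow of the two slides above, written out as an added example (this is not code from the paper or the slides; it is a small simulator built on the slide's MAC addresses, and the "(in_port, dst MAC)" flow-entry key mirrors the entries shown on the slide):

```python
# Added example: a minimal model of the OpenFlow learning-switch workflow.
# The switch holds a flow table; a packet that matches no entry goes to the
# controller as a Packet-In, the controller learns (src MAC -> in_port), answers
# with a Packet-Out and installs a flow entry, so later packets of the same flow
# are matched inside the switch and never reach the controller.
from dataclasses import dataclass, field

FLOOD = "FLOOD"  # Packet-Out action when the destination MAC is still unknown


@dataclass(frozen=True)
class Packet:
    in_port: int
    src_mac: str
    dst_mac: str


@dataclass
class Controller:
    """SDN controller keeping a MAC address table (MAC -> switch port)."""
    mac_table: dict = field(default_factory=dict)
    packet_in_count: int = 0

    def packet_in(self, pkt):
        """Handle a Packet-In; return (Packet-Out action, flow entry to install or None)."""
        self.packet_in_count += 1
        self.mac_table[pkt.src_mac] = pkt.in_port      # learn the source host's port
        out_port = self.mac_table.get(pkt.dst_mac)
        if out_port is None:
            return FLOOD, None                         # unknown destination: flood, install nothing
        # Flow entry keyed on (in-Port, destination host), as on the slide
        return out_port, ((pkt.in_port, pkt.dst_mac), out_port)


@dataclass
class OpenFlowSwitch:
    controller: Controller
    flow_table: dict = field(default_factory=dict)

    def receive(self, pkt):
        """Forward one packet: match the flow table, otherwise Packet-In to the controller."""
        key = (pkt.in_port, pkt.dst_mac)
        if key in self.flow_table:
            return self.flow_table[key], "matched"
        action, entry = self.controller.packet_in(pkt)  # Packet-In over the secure channel
        if entry is not None:
            self.flow_table[entry[0]] = entry[1]          # controller installs the flow rule
        return action, "packet-in"                        # Packet-Out carries the action


def demo():
    """Constructed scenario: Host A on port 1 and Host C on port 4 exchange packets."""
    ctl = Controller()
    sw = OpenFlowSwitch(ctl)
    a, c = "00:0A:02:0B:03:0C", "00:0C:29:01:98:27"   # MACs taken from the slide's table
    results = [
        sw.receive(Packet(1, a, c)),  # A -> C: C unknown, flooded, A learned on port 1
        sw.receive(Packet(4, c, a)),  # C -> A: A known, flow (4, A) -> 1 installed
        sw.receive(Packet(4, c, a)),  # same flow: matched in the switch, no Packet-In
        sw.receive(Packet(1, a, c)),  # A -> C: C now known, flow (1, C) -> 4 installed
        sw.receive(Packet(1, a, c)),  # matched
    ]
    return results, ctl.packet_in_count, len(sw.flow_table)


if __name__ == "__main__":
    print(demo())
```

Five packets cause only three Packet-Ins; the two later packets are absorbed by the installed flow entries. That gap between "first packet of a flow" and "every other packet" is exactly what the DoS attack on the following slides abuses: traffic crafted so that no flow entry ever matches.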
Preliminary(1/3) DoS Attack?
Denial-of-Service Attack (TCP, Transmission Control Protocol; SYN = Synchronize, ACK = Acknowledgment)
Normal: client SYN -> server SYN-ACK -> client ACK
Attack: the attacker keeps sending SYN packets; the server answers each with a SYN-ACK and waits for an ACK that never comes (?)
Speaker note: Shorten the SYN timeout; give each requesting IP a cookie, and when consecutive packets arrive within a short time, report an attack and drop that IP's packets from then on.
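The speaker note sketches a mitigation: a shortened SYN timeout plus a per-source tally that flags a burst of SYNs. The following is an added example (not from the paper or the slides) that applies that idea to a constructed packet trace; the timeout, window and threshold values are assumptions chosen for the demonstration, not figures from the paper.

```python
# Added example: SYN-flood detection with a shortened half-open timeout and a
# per-source-IP "cookie" (a deque of recent SYN arrival times). All timestamps
# are integer milliseconds so the arithmetic is exact.
from collections import defaultdict, deque

SYN_TIMEOUT_MS = 3000      # assumed shortened half-open timeout (OS defaults are far longer)
WINDOW_MS = 1000           # assumed "short time" window
MAX_SYN_IN_WINDOW = 5      # assumed: more than this many SYNs per IP in the window -> attack


class SynGuard:
    def __init__(self):
        self.half_open = {}                   # (src_ip, src_port) -> SYN arrival time
        self.syn_times = defaultdict(deque)   # src_ip -> recent SYN timestamps (the cookie)
        self.blocked = set()                  # IPs whose packets are dropped from now on
        self.alerts = []                      # (time, src_ip, SYN count) when an attack is reported

    def expire(self, now):
        """Forget half-open connections older than the shortened timeout."""
        for key, t in list(self.half_open.items()):
            if now - t > SYN_TIMEOUT_MS:
                del self.half_open[key]

    def handle(self, now, src_ip, src_port, flags):
        """Return 'drop', 'open', 'established' or 'pass' for one packet."""
        self.expire(now)
        if src_ip in self.blocked:
            return "drop"
        if flags == "SYN":
            recent = self.syn_times[src_ip]
            recent.append(now)
            while recent and now - recent[0] > WINDOW_MS:
                recent.popleft()              # slide the window
            if len(recent) > MAX_SYN_IN_WINDOW:
                self.blocked.add(src_ip)
                self.alerts.append((now, src_ip, len(recent)))
                # release the half-open state this source was holding
                self.half_open = {k: v for k, v in self.half_open.items() if k[0] != src_ip}
                return "drop"
            self.half_open[(src_ip, src_port)] = now
            return "open"
        if flags == "ACK" and (src_ip, src_port) in self.half_open:
            del self.half_open[(src_ip, src_port)]   # handshake completed
            return "established"
        return "pass"


def run_trace(trace):
    """Feed a trace of (time_ms, src_ip, src_port, flags) through the guard."""
    guard = SynGuard()
    verdicts = [guard.handle(*pkt) for pkt in trace]
    return verdicts, guard.alerts, sorted(guard.blocked)


# Constructed trace: 10.0.0.9 completes a normal handshake and later opens a
# second connection; 10.0.0.66 fires eight SYNs in 400 ms and never sends an ACK.
TRACE = (
    [(0, "10.0.0.9", 40001, "SYN"), (100, "10.0.0.9", 40001, "ACK")]
    + [(200 + 50 * i, "10.0.0.66", 50000 + i, "SYN") for i in range(8)]
    + [(5000, "10.0.0.66", 50100, "SYN"), (5100, "10.0.0.9", 40002, "SYN")]
)

if __name__ == "__main__":
    print(run_trace(TRACE))
```

The sixth SYN from 10.0.0.66 crosses the threshold, the source is reported and its later packets (including one well outside the window) are dropped, while the legitimate host is unaffected. Production SYN cookies encode the handshake state in the sequence number instead of keeping a table; this tally is the simpler rate-based variant the note describes.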
Preliminary(2/3) DoS on SDN Networks
The Attacker modifies the MAC Address, IP Address or Port Number of its packets so that each packet is Unmatched in the Flow Table (Flow Entry 1, Flow Entry 2, ...) of the OpenFlow Switch.
Every unmatched packet is forwarded by the OpenFlow Agent as a Packet-In to the SDN Controller, which has to answer with a Packet-Out.
Other hosts on the switch: Host A, Host B
Preliminary(3/3) DoS Attack Results
Figures (attack rate 3000 pps): Workload of the OpenFlow Agent; Workload of the Secure Channel; Workload of the Controller
Proposed scheme(1/4) DosDefender Architecture
Proposed scheme(2/4) Port Management
LLDP: Link Layer Discovery Protocol; TCP: Transmission Control Protocol; UDP: User Datagram Protocol
Each switch port starts in the null state and is classified by the Packet-In traffic the SDN Controller sees from it:
  LLDP packets (from OpenFlow Switch A, B or C) -> switch connect
  TCP/UDP packets (from a Host (PC)) -> host connect
Proposed scheme(3/4) Attack Detection & Flow Installing
DosDefender modules in the SDN Controller: Port Management, Attack Detection, Flow Rule Installing
Tables kept by DosDefender:
  MAC_Port     MAC      Switch Port
               Host A   3
               Host B   7
  Port_IP      Switch Port   IP
               3             140.134.1.3
               7             140.134.1.7
  IP_Portset   IP             Host Port
               140.134.1.3    1234
               140.134.1.7    4567
Packets from a Host (PC) that fail the check at the OpenFlow Switch get a Drop flow rule.
Proposed scheme(4/4)
Example: Hosts A, B, C, D attached to OpenFlow Switch ports E1, E2, E3, E4; the attacker changes MAC Address, IP Address or Port Number, and Attack Detection runs on each Packet-In at the SDN Controller.
  MAC_Port     MAC Address   Switch Port
               Host A        E1
               Host B        E2
               Host C        E3
               Host D        E4
  Port_IP      Switch Port   IP
               E1            140.134.1.1
               E4            140.134.1.4
  IP_Portset   IP             Host Port
               140.134.1.1    1234
               140.134.1.4    1234
               140.134.1.4    4567
Speaker note: MAC address table entries are kept for 300 sec. Ethernet requires two computers to know each other's MAC address to communicate, but computers on different network segments cannot connect even if they know the MAC; that is achieved through ARP (Address Resolution Protocol) and forwarding by routers.
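The three DosDefender modules of the last three slides (Port Management, Attack Detection, Flow Rule Installing) driven by a constructed sequence of Packet-In events, as an added example. This is not the paper's DosDefender code: the port classification follows the slide (LLDP -> switch connect, TCP/UDP -> host connect), while the binding rules checked against MAC_Port, Port_IP and IP_Portset and the port-number threshold are my assumptions about how those tables are used, since the slides give no exact rules.

```python
# Added example: a DosDefender-style controller module. Switch ports are
# classified first; only host-connect ports are checked, and a packet whose
# identifiers contradict the learned bindings gets a drop rule on its port.
from collections import defaultdict

MAX_PORTS_PER_IP = 3   # assumed threshold for the port-number attack (not from the paper)


class DosDefender:
    def __init__(self):
        self.port_state = {}                # switch port -> "null" / "host-connect" / "switch-connect"
        self.mac_port = {}                  # MAC_Port: MAC -> switch port
        self.port_ip = {}                   # Port_IP: switch port -> IP
        self.ip_portset = defaultdict(set)  # IP_Portset: IP -> set of host (L4) port numbers
        self.drop_rules = []                # drop flow rules pushed to the switch

    def port_management(self, sw_port, proto):
        """Classify a switch port from the Packet-In traffic seen on it, as on the slide."""
        state = self.port_state.get(sw_port, "null")
        if proto == "LLDP":
            self.port_state[sw_port] = "switch-connect"   # another switch is behind this port
        elif proto in ("TCP", "UDP") and state == "null":
            self.port_state[sw_port] = "host-connect"
        return self.port_state.get(sw_port, "null")

    def attack_detection(self, sw_port, mac, ip, l4_port):
        """Compare a packet's identifiers with the bindings learned so far (assumed rules)."""
        bound_port = self.mac_port.get(mac)
        if bound_port is not None and bound_port != sw_port:
            return "mac-attack"   # a MAC bound to one port shows up on another
        if any(p == sw_port and m != mac for m, p in self.mac_port.items()):
            return "mac-attack"   # a second MAC appears behind a host port
        bound_ip = self.port_ip.get(sw_port)
        if bound_ip is not None and bound_ip != ip:
            return "ip-attack"    # the IP behind a host port changed
        known = self.ip_portset[ip]
        if l4_port not in known and len(known) >= MAX_PORTS_PER_IP:
            return "port-attack"  # one IP keeps producing fresh port numbers
        return None

    def learn(self, sw_port, mac, ip, l4_port):
        self.mac_port[mac] = sw_port
        self.port_ip[sw_port] = ip
        self.ip_portset[ip].add(l4_port)

    def flow_rule_installing(self, sw_port, verdict):
        """Install a drop rule for everything arriving on the offending switch port."""
        rule = {"in_port": sw_port, "action": "drop", "reason": verdict}
        if rule not in self.drop_rules:
            self.drop_rules.append(rule)
        return rule

    def packet_in(self, sw_port, proto, mac=None, ip=None, l4_port=None):
        """Handle one Packet-In; return the action the controller takes."""
        if self.port_management(sw_port, proto) != "host-connect":
            return "forward"      # LLDP / switch-connect traffic is not checked
        if any(r["in_port"] == sw_port for r in self.drop_rules):
            return "drop"
        verdict = self.attack_detection(sw_port, mac, ip, l4_port)
        if verdict:
            self.flow_rule_installing(sw_port, verdict)
            return "drop"
        self.learn(sw_port, mac, ip, l4_port)
        return "forward"


def demo():
    """Constructed Packet-In sequence on ports E1..E4 with the slide's 140.134.1.x addresses."""
    d = DosDefender()
    host_a, host_d = "00:0A:02:0B:03:0C", "00:0C:29:01:98:27"
    out = [
        d.packet_in("E2", "LLDP"),                                  # a switch behind E2
        d.packet_in("E1", "TCP", host_a, "140.134.1.1", 1234),      # Host A learned on E1
        d.packet_in("E4", "TCP", host_d, "140.134.1.4", 1234),      # Host D learned on E4
        d.packet_in("E4", "UDP", host_d, "140.134.1.4", 4567),      # second port: fine
        d.packet_in("E4", "TCP", host_d, "140.134.1.4", 4568),      # third port: fine
        d.packet_in("E4", "TCP", host_d, "140.134.1.4", 4569),      # fourth: port-number attack
        d.packet_in("E1", "TCP", host_a, "140.134.1.9", 1234),      # Host A's MAC, new IP: IP attack
        d.packet_in("E3", "TCP", host_a, "140.134.1.3", 80),        # Host A's MAC on E3: MAC attack
    ]
    return out, d.port_state, d.drop_rules


if __name__ == "__main__":
    print(demo())
```

The drop rule is keyed on the switch port rather than on the spoofed MAC, IP or port number, because those are exactly the fields the attacker changes per packet; a rule on the physical port stops the Packet-In stream regardless of what the next packet claims to be.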
Performance evaluation(1/3)
Figures: MAC Attack Protection; IP Attack Protection
Performance evaluation(2/3)
Figures: Port Number Attack Protection; Protection on the Secure Channel
Performance evaluation(3/3)
Figures: CPU Usage; Memory Usage
Conclusions
  Simple
  Prevents attack traffic