Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr. , Xenia Mountrouidou , Xiangyang Li and Kaiqi Xiong Conference: IEEE 35th International Conference on Distributed Computing Systems Workshops (ICDCSW), 2015 Presenter: Kuan-Chieh Feng Date: 2015/10/21 Department of Computer Science and Information Engineering National Cheng Kung University Outline Introduction Approach System Architecture Experiment National Cheng Kung University CSIE Computer & Internet Architecture Lab 2 Introduction In this paper, we discuss a novel attack detection approach that coordinates monitors distributed over a network and controllers centralized on an SDN Open Virtual Switch , selectively inspecting network packets on demand. National Cheng Kung University CSIE Computer & Internet Architecture Lab 3 Introduction Two studies are especially relevant to the challenges and solutions in this study. • The OrchSec architecture [3] uses decoupled • monitors and SDN correlators in order to mitigate different types of attacks. The NICE framework [4] is an IDS agent to monitor mirrored traffic and to propose potential countermeasures to attacks. National Cheng Kung University CSIE Computer & Internet Architecture Lab 4 Introduction A monitor is sensitive and lightweight to quickly detect anomalies in network traffic. A correlator, upon receiving an alert from a monitor, verifies the suspicion by inspecting detailed evidence of network packets in its neighborhood for additional attack signatures. National Cheng Kung University CSIE Computer & Internet Architecture Lab 5 Approach DoS flooding attacks try to deplete the recourses that a victim device has, being the network bandwidth or host resources. They utilize a variety of techniques of flooding, amplification, protocol exploiting, and malformed packets. Recently SDN has been applied in several studies. National Cheng Kung University CSIE Computer & Internet Architecture Lab 6 Approach However, DoS still poses many significant challenges to current detection and correlation solutions: • The ability of Intrusion Detection Systems (IDS) • is limited by what they see in data and thus by their locations on a network. Even if a SDN correlator is able to get hold of every bit of data, it is impossible to do deep inspection on every network packet National Cheng Kung University CSIE Computer & Internet Architecture Lab 7 Approach There is always a tradeoff in handling each of these problems. • Ex: IDS location The key is to consider how to best utilize different IDS elements together in a dynamic and adaptive way. • Solution : SDN National Cheng Kung University CSIE Computer & Internet Architecture Lab 8 Approach Consider the TCP SYN flood attack : A surge of traffic volume of SYN requests • Setting up a control threshold over the baseline traffic in monitor can quickly recognize a surge of abnormal traffic. Spoofed IP address in invalid SYN requests • Requires adequate knowledge to be able to tell them apart from other legitimate IPs National Cheng Kung University CSIE Computer & Internet Architecture Lab 9 Approach National Cheng Kung University CSIE Computer & Internet Architecture Lab 10 System Architecture System Design Algorithms Communication Protocol National Cheng Kung University CSIE Computer & Internet Architecture Lab 11 System Architecture – system design Server Client (normal user, attacker) Open Virtual Switch Monitor Correlator (SDN controller) National Cheng Kung University CSIE Computer & Internet Architecture Lab 12 System Architecture - algorithm The Monitor is running a real time communicator algorithm. The Correlator, hosted on the SDN controller, runs another algorithm that maintains an open communication with the monitor and the OVS. • A hash table based on original flow table • Another hash table based on current flow table National Cheng Kung University CSIE Computer & Internet Architecture Lab 13 System Architecture – communication protocol National Cheng Kung University CSIE Computer & Internet Architecture Lab 14 Experiment Environment • Implementation on GENI • Ubuntu Linux 64 bits • Normal traffic created by iperf • TCP SYN floods with IP spoofing by hping3 • Correlator running correlation algorithm on POX • The IDS is implemented by Snort rule • Communication protocol between the monitor and correlator are implement in Python using socket programming National Cheng Kung University CSIE Computer & Internet Architecture Lab 15 Experiment - Result analysis National Cheng Kung University CSIE Computer & Internet Architecture Lab 16 Experiment - Result analysis National Cheng Kung University CSIE Computer & Internet Architecture Lab 17 Experiment - Result analysis National Cheng Kung University CSIE Computer & Internet Architecture Lab 18 Experiment The monitor is the bottleneck in our experimentation The most time consuming part of the monitor implementation the time it takes for the monitor to receive the attack packets To improve the performance, we will need to either increase the number of monitors or use more powerful machines. National Cheng Kung University CSIE Computer & Internet Architecture Lab 19