Selective Packet Inspection to Detect
DoS Flooding
Using Software Defined Networking
Author : Tommy Chin Jr. , Xenia Mountrouidou , Xiangyang Li and
Kaiqi Xiong
Conference: IEEE 35th International Conference on Distributed
Computing Systems Workshops (ICDCSW), 2015
Presenter: Kuan-Chieh Feng
Date: 2015/10/21
Department of Computer Science and Information Engineering
National Cheng Kung University
Outline




Introduction
Approach
System Architecture
Experiment
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
2
Introduction

In this paper, we discuss a novel attack
detection approach that coordinates monitors
distributed over a network and controllers
centralized on an SDN Open Virtual Switch ,
selectively inspecting network packets on
demand.
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
3
Introduction

Two studies are especially relevant to the
challenges and solutions in this study.
• The OrchSec architecture [3] uses decoupled
•
monitors and SDN correlators in order to
mitigate different types of attacks.
The NICE framework [4] is an IDS agent to
monitor mirrored traffic and to propose potential
countermeasures to attacks.
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
4
Introduction


A monitor is sensitive and lightweight to
quickly detect anomalies in network traffic.
A correlator, upon receiving an alert from a
monitor, verifies the suspicion by inspecting
detailed evidence of network packets in its
neighborhood for additional attack
signatures.
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
5
Approach



DoS flooding attacks try to deplete the
recourses that a victim device has, being the
network bandwidth or host resources.
They utilize a variety of techniques of
flooding, amplification, protocol exploiting,
and malformed packets.
Recently SDN has been applied in several
studies.
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
6
Approach

However, DoS still poses many significant
challenges to current detection and
correlation solutions:
• The ability of Intrusion Detection Systems (IDS)
•
is limited by what they see in data and thus by
their locations on a network.
Even if a SDN correlator is able to get hold of
every bit of data, it is impossible to do deep
inspection on every network packet
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
7
Approach

There is always a tradeoff in handling each
of these problems.
• Ex: IDS location

The key is to consider how to best utilize
different IDS elements together in a dynamic
and adaptive way.
• Solution : SDN
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
8
Approach


Consider the TCP SYN flood attack :
A surge of traffic volume of SYN requests
• Setting up a control threshold over the baseline
traffic in monitor can quickly recognize a surge of
abnormal traffic.

Spoofed IP address in invalid SYN requests
• Requires adequate knowledge to be able to tell
them apart from other legitimate IPs
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
9
Approach
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
10
System Architecture



System Design
Algorithms
Communication Protocol
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
11
System Architecture – system design





Server
Client (normal user, attacker)
Open Virtual Switch
Monitor
Correlator (SDN controller)
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
12
System Architecture - algorithm


The Monitor is running a real time
communicator algorithm.
The Correlator, hosted on the SDN
controller, runs another algorithm that
maintains an open communication with the
monitor and the OVS.
• A hash table based on original flow table
• Another hash table based on current flow table
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
13
System Architecture – communication protocol
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
14
Experiment

Environment
• Implementation on GENI
• Ubuntu Linux 64 bits
• Normal traffic created by iperf
• TCP SYN floods with IP spoofing by hping3
• Correlator running correlation algorithm on POX
• The IDS is implemented by Snort rule
• Communication protocol between the monitor and
correlator are implement in Python using socket
programming
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
15
Experiment - Result analysis
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
16
Experiment - Result analysis
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
17
Experiment - Result analysis
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
18
Experiment



The monitor is the bottleneck in our
experimentation
The most time consuming part of the monitor
implementation the time it takes for the
monitor to receive the attack packets
To improve the performance, we will need to
either increase the number of monitors or use
more powerful machines.
National Cheng Kung University CSIE
Computer & Internet Architecture Lab
19