SlideShare a Scribd company logo

DDoS Attack Detection & Mitigation in SDN

C
Chao Chen

project of Software Defined Networks course

Engineering
1 of 32
Download to read offline
DDoS Attack Detection & Mitigation in SDN FINAL VIVA PRESENTATION 2014-12-08 COMSE-6998 Presented by Chao CHEN (cc3736)
Key Words DDoS Attack Detection and Mitigation Type: ICMP Flood SYN Flood DNS Amplification UDP Flood InMon sFlow-RT + Floodlight controller + Mininet SDN Application to perform DDoS Protection
RESEARCH BACKGROUND SCHEME DESIGN APPLICATION DEVELOPMENT ENVIRONMENT ESTABLISHMENT TEST & EVALUATION
RESEARCH BACKGROUND
Research Background Real Time detection and mitigation with lowest cost of device deployment
Research Background sFlow = sampled Flow Device Capability → Easy Deployment Physical Device: Cisco Nexus 3000/3100 series IBM c/g/m/r/s/x/y series Juniper EX 2200/3200/3300/4200/6200 series …… Virtual Device: OpenVSwitch Apache Nginx …… sFlow Collectors: InMon sFlow-RT Brocade Network Advisor …… SDN analytics and control using sFlow standard
Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API
Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API detection mitigation processing
SCHEME DESIGN
Scheme Design Yes No Overall Flowchart of Application need to be specified for different kinds of attacks
Scheme Design ICMP Flood Attack Mechanism: Each device in the botnet ping the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded ipprotocol=1 #ICMP Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design SYN Flood Attack Mechanism: Each device in the botnet sends TCP SYN packets to the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded tcpflags~…….1.=1 #TCP SYN packet Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
Scheme Design DNS Amplification Attack Mechanism: Each device in the botnet sends DNS query to several DNS servers with src-ip=victim’s ip. (take ANY(15) for example)
Scheme Design DNS Amplification Attack Flow Definition: ipsource=0.0.0.0/0, ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers outputifindex!=discard, #packet is not discarded dnsqr=false, dnsqtype=255 Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip Protect at the DNS servers (instead of the victim)
Scheme Design UDP Flood Attack Mechanism: Each device in the botnet sends UDP packets to all the ports if the server Attacker botnet/compromised system target server Command Command Command 1 5 7 9 11 13 15 … UDP port list UDP Packets ICMP Destination Unreachable
Scheme Design UDP Flood Attack Flow Definition: ipsource=10.0.0.2/32, #reversed ipdestination=0.0.0.0/0, outputifindex!=discard, #packet is not discarded ipprotocol=1, #ICMP icmptype=3, #Destination Unreachable Match Field in blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip Protect by monitoring ICMP Destination Unreachable packets
APPLICATION DEVELOPMENT
Application Development python Import requests & json to perform GET/PUT/POST via REST API Different attacks are implemented similarly. Take ICMP Flood attack as example. Definition of flows, thresholds,…: POST the definition to sFlow-RT:
Application Development Attack classification & Static Flow Entry Push:
ENVIRONMENT ESTABLISHMENT
Environment Establishment Laptop Ubuntu VM App Mininet 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.10.10.2:6633 10.10.10.2:8080 10.10.10.2:8008 10.10.10.2:6343
TEST & EVALUATION
Test & Evaluation Launch floodlight: ./floodlight.sh Launch InMon sFlow-RT: ./start.sh Launch InMon sFlow-RT: sudo ./topo.sh set s1 is a sFlow agent, and set up bridge between s1 and sFlow-RT
Test & Evaluation Without mitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2 network traffic flow attack from h4 ICMP Flood Attack
Test & Evaluation With mitigation: h4 ICMP attack on h2 network traffic flow attack from h4 is mitigated ICMP Flood Attack
Test & Evaluation Continue: h5 ICMP attack on h2 network traffic flow attack from h5 is mitigated ICMP Flood Attack
Test & Evaluation ICMP Flood Attack ‘subflows’ in ICMP Attack Flow Events triggered in this case Flowtable of s1 (attacked by h3, h4, h6)
Test & Evaluation SYN Flood Attack Without mitigation: h1 SYN attack on h2 with: ping —tcp -p 80 —flag syn -rate 2000 —count 20000000 —no-capture —quiet 10.0.0.2 network traffic flow
Test & Evaluation SYN Flood Attack With mitigation: h6 and h4 SYN attack on h2 SYN Flood Traffic Flowtable of s1 (attacked by h3, h4, h5, h6) attacks from h6 and h4 are mitigated
Test & Evaluation DNS Amplification Attack & UDP Flood Attack: Cannot simulate attacks → No test result yet
Test & Evaluation Future Work: 1. Test on DNS Amplification Attack & UDP Flood Attack 2. {new_sample_rate, new_threshold} =update(old_sample_rate, old_threshold, network_congestion, server_status,…) 3. Sample Theory is efficient on large flows. Think about {tiny flows x n} 4. Reasonable unblock mechanism
Q&A

Recommended

12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacksHaltdos
 
Denial of service
Denial of serviceDenial of service
Denial of servicegarishma bhatia
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceEr. Shiva K. Shrestha
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printingCHETAN THAKRE
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dossadhana21297
 

Recommended

12 types of DDoS attacks
12 types of DDoS attacks12 types of DDoS attacks
12 types of DDoS attacksHaltdos
 
Denial of service
Denial of serviceDenial of service
Denial of servicegarishma bhatia
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
DDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceDDoS - Distributed Denial of Service
DDoS - Distributed Denial of ServiceEr. Shiva K. Shrestha
 
Introduction to foot printing
Introduction to foot printingIntroduction to foot printing
Introduction to foot printingCHETAN THAKRE
 
Dos n d dos
Dos n d dosDos n d dos
Dos n d dossadhana21297
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKSAnil Antony
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAPPhannarith Ou, G-CISO
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attackscommunication-eg
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Module 6 Session Hijacking
Module 6 Session HijackingModule 6 Session Hijacking
Module 6 Session Hijackingleminhvuong
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack Ahmed Salama
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffingBhavya Chawla
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
An introduction to denial of service attack
An introduction to denial of service attackAn introduction to denial of service attack
An introduction to denial of service attackMohammad Reza Mousavinasr
 
Dos attack
Dos attackDos attack
Dos attackManjushree Mashal
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attackstollen_fusion
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection systemOECLIB Odisha Electronics Control Library
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Malicious traffic
Malicious trafficMalicious traffic
Malicious trafficIshraq Al Fataftah
 
Network security
Network securityNetwork security
Network securityfatimasaham
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffersKunal Thakur
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Ciscoguestd05b31
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 

More Related Content

What's hot

Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography pptThushara92
 
Module 6 Session Hijacking
Module 6 Session HijackingModule 6 Session Hijacking
Module 6 Session Hijackingleminhvuong
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffingBhavya Chawla
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 
Network security
Network securityNetwork security
Network securityfatimasaham
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 

What's hot (20)

DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
Ddos attacks
Ddos attacksDdos attacks
Ddos attacks
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Network security cryptography ppt
Network security cryptography pptNetwork security cryptography ppt
Network security cryptography ppt
 
Module 6 Session Hijacking
Module 6 Session HijackingModule 6 Session Hijacking
Module 6 Session Hijacking
 
DDOS Attack
DDOS Attack DDOS Attack
DDOS Attack
 
Ethical Hacking - sniffing
Ethical Hacking - sniffingEthical Hacking - sniffing
Ethical Hacking - sniffing
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
An introduction to denial of service attack
An introduction to denial of service attackAn introduction to denial of service attack
An introduction to denial of service attack
 
Dos attack
Dos attackDos attack
Dos attack
 
DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attack
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
Intrusion detection system
Intrusion detection systemIntrusion detection system
Intrusion detection system
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Malicious traffic
Malicious trafficMalicious traffic
Malicious traffic
 
Network security
Network securityNetwork security
Network security
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 

Similar to DDoS Attack Detection & Mitigation in SDN

Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleHimani Singh
 
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerHACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerPriyanka Aash
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standardarnaudlh
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PROIDEA
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsNapier University
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksfangjiafu
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Floodlight OpenFlow DDoS
Floodlight OpenFlow DDoSFloodlight OpenFlow DDoS
Floodlight OpenFlow DDoSYoav Francis
 
Networking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey FedorovNetworking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey FedorovSergey Fedorov
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Topology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & KuryrTopology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & KuryrEshed Gal-Or
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification InfernoSriram Krishnan
 

Similar to DDoS Attack Detection & Mitigation in SDN (20)

Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN ControllerHACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
HACKING THE BRAIN: Customize Evil Protocol to Pwn an SDN Controller
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standard
 
R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1R bernardino hand_in_assignment_week_1
R bernardino hand_in_assignment_week_1
 
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
PLNOG 9: Paweł Wachelka - Network protection against DoS/DDoS attacks
 
Incident response: Advanced Network Forensics
Incident response: Advanced Network ForensicsIncident response: Advanced Network Forensics
Incident response: Advanced Network Forensics
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
DDoS.ppt
DDoS.pptDDoS.ppt
DDoS.ppt
 
Layer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacksLayer one 2011-gh0stwood-d-dos-attacks
Layer one 2011-gh0stwood-d-dos-attacks
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Network Sniffing
Network SniffingNetwork Sniffing
Network Sniffing
 
Floodlight OpenFlow DDoS
Floodlight OpenFlow DDoSFloodlight OpenFlow DDoS
Floodlight OpenFlow DDoS
 
Networking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey FedorovNetworking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
Networking @Scale'19 - Getting a Taste of Your Network - Sergey Fedorov
 
3-sdn-lab.pdf
3-sdn-lab.pdf3-sdn-lab.pdf
3-sdn-lab.pdf
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Topology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & KuryrTopology Service Injection using Dragonflow & Kuryr
Topology Service Injection using Dragonflow & Kuryr
 
Ntp in Amplification Inferno
Ntp in Amplification InfernoNtp in Amplification Inferno
Ntp in Amplification Inferno
 

Recently uploaded

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfRagavanV2
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringmulugeta48
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLManishPatel169454
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...tanu pandey
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxfenichawla
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Christo Ananth
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 

Recently uploaded (20)

Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Unit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdfUnit 1 - Soil Classification and Compaction.pdf
Unit 1 - Soil Classification and Compaction.pdf
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELLPVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
PVC VS. FIBERGLASS (FRP) GRAVITY SEWER - UNI BELL
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptxBSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 

DDoS Attack Detection & Mitigation in SDN

  • 1. DDoS Attack Detection & Mitigation in SDN FINAL VIVA PRESENTATION 2014-12-08 COMSE-6998 Presented by Chao CHEN (cc3736)
  • 2. Key Words DDoS Attack Detection and Mitigation Type: ICMP Flood SYN Flood DNS Amplification UDP Flood InMon sFlow-RT + Floodlight controller + Mininet SDN Application to perform DDoS Protection
  • 3. RESEARCH BACKGROUND SCHEME DESIGN APPLICATION DEVELOPMENT ENVIRONMENT ESTABLISHMENT TEST & EVALUATION
  • 5. Research Background Real Time detection and mitigation with lowest cost of device deployment
  • 6. Research Background sFlow = sampled Flow Device Capability → Easy Deployment Physical Device: Cisco Nexus 3000/3100 series IBM c/g/m/r/s/x/y series Juniper EX 2200/3200/3300/4200/6200 series …… Virtual Device: OpenVSwitch Apache Nginx …… sFlow Collectors: InMon sFlow-RT Brocade Network Advisor …… SDN analytics and control using sFlow standard
  • 7. Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API
  • 8. Research Background sFlow + Openflow 1. switch samples packets 2. switch sends the header of sampled packets to sFlow-RT 3. sFlow-RT maps it into fine-grained flow(e.g. tcpflags=SYN, icmptype=3…) 4. if exceed the threshold, trigger an event 5. events accessible from external apps through REST API detection mitigation processing
  • 10. Scheme Design Yes No Overall Flowchart of Application need to be specified for different kinds of attacks
  • 11. Scheme Design ICMP Flood Attack Mechanism: Each device in the botnet ping the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded ipprotocol=1 #ICMP Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
  • 12. Scheme Design SYN Flood Attack Mechanism: Each device in the botnet sends TCP SYN packets to the server at a high rate. Flow Definition: ipsource=0.0.0.0/0, ipdestination=10.0.0.2/32, #suppose h2 is the server outputifindex!=discard, #packet is not discarded tcpflags~…….1.=1 #TCP SYN packet Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip
  • 13. Scheme Design DNS Amplification Attack Mechanism: Each device in the botnet sends DNS query to several DNS servers with src-ip=victim’s ip. (take ANY(15) for example)
  • 14. Scheme Design DNS Amplification Attack Flow Definition: ipsource=0.0.0.0/0, ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers outputifindex!=discard, #packet is not discarded dnsqr=false, dnsqtype=255 Match Field in blocking flow entry: ether-type, protocol, src-ip, dst-ip Protect at the DNS servers (instead of the victim)
  • 15. Scheme Design UDP Flood Attack Mechanism: Each device in the botnet sends UDP packets to all the ports if the server Attacker botnet/compromised system target server Command Command Command 1 5 7 9 11 13 15 … UDP port list UDP Packets ICMP Destination Unreachable
  • 16. Scheme Design UDP Flood Attack Flow Definition: ipsource=10.0.0.2/32, #reversed ipdestination=0.0.0.0/0, outputifindex!=discard, #packet is not discarded ipprotocol=1, #ICMP icmptype=3, #Destination Unreachable Match Field in blocking flow entry: ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip Protect by monitoring ICMP Destination Unreachable packets
  • 18. Application Development python Import requests & json to perform GET/PUT/POST via REST API Different attacks are implemented similarly. Take ICMP Flood attack as example. Definition of flows, thresholds,…: POST the definition to sFlow-RT:
  • 21. Environment Establishment Laptop Ubuntu VM App Mininet 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.10.10.2:6633 10.10.10.2:8080 10.10.10.2:8008 10.10.10.2:6343
  • 23. Test & Evaluation Launch floodlight: ./floodlight.sh Launch InMon sFlow-RT: ./start.sh Launch InMon sFlow-RT: sudo ./topo.sh set s1 is a sFlow agent, and set up bridge between s1 and sFlow-RT
  • 24. Test & Evaluation Without mitigation: h1 ICMP attack on h2 with: ping -f 10.0.0.2 network traffic flow attack from h4 ICMP Flood Attack
  • 25. Test & Evaluation With mitigation: h4 ICMP attack on h2 network traffic flow attack from h4 is mitigated ICMP Flood Attack
  • 26. Test & Evaluation Continue: h5 ICMP attack on h2 network traffic flow attack from h5 is mitigated ICMP Flood Attack
  • 27. Test & Evaluation ICMP Flood Attack ‘subflows’ in ICMP Attack Flow Events triggered in this case Flowtable of s1 (attacked by h3, h4, h6)
  • 28. Test & Evaluation SYN Flood Attack Without mitigation: h1 SYN attack on h2 with: ping —tcp -p 80 —flag syn -rate 2000 —count 20000000 —no-capture —quiet 10.0.0.2 network traffic flow
  • 29. Test & Evaluation SYN Flood Attack With mitigation: h6 and h4 SYN attack on h2 SYN Flood Traffic Flowtable of s1 (attacked by h3, h4, h5, h6) attacks from h6 and h4 are mitigated
  • 30. Test & Evaluation DNS Amplification Attack & UDP Flood Attack: Cannot simulate attacks → No test result yet
  • 31. Test & Evaluation Future Work: 1. Test on DNS Amplification Attack & UDP Flood Attack 2. {new_sample_rate, new_threshold} =update(old_sample_rate, old_threshold, network_congestion, server_status,…) 3. Sample Theory is efficient on large flows. Think about {tiny flows x n} 4. Reasonable unblock mechanism
  • 32. Q&A