SSG - A Solution to Prevent Saturation Attack on the Data Plane and Control Plane in SDN/Openflow Network
Abstract
The SDN/Openflow architecture opens new opportunities for effective solutions to network security problems; however, it also brings new security challenges compared to traditional networks. One of these is the reactive installation of new flow entries, which makes the data plane and control plane easy targets for resource saturation attacks that use spoofing techniques such as SYN flood. A number of solutions to this problem exist, such as the Connection Migration (CM) mechanism of the Avant-Guard solution. However, most of them increase the load on commodity switches and/or split benign TCP connections, which can increase packet latency and disable some features of the TCP protocol. This paper presents a solution called SDN-based SYN Flood Guard (SSG), which takes advantage of Openflow's ability to match the TCP flags field and the RST Cookie technique to authenticate the three-way handshake of TCP connections in a device separate from the SDN/Openflow switches. The experiment results reveal that SSG solves the aforementioned problems and improves the SYN Flood.
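As an added illustration of the mechanism the abstract describes (not code from the paper or the SSG implementation), the following Python model shows an RST-cookie handshake authenticator that keeps no per-SYN state: it answers each SYN from an unverified source with a SYN-ACK carrying a deliberately wrong, HMAC-derived ACK number, accepts the source only when a RST returns with that number as its sequence number, and renders assumed ovs-ofctl-style flow rules that use the TCP flags match to steer only SYN packets to the guard. The `Packet` class, the `RstCookieGuard`/`steering_rules` names, the 64-second cookie slot and the rule syntax are assumptions of this example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    flags: str          # TCP flag letters: "S" SYN, "SA" SYN-ACK, "R" RST
    seq: int = 0
    ack: int = 0


class RstCookieGuard:
    """Hypothetical RST-cookie verifier placed in front of the OpenFlow switch."""

    def __init__(self, secret: bytes, ttl: int = 600, now=time.time):
        self.secret, self.ttl, self.now = secret, ttl, now
        self.allowed = {}   # verified source IP -> expiry time: the only state kept

    def _cookie(self, p: Packet, slot: int) -> int:
        # Cookie is bound to the 4-tuple and a 64-second slot, so nothing is stored per SYN.
        msg = f"{p.src}:{p.sport}>{p.dst}:{p.dport}|{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def handle(self, p: Packet):
        if self.allowed.get(p.src, 0) > self.now():
            return "forward", p                  # verified source: hand the packet to the switch
        slot = int(self.now()) // 64
        if p.flags == "S":
            # Reply with a SYN-ACK whose ACK number is deliberately wrong (the cookie).
            # A genuine stack in SYN-SENT answers with RST, SEQ = that bad ACK (RFC 793);
            # a spoofed source never sees the SYN-ACK, so no state is ever created for it.
            synack = Packet(p.dst, p.dport, p.src, p.sport, "SA", seq=0, ack=self._cookie(p, slot))
            return "challenge", synack
        if p.flags == "R" and p.seq in (self._cookie(p, slot), self._cookie(p, slot - 1)):
            self.allowed[p.src] = self.now() + self.ttl
            return "verified", None              # the client retransmits its SYN and is forwarded
        return "drop", None


def steering_rules(guard_port: int, verified_src=None):
    """Assumed ovs-ofctl add-flow syntax: SYN-only packets (flags match +syn-ack) from
    unverified sources go to the guard; a verified source bypasses it at higher priority."""
    rules = [f"priority=10,tcp,tcp_flags=+syn-ack,actions=output:{guard_port}"]
    if verified_src:
        rules.insert(0, f"priority=20,tcp,nw_src={verified_src},actions=NORMAL")
    return rules
```

Because the cookie is recomputed from the packet and the clock, a flood of spoofed SYNs costs the guard one HMAC per packet and no table entry, which is the property that keeps both the guard and the switch flow table from saturating.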