DDoS Attack Detection & Mitigation in SDN
FINAL VIVA PRESENTATION 2014-12-08
COMSE-6998
Presented by Chao CHEN (cc3736)
Key Words
DDoS Attack Detection and Mitigation
Type: ICMP Flood
SYN Flood
DNS Amplification
UDP Flood
InMon sFlow-RT + Floodlight controller + Mininet
SDN Application to perform DDoS Protection
RESEARCH BACKGROUND
SCHEME DESIGN
APPLICATION DEVELOPMENT
ENVIRONMENT ESTABLISHMENT
TEST & EVALUATION
RESEARCH BACKGROUND
Research Background
Real-time detection and mitigation with the lowest device-deployment cost
Research Background
sFlow = sampled Flow
Device Capability → Easy Deployment
Physical Device: Cisco Nexus 3000/3100 series
IBM c/g/m/r/s/x/y series
Juniper EX 2200/3200/3300/4200/6200 series
……
Virtual Device: Open vSwitch
Apache
Nginx
……
sFlow Collectors: InMon sFlow-RT
Brocade Network Advisor
……
SDN analytics and control using sFlow standard
Research Background
sFlow + OpenFlow
1. The switch samples packets.
2. The switch sends the headers of the sampled packets to sFlow-RT.
3. sFlow-RT maps them into fine-grained flows (e.g. tcpflags=SYN, icmptype=3, …).
4. If a flow exceeds its threshold, sFlow-RT triggers an event.
5. Events are accessible to external apps through the REST API.
Research Background
sFlow + OpenFlow: the same five steps as on the previous slide, annotated by stage (detection, mitigation, processing).
SCHEME DESIGN
Scheme Design
Overall flowchart of the application (figure with Yes/No decision branches; the marked parts need to be specified for different kinds of attacks).
Scheme Design ICMP Flood Attack
Mechanism:
Each device in the botnet pings the server at a high rate.
Flow Definition:
ipsource=0.0.0.0/0,
ipdestination=10.0.0.2/32, #suppose h2 is the server
outputifindex!=discard, #packet is not discarded
ipprotocol=1 #ICMP
Match Field in blocking flow entry:
ether-type, protocol, src-ip, dst-ip
Scheme Design SYN Flood Attack
Mechanism:
Each device in the botnet sends TCP SYN packets to the server at a high rate.
Flow Definition:
ipsource=0.0.0.0/0,
ipdestination=10.0.0.2/32, #suppose h2 is the server
outputifindex!=discard, #packet is not discarded
tcpflags~.......1. #TCP SYN packet (regex over the TCP flag bits: SYN bit = 1)
Match Field in blocking flow entry:
ether-type, protocol, src-ip, dst-ip
Scheme Design DNS Amplification Attack
Mechanism:
Each device in the botnet sends DNS queries to several DNS servers with src-ip = the victim's IP (take ANY(15) for example).
Scheme Design DNS Amplification Attack
Flow Definition:
ipsource=0.0.0.0/0,
ipdestination=[10.0.0.1/32, 10.0.0.2/32], #suppose h1 and h2 are the DNS servers
outputifindex!=discard, #packet is not discarded
dnsqr=false,
dnsqtype=255
Match Field in blocking flow entry:
ether-type, protocol, src-ip, dst-ip
Protect at the DNS servers (instead of the victim)
Scheme Design UDP Flood Attack
Mechanism:
Each device in the botnet sends UDP packets to all the ports of the server.
(Diagram: the attacker issues commands to the botnet/compromised systems; they send UDP packets across the target server's UDP port list (1, 5, 7, 9, 11, 13, 15, …), and the target server replies with ICMP Destination Unreachable.)
Scheme Design UDP Flood Attack
Flow Definition:
ipsource=10.0.0.2/32, #reversed
ipdestination=0.0.0.0/0,
outputifindex!=discard, #packet is not discarded
ipprotocol=1, #ICMP
icmptype=3, #Destination Unreachable
Match Field in blocking flow entry:
ether-type, protocol, src-ip=dst-ip_in_flow, dst-ip=server-ip
Protect by monitoring ICMP Destination Unreachable packets
APPLICATION DEVELOPMENT
Application Development
Language: Python. Import requests and json to perform GET/PUT/POST via the REST APIs.
Different attacks are implemented similarly; take the ICMP Flood attack as an example.
Definition of flows, thresholds, …:
POST the definition to sFlow-RT:
Application Development
Attack classification & Static Flow Entry Push:
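As an added example (not the presentation's own code, which is not reproduced on this page), here is a minimal Python version of the application that the sFlow + OpenFlow pipeline and the Scheme Design slides describe: it PUTs the ICMP-flood and SYN-flood flow definitions and thresholds to sFlow-RT, long-polls the events REST API, and pushes a drop flow entry matching ether-type, protocol, src-ip and dst-ip for each attacking source to Floodlight's static flow pusher. It uses the addresses and ports from the Environment slide and the standard library's urllib instead of requests; the per-source keying (keys=ipsource), the threshold value, the s1 DPID and the pre-1.0 Floodlight pusher path /wm/staticflowentrypusher/json are assumptions.

```python
import json
import urllib.request

# Endpoints from the presentation's environment slide. The s1 DPID is the
# Mininet default and the Floodlight pusher path (pre-1.0 name) is assumed.
SFLOW_RT, FLOODLIGHT = "http://10.10.10.2:8008", "http://10.10.10.2:8080"
SERVER_IP, S1_DPID = "10.0.0.2", "00:00:00:00:00:00:00:01"  # h2 is the server

# Per attack: IP protocol the blocking entry matches, and the slide's filter term.
ATTACKS = {"icmp_flood": ("1", "ipprotocol=1"),
           "syn_flood": ("6", "tcpflags~.......1.")}

def flow_definition(name, server_ip=SERVER_IP):
    """Body for PUT /flow/<name>/json: one sub-flow per source, counted in frames."""
    return {"keys": "ipsource", "value": "frames",
            "filter": f"ipdestination={server_ip}/32&outputifindex!=discard&{ATTACKS[name][1]}"}

def blocking_entry(event, server_ip=SERVER_IP, dpid=S1_DPID):
    """sFlow-RT threshold event -> Floodlight static entry matching ether-type,
    protocol, src-ip, dst-ip; the empty action list makes the switch drop."""
    name = event.get("metric")
    if name not in ATTACKS:
        return None                        # event from some other threshold
    attacker = event["flowKey"]            # value of the 'ipsource' key
    return {"switch": dpid, "name": f"block-{name}-{attacker}", "priority": "32768",
            "ether-type": "0x0800", "protocol": ATTACKS[name][0],
            "src-ip": attacker, "dst-ip": server_ip, "active": "true", "actions": ""}

def entries_for(events, pushed):
    """New blocking entries; an entry whose name is already in `pushed` is skipped."""
    out = []
    for entry in filter(None, map(blocking_entry, events)):
        if entry["name"] not in pushed:
            pushed.add(entry["name"])
            out.append(entry)
    return out

def rest(method, url, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=70) as resp:
        return json.loads(resp.read().decode() or "null")

def run(threshold_pps=1000):
    """Install flows and thresholds, then long-poll events and push drop entries."""
    for name in ATTACKS:
        rest("PUT", f"{SFLOW_RT}/flow/{name}/json", flow_definition(name))
        rest("PUT", f"{SFLOW_RT}/threshold/{name}/json", {"metric": name, "value": threshold_pps})
    pushed, last_id = set(), -1
    while True:
        events = rest("GET", f"{SFLOW_RT}/events/json?maxEvents=10&timeout=60&eventID={last_id}") or []
        for entry in entries_for(events, pushed):
            rest("POST", f"{FLOODLIGHT}/wm/staticflowentrypusher/json", entry)
        last_id = max([last_id] + [ev["eventID"] for ev in events])
```

Calling run() starts the blocking poll loop; the pushed set is what keeps a source that keeps tripping the threshold from being pushed to the switch again.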
ENVIRONMENT ESTABLISHMENT
Environment Establishment
Laptop → Ubuntu VM running the App and Mininet (diagram).
Mininet hosts h1–h6: 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6
Controller/collector host 10.10.10.2, default ports: 6633 (OpenFlow to Floodlight), 8080 (Floodlight REST API), 8008 (sFlow-RT REST API), 6343 (sFlow datagrams to sFlow-RT)
TEST & EVALUATION
Test & Evaluation
Launch floodlight: ./floodlight.sh
Launch InMon sFlow-RT: ./start.sh
Launch InMon sFlow-RT: sudo ./topo.sh
(sets s1 as an sFlow agent and sets up the bridge between s1 and sFlow-RT)
Test & Evaluation
Without mitigation:
h1 ICMP attack on h2 with: ping -f 10.0.0.2
network traffic flow
attack from h4
ICMP Flood Attack
Test & Evaluation
With mitigation:
h4 ICMP attack on h2
network traffic flow
attack from h4 is mitigated
ICMP Flood Attack
Test & Evaluation
Continue: h5 ICMP attack on h2
network traffic flow
attack from h5 is mitigated
ICMP Flood Attack
Test & Evaluation ICMP Flood Attack
‘subflows’ in ICMP Attack Flow
Events triggered in this case
Flow table of s1 (attacked by h3, h4, h6)
Test & Evaluation SYN Flood Attack
Without mitigation:
h1 SYN attack on h2 with: ping --tcp -p 80 --flag syn -rate 2000 --count 20000000 --no-capture --quiet 10.0.0.2
network traffic flow
Test & Evaluation SYN Flood Attack
With mitigation:
h6 and h4 SYN attack on h2
SYN Flood Traffic
Flow table of s1 (attacked by h3, h4, h5, h6)
attacks from h6 and h4 are mitigated
Test & Evaluation
DNS Amplification Attack & UDP Flood Attack:
Cannot simulate attacks → No test result yet
Test & Evaluation
Future Work:
1. Test on DNS Amplification Attack & UDP Flood Attack
2. {new_sample_rate, new_threshold} = update(old_sample_rate, old_threshold, network_congestion, server_status, …), i.e. adapt the sampling rate and threshold at run time
3. Sampling theory is efficient on large flows; think about many tiny flows ({tiny flows} × n)
4. A reasonable unblock mechanism
Q&A
