© 2014 open networking foundation · 2017-10-03 · security objective • carrier grade sdn-based...
TRANSCRIPT
![Page 1: © 2014 Open Networking Foundation · 2017-10-03 · Security Objective • Carrier grade SDN-based signaling to mitigate network level Distributed Denial of Service (DDoS) attacks](https://reader033.vdocuments.us/reader033/viewer/2022041911/5e67b0c29f9c9e2a5c4a38c7/html5/thumbnails/1.jpg)
© 2014 Open Networking Foundation
Page 2
SDN Security: OpenFlow-Based DDoS Attack Mitigation
Ali Tizghadam, Theodor Balanescu, Rahul Kumar, Kevin Jones, Walter Miron
Page 3
Security
Objective
• Carrier grade SDN-based signaling to mitigate network level Distributed Denial of Service (DDoS) attacks against the service provider’s infrastructure and its customers
• Demo targets attack mitigation – in this demo, detection of the DDoS attack is assumed to be handled separately
• Overall system diagram is shown on the slide (not reproduced in this transcript)
Page 4
Possible Mitigation Plans
• Block action – simply blocks (drops) the attack traffic
• Off-Ramp action – redirects the attack traffic to an intermediate site for further investigation
[Slide diagram illustrating the "Block Action" and the "Off-Ramp Action"]
Page 5
Lab Setup
• The diagram shows details of the OF-based DDoS mitigation system in the TELUS SDN lab
[Lab diagram. Elements legible in the figure:
  SP (ASN 65039): 192.168.200.5 (Eth1), 192.168.200.6
  Bluemoon (MX960): Lo0 172.25.212.88, mgmt 172.18.132.245; links 172.18.214.237/31 (xe-7/0/7) and 172.18.214.236/31 (xe-4/3/3)
  T1600 (BR)
  TOROLABSR01 (MX960): 172.18.132.212, CI Lo0 172.18.110.14; 10.11.12.82/31 on Ae3, VLAN 1500, GE-2/2/0
  OpenFlow-enabled interfaces (labelled OF / OF-SW1): xe-4/2/3.0, xe-4/2/0.0 (192.168.214.1/24), xe-4/3/0.0, xe-4/1/3.0, xe-4/1/0.0
  TOROLABSV01 (Arbor CP): 172.18.132.227
  OF Controller / Alert Listener: ETH1 10.0.30.3/24, ETH0 172.18.179.161/24
  IXIA61 (172.18.132.61): Card 6 Port 11 = Victim Port (192.168.213.7); Card 11 Port 1 = Attack Port (label "RE-29" adjacent); Card 6 Port 6 = Security Port]
Page 6
Flow Design – Mitigation Process
• Step 1: Attack arrives
[Lab diagram as on page 5, with marker 1 on the Attack Traffic and Legitimate Traffic flows]
Page 7
Flow Design – Mitigation Process
• Step 2: NetFlow analysis
[Lab diagram as on page 5, with marker 2 on the NetFlow feed]
Page 8
Flow Design – Mitigation Process
• Step 3: Attack detected
• Step 4: Attack details fetched by Alert Listener
[Detail of the diagram: Arbor CP (TOROLABSV01, 172.18.132.227) and the OF Controller / Alert Listener (ETH1 10.0.30.3/24, ETH0 172.18.179.161/24); "Alert Notification" carries marker 3 and "Fetching Alert Details" carries marker 4]
Page 9
Flow Design – Mitigation Process
• Step 5: Attack mitigation rule installed by OF Controller
• Step 6: Command sent to routers
[Lab diagram as on page 5; "Attack Mitigation Rule" at the OF Controller carries marker 5 and "OpenFlow command" carries marker 6]
Page 10
Flow Design – Mitigation Process
• Step 7: Action
[Lab diagram as on page 5, with marker 7 on the Attack Traffic and Legitimate Traffic flows]
Page 11
ICMP Attack
• Generated by Ixia
[Ixia screenshots: the IXIA Attacker port sends ICMP at 12000 packets/s plus TCP at 100 packets/s; the IXIA Victim port receives 12100 packets/s]
Page 12
ICMP Attack Mitigation
[Ixia screenshots after the mitigation rule is installed: the IXIA Security port receives 1200 packets/s; the IXIA Victim port receives only TCP at 100 packets/s]
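The seven-step process on pages 6 to 10 ends with a flow entry whose action is either drop (the block plan) or output to the security port (the off-ramp plan); the Ixia counters on pages 11 and 12 show the effect on the victim. The following Python model is added here and is not code from the TELUS demo or its controller: it builds that entry from the alert fetched by the Alert Listener (step 5) and pushes the slides' traffic mix through a toy OpenFlow 1.0 flow table (step 7). The switch port numbers, the alert dictionary, and the attacker and client addresses are assumptions.

```python
"""Added example: OpenFlow-style DDoS mitigation as in the TELUS demo
(steps 5-7), modelled in plain Python. Not code from the slides; port
numbers, the alert format and the end-host addresses are assumptions."""
from collections import Counter
from dataclasses import dataclass

ICMP, TCP = 1, 6           # IP protocol numbers (nw_proto in OpenFlow 1.0)
VICTIM_PORT = 2            # assumed OF-SW1 port toward the Ixia victim port
SECURITY_PORT = 3          # assumed OF-SW1 port toward the Ixia security port
VICTIM = "192.168.213.7"   # victim address from the lab diagram


@dataclass(frozen=True)
class Packet:
    nw_src: str
    nw_dst: str
    nw_proto: int


@dataclass
class FlowEntry:
    priority: int
    match: dict
    actions: list          # empty action list == drop (OpenFlow 1.0 semantics)


def matches(entry: FlowEntry, pkt: Packet) -> bool:
    """Every field named in the match must equal the packet's field."""
    fields = {"dl_type": 0x0800, "nw_src": pkt.nw_src,
              "nw_dst": pkt.nw_dst, "nw_proto": pkt.nw_proto}
    return all(fields.get(k) == v for k, v in entry.match.items())


def lookup(table, pkt):
    """Highest-priority matching entry, or None on a table miss."""
    hits = [e for e in table if matches(e, pkt)]
    return max(hits, key=lambda e: e.priority) if hits else None


def build_mitigation_rule(alert: dict, plan: str) -> FlowEntry:
    """Step 5: turn the alert fetched by the Alert Listener into a flow entry.
    alert = {"victim": ..., "nw_proto": ...} is an assumed format."""
    match = {"dl_type": 0x0800, "nw_dst": alert["victim"], "nw_proto": alert["nw_proto"]}
    if plan == "block":
        actions = []                               # drop
    elif plan == "off-ramp":
        actions = [("output", SECURITY_PORT)]     # redirect for investigation
    else:
        raise ValueError(f"unknown mitigation plan: {plan}")
    return FlowEntry(priority=1000, match=match, actions=actions)


def forward(table, traffic) -> Counter:
    """Step 7: apply the table to (packet, packets/s) pairs; return pps per output port."""
    delivered = Counter()
    for pkt, pps in traffic:
        entry = lookup(table, pkt)
        if entry is None:
            continue                              # table miss: drop (toy switch)
        for action, port in entry.actions:
            if action == "output":
                delivered[port] += pps
    return delivered


# Constructed traffic mix matching the slides: 12000 ICMP pps of attack
# plus 100 TCP pps of legitimate traffic, both toward the victim.
TRAFFIC = [
    (Packet("192.168.213.99", VICTIM, ICMP), 12000),   # attacker address is constructed
    (Packet("192.168.213.50", VICTIM, TCP), 100),      # legitimate client address is constructed
]


def run(plan=None) -> Counter:
    """Forwarding before (plan=None) and after a mitigation rule is installed."""
    table = [FlowEntry(100, {"dl_type": 0x0800, "nw_dst": VICTIM}, [("output", VICTIM_PORT)])]
    if plan is not None:
        alert = {"victim": VICTIM, "nw_proto": ICMP}   # what the Alert Listener fetched
        table.append(build_mitigation_rule(alert, plan))
    return forward(table, TRAFFIC)


if __name__ == "__main__":
    for plan in (None, "block", "off-ramp"):
        print(plan, dict(run(plan)))
```

Matching on destination and protocol only, as the rule does, also removes legitimate ICMP to the victim; matching on source addresses would be more precise but is useless against spoofed floods, which is why off-ramping to an inspection point is offered beside a plain block. The model delivers the full 12000 packets/s to the security port, whereas page 12 reports 1200 packets/s there; the deck does not explain the difference.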
Page 13
Next Steps
• Detection: in the next phase, replacing NetFlow with OpenFlow data will be explored
• A second SDN controller will collect flow statistics from the routers via OpenFlow
• An application that detects a security event from those statistics is required
• Once a security event is raised, the detection controller will signal the network controller
• The network controller will issue one of the following commands via OpenFlow:
  – Drop
  – Off-ramp towards a defined destination
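Next Steps proposes replacing NetFlow with flow statistics pulled over OpenFlow. The detector below is an added example, not code from the slides or from the TELUS controllers: it consumes the packet_count and duration_sec fields of successive OFPST_FLOW replies (modelled as plain dataclasses), derives a per-flow packet rate from the deltas between polls, and raises an event carrying the victim and protocol that the network controller needs to build a flow entry. The threshold, the polled flows and the counter values are constructed.

```python
"""Added example: flood detection from OpenFlow flow statistics (the NetFlow
replacement proposed under Next Steps). Not code from the slides; the stats
fields mirror an OFPST_FLOW reply, everything else is constructed."""
from dataclasses import dataclass

ICMP, TCP = 1, 6
VICTIM = "192.168.213.7"   # victim address from the lab diagram


@dataclass(frozen=True)
class FlowKey:
    nw_dst: str
    nw_proto: int


@dataclass(frozen=True)
class FlowStats:
    """Subset of one entry in an OFPST_FLOW reply."""
    key: FlowKey
    packet_count: int      # cumulative since the flow was installed
    duration_sec: int      # seconds since the flow was installed


class FlowRateDetector:
    """Turns successive stats replies into security events."""

    def __init__(self, pps_threshold: float):
        self.threshold = pps_threshold
        self.last = {}     # FlowKey -> (packet_count, duration_sec) from the previous poll

    def update(self, reply: list) -> list:
        """Feed one stats reply; return events for flows above the threshold."""
        events = []
        for s in reply:
            prev = self.last.get(s.key)
            self.last[s.key] = (s.packet_count, s.duration_sec)
            if prev is None:
                continue                       # first sample only seeds the baseline
            dpkts = s.packet_count - prev[0]
            dt = s.duration_sec - prev[1]
            if dt <= 0 or dpkts < 0:
                continue                       # flow re-installed or counters reset: no valid rate
            pps = dpkts / dt
            if pps > self.threshold:
                events.append({"victim": s.key.nw_dst, "nw_proto": s.key.nw_proto, "pps": pps})
        return events


# Constructed polls, 10 s apart, reproducing the slides' 12000 ICMP + 100 TCP pps mix.
ICMP_FLOW, TCP_FLOW = FlowKey(VICTIM, ICMP), FlowKey(VICTIM, TCP)
POLLS = [
    [FlowStats(ICMP_FLOW, 0, 5), FlowStats(TCP_FLOW, 0, 5)],
    [FlowStats(ICMP_FLOW, 120_000, 15), FlowStats(TCP_FLOW, 1_000, 15)],
    [FlowStats(ICMP_FLOW, 500, 2), FlowStats(TCP_FLOW, 2_000, 25)],    # ICMP flow re-installed
    [FlowStats(ICMP_FLOW, 60_500, 12), FlowStats(TCP_FLOW, 3_000, 35)],
]


def run(threshold: float = 5_000) -> list:
    """Feed all polls through one detector; return the events raised per poll."""
    det = FlowRateDetector(threshold)
    return [det.update(reply) for reply in POLLS]


if __name__ == "__main__":
    for i, events in enumerate(run()):
        print(f"poll {i}: {events}")
```

Rates come from deltas between polls, so the first reply only seeds the state, and an interval in which the counter went backwards or the duration did not advance is skipped rather than producing a spurious negative or infinite rate (a flow re-installed by the controller restarts both counters). The method also only works if the statistics are kept per destination and protocol; a single wildcard entry covering the victim would hide the ICMP share.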