Denial of Service detection and mitigation on GENI Xenia Mountrouidou, Blaine Billings, College of Charleston
Collaborative research Tommy Chin (RIT), Xenia Mountrouidou, Xiangyang Li (JHU), Kaiqi Xiong (USF), “An SDN-Supported Collaborative Approach for DDoS Flooding Detection and Containment“, International Conference for Military Communications (MILCOM 2015), Tampa, Florida, 2015 Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong, “Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking (SDN)“, International Workshop on Computer and Networking Experimental Research Using Testbeds (CNERT 2015), Columbus, Ohio, June, 2015
Outline Background Motivation Collaborative detection and mitigation Implementation Demo Conclusions
Background Cybersecurity Research Experimentation on GENI Denial of Service Detection and Mitigation using SDN Covert Storage Channel Detection Covert Timing Channel Implementation Cybersecurity Education: experiential learning on GENI CyberPaths: GENI Cybersecurity Modules Liberal Arts Modules: Law, Cyber Insurance, Privacy, Finance
Motivation DDoS Threat Computer Networks Today Half of enterprises worldwide hit by DDoS attacks (Darkreading, 2014) DDoS attacks: a perfect smoke screen for APTs and silent data breaches (CSO online, 2015) $150 can buy a week long DDoS attack (TrendMicro) >2,000 DDoS attacks observed every day (Arbor Networks) 1/3 of all downtime incidents attributed to DDoS (Verisign/Merrill Research) IoT: Mirai Botnet Computer Networks Today Big data Complex topologies
Motivation SDN Capabilities Drop flows Redirect flows Duplicate flows Information available & accessible on different network layers Source: https://www.opennetworking.org/sdn-resources/sdn-definition
DDoS TCP SYN Flood Insights: Traffic pattern Spoofed IPs Send Spoofed SYN Send SYN-ACK Resend SYN-ACK Attacker Server Spoofed Client Insights: Traffic pattern Spoofed IPs
Challenges Intrusion Detection System (IDS) SDN Controller Data availability is limited Effectiveness depends on position in network SDN Controller Bottleneck – cannot analyze every packet Accuracy vs Performance Real world implementation
Solutions Discrete attack signature constituents IDS elements Increase in SYN packets Spoofed source IPs for certain DDoS instances IDS elements Distributed Communication with SDN controllers SDN controllers posses critical information Flow table Add/remove flows Duplicate flows Emulation with Global Environment for Network Innovations
Increase of normal traffic Processing overhead Attack Increase of normal traffic Network traffic Detection Stage Monitor(s) t Alert message Correlation Stage Evidence/ command Reset message Reset Correlator(s) t Mitigation Stage Attack confirmed Reset Controller(s) t
M2 Controller C2 Attacker OVS2 Client Backbone OVS OVS1 OVS3 Server Monitor M1 Server (Victim) Correlator/ Controller C1 OVS1 M2 Controller C2 Backbone OVS M3 Attacker OVS3 OVS2 C3 MB Controller CB
Monitor-Correlator Communication Controller (Correlator) Client OpenvSwitch Monitor Server Request Content Insert Flow OvS Mirror Traffic Forward Traffic Send Alert Detail Query OvS Flow Table Return Flow Table Data Insert Flow to OvS
Monitor Listen for IDS alerts Alert threshold = # SYN packets / sec Send alert flag to correlator Send IPs of selected SYN packets to correlator Flag can be attack type
Monitor – real time snort alert monitoring
Monitor – send alert to correlator
Correlator Key Value port1 IP1 port2 IP2 port3 IP3 … portn IPn Key Hash table based on the original flow table of OVS switch Query this table using the IP addresses from the monitor to look for any unknown IPs Additional queries to a second hash table created based on the current flow table Flow Table Snapshot2 Original Flow Table Flow Table Snapshot1
Correlator – parse and process flowdump
Correlator – block the port of attack
Role of SDN in Implementation Duplicate flows Flow table information detects attacker Drop flows to mitigate Duplication is implemented with Mirroring We may mitigate real traffic – flash crowd Deep packet inspection Second chance
Demo Video & Live
Conclusions and Future Work Synergistic strategy monitoring detection mitigation Scalable solution to process high volume of traffic and large scale attacks Future work Scalability optimizations Different security applications – covert channel
More security experimentation on GENI Covert Storage Channel Detection: Yiyuan Hu (JHU), Xiangyang Li (JHU), Xenia Mountrouidou, “Improving Covert Storage Channel Analysis with SDN and Experimentation on GENI“, National Cyber Summit 2016 Covert Timing Channel: ACM Research competition poster “Time Lord: Covert Timing Channel Implementation and Realistic Experimentation”, Eduardo Castillo, Xenia Mountrouidou, Xiangyang Li (JHU) Firewalls - CoC VPNs - CoC XSS -JHU Certificates -JHU
Acknowledgements
Questions? Thank you!
Links Project CyberPaths: http://blogs.cofc.edu/cyberpaths/ Intrusion Detection Lab: http://mountrouidoux.people.cofc.edu/CyberPaths/intrusiondetectio nsystemgenidesk_v2.html Correlation & Mitigation lab: http://mountrouidoux.people.cofc.edu/CyberPaths/correlation_genid esk.html
Appendix Results
Results Multiple attackers Multiple users Goals: Identify bottlenecks Demonstrate effectiveness
Results – multiple attackers Time in msec Number of Attackers
Results – multiple attackers Monitor Overhead Correlator Overhead Time in msec Time in msec Time in msec Number of Attackers Number of Attackers t4 : time to process monitor’s alert t5 : time needed to query OVS t6 : time needed to issue new rule to drop flow t1 : time for mirrored traffic to reach monitor t2 : time for alert to be raised t3 : time to communicate with Correlator
Results - ROC M2, C2: Monitor & Correlator 2
Results – Multiple Users Need to describe x, y axis!!!
Results – Multiple Users t4 : time to process monitor’s alert t5 : time needed to query OVS t6 : time needed to issue new rule to drop flow t1 : time for mirrored traffic to reach monitor t2 : time for alert to be raisd t3 : time to communicate with Correlator