Implementation of Lawful Interception and Malicious traffic Prevention based on software defined network Speaker: Muhammad Reza Zulman Advisor: Dr. Kai-Wei Ke Date: July 11, 2016
Outline Lawful Interception, SIP and Malicious Traffic overview. What is SDN? OpenFlow. Objectives. System Design and Implementation. Malicious Detection Mechanism. References.
Lawful Interception

Lawful Interception (LI) is described by the ITU as the lawfully authorized interception and monitoring of telecommunications, pursuant to an order of a government body, to obtain the forensic evidence necessary for pursuing wrongdoers. In general, the operator of a public network infrastructure can undertake LI activities for infrastructure protection and cybersecurity.

Fig. 1. Basic Interception operation (User A, Surveillance System, User B)
SIP Overview (Session Initiation Protocol)

A signaling protocol, widely used for controlling multimedia communication sessions.

Fig. 2. Message flow of SIP calling procedure (between two user agents: INVITE, provisional responses, 200 OK, ACK, conversation, BYE, 200 OK)
Malicious Traffic

Any traffic anomaly, from hardware or software failures to Internet packets with maliciously modified options. Malicious traffic usually exhausts legitimate resources by sending a lot of traffic or by violating the communication protocol. Examples of malicious behavior are Ping Attack, ARP Spoofing, and SYN Flooding.
Malicious Traffic (Cont.)

Fig. 3. SYN Flooding (Source, Destination; SYN, SYN/ACK, ACK)
Fig. 4. ARP Spoofing (Station A: IP A / MAC A; Server: IP C / MAC C; Attacker: IP B / MAC B)
What is SDN?

According to the ONF (Open Networking Foundation): "The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices." "The OpenFlow® protocol is a foundational element for building SDN solutions."

SDN Architecture: Application Layer (business applications, SDN applications, cloud orchestration), Control Layer (SDN controller with programmable open APIs), Infrastructure Layer (network devices), joined by a programmable control/data plane interface (e.g., OpenFlow) between the control and infrastructure layers.

Fig. 5. Software Defined Network Architecture
OpenFlow

Fig. 6. OpenFlow Architecture (controller connected over a secure channel to OpenFlow switches and end systems; main components of an OpenFlow switch: flow tables, group table, meter table)
OpenFlow (cont.)

How does OpenFlow work? When the first packet arrives at the switch, the switch does not know how to handle it. Since there is no matching entry in its flow table, the packet is dropped. To handle such packets, a table-miss flow entry has to be installed that sends them from the switch to the controller (packet-in).

Fig. 7. OpenFlow Basic Operation (host sends a packet to the OpenFlow switch; on table-miss the packet is either dropped or sent to the controller as a packet-in)
OpenFlow (cont.)

Flow table

A flow table consists of flow entries with the following fields: match fields, priority, counters, instructions, timeouts, cookie, flags.

Table 1. Required OpenFlow Match Fields

Field              Description
OXM_OF_IN_PORT     Ingress port. This may be a physical or switch-defined logical port.
OXM_OF_ETH_DST     Ethernet destination address. Can use arbitrary bitmask.
OXM_OF_ETH_SRC     Ethernet source address. Can use arbitrary bitmask.
OXM_OF_ETH_TYPE    Ethernet type of the OpenFlow packet payload, after VLAN tags.
OXM_OF_IP_PROTO    IPv4 or IPv6 protocol number.
OXM_OF_IPV4_SRC    IPv4 source address. Can use subnet mask or arbitrary bitmask.
OXM_OF_IPV4_DST    IPv4 destination address. Can use subnet mask or arbitrary bitmask.
OXM_OF_IPV6_SRC    IPv6 source address. Can use subnet mask or arbitrary bitmask.
OXM_OF_IPV6_DST    IPv6 destination address. Can use subnet mask or arbitrary bitmask.
OXM_OF_TCP_SRC     TCP source port.
OXM_OF_TCP_DST     TCP destination port.
OXM_OF_UDP_SRC     UDP source port.
OXM_OF_UDP_DST     UDP destination port.

* All fields in the table are required match fields that must be supported by a switch.
Objectives

Implement a recording and monitoring surveillance system, and detect and prevent malicious traffic, by utilizing a software defined network: a surveillance system for VoIP traffic using the SIP protocol, and detection of malicious traffic including overdose ping, ARP spoofing and SYN flood attacks.
System Design and Implementation

1. Host 1 sends a packet to Host 2; the first packet causes a table-miss and is sent to the SDN controller.
2. Classification of the traffic is performed by the controller.
3. The controller installs flow entries for the corresponding type of traffic, so that later packets do not cause a packet-in.
4. The action of the flow entries is to mirror the traffic to the corresponding IRS and IPS devices.
5. The IRS and IPS analyze and record the traffic.
6. The IPS notifies the controller whenever an attack is detected, so that it can be prevented.

Fig. 8. Overall System Architecture (Host 1, Host 2, OpenFlow switch, SDN controller, IRS, IPS device)
System Mirroring Implementation

An OpenFlow switch supports multiple flow tables. This feature allows different actions to be set in each table.

Fig. 9. Multiple OpenFlow Tables
System Mirroring Implementation (Cont.)

Multiple tables are used to duplicate packets; the reason is that this makes flow-table modification easy. After the packet-in, the SDN controller installs one entry per table: Table 0 outputs to port 3 (IRS 1) and goes to Table 1; Table 1 outputs to port 4 (IPS device) and goes to Table 2; Table 2 outputs to port 2 (the destination host).

Fig. 10. Mirroring Implementation
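The table-miss handling of Fig. 7, the flow-entry fields of Table 1 and the three-table mirroring chain of Fig. 10 can be exercised together in a small simulation. The following is an added example written for this page, not the thesis author's controller or switch code; the port numbers (3 for the IRS, 4 for the IPS, 2 for the destination) follow Fig. 10, while the packet dictionaries, the reduced instruction set (output list plus goto-table) and the way the controller re-injects the packet are constructed for the example.

```python
"""Added example: a minimal OpenFlow multi-table pipeline with table-miss,
packet-in and the mirroring chain of Fig. 10 (not the thesis author's code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class FlowEntry:
    """One flow-table entry with the fields listed on the slide; instructions are
    reduced to an output list plus an optional goto-table."""
    match: dict                      # subset of the Table 1 match fields
    priority: int = 0
    outputs: tuple = ()              # output ports, or "controller" for packet-in
    goto: Optional[int] = None       # goto-table instruction
    packets: int = 0                 # counters
    bytes: int = 0


class Switch:
    def __init__(self, n_tables: int, controller: Callable[["Switch", dict], None]):
        self.tables = [[] for _ in range(n_tables)]
        self.controller = controller
        self.sent = []               # (port, packet) pairs that left the switch
        self.packet_ins = 0
        self.dropped = 0

    def add_flow(self, table_id: int, entry: FlowEntry) -> None:
        self.tables[table_id].append(entry)
        self.tables[table_id].sort(key=lambda e: -e.priority)   # highest priority first

    @staticmethod
    def matches(entry: FlowEntry, pkt: dict) -> bool:
        return all(pkt.get(k) == v for k, v in entry.match.items())

    def process(self, pkt: dict, table_id: int = 0) -> None:
        for entry in self.tables[table_id]:
            if self.matches(entry, pkt):
                entry.packets += 1
                entry.bytes += pkt.get("len", 0)
                for port in entry.outputs:
                    if port == "controller":
                        self.packet_ins += 1
                        self.controller(self, pkt)       # packet-in message
                    else:
                        self.sent.append((port, pkt))
                if entry.goto is not None:
                    self.process(pkt, entry.goto)
                return
        self.dropped += 1            # no table-miss entry: OpenFlow drops the packet (Fig. 7)


def controller_packet_in(sw: Switch, pkt: dict) -> None:
    """Controller reaction from Fig. 8/10: install one mirroring chain for this
    flow so later packets match in the switch, then re-inject the packet through
    the pipeline (as a packet-out to the table would)."""
    match = {"ipv4_src": pkt["ipv4_src"], "ipv4_dst": pkt["ipv4_dst"]}
    sw.add_flow(0, FlowEntry(match, priority=10, outputs=(3,), goto=1))   # copy to IRS (port 3)
    sw.add_flow(1, FlowEntry(match, priority=10, outputs=(4,), goto=2))   # copy to IPS (port 4)
    sw.add_flow(2, FlowEntry(match, priority=10, outputs=(2,)))           # deliver to host (port 2)
    sw.process(pkt)


def build_switch() -> Switch:
    sw = Switch(n_tables=3, controller=controller_packet_in)
    # table-miss entry: priority 0, wildcard match, send to controller
    sw.add_flow(0, FlowEntry({}, priority=0, outputs=("controller",)))
    return sw


def demo() -> Switch:
    sw = build_switch()
    pkt = {"in_port": 1, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2",
           "ip_proto": 17, "len": 100}                  # constructed packet from Host 1
    sw.process(pkt)          # first packet: table-miss -> packet-in -> flows installed
    sw.process(dict(pkt))    # second packet: matched in the switch, no packet-in
    return sw


def drop_without_table_miss() -> int:
    """Without a table-miss entry the first packet is simply dropped."""
    sw = Switch(n_tables=1, controller=controller_packet_in)
    sw.process({"ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2"})
    return sw.dropped


if __name__ == "__main__":
    s = demo()
    print("packet-ins:", s.packet_ins, "output order:", [p for p, _ in s.sent])
```

Running `demo()` shows the point of the design: only the first packet of a flow reaches the controller; every later packet is copied to the IRS and IPS ports and delivered by the switch alone, and the per-entry counters record how much traffic each mirroring entry handled.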
Classification Process

The classification process uses deep packet inspection based on port numbers. The drawback of this approach is that some protocols do not use a fixed port number, such as RTP, which is used together with SIP. For this case, a specific mechanism needs to be implemented.

Fig. 11. Classification Process (the SDN controller performs flow classification and mirror-port setting on the OpenFlow switch)
SIP Classification on Controller

The SIP protocol uses ports 5060 and 5061 over both TCP and UDP for signaling. For media streaming, the RTP protocol is used. Although TCP is standardized for RTP, the majority of RTP traffic uses UDP. The system design assumes that RTP uses only UDP.
SIP Classification on Controller (Cont.)

The IRS receives the first RTP packet and sends its information to the controller. The controller keeps the information sent by the IRS and assumes that subsequent packets with the same information belong to the media stream.

Fig. 12. SIP Traffic Classification Flowchart
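The two-step classification just described (fixed ports for SIP signaling, learned UDP endpoints for RTP) is shown below as an added example; it is not code from the thesis. The `irs_report_rtp` notification, the RTP header check the IRS uses to recognise the first media packet, and the sample packets are all assumptions made for this example.

```python
"""Added example: port-based SIP classification with an RTP table filled from
IRS reports (Fig. 11 and Fig. 12); not the thesis author's code."""
SIP_PORTS = {5060, 5061}
TCP, UDP = 6, 17


class RtpLearningClassifier:
    """Controller-side classification plus the endpoints the IRS reported as RTP."""
    def __init__(self):
        self.rtp_endpoints = set()          # (ip, udp_port) pairs reported by the IRS

    def irs_report_rtp(self, ip: str, port: int) -> None:
        """Hypothetical IRS -> controller notification for a newly seen media stream."""
        self.rtp_endpoints.add((ip, port))

    def classify(self, pkt: dict) -> str:
        proto = pkt["ip_proto"]
        sport, dport = pkt.get("src_port"), pkt.get("dst_port")
        if proto in (TCP, UDP) and (sport in SIP_PORTS or dport in SIP_PORTS):
            return "sip"
        # RTP is assumed to run over UDP only, as the system design states
        if proto == UDP and ((pkt["ipv4_src"], sport) in self.rtp_endpoints
                             or (pkt["ipv4_dst"], dport) in self.rtp_endpoints):
            return "rtp"
        return "other"


def looks_like_rtp(payload: bytes) -> bool:
    """IRS-side check (an assumption for this example, not the thesis mechanism):
    the RTP fixed header is 12 bytes, the version field must be 2, and payload
    types 72-76 are excluded because they collide with RTCP packet types."""
    if len(payload) < 12:
        return False
    version = payload[0] >> 6
    payload_type = payload[1] & 0x7F
    return version == 2 and not 72 <= payload_type <= 76


def demo() -> list:
    clf = RtpLearningClassifier()
    rtp_hdr = bytes([0x80, 0x00]) + b"\x00" * 10      # constructed: V=2, PT=0, no CSRC
    base = {"ip_proto": UDP, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2"}
    sip = dict(base, src_port=5060, dst_port=5060,
               payload=b"INVITE sip:bob@10.0.0.2 SIP/2.0\r\n")   # constructed signaling
    media = dict(base, src_port=49170, dst_port=51000, payload=rtp_hdr)
    labels = []
    for pkt in (sip, media, media):
        label = clf.classify(pkt)
        if label == "other" and pkt["ip_proto"] == UDP and looks_like_rtp(pkt["payload"]):
            # the IRS sees the first packet of the stream and informs the controller
            clf.irs_report_rtp(pkt["ipv4_src"], pkt["src_port"])
            clf.irs_report_rtp(pkt["ipv4_dst"], pkt["dst_port"])
        labels.append(label)
    return labels


if __name__ == "__main__":
    print(demo())
```

The first media packet is still labelled "other" because the controller has no entry for it yet; once the IRS has reported the endpoints, the second packet of the same stream is classified as RTP without any further packet-in, which is the behaviour the flowchart of Fig. 12 describes.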
Malicious Traffic Detection and Prevention

The IDS is placed on the packets' route. Every packet goes into the IDS to be analyzed and is then forwarded to its destination. This method prevents any malicious packet from passing unseen. However, since every packet must be analyzed before being forwarded, the IDS works as a packet buffer when there are too many packets, which affects the network's performance.

Fig. 13. On-path Detection (client and attacker, IDS/firewall, server)
Malicious Traffic Detection and Prevention (Cont.)

With SDN, the IDS/firewall can be placed as a network function in the controller. Every packet goes to the controller to be analyzed, and the controller then requests the switch to forward it to the destination or to block it. However, this consumes controller resources (heavy load).

Fig. 14. IDS Function on Controller (client and attacker, OpenFlow switch, controller with IDS function, server)
Malicious Traffic Detection and Prevention (Cont.)

Another way is to place the IDS as a separate node. Every packet that arrives is mirrored to the port to which the IDS is connected. This way, although some malicious packets may reach their destination before being detected, the network performance is not affected. This method was chosen in order to solve the performance problem and to ease the controller workload.

Fig. 15. IDS Function on Separated Node (client and attacker, OpenFlow switch, controller, IDS, server)
Utilizing OpenFlow for Malicious Traffic Prevention

The controller has full control of the switch, so it can request the switch to stop forwarding the malicious traffic. The IDS sends a notification to the controller when malicious traffic is detected; the controller then requests the switch to block the traffic from the "attacker".

Fig. 16. OpenFlow for Malicious Prevention (IDS: "Malicious is detected! Send notification!")
Malicious Detection Mechanism

Overdose ping detection. An ICMP flood attack overwhelms the target with ICMP echo request packets, generally sending packets as fast as possible without waiting for replies. The IDS calculates how many ICMP echo requests a host sends: when the IDS receives the first ICMP packet from a host, it records the source and starts a timer. The threshold can be set by the administrator.
Malicious Detection Mechanism (Cont.)

ARP Spoofing. ARP spoofing is used to attack hosts in a Local Area Network. When Host A sends an ARP request, the attacker replies with its own MAC_ADDR to make Host A think that the attacker is Host B. The attacker also sends an ARP request to learn Host B's MAC_ADDR. The attacker is then able to forward messages from Host A to Host B.

Fig. 17. ARP Spoofing Illustration (Host A, Attacker, Host B; arp request, arp reply, data)
Malicious Detection Mechanism (Cont.)

ARP Spoofing. Detection is determined by comparing the attacker's information with the one stored in the IDS:
- Record ARP traffic.
- Count arp_reply and arp_request packets.
- Compare with the stored ARP table; the IRS stores the ARP table of all connected hosts.
- Whenever an ARP reply is received, take the sender IP and compare it with the stored information.
- If it has changed, the IDS starts counting the ARP replies. If the count exceeds the threshold and arp_reply/arp_request > 10, ARP spoofing is detected.

Fig. 18. ARP Spoofing detection (Host A, Attacker, OpenFlow switch, IDS; arp request, arp reply)
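The two detectors of the last three slides, together with the notification-to-block step of Fig. 16, are worked through below on constructed packet records. This is an added example, not the thesis author's IDS or controller code; the threshold values, the one-second timer window, the per-MAC counting of ARP requests, and the `notify` hook that stands in for the IDS-to-controller message are all assumptions made for the example, while the "more than 10 replies per request" ratio is taken from Fig. 18.

```python
"""Added example: overdose-ping and ARP-spoofing detection feeding block
requests to the controller (Fig. 16 and Fig. 18); not the thesis author's code."""
from collections import defaultdict
from typing import Callable


class Ids:
    def __init__(self, notify: Callable[[str, str], None],
                 icmp_threshold: int = 100, icmp_window: float = 1.0,
                 arp_threshold: int = 20):
        self.notify = notify                   # controller hook: notify(attacker, reason)
        self.icmp_threshold = icmp_threshold   # echo requests allowed per window (admin setting)
        self.icmp_window = icmp_window         # seconds the timer runs from the first packet
        self.arp_threshold = arp_threshold     # contradicting replies before an alert
        self.icmp_state = {}                   # src ip -> (window_start, count)
        self.arp_table = {}                    # ip -> mac, as recorded by the IRS
        self.arp_requests = defaultdict(int)   # per sender mac
        self.arp_replies = defaultdict(int)    # per sender mac, replies contradicting the table
        self.alerted = set()

    def learn_arp(self, ip: str, mac: str) -> None:
        self.arp_table[ip] = mac

    def _alert(self, attacker: str, reason: str) -> None:
        if (attacker, reason) not in self.alerted:   # notify the controller once per attack
            self.alerted.add((attacker, reason))
            self.notify(attacker, reason)

    def on_icmp_echo_request(self, src: str, ts: float) -> None:
        start, count = self.icmp_state.get(src, (ts, 0))   # first packet: record source, start timer
        if ts - start > self.icmp_window:                  # timer expired: restart the count
            start, count = ts, 0
        count += 1
        self.icmp_state[src] = (start, count)
        if count > self.icmp_threshold:
            self._alert(src, "icmp_flood")

    def on_arp(self, op: str, sender_ip: str, sender_mac: str) -> None:
        if op == "request":
            self.arp_requests[sender_mac] += 1
            return
        known = self.arp_table.get(sender_ip)
        if known is None or known == sender_mac:
            return                                         # reply agrees with the stored table
        self.arp_replies[sender_mac] += 1
        replies, requests = self.arp_replies[sender_mac], self.arp_requests[sender_mac]
        if replies > self.arp_threshold and replies > 10 * requests:
            self._alert(sender_mac, "arp_spoofing")


def make_controller():
    """Controller side of Fig. 16: each notification becomes a drop entry for the
    attacker (a dict standing in for the flow-mod the controller would send)."""
    blocked = []

    def notify(attacker: str, reason: str) -> None:
        blocked.append({"match": {"src": attacker}, "priority": 100,
                        "actions": [], "reason": reason})   # empty action list = drop
    return notify, blocked


def demo() -> list:
    notify, blocked = make_controller()
    ids = Ids(notify, icmp_threshold=50, icmp_window=1.0, arp_threshold=20)
    ids.learn_arp("10.0.0.2", "aa:aa:aa:aa:aa:02")          # Host B, as learned by the IRS
    for i in range(4):                                      # normal ping: 4 requests in 1 s
        ids.on_icmp_echo_request("10.0.0.5", ts=i * 0.25)
    for i in range(60):                                     # flood: 60 requests in 0.3 s
        ids.on_icmp_echo_request("10.0.0.9", ts=10.0 + i * 0.005)
    ids.on_arp("request", "10.0.0.9", "de:ad:be:ef:00:09")  # attacker learns Host B's MAC
    for _ in range(25):                                     # then replies claiming Host B's IP
        ids.on_arp("reply", "10.0.0.2", "de:ad:be:ef:00:09")
    return blocked


if __name__ == "__main__":
    for entry in demo():
        print(entry["reason"], "->", entry["match"])
```

Two details matter for a deployment: the timer is restarted rather than kept running, so a host sending steadily just under the threshold never accumulates into an alert, and the ARP check only counts replies that contradict what the IRS recorded, so a host that legitimately answers many requests with its real MAC is never reported.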
References

[1] Open Networking Foundation, "Software-Defined Networking: The New Norm for Networks," ONF White Paper, April 13, 2012.
[3] J. R. Ballard, I. Rae, and A. Akella, "Extensible and scalable network monitoring using OpenSAFE," Proc. INM/WREN, 2010.
[4] R. U. Rehman, "Intrusion Detection Systems with Snort," Bruce Perens' Open Source Series.
THANK YOU