Denial of Service detection and mitigation on GENI


1 Denial of Service detection and mitigation on GENI
Xenia Mountrouidou, Blaine Billings, College of Charleston

2 Collaborative research
Tommy Chin (RIT), Xenia Mountrouidou, Xiangyang Li (JHU), Kaiqi Xiong (USF), "An SDN-Supported Collaborative Approach for DDoS Flooding Detection and Containment", International Conference for Military Communications (MILCOM 2015), Tampa, Florida, 2015
Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong, "Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking (SDN)", International Workshop on Computer and Networking Experimental Research Using Testbeds (CNERT 2015), Columbus, Ohio, June 2015

3 Outline
Background
Motivation
Collaborative detection and mitigation
Implementation
Demo
Conclusions

4 Background
Cybersecurity Research Experimentation on GENI
Denial of Service Detection and Mitigation using SDN
Covert Storage Channel Detection
Covert Timing Channel Implementation
Cybersecurity Education: experiential learning on GENI
CyberPaths: GENI Cybersecurity Modules
Liberal Arts Modules: Law, Cyber Insurance, Privacy, Finance

5 Motivation
DDoS Threat
Half of enterprises worldwide hit by DDoS attacks (Darkreading, 2014)
DDoS attacks: a perfect smoke screen for APTs and silent data breaches (CSO online, 2015)
$150 can buy a week-long DDoS attack (TrendMicro)
>2,000 DDoS attacks observed every day (Arbor Networks)
1/3 of all downtime incidents attributed to DDoS (Verisign/Merrill Research)
IoT: Mirai Botnet
Computer Networks Today
Big data
Complex topologies

6 Motivation
SDN Capabilities
Drop flows
Redirect flows
Duplicate flows
Information available & accessible on different network layers
Source:

7 DDoS TCP SYN Flood
[Diagram: Attacker, Spoofed Client and Server; messages shown: Send Spoofed SYN, Send SYN-ACK, Resend SYN-ACK]
Insights: Traffic pattern, Spoofed IPs

8 Challenges
Intrusion Detection System (IDS)
Data availability is limited
Effectiveness depends on position in network
SDN Controller
Bottleneck – cannot analyze every packet
Accuracy vs Performance
Real world implementation

9 Solutions
Discrete attack signature constituents
Increase in SYN packets
Spoofed source IPs for certain DDoS instances
IDS elements
Distributed
Communication with SDN controllers
SDN controllers possess critical information
Flow table
Add/remove flows
Duplicate flows
Emulation with Global Environment for Network Innovations (GENI)

10 [Architecture diagram: network traffic (Attack, Increase of normal traffic, Processing overhead) enters the Detection Stage (Monitors), which send an alert message to the Correlation Stage (Correlators); the correlator passes evidence/command to the Mitigation Stage (Controllers) once the attack is confirmed; a reset message returns each stage to monitoring]

11 [Topology diagram: a Backbone OVS connects OVS1, OVS2 and OVS3; Monitor M1 and Correlator/Controller C1 on OVS1 with the Server (Victim); Monitor M2 and Controller C2 on OVS2; Monitor M3 and Controller C3 on OVS3 with the Attacker; Monitor MB and Controller CB on the Backbone OVS; the Client is attached to an edge switch]

12 Monitor-Correlator Communication
[Sequence diagram with participants Client, OpenvSwitch, Monitor, Server and Controller (Correlator); messages in order: Request Content, Insert Flow (OvS Mirror Traffic), Forward Traffic, Send Alert Detail, Query OvS Flow Table, Return Flow Table Data, Insert Flow to OvS]

13 Monitor
Listen for IDS alerts
Alert threshold = # SYN packets / sec
Send alert flag to correlator
Send IPs of selected SYN packets to correlator
Flag can be attack type

14 Monitor – real time snort alert monitoring

15 Monitor – send alert to correlator

16 Correlator
Hash table based on the original flow table of OVS switch:
Key    Value
port1  IP1
port2  IP2
port3  IP3
…      …
portn  IPn
Query this table using the IP addresses from the monitor to look for any unknown IPs
Additional queries to a second hash table created based on the current flow table
[Diagram: Original Flow Table, Flow Table Snapshot1, Flow Table Snapshot2]

17 Correlator – parse and process flowdump

18 Correlator – block the port of attack
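The monitor threshold (slide 13) and the correlator's flow-table lookup and drop rule (slides 16-18), written out as an added example that is not the project's own code. The flow-dump lines, the bridge name br0 and the port numbers are constructed assumptions in the ovs-ofctl dump-flows style, and the port table generalizes the slide's one-IP-per-port table to a set of source IPs per port.

```python
"""Monitor -> correlator -> drop rule, as described on the slides."""
import re
from collections import defaultdict

# Constructed sample flow dumps (ovs-ofctl dump-flows style), not captured on GENI.
# BASELINE_DUMP: the original flow table; CURRENT_DUMP: snapshot after the alert.
BASELINE_DUMP = """\
 cookie=0x0, duration=120.5s, table=0, n_packets=840, n_bytes=61320, tcp,in_port=1,nw_src=10.0.0.2 actions=output:3
 cookie=0x0, duration=118.1s, table=0, n_packets=790, n_bytes=57100, tcp,in_port=3,nw_src=10.0.0.10 actions=output:1
"""
CURRENT_DUMP = BASELINE_DUMP + """\
 cookie=0x0, duration=2.2s, table=0, n_packets=5100, n_bytes=306000, tcp,in_port=2,nw_src=203.0.113.7 actions=output:3
 cookie=0x0, duration=2.1s, table=0, n_packets=4980, n_bytes=298800, tcp,in_port=2,nw_src=198.51.100.9 actions=output:3
"""
FLOW_RE = re.compile(r"in_port=(\d+),nw_src=([\d.]+)")


def syn_rate_alert(syn_timestamps, threshold, window=1.0):
    """Monitor side: True when more than `threshold` SYNs fall in any `window` seconds."""
    ts = sorted(syn_timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:   # slide the window forward
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


def build_port_table(flow_dump):
    """Hash table keyed by switch port; value = set of source IPs seen on that port."""
    table = defaultdict(set)
    for match in FLOW_RE.finditer(flow_dump):
        table[int(match.group(1))].add(match.group(2))
    return table


def correlate(baseline_dump, current_dump, reported_ips):
    """IPs reported by the monitor that never appeared in the original table are
    'unknown'; the current snapshot tells which port(s) they are entering on."""
    known = {ip for ips in build_port_table(baseline_dump).values() for ip in ips}
    unknown = {ip for ip in reported_ips if ip not in known}
    ports = {port for port, ips in build_port_table(current_dump).items() if ips & unknown}
    return unknown, ports


def drop_rules(ports, bridge="br0", priority=100):
    """Mitigation: one drop flow per attack port (bridge name is an assumption)."""
    return [f"ovs-ofctl add-flow {bridge} priority={priority},in_port={p},actions=drop"
            for p in sorted(ports)]
```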

19 Role of SDN in Implementation
Duplicate flows
Flow table information detects attacker
Drop flows to mitigate
Duplication is implemented with Mirroring
We may mitigate real traffic – flash crowd
Deep packet inspection
Second chance

20 Demo Video & Live

21 Conclusions and Future Work
Synergistic strategy: monitoring, detection, mitigation
Scalable solution to process high volume of traffic and large scale attacks
Future work
Scalability optimizations
Different security applications – covert channel

22 More security experimentation on GENI
Covert Storage Channel Detection: Yiyuan Hu (JHU), Xiangyang Li (JHU), Xenia Mountrouidou, "Improving Covert Storage Channel Analysis with SDN and Experimentation on GENI", National Cyber Summit 2016
Covert Timing Channel: ACM Research competition poster "Time Lord: Covert Timing Channel Implementation and Realistic Experimentation", Eduardo Castillo, Xenia Mountrouidou, Xiangyang Li (JHU)
Firewalls - CoC
VPNs - CoC
XSS - JHU
Certificates - JHU

23 Acknowledgements

24 Questions? Thank you!

25 Links
Project CyberPaths: http://blogs.cofc.edu/cyberpaths/
Intrusion Detection Lab: nsystemgenidesk_v2.html
Correlation & Mitigation lab: esk.html

26 Appendix Results

27 Results
Multiple attackers
Multiple users
Goals: Identify bottlenecks, Demonstrate effectiveness

28 Results – multiple attackers
[Plot: Time in msec vs Number of Attackers]

29 Results – multiple attackers
[Plots: Monitor Overhead and Correlator Overhead, Time in msec vs Number of Attackers]
t1 : time for mirrored traffic to reach monitor
t2 : time for alert to be raised
t3 : time to communicate with Correlator
t4 : time to process monitor's alert
t5 : time needed to query OVS
t6 : time needed to issue new rule to drop flow

30 Results - ROC M2, C2: Monitor & Correlator 2

31 Results – Multiple Users
Need to describe x, y axis!!!

32 Results – Multiple Users
t1 : time for mirrored traffic to reach monitor
t2 : time for alert to be raised
t3 : time to communicate with Correlator
t4 : time to process monitor's alert
t5 : time needed to query OVS
t6 : time needed to issue new rule to drop flow
