Published by Nathaniel Rich, modified over 6 years ago
Slide 1: Denial of Service detection and mitigation on GENI
Xenia Mountrouidou, Blaine Billings, College of Charleston
Slide 2: Collaborative research
- Tommy Chin (RIT), Xenia Mountrouidou, Xiangyang Li (JHU), Kaiqi Xiong (USF), “An SDN-Supported Collaborative Approach for DDoS Flooding Detection and Containment”, International Conference for Military Communications (MILCOM 2015), Tampa, Florida, 2015
- Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong, “Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking (SDN)”, International Workshop on Computer and Networking Experimental Research Using Testbeds (CNERT 2015), Columbus, Ohio, June 2015
Slide 3: Outline
- Motivation
- Collaborative detection and mitigation
- Implementation
- Demo
- Conclusions
Slide 4: Motivation
DDoS threat:
- Half of enterprises worldwide hit by DDoS attacks (Darkreading, 2014)
- DDoS attacks: a perfect smoke screen for APTs and silent data breaches (CSO Online, 2015)
- $150 can buy a week-long DDoS attack (TrendMicro)
- >2,000 DDoS attacks observed every day (Arbor Networks)
- 1/3 of all downtime incidents attributed to DDoS (Verisign/Merrill Research)
- IoT: Mirai botnet
Computer networks today:
- Big data
- Complex topologies
Slide 5: Motivation, SDN capabilities
- Drop flows
- Redirect flows
- Duplicate flows
- Information available & accessible on different network layers
Slide 6: DDoS TCP SYN Flood
Figure (message sequence between Attacker, Server and Spoofed Client): Attacker sends a spoofed SYN to the Server; the Server sends a SYN-ACK to the Spoofed Client; the Server resends the SYN-ACK.
Insights:
- Traffic pattern
- Spoofed IPs
Slide 7: Challenges
Intrusion Detection System (IDS):
- Data availability is limited
- Effectiveness depends on position in the network
SDN Controller:
- Bottleneck: cannot analyze every packet
- Accuracy vs performance
- Real-world implementation
Slide 8: Solutions
Discrete attack signature constituents:
- Increase in SYN packets
- Spoofed source IPs for certain DDoS instances
IDS elements:
- Distributed
- Communication with SDN controllers
SDN controllers possess critical information:
- Flow table
- Add/remove flows
- Duplicate flows
Emulation with the Global Environment for Network Innovations (GENI)
Slide 9 (figure): three stages, each on its own timeline t
- Detection stage, Monitor(s): network traffic (attack, increase of normal traffic, processing overhead); sends alert message
- Correlation stage, Correlator(s): sends evidence/command, or a reset message; reset
- Mitigation stage, Controller(s): attack confirmed; reset
10
M2 Controller C2 Attacker OVS2 Client Backbone OVS OVS1 OVS3 Server
Monitor M1 Server (Victim) Correlator/ Controller C1 OVS1 M2 Controller C2 Backbone OVS M3 Attacker OVS3 OVS2 C3 MB Controller CB
Slide 11: Monitor-Correlator Communication
Figure (sequence diagram) participants: Client, OpenvSwitch, Monitor, Server, Controller (Correlator). Messages, in order: Request Content; Insert Flow OvS; Mirror Traffic (to Monitor); Forward Traffic (to Server); Send Alert Detail (Monitor to Correlator); Query OvS Flow Table; Return Flow Table Data; Insert Flow to OvS.
Slide 12: Monitor
- Listen for IDS alerts
- Alert threshold = # SYN packets / sec
- Send alert flag to correlator; the flag can be the attack type
- Send IPs of selected SYN packets to correlator
Slide 13: Monitor, real-time Snort alert monitoring
Slide 14: Monitor, send alert to correlator
Slide 15: Correlator
Figure: hash table with Key = port and Value = IP (port1: IP1, port2: IP2, port3: IP3, …, portn: IPn), built from the Original Flow Table; later snapshots Flow Table Snapshot1 and Flow Table Snapshot2.
- Hash table based on the original flow table of the OVS switch
- Query this table using the IP addresses from the monitor to look for any unknown IPs
- Additional queries to a second hash table created from the current flow table
Slide 16: Correlator, parse and process flowdump
Slide 17: Correlator, block the port of attack
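The correlator steps of slides 15 to 17 (build the port-to-IP table from the original flow dump, look up the monitor's reported IPs for unknown addresses, find the ingress port carrying them in the current snapshot, and emit a drop rule for it), as an added Python example that is not part of the slides or the authors' code. The flow dump text, the IP addresses and the bridge name `br0` are constructed; the drop rule uses `ovs-ofctl add-flow` syntax.

```python
import re
from collections import defaultdict

# Matches the ingress port and source IP fields of one `ovs-ofctl dump-flows` line.
FLOW_RE = re.compile(r"in_port=(\d+),nw_src=(\d+\.\d+\.\d+\.\d+)")

# Constructed `ovs-ofctl dump-flows` output (example data, not from the slides):
# two legitimate clients on ports 1 and 2 talking to the server 10.0.0.100.
ORIGINAL_FLOW_DUMP = """\
 cookie=0x0, duration=120.5s, table=0, n_packets=40, n_bytes=2960, priority=1,tcp,in_port=1,nw_src=10.0.0.1,nw_dst=10.0.0.100 actions=output:4
 cookie=0x0, duration=118.2s, table=0, n_packets=35, n_bytes=2590, priority=1,tcp,in_port=2,nw_src=10.0.0.2,nw_dst=10.0.0.100 actions=output:4
"""
# Snapshot taken after the monitor's alert: port 3 now sources never-seen (spoofed) IPs.
CURRENT_FLOW_DUMP = ORIGINAL_FLOW_DUMP + """\
 cookie=0x0, duration=2.1s, table=0, n_packets=1, n_bytes=74, priority=1,tcp,in_port=3,nw_src=203.0.113.7,nw_dst=10.0.0.100 actions=output:4
 cookie=0x0, duration=2.0s, table=0, n_packets=1, n_bytes=74, priority=1,tcp,in_port=3,nw_src=203.0.113.9,nw_dst=10.0.0.100 actions=output:4
"""

def parse_flow_dump(text):
    """Build the slide's hash table: ingress port -> set of source IPs seen on it."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            table[int(m.group(1))].add(m.group(2))
    return dict(table)

def unknown_ips(reported, original_table):
    """IPs the monitor reported that never appeared in the original flow table."""
    known = set().union(*original_table.values()) if original_table else set()
    return set(reported) - known

def attack_ports(suspects, current_table):
    """Ports whose current flows carry any of the suspect IPs."""
    return {port for port, ips in current_table.items() if ips & suspects}

def block_rule(bridge, port, priority=100):
    """ovs-ofctl command that drops all traffic ingressing on `port` (slide 17)."""
    return f'ovs-ofctl add-flow {bridge} "priority={priority},in_port={port},actions=drop"'

def correlate(reported, original_dump, current_dump, bridge="br0"):
    """Full correlator pass: returns (suspect IPs, attack ports, block commands)."""
    original, current = parse_flow_dump(original_dump), parse_flow_dump(current_dump)
    suspects = unknown_ips(reported, original)
    ports = attack_ports(suspects, current)
    return suspects, ports, [block_rule(bridge, p) for p in sorted(ports)]

if __name__ == "__main__":
    # IPs of the SYN packets the monitor sampled and forwarded with its alert (constructed).
    print(correlate(["10.0.0.1", "203.0.113.7", "203.0.113.9"], ORIGINAL_FLOW_DUMP, CURRENT_FLOW_DUMP))
```

Blocking a whole ingress port also drops any legitimate client that shares it, which is the flash-crowd caveat of slide 18; checking whether the port's current IP set overlaps the known set before applying the rule is a cheap guard.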
Slide 18: Role of SDN in Implementation
- Duplicate flows; duplication is implemented with mirroring
- Flow table information detects the attacker
- Drop flows to mitigate
- Caveat: we may mitigate real traffic (flash crowd); deep packet inspection offers a second chance
Slide 19: Demo (video & live)
Slide 20: Conclusions and Future Work
- Synergistic strategy: monitoring, detection, mitigation
- Scalable solution to process high volumes of traffic and large-scale attacks
Future work:
- Scalability optimizations
- Different security applications, e.g. covert channels
Slide 21: More security experimentation on GENI
- Covert Storage Channel Detection: Yiyuan Hu, Xiangyang Li, Xenia Mountrouidou, “Improving Covert Storage Channel Analysis with SDN and Experimentation on GENI”, National Cyber Summit 2016
- Covert Timing Channel: ACM Research competition poster “Time Lord: Covert Timing Channel Implementation and Realistic Experimentation”, Eduardo Castillo, Xenia Mountrouidou, Xiangyang Li
- Moving Target Defense
Slide 22: Acknowledgements
Slide 23: Questions? Thank you!
Slide 24: Links
- Project CyberPaths: http://blogs.cofc.edu/cyberpaths/
- Intrusion Detection Lab: nsystemgenidesk_v2.html
- Correlation & Mitigation lab: esk.html