
Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.


1 Network Anti-Spoofing with SDN Data Plane. Authors: Yehuda Afek et al.
Presenter: Soorya Ravichandran

2 Introduction
A traditional middlebox for anti-spoofing mitigation brings CAPEX, latency and complexity.
An anti-DDoS system built on SDN instead implements the mitigations for both the SDN and the underlying infrastructure.
The building blocks are flow-table rules and switch-controller messages.

3 Technologies Used
OpenFlow 1.5 and P4. P4 allows flexible programming of any protocol header.
Open vSwitch.
hping3 tool, used for generating the SYN flood attack.

4 Overview of SDN
Software Defined Networking: separation of the control plane and the data plane.
OpenFlow: the interface between the control plane and the forwarding plane, implemented through a match-and-action framework.
Table models: Single Match Table (SMT), Multiple Match Tables (MMT), Reconfigurable Match Tables (RMT, the model used in this paper).

5 Problems and Solutions
Problems: DDoS using a spoofed SYN attack; stateful and control-plane saturation attacks on the SDN controller; flow-state congestion (flow-table exhaustion).
Solutions: anti-SYN spoofing, stateless challenge-response, and a distributed network solution.

6 Anti-SYN Spoofing
A spoofed SYN flood exhausts TCP state on the server and entries in the SDN flow table.
Three mitigation methods: SYN cookie, HTTP redirect to the same server address, and TCP reset.

7 SYN Cookie Method

8 Generation of Cookie
Controller communication for cookie generation.
The cookie combines a random value with the SYN packet parameters: source IP + source port + a 32-bit random number, of which an 8-bit portion is spanned periodically.
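The slide does not show the cookie computation itself, so the following is an added example (not the paper's code or P4 program) of a stateless SYN-cookie challenge-response in Python. It assumes that the 32-bit random number is used as a per-boot HMAC key and that the periodically "spanned" 8-bit portion is a time counter carried in the top bits of the cookie so that stale cookies expire; both choices, the fixed secret and the traffic in `simulate()` are constructed for the example.

```python
"""Stateless SYN cookie: the SYN-ACK sequence number is the cookie, nothing is stored per SYN."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed fixed secret so the example is reproducible; a real data plane would
# draw it from a CSPRNG at start-up (assumption: this plays the "32-bit random number").
SECRET = bytes.fromhex("5c3a9f0e2d7b4c1a8e6f0d2b4a6c8e0f" * 2)

COUNTER_BITS = 8                   # the periodically rotated 8-bit portion (assumed to be a time counter)
MAC_BITS = 32 - COUNTER_BITS       # 24 bits of keyed hash over the SYN parameters
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(src_ip: str, src_port: int, counter: int) -> int:
    """Keyed hash over source IP, source port and the counter, truncated to MAC_BITS."""
    msg = ipaddress.ip_address(src_ip).packed + struct.pack("!HB", src_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src_ip: str, src_port: int, counter: int) -> int:
    """32-bit cookie used as the SYN-ACK sequence number: counter || MAC."""
    counter &= 0xFF
    return (counter << MAC_BITS) | _mac(src_ip, src_port, counter)


def check_cookie(src_ip: str, src_port: int, ack: int, now: int, window: int = 2) -> bool:
    """Validate the handshake ACK without stored state: ack must be cookie + 1 and the
    embedded counter must be current or at most window - 1 ticks old."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> MAC_BITS
    if (now - counter) & 0xFF >= window:
        return False                              # expired (or from the future)
    expected = struct.pack("!I", _mac(src_ip, src_port, counter))
    got = struct.pack("!I", cookie & MAC_MASK)
    return hmac.compare_digest(expected, got)     # constant-time compare


class StatelessSynProxy:
    """Model of the data-plane behaviour: a pinhole rule is installed only after a valid ACK."""

    def __init__(self) -> None:
        self.counter = 0
        self.pinholes = set()

    def tick(self) -> None:
        """Rotate the 8-bit portion; called periodically."""
        self.counter = (self.counter + 1) & 0xFF

    def on_syn(self, src_ip: str, src_port: int) -> int:
        """Answer a SYN with a SYN-ACK carrying the cookie; no flow-table entry is created."""
        return make_cookie(src_ip, src_port, self.counter)

    def on_ack(self, src_ip: str, src_port: int, ack: int) -> bool:
        """Install the pinhole only if the ACK proves the sender received the SYN-ACK."""
        if not check_cookie(src_ip, src_port, ack, self.counter):
            return False
        self.pinholes.add((src_ip, src_port))
        return True


def simulate() -> dict:
    """Constructed scenario: 1000 spoofed SYNs, one real client, one guessed ACK."""
    proxy = StatelessSynProxy()
    for i in range(1000):                       # spoofed sources never see the SYN-ACK, so no ACK returns
        proxy.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i)
    cookie = proxy.on_syn("203.0.113.7", 40000)  # legitimate client completes the handshake
    legit = proxy.on_ack("203.0.113.7", 40000, (cookie + 1) & 0xFFFFFFFF)
    guess = proxy.on_ack("198.51.100.9", 1032, 0x12345678)  # attacker guessing an ACK number
    return {"pinholes": len(proxy.pinholes), "legit": legit, "guess": guess}
```

The point the slide makes about flow-table exhaustion is visible in `simulate()`: a thousand spoofed SYNs leave the pinhole set empty, and only the client that echoes cookie + 1 gets an entry. The counter window is what addresses the "timestamp consideration" raised later in the deck: a cookie captured at counter value 5 is still accepted one tick later but rejected after that.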

9 Distributed Network Solution
Problem: flow-table exhaustion caused by the pinholes of increased legitimate traffic.
Vertical distribution: the resources of the switches along the bottleneck traffic path are utilised.
Each switch reserves table space D_i for the path P_i that crosses it.
The threshold level is 80% of rule capacity and processing power.
All switches on a saturated path take part in the load balancing.
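The slide states the policy (per-switch space D_i per path P_i, 80% threshold, all switches on the saturated path share the load) but not an algorithm, so here is an added example in Python, not the paper's controller code, of a greedy placement that never pushes a switch over the threshold. The switch dicts, the capacities and the choice to fill switches in the order they appear on the path are assumptions made for the example.

```python
"""Vertical distribution of pinhole rules along a saturated path."""
THRESHOLD = 0.8   # slide: 80% of rule capacity


def free_space(switch: dict) -> int:
    """D_i for one switch: entries it can still take before crossing THRESHOLD."""
    return max(0, int(THRESHOLD * switch["capacity"]) - switch["used"])


def is_saturated(switch: dict) -> bool:
    return switch["used"] >= THRESHOLD * switch["capacity"]


def distribute(path: list, new_rules: int) -> tuple:
    """Spread new_rules pinhole entries over the switches of path P.

    path is a list of {"name", "capacity", "used"} dicts in path order (assumed:
    bottleneck first). Returns (plan, unplaced): plan maps switch name -> entries to
    install there; unplaced > 0 means every switch on the path is at the threshold and
    the controller must reject new connections or reroute.
    """
    plan = {}
    remaining = new_rules
    for sw in path:
        take = min(free_space(sw), remaining)
        if take > 0:
            plan[sw["name"]] = take
            remaining -= take
        if remaining == 0:
            break
    return plan, remaining


def apply_plan(path: list, plan: dict) -> dict:
    """Commit the plan to the (simulated) flow tables; returns utilisation per switch."""
    by_name = {sw["name"]: sw for sw in path}
    for name, n in plan.items():
        by_name[name]["used"] += n
    return {sw["name"]: round(sw["used"] / sw["capacity"], 2) for sw in path}


def demo() -> tuple:
    """Constructed path: s1 is the saturated bottleneck, s2 and s3 lie upstream on the same path."""
    path = [
        {"name": "s1", "capacity": 1000, "used": 800},
        {"name": "s2", "capacity": 1000, "used": 300},
        {"name": "s3", "capacity": 500, "used": 100},
    ]
    plan, unplaced = distribute(path, 700)
    util = apply_plan(path, plan)
    assert not any(is_saturated(sw) and sw["used"] > THRESHOLD * sw["capacity"] for sw in path)
    return plan, unplaced, util
```

In `demo()` the bottleneck s1 is already at its 80% threshold, so all 700 new entries land on s2 and s3 and no switch ends above 80% utilisation. The caveat a practitioner should check before adopting this: a pinhole installed upstream only protects the bottleneck if the flow is guaranteed to traverse that upstream switch, which holds for a fixed path P_i but not under ECMP or after a reroute.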

10 Anti-Spoofing Performance
Without mitigation, HTTP requests fail at 2.7k pps.
With mitigation, requests still succeed at up to 206k pps.
Throughput decreases as the mitigation actions are applied.

11 Anti-Spoofing Performance (cont'd)

12 Criticism
Open vSwitch security vulnerabilities that must be taken care of:
Buffer over-read vulnerability.
OpenFlow bypass vulnerability: bypass of the actions in pinholes.
OpenFlow code-execution vulnerability: allows an unauthenticated attacker to execute code.
Timestamp consideration in cookie generation.

