Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementation of Lawful Interception and Malicious traffic Prevention based on software defined network Speaker: Muhammad Reza Zulman Advisor: Dr. Kai-Wei.

Published byΕυτέρπη Αγγελόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Implementation of Lawful Interception and Malicious traffic Prevention based on software defined network Speaker: Muhammad Reza Zulman Advisor: Dr. Kai-Wei."— Presentation transcript:

1 Implementation of Lawful Interception and Malicious traffic Prevention based on software defined network Speaker: Muhammad Reza Zulman Advisor: Dr. Kai-Wei Ke Date: July 11, 2016

2 Outline Lawful Interception, SIP and Malicious Traffic overview.
What is SDN? OpenFlow. Objectives. System Design and Implementation. Malicious Detection Mechanism. References.

3 Fig. 1. Basic Interception operation
Lawful Interception Lawful Interception (LI) describes by ITU as a lawfully authorized interception and monitoring of telecommunications pursuant to an order of a government body, to obtain the forensics necessary for pursuing wrongdoers. In general, the operator of public network infrastructure can undertake LI activities for their infrastructure protection and cybersecurity. User A Surveillance System User B Intercepting… Fig. 1. Basic Interception operation

4 SIP Overview(Session Initiation Protocol)
A signaling communications protocol, widely used for controlling multimedia communication session. UA UA INVITE INVITE 100 Trying 100 Ringing 100 Ringing 200 OK 200 OK ACK ACK Conversation BYE 200 OK Fig. 2. Message flow of SIP calling procedure

5 Malicious Traffic Any traffic anomalies that occur from hardware or software failures to internet packets with maliciously modified options. Malicious traffic usually exhausts the legitimate resources by sending a lot of traffic or violate the communication protocol. Some of malicious behavior, e.g., Ping Attack, ARP Spoofing, and SYN Flooding.

6 Malicious Traffic (Cont.)
Source Destination SYN SYN/ACK ACK Station A IP A / MAC A Server IP C / MAC C IP MAC C A Attacker IP B/ MAC B Fig. 4. ARP Spoofing Fig. 3. SYN Flooding

7 What is SDN ? According to ONF(OpenFlow Networking Foundation)
“The physical separation of the network control plane from the forwarding plane, and where a control plane controls several devices.” “The OpenFlow® protocol is a foundational element for building SDN solutions.” SDN Architecture Application Layer Control Layer Infrastructure Layer Business Application SDN Application Cloud Orchestration SDN Controller Programmable Open APIs Network device 🔳🔳🔳🔳🔳🔳 Control and data plane programmable interface (e.g., Openflow) Fig. 5. Software Defined Network Architecture

8 Fig. 6. OpenFlow Architecture
Controller Main Component of an OpenFlow Switch Meter Table Group Table Secure Channel OpenFlow Switch 🔳🔳🔳🔳🔳🔳 Flow Table Flow Table Flow Table OpenFlow Switch 🔳🔳🔳🔳🔳🔳 End System Fig. 6. OpenFlow Architecture

9 Fig. 7. OpenFlow Basic Operation
OpenFlow(cont.) How does OpenFlow works ? When the first packet coming in to the switch, the switch does not have any idea how to handle the packet. Since there is no match entry in it’s flow table, packet will dropped. However, to handle the packet, flow miss entry should be initialize to the switch to controller. OpenFlow Switch 🔳🔳🔳🔳🔳🔳 host table-miss Controller Packet in drop Fig. 7. OpenFlow Basic Operation

10 Table 1. Required OpenFlow Match Fields
OpenFlow(cont.) Flow table A flow table consist of flow entries: Match fields Priority Counters Instructions Timeouts Cookie Flags Fields Description OXM_OF_IN_PORT Ingress port. This may be a physical or switch-defined logical port. OXM_OF_ETH_DST Ethernet source address. Can use arbitrary bitmask OXM_OF_ETH_SRC Ethernet destination address. Can use arbitrary bitmask OXM_OF_ETH_TYPE Ethernet type of the OpenFlow packet payload, after VLAN tags. OXM_OF_IP_PROTO IPv4 or IPv6 protocol number OXM_OF_IPV4_SRC IPv4 source address. Can use subnet mask or arbitrary bitmask OXM_OF_IPV4_DST IPv4 destination address. Can use subnet mask or arbitrary bitmask OXM_OF_IPV6_SRC IPv6 source address. Can use subnet mask or arbitrary bitmask OXM_OF_IPV6_DST IPv6 destination address. Can use subnet mask or arbitrary bitmask OXM_OF_TCP_SRC TCP source port OXM_OF_TCP_DST TCP destination port OXM_OF_UDP_SRC UDP source port OXM_OF_UDP_DST UDP destination port * All in tables are required match fields that must be support by a switch Table 1. Required OpenFlow Match Fields

11 Objectives Implementing record and monitoring surveillance system, detecting and preventing malicious traffic by utilizing software defined network. Surveillance system for VoIP traffic on SIP protocol. Malicious traffic, including overdose ping, arp spoofing and syn flood attack.

12 System Design and Implementation
OpenFlow Switch 🔳🔳🔳🔳🔳🔳 IPS Device IRS Host 1 Host 2 SDN Controller table-miss Flow adding Classification of the traffic is performed by controller Controller install flow entries to corresponding type of traffic to avoid packet in next time. flow entries action is to mirror the traffic to corresponding IRS and IPS device. IRS and IPS analyze and record the traffic. IPS notify the controller whenever an attack is detected for prevention. host 1 send packet to host 2 Fig. 8. Overall System Architecture

13 Fig. 9. Multiples OpenFlow Table
System Mirroring Implementation OpenFlow switch support multiple tables. This features allow a different actions to be set for each table. Fig. 9. Multiples OpenFlow Table

14 Fig. 10. Mirroring Implementation
System Mirroring Implementation(Cont.) Using Multiple tables for duplicating packets. The reason is for easy flow table modification. Packet in SDN Controller Flow Install 3 Table 0 Output = 3, Goto 1 Table 1 Output = 4, Goto 2 Table 1 Output = 2 IRS 1 Host 1 4 2 IPS Device Fig. 10. Mirroring Implementation Host 1

15 Classification Process
Classification process is done use deep packet inspection (port number base). Drawbacks of the system is some protocol does not use fixed port number such as RTP that used in SIP protocol. For this occasion, specific mechanism need to be implemented. SDN Controller Flow Classification Mirror Port setting OpenFlow Switch 🔳🔳🔳🔳🔳🔳 Fig. 11. Classification Process

16 SIP Classification on Controller.
SIP protocol use port 5060 and 5061 on both TCP or UDP for signaling. While for media streaming, RTP protocol will be used. Although TCP is standardize for RTP use, the majority of RTP used UDP. The system design will assume that RTP only use UDP protocol.

17 SIP Classification on Controller(Cont.)
IRS will get first RTP packet and send information to controller. Controller keep data information sent by IRS. System assume the next packet is next media stream. Fig. 12. SIP Traffic Classification Flowchart

18 Malicious Traffic Detection and Prevention
The IDS is placed on the packets route. Every packet goes in the IDS to be analyzed and then forwarded to it’s destination. This method prevents that any unseen malicious packet. client attacker IDS/firewall server Fig On-path Detection IDS X However, as every packet must be analyzed before being forwarded. When there is to many packet, the IDS works as a packet buffer. This will affecting the network’s performance

19 Malicious Traffic Detection and Prevention(Cont.)
X client attacker Controller With IDS function server OpenFlow Switch 🔳🔳🔳🔳🔳🔳 With SDN, the IDS/Firewall can be place as a network function in Controller. Every packet goes to the controller to be analyzed and then request the switch to forwarded to the destination or block. Fig IDS Function on Controller However, This will consume controller resources (Heavy load).

20 Malicious Traffic Detection and Prevention(Cont.)
Another way is by placing the IDS as another separated node. Every packet that arrive is mirrored to the port in which the IDS is connected. This way, although it is possible that some malicious packet goes to it’s destination before detected, the network performance is not affected. Controller attacker OpenFlow Switch 🔳🔳🔳🔳🔳🔳 server client IDS Fig IDS Function on Separated Node This method is chosen with the consideration of solving the performance and to ease the controller workload.

21 Utilizing OpenFlow for Malicious Traffic Prevention
attacker IDS server client OpenFlow Switch 🔳🔳🔳🔳🔳🔳 Controller With controller have full control of the switch. The controller will request the switch to stop forwarding the malicious traffic. IDS send notification to controller when malicious traffic detected. The controller then request the switch to block the traffic from the “attacker” Malicious is detected! Send notification! Fig OpenFlow for Malicious Prevention

22 Utilizing OpenFlow for Malicious Traffic Prevention(Cont.)

23 Malicious Detection Mechanism
Overdose ping detection ICMP flood attack overwhelms the target with ICMP echo request packet, generally sending packet as fast as possible without waiting for replies. IDS will calculate how many ICMP echo request send by a host. When IDS get first ICMP packet, it record the source and start timer. The threshold can be set by admin.

24 Malicious Detection Mechanism(Cont.)
ARP Spoofing Arp Spoofing is used to attack host in Local Area Network. Host A Host B When the arp request is send, the attacker replies with their own MAC_ADDR to make Host A think that attacker is Host B. Attacker also send arp request to learn Host B MAC_ADDR. Attacker able to forward message from Host A to Host B. Attacker arp request arp reply data Fig Arp Spoofing Illustration

25 Malicious Detection Mechanism(Cont.)
ARP Spoofing The detection is determine by comparing the attacker information with the one stored in IDS Host A IDS Attacker arp request arp reply OpenFlow Switch 🔳🔳🔳🔳🔳🔳 Record arp traffic. Counting arp_reply and arp request packet. Compare with stored arp table. IRS stored arp table from all connected Host. Whenever arp reply received, get sender IP and compared with stored information. If change, IDS will start counting the arp reply, If > threshold and amount of arp_reply/arp_request > 10, arp spoofing detected. Fig Arp Spoofing detection

26 References [1] Open Networking Foundation, “Software-Defined Networking: The New Norm for Networks”, ONF White Paper, April 13, 2012 [3] J. R. Ballard, I. Rae, and A. Akella, “Extensible and scalable network monitoring using opensafe,” Proc. INM/WREN, 2010. [4] R. U. Rehman, "Intrusion detection systems with snort," in BRUCE PERENS OPEN SOURCE SERIES.

27 THANK YOU

Download ppt "Implementation of Lawful Interception and Malicious traffic Prevention based on software defined network Speaker: Muhammad Reza Zulman Advisor: Dr. Kai-Wei."

Similar presentations

An OpenFlow Extension for the OMNeT++ INET Framework

An OpenFlow Extension for the OMNeT++ INET Framework
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Inter-VLAN Routing Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Inter-VLAN Routing Routing And Switching.
SDN and Openflow.

SDN and Openflow.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn 2004-2005.

Oct 21, 2004CS573: Network Protocols and Standards1 IP: Addressing, ARP, Routing Network Protocols and Standards Autumn
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,

Secure Telephony Enabled Middle-box (STEM) Maggie Nguyen Dr. Mark Stamp SJSU - CS 265 Spring 2003 STEM is proposed as a solution to network vulnerabilities,
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing And Switching.
CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Exploring the Packet Delivery Process Chapter 1 - 6.

Exploring the Packet Delivery Process Chapter
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen

1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
PA3: Router Junxian (Jim) Huang EECS 489 W11 /

PA3: Router Junxian (Jim) Huang EECS 489 W11 /

Similar presentations

Ads by Google