Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke

Published byAlexandrina Potter Modified over 5 years ago

Similar presentations

Presentation on theme: "SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke"— Presentation transcript:

1 SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke
NetworksDetecting and Mitigating Denial of Service Attacks against the Data Plane in Software Defined Networks SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke DATE:2018/03/23

2 Outline INTRODUCTION RELATED WORK
DENIAL OF SERVICE ATTACKS AGAINST THE DATA PLANE EVALUATION CONCLUSION 1

3 INTRODUCTION Software Defined Networking (SDN)
SDN proposes a marked shift from the current network infrastructure by decoupling the network logic layer, called the control plane, and the data layer, called the data plane, into separate entities. 2

4 2) into a PacketIn message and sent to the controller.
1) A host sends a packet for a new connection which reaches an SDN switch. 2) into a PacketIn message and sent to the controller. 3) In the controller the PacketIn is processed by an SDN application. 4) If has set up a rule in the switch to handle the flow, further packets belonging to that flow will be processed. 3

5 RELATED WORK In this work we focus on a much less investigated area of SDN security – the detection and mitigation of Denial of Service attacks against the data plane. Forwarding tables have limited memory capacities. Typically, switches rely on Content Addressable Memory (CAM) that performs table lookups at line rate. Especially, Ternary CAM (TCAM) is expensive and therefore very small, ranging in the region of 1k to 2k entries. But also, regular and cheaper Binary CAM (BCAM) is limited to only a couple of 100k entries. 4

6 LIMITATIONS OF THE RELATED WORK
Some works extend the available table size by using a combination of software and hardware flow tables. the severity of the DoS is reduced, as software tables allow far more entries. Although, also software tables suffer from performance penalties for big table sizes, e.g. Open vSwitch uses a linear search to handle wildcard rules. 5

7 DENIAL OF SERVICE ATTACKS AGAINST THE DATA PLANE
The attacker causes a high number of PacketIn messages by changing header fields. Our proposed detection approach is based on the observation that an attacker cannot change all header fields. This allows us to identify the attack. 6

8 Attack Description An attacker knowing about the controller’s decision making and flow rule setting behavior is able to craft packets. For the switch these packets appear as new flows and therefore, are handled by the controller resulting in an increasing number of flow rules in the switching tables.

9 Detection 1.The idea for the detection of DoS attacks against the data plane aims at localizing the fixed header fields of the attacking flow. 2.The approach uses a table of counters with the different header fields as columns. 3.To normalize the table size the header fields are hashed by a uniformly dispersing function with fixed output size.

10 used the 32Bit FNV-1a hashing function folded to an output size of 16Bit by applying an XOR operation of the upper half to the lower half of the hash sum. This results in 2 ^16 rows in the counter table. 9

11 Analytic Evaluation of the Detection Performanceion
1.The idea for the detection of DoS attacks against the data plane aims at localizing the fixed header fields of the attacking flow. 2.The approach uses a table of counters with the different header fields as columns. 3.To normalize the table size the header fields are hashed by a uniformly dispersing function with fixed output size.

12 the memory consumption can be bound to:
11

13 The detection algorithm has a complexity of : O(|hash| · |H|)
12

14 EVALUATION In order to evaluate the detection method we built a simulation based on the widely used OMNeT++ framework 13

15 the attacker arrival rate is called λa.
inter arrival time arrival rate λl = 1/ Tl . the attacker arrival rate is called λa. the window size tW , i.e. the time between two consecutive runs of the detection algorithm the detection threshold θm. 14

16 Analytic Evaluation of the Detection Performanceion
give a more systematic approach for determining the threshold. The expected mT corresponds with the maximum expected collisions of a header value. 15

17 16

18 Results a network of legitimate H = 100 hosts. We simulated 10 repetitions for each setting with a duration of 1000 s per run. 17

19 Fig. 5: Working region of detection algorithm, with λa = 10·λl and H = 100
18

20 CONCLUSION In this work we introduced a novel detection and mitigation algorithm for Denial of Service Attacks in Software Defined Networks. This work concentrates on attacks which aim to overflow the hardware tables of SDN switches In cloud environments. uses a table with the header fields as columns and hashes of the header fields as rows. If an attack occurs the fields corresponding to the unchanged fields grow tremendously.. 19

21 REFERENCES R. Durner, C. Lorenz, M. Wiedemann and W. Kellerer, "Detecting and mitigating denial of service attacks against the data plane in software defined networks," 2017 IEEE Conference on Network Softwarization (NetSoft), Bologna, 2017, pp. 1-6. 20

Download ppt "SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke"

Similar presentations

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
IP Forwarding Relates to Lab 3.

IP Forwarding Relates to Lab 3.
Delivery and Forwarding of

Delivery and Forwarding of
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
1 Mobile IPv6-Based Ad Hoc Networks: Its Development and Application Advisor: Dr. Kai-Wei Ke Speaker: Wei-Ying Huang.

1 Mobile IPv6-Based Ad Hoc Networks: Its Development and Application Advisor: Dr. Kai-Wei Ke Speaker: Wei-Ying Huang.
NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.

Outline Introduction Related work on packet classification Grouper Performance Empirical Evaluation Conclusions.
OpenFlow-Based Server Load Balancing GoneWild

OpenFlow-Based Server Load Balancing GoneWild
SDN and Openflow.

SDN and Openflow.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
Hash Tables With Finite Buckets Are Less Resistant to Deletions Yossi Kanizo (Technion, Israel) Joint work with David Hay (Columbia U. and Hebrew U.) and.

Hash Tables With Finite Buckets Are Less Resistant to Deletions Yossi Kanizo (Technion, Israel) Joint work with David Hay (Columbia U. and Hebrew U.) and.
An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.

An Efficient IP Lookup Architecture with Fast Update Using Single-Match TCAMs Author: Jinsoo Kim, Junghwan Kim Publisher: WWIC 2008 Presenter: Chen-Yu.
Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp. 588-605, February.

Fast binary and multiway prefix searches for pachet forwarding Author: Yeim-Kuan Chang Publisher: COMPUTER NETWORKS, Volume 51, Issue 3, pp , February.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Section 4 : The OSI Network Layer CSIS 479R Fall 1999 “Network +” George D. Hickman, CNI, CNE.

Section 4 : The OSI Network Layer CSIS 479R Fall 1999 “Network +” George D. Hickman, CNI, CNE.
PARALLEL TABLE LOOKUP FOR NEXT GENERATION INTERNET

PARALLEL TABLE LOOKUP FOR NEXT GENERATION INTERNET
– Chapter 5 – Secure LAN Switching

– Chapter 5 – Secure LAN Switching
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
CS3502: Data and Computer Networks Local Area Networks - 4 Bridges / LAN internetworks.

CS3502: Data and Computer Networks Local Area Networks - 4 Bridges / LAN internetworks.

Similar presentations

Ads by Google