Towards Autonomic DDoS Mitigation using Software Defined Networking

Similar documents

Network Security: Network Flooding. Seungwon Shin GSIS, KAIST

Towards Autonomic DDoS Mitigation using Software Defined Networking

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

Distributed Denial of Service Attacks & Defenses

Future of DDoS Attacks Mitigation in Software Defined Networks

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Enabling Practical SDN Security Applications with OFX (The OpenFlow extension Framework)

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

DDoS Attack Protection in the Era of Cloud Computing and Software-Defined Networking

Can Software Defined Networks (SDN) manage the dependability of the service provided to selected customers?

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Provider-Based Deterministic Packet Marking against Distributed DoS Attacks

DDOS WALL: AN INTERNET SERVICE PROVIDER PROTECTOR

A Novel Packet Marketing Method in DDoS Attack Detection

CS 356 Lecture 16 Denial of Service. Spring 2013

Service Description DDoS Mitigation Service

Network Security Demonstration - Snort based IDS Integration -

Flexible Deterministic Packet Marking: An IP Traceback Scheme Against DDOS Attacks

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Complete Protection against Evolving DDoS Threats

Denial of Service Attacks

Stress Testing and Distributed Denial of Service Testing of Network Infrastructures

OrchSec: An Orchestrator-Based Architecture For Enhancing Network Monitoring and SDN Control Functions

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

How To Block A Ddos Attack On A Network With A Firewall

An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators

ADVANCED SECURITY MECHANISMS TO PROTECT ASSETS AND NETWORKS: SOFTWARE-DEFINED SECURITY

A Hybrid Approach for Detecting, Preventing, and Traceback DDoS Attacks

Requirements for Security Services based on Software-Defined Networking draft-jeong-i2nsf-sdn-security-services-00

A PREVENTION OF DDOS ATTACKS IN CLOUD USING NEIF TECHNIQUES

Malice Aforethought [D]DoS on Today's Internet

Proceedings of the UGC Sponsored National Conference on Advanced Networking and Applications, 27 th March 2015

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Software Defined Networking - a new approach to network design and operation. Paul Horrocks Pre-Sales Strategist 8 th November 2012

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

A Study on Software Defined Networking

DoS: Attack and Defense

Adaptive Distributed Traffic Control Service for DDoS Attack Mitigation

Radware s Attack Mitigation Solution On-line Business Protection

Router Based Mechanism for Mitigation of DDoS Attack- A Survey

Design and Experiments of small DDoS Defense System using Traffic Deflecting in Autonomous System

Secure Attack Measure Selection and Intrusion Detection in Virtual Cloud Networks. Karnataka.

Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA DDoS and IP Traceback. Overview

Taming IP Packet Flooding Attacks

DDoS Protection Technology White Paper

Application of Netflow logs in Analysis and Detection of DDoS Attacks

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Defending DDoS Attacks Using Traffic Differentiation and Distributed Deployment

Should the IETF do anything about DDoS attacks? Mark Handley

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Overview and Incident Response Guide. July 2014

An Efficient Filter for Denial-of-Service Bandwidth Attacks

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

Network Security through Software Defined Networking: a Survey

Strategies to Protect Against Distributed Denial of Service (DD

CISCO INFORMATION TECHNOLOGY AT WORK CASE STUDY: CISCO IOS NETFLOW TECHNOLOGY

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

OpenFlow and Onix. OpenFlow: Enabling Innovation in Campus Networks. The Problem. We also want. How to run experiments in campus networks?

Mitigating High-Rate Application Layer DDoS Attacks in Software Defined Networks

Mock RFI for Enterprise SDN Solutions

LPM: Layered Policy Management for Software-Defined Networks

Network Services in the SDN Data Center

A Secure Intrusion detection system against DDOS attack in Wireless Mobile Ad-hoc Network Abstract

CALNET 3 Category 7 Network Based Management Security. Table of Contents

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

SOFTWARE-DEFINED NETWORKING AND OPENFLOW

DDoS Attack Trends and Countermeasures A Information Theoretical Metric Based Approach

Depth-in-Defense Approach against DDoS

A Practical Method to Counteract Denial of Service Attacks

Dual Mechanism to Detect DDOS Attack Priyanka Dembla, Chander Diwaker 2 1 Research Scholar, 2 Assistant Professor

Forensics Tracking for IP Spoofers Using Path Backscatter Messages

Introduction to Software Defined Networking (SDN) and how it will change the inside of your DataCentre

LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks

Using SDN-OpenFlow for High-level Services

Packet-Marking Scheme for DDoS Attack Prevention

A Layperson s Guide To DoS Attacks

OpenDaylight Project Proposal Dynamic Flow Management

TRAFFIC REDIRECTION ATTACK PROTECTION SYSTEM (TRAPS)

A Flow-based Method for Abnormal Network Traffic Detection

Attack Diagnosis: Throttling Distributed Denialof-Service Attacks Close to the Attack Sources

Denial of Service Attacks, What They are and How to Combat Them

Transcription:

Towards Autonomic DDoS Mitigation using Software Defined Networking Authors: Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, Hervé Debar NDSS Workshop on Security of Emerging Networking Technologies (SENT 2015), San Diego, California, US, 8th February 2015

Outline Key Observations and Motivation Towards Autonomic DDoS Mitigation Our Proposed Framework Related Works Conclusion and Future Work Page 1

Outline Key Observations and Motivation DDoS Attack Key Observation about DDoS Main Attack Vectors Survey of DDoS Mitigation Schemes Lack of Autonomic Properties Towards Autonomic DDoS Mitigation Our Proposed Framework Related Works Conclusion and Future Work Page 2

Exhaust resources of a target, by flooding the target with spurious packets. DDoS Attacks Page 3

Key Observations about DDoS DDoS attacks have become shorter but stronger. Average attack bandwidth was up 72 percent. Reflection and amplification attack have become more popular. 46 percent increase in the Infrastructure attack. Source: Prolexic Quarterly Global DDoS Attack Report Q2 2014 Page 4

Main Attack Vectors Source: Worldwide Infrastructure Security Report, Arbor Special Report 2014. Page 5

Survey of DDoS Mitigation Schemes Capability Based Technique[3]: Capability token is used for secure communication. Congestion Based Technique[4]: Traffic is rate limited based on given threshold. Packet Marking Techniques[5]: A mark is inserted in the IP packets by the routers to reconstruct the path from victim to the attack source. Stateful Policy Technique[6]: Stateful mitigation policy is specified to redirect the DDoS traffic to the middlebox. Page 6

Problems in Existing Schemes States to be maintained at the routers and switches. Additional devices to be deployed at every routers and switches. IDs or mark should be maintained at every routers. Information to be coordinated from different devices deployed at different locations in the network. Middleboxes should be deployed statically in the network. Page 7

Lack of Autonomic Properties Self- configura.on Self- op.miza.on Self- healing Self- protec.on Capability- based DDoS technique Conges9on based technique Packet marking Stateful policy technique Page 8

Outline Key Observations and Motivation Towards Autonomic DDoS Mitigation Autonomic DDoS Mitigation Requirements SDN: Architecture SDN: Towards Autonomic Properties Our Proposed Framework Related Works Conclusion and Future Work Page 9

Autonomic DDoS Mitigation Requirements It should provide on demand DDoS Mitigation. Correlate the information from different devices in the network. Network resources should be optimised. Four autonomic properties(self-configuration, optimization, healing, protection) should be preserved. Labor cost should be minimized. Page 10

SDN: An Overview Source:Software Defined Networking:The New Norms for Networks. ONF White Paper, 2012. Page 11

SDN:Towards Autonomic Properties Logically Centralized Intelligence Flexible Path Management On-demand Resource Allocation Page 12

Outline Key Observations and Motivation Towards Autonomic DDoS Mitigation Our Proposed Framework Design Assumptions in Framework Proposed Architecture Use Case Related Works Conclusion and Future Work Page 13

Design Assumptions in Framework Ø DDoS mitigation framework is distributed across the ISP and customer network. Ø Security API is provided by the ISP to the customer to request for the on demand DDoS mitigation. Ø DDoS detection module is running in the customer network and generates the security alerts. Page 14

Proposed Framework Page 15

Use Case Page 16

Outline Distributed Denial of Service Attack and Mitigation Towards Autonomic DDoS Mitigation Our Proposed Framework Design Assumptions in Framework Proposed Architecture Use Case Related Works Conclusion and Future Work Page 17

DefenseFlow:Industry Product Source: DefenseFlow:The SDN Application that Program Network for DoS Security, 2013. Page 18

DrawBridge Source: J.Li,DrawBridge: Software-defined DDoS-resistant Traffic Engineering,in Proceedings of the 2014 ACM Conference on SIGCOMM. ACM, 2014. Page 19

Conclusion and Future Work We will implement the major components of the framework. We will evaluate the framework on its scalability on handling large number of requests from customers. We will also evaluate the response latency in redirecting the suspicious flow to the middleboxes. Page 20

References [1]. Prolexic Quarterly Global DDoS Attack Report Q2 2014. [2]. Worldwide Infrastructure Security Report, Arbor Special Report 2014. [3]. Abraham Yaar, SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks, in Proceedings of the 2004 IEEE Symposium on Security and Privacy, 2004. [4]. J.Ioannidis, Implementing Pushback: Router Based Defense Against DDoS Attacks, in Proceedings of Network and Distributed Security Symposium (NDSS), 2002. [5].A.Yaar, Pi: A Path Identification Mechanism to Defend against DDoS Attacks, in Security and Privacy, 2003. [6]. A.Mahimkar, dfence:transparent Network-based Denial of Service Mitigation, in Proceedings of the 4th USENIX Conference on Networked Systems Design Implementation (NSDI),2007 Page 21

References [7]. Software Defined Networking:The New Norms for Networks. ONF White Paper, 2012. [8].DefenseFlow:The SDN Application that Program Network for DoS Security, 2013. [9]. J.Li,DrawBridge: Software-defined DDoS-resistant Traffic Engineering,in Proceedings of the 2014 ACM Conference on SIGCOMM. ACM, 2014. [10]. Seyed Kaveh Fayazbakhsh, FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions, in HotSDN, 2013. Page 22

Acknowledgment The research project (NECOMA) is funded by Ministry of Internal Affairs and Communication Japan and by the European Union Seventh Framework Programme. The link of the project is: http://www.necoma-project.eu/ Page 23

Thanks for your Attention Page 24