Towards Load Balancing in SDN Networks During DDoS Attacks
Mikhail Belyaev, St. Petersburg Polytechnic University
Svetlana Gaivoronski, Moscow State University, ARCCN
DDoS attacks
A DDoS attack is a distributed attack that causes denial of service of the victim system. For plenty of alarming statistics, visit arbornetworks.com.
DDoS mitigation
Mitigation techniques:
- active mitigation: detection and filtering of attacking machines;
- survival mitigation: effective load balancing.
Existing solutions
Static load balancing uses a-priori information about the system state:
- random selection
- hash selection
- (weighted) round-robin
Dynamic load balancing distributes load between servers at runtime:
- round-robin
- many more sophisticated algorithms
SDN load balancing problems
- Existing solutions do not consider the properties of incoming traffic.
- Experiments show that they are not effective during a DDoS attack.
Proposed approach: idea
Two independent levels of load balancing:
- L7 load balancing (DNS/NAT)
- L4 load balancing in the local network
Algorithm
1. Acquire the load and topology information for the network;
2. Override the routing for the network with static routing information;
3. Iteratively keep splitting (and reapplying) traffic paths for routers that:
   1. are overloaded, and
   2. have alternate routes available.
Pre-phases
Phase 1: needs to be executed before the need for load balancing arises. Updates the network load mask $M_{load}$, where the element $\omega_{ij}$ corresponds to the number of bytes coming from switch $i$ to switch $j$.
Phase 2: applied only once to override the default packet routing mechanisms. Performed by running the Bellman-Ford algorithm on the whole network topology graph.
Iterative phase (1/3)
1. Update $M_{load}$ and $M_{free}$ with current info.
2. Find the first overloaded link in $M_{load}$: $\omega_{ij} + \ldots > a_{ij}$.
3. Find the first entry $r_q$ in $T_{path}$, $T_{path} : \{ips_{src}, ip_i, path\}$, such that $path$ contains the link $(i, j)$.
Iterative phase (2/3)
4. For part of $r_q$, find a new shortest path to server $ip_i$, assuming that link $(i, j)$ is not present. Let us call the new path $path_q$.
5. Calculate the maximum additional load for $path_q$, looking up every link of $path_q$ in $M_{free}$: $al = \min(m_{ij} : (i, j) \in path_q)$.
Iterative phase (3/3)
6. Calculate the new sets of masks $ips_{old}$ and $ips_{new}$ such that they divide $ips_{src}$ into pairs with coefficient $al/\omega_{ij}$. Remove the corresponding entry from $T_{path}$ and insert the new ones: $\{ips_{old}, ip_i, path\}$ and $\{ips_{new}, ip_i, path_q\}$.
7. Commit the changes in $T_{path}$ to all switches across $path$ and $path_q$.
8. Wait for the timeframe and go to step 1.
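One pass of steps 2 to 6 of the iterative phase, written here as an added illustration and not as CALLOPHRYS code. It assumes a directed-link capacity map and load map in place of the $M_{load}$/$M_{free}$ matrices, explicit source-IP lists in place of $ips_{src}$ masks, a hop-count BFS in place of Bellman-Ford for the detour in step 4, and an assumed `margin` term for the illegible overload threshold; the topology and loads are constructed sample data.

```python
from collections import deque

def free_matrix(cap, load):
    """M_free: remaining capacity m_ij = a_ij - w_ij per directed link (i, j)."""
    return {e: cap[e] - load.get(e, 0) for e in cap}

def first_overloaded(cap, load, margin=0):
    """Step 2: first link with w_ij + margin > a_ij (margin is an assumed stand-in)."""
    for e in cap:
        if load.get(e, 0) + margin > cap[e]:
            return e
    return None

def shortest_path(cap, src, dst, banned):
    """Step 4: hop-count BFS from src to dst that never traverses the banned link."""
    prev, q = {src: None}, deque([src])
    while q:
        u = q.popleft()
        if u == dst:
            out, node = [], dst
            while node is not None:
                out.append(node); node = prev[node]
            return out[::-1]
        for (a, b) in cap:
            if a == u and (a, b) != banned and b not in prev:
                prev[b] = u; q.append(b)
    return None

def rebalance_step(cap, load, t_path):
    """Steps 2-6: split the first T_path entry using the overloaded link; None if nothing to do."""
    link = first_overloaded(cap, load)
    if link is None:
        return None
    free = free_matrix(cap, load)
    for idx, (srcs, server, path) in enumerate(t_path):
        if link not in zip(path, path[1:]):
            continue                      # step 3: entry r_q must contain (i, j)
        path_q = shortest_path(cap, path[0], server, link)
        if path_q is None:
            continue                      # no alternate route for this entry
        al = min(free[e] for e in zip(path_q, path_q[1:]))   # step 5
        if al <= 0:
            continue                      # detour has no headroom
        n_new = int(round(min(1.0, al / load[link]) * len(srcs)))  # step 6 coefficient al/w_ij
        ips_new, ips_old = srcs[:n_new], srcs[n_new:]
        return t_path[:idx] + [(ips_old, server, path), (ips_new, server, path_q)] + t_path[idx + 1:]
    return None

if __name__ == "__main__":              # constructed sample: two 10-unit routes to "srv"
    cap = {("s1", "s2"): 10, ("s2", "srv"): 10, ("s1", "s3"): 10, ("s3", "srv"): 10}
    load = {("s1", "s2"): 12, ("s2", "srv"): 12, ("s1", "s3"): 6}
    t_path = [(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"], "srv", ["s1", "s2", "srv"])]
    print(rebalance_step(cap, load, t_path))
```

With the sample data the detour s1-s3-srv has headroom 4 against a load of 12 on (s1, s2), so one third of the sources (one of four) is moved onto the new path.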
Implementation
CALLOPHRYS, a DDoS attack detection and mitigation system:
- distributed
- asynchronous
- based on the actor model
Components: Agent, SDN Manager, Controller.
Implementation
The asynchronous context implies:
- all parts of the balancer are separate asynchronous agents;
- the loop is created using timed messages sent to the balancer;
- the rest of the algorithm doesn't change much.
Evaluation
CALLOPHRYS has been tested using a virtual network setup:
- Mininet
  - simulated low-spec and slowed-down network
- Floodlight
- Iperf for attack simulation
  - combined TCP/UDP mode
Evaluation: results
- Load balancing was evaluated separately from the detectors.
- Full link and switch employment is reached in 10-60 seconds.
- Up to 3000 rules are generated for critical-path switches.
Limitations & future work
- Stale rules in switches may degrade network performance over time.
- We do not employ any asynchronous features of the actor-based solution.
- Algorithm parameters are deduced by handmade experiments.
- We need a real benchmark and evaluation on physical networks!
Mikhail Belyaev: belyaev@kspt.icc.spbstu.ru
Svetlana Gaivoronski: s.gaivoronski@gmail.com
Your questions?
Notations
- $(i, j)$: channel between switches $i$ and $j$;
- $a_{ij}$: bandwidth of channel $(i, j)$;
- $\omega_{ij}$: current channel load; the channel is overloaded if $\omega_{ij} + \ldots > a_{ij}$;
- $1, \ldots, K$: destination servers;
- $M_{load}$: $N \times N$ load matrix containing the current load values $\omega_{ij}$;
- $M_{free}$: matrix of available resources.