Attacks in SDN Domains Kostas Giotis , Maria Apostolaki, Vasilis - PowerPoint PPT Presentation

NATIONAL TECHNICAL UNIVERSITY OF ATHENS - NTUA SCHOOL OF ELECTRICAL & COMPUTER ENGINEERING NETWORK MANAGEMENT & OPTIMAL DESIGN LABORATORY (NETMODE) A Reputation-based Collaborative Schema for the Mitigation of Distributed Attacks in SDN Domains Kostas Giotis , Maria Apostolaki, Vasilis Maglaris IEEE/IFIP Network Operations and Management Symposium 2016 Istanbul, April 2016

High-level Description .  Gradual path identification for malicious flows  SDN domains are aware of their adjacent domain that forward malicious flows  Distributed mitigation of distributed attacks (DDoS), in a per-flow manner  Requirement: SDN-enabled Domains at AS premises 2

Overall Approach  Cooperative Mitigation Manager:  Evaluate cooperation level  Inject new OpenFlow rules on behalf of “reputable” domains under attack  Incident Manager:  Victim Domain: Assemble and disseminate Incident Reports (IRP)  Transit or Source Domains: Receive and disseminate Incident Reports (IRH, IRP) 3

Cooperation and Reputation between SDNs .  Assess cooperation level of adjacent SDN Domains  Employ Beta (𝑏, 𝑐) distribution  Parameters 𝑏, 𝑐 are updated for a given SDN domain after accepting ( s=1 ) or declining ( s=0 ) to contribute in the mitigation of a DDoS attack 𝑏 𝑜+1 = 𝑏 𝑜 ∙ 𝑣 + 𝑡, 𝑐 𝑜+1 = 𝑐 𝑜 ∙ 𝑣 + 1 − 𝑡  Reputation Score  Adjacent Domain: 𝑏 𝑜 / (𝑏 𝑜 + 𝑐 𝑜 )  Disjoint Domain: Based on reputation score advertised by SDN domains that have prior experience regarding the domain in question 4

Incident Reports Dissemination via URIs  SDNi: Enables the exchange of information between SDN domains under a single administrative entity  Leverages on BGP signaling  SDNi-related messages are enclosed within the NLRI field  SDNi messages: BGP updates without Withdrawn Routes and Path Attribute fields  Proposed extension of the ODL-SDNi application  Include Content-URI Address Family as a BGP Capability (RFC 3392)  Content-URI field is added to the NLRI field  Content-URI field stores appropriate pointers (URIs) to respective IODEF-formatted incident reports 5

Large Scale Experimentation via Simulation . Topology Simulator 6

Assessment of the proposed approach 1 st Experimental Procedure 2 nd Experimental Procedure Benefits delivered by the Reputation mechanism  Experiment:  Multiple DDoS Attacks  33% non-cooperative SDN domains  Observe Transit Domain  Outcome:  42% less flow entries  Transit domain preserves its Reputation level towards other reputable domains. 7

Conclusion and Future Works  DDoS mitigation is pushed close to the malicious sources.  Victim SDN domain requires significantly less network resources to handle and mitigate a distributed attack.  The reputation mechanism provides the necessary incentives to promote and preserve cooperation between SDN Domains. Future Work  NETCONF-based implementation for a legacy networks- compatible approach  Case studies for potential (malicious) exploitation of the cooperative mechanism 8

Questions? Thank you! coyiotis@netmode.ntua.gr 9