Fakultät für Informatik, Technische Universität München

SDN-based defense against known IPv6 link-layer attacks
Bachelor's thesis final talk
Andres Rauschecker
Advisor: Lukas Schwaighofer
Supervisor: Prof. Dr.-Ing. Georg Carle
Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich (TUM)
Overview
• Introduction
• Related work: NDPMon, Snort & defensive switches
• Attack analysis: ICMP
• Controller design: Flow Tables, address reuse
• Evaluation: attack defense, new threats
• Attack vectors on the controller & further issues
• Conclusion & future work
Andres Rauschecker - SDN-based defense against known IPv6 link-layer attacks - BA final talk 2
Introduction
• IPv4 replaced by IPv6, but:
  - similar mechanisms in addressing & host communication
  - similar attacks on the new protocol, esp. ICMPv6
  ➡ link-layer security problematic
  - Related work: NDPMon, Snort, defensive switches
  - active defense?
Related work - NDPMon
• Monitoring tool for ND-related traffic
• two modes:
  - learn: recognize hosts by analyzing normal traffic
    ➡ generates XML topology file
  - monitor: recognize malicious behavior
    ➡ logging to file/mail
    ➡ countermeasures limited to simple custom packets
Related work - Snort IDS
• rule-set based: monitor every packet for matching patterns
• Internal mode:
  - virtual bridge between two network segments
  - filter for internal <-> external traffic
  ➡ limited defense: drop packets between segments, send custom packets
Related work - Defensive switches
• CISCO, HP & H3C: IPv6 „Source Guard“ mechanism:
  - IP-MAC-VLAN table:
    • learn legitimate hosts from DHCP traffic
    • CISCO only: learning from ND traffic
  ➡ drop all packets that do not match the table
Attack analysis: ICMP
Attack analysis: ICMP
• ICMP (ICMPv6) is used for address registration and link-local communication
  ➔ several attack vectors exist:
  - Router Advertisement & Solicitation
  - Echo Request & Reply pair
  - Neighbor Advertisement & Solicitation
Attack analysis: ICMP
• Router Advertisement & Solicitation:
  - becoming the default router ➔ MitM, DoS
  - recognizing malicious behavior is complex (rogue RAs look the same as legitimate ones)
  - idea: white-list approach (not implemented)
Attack analysis: ICMP
• Echo Request & Reply pair:
  - ICMP Ping Smurfing: attacker sends a forged Echo Request (ERq) with Host 1 as source
Attack analysis: ICMP
• Echo Request & Reply pair:
  - ICMP Ping Smurfing: hosts send back Echo Replies (ERp) to Host 1 ➔ distributed DoS
Attack analysis: ICMP
• Neighbor Advertisement & Solicitation:
  - before registering an IP: send a Neighbor Solicitation (DAD)
  - no answer within the interval ➔ we can use the IP
Attack analysis: ICMP
• Neighbor Advertisement & Solicitation:
  - DAD Denial-of-Service: fake Neighbor Advertisement
  - attacker forges the reply ➔ we cannot use the IP
Attack analysis: ICMP
• Neighbor Advertisement & Solicitation:
  - Man-in-the-Middle attacks: fake NAs
Controller design
• Main security problem: packets from forged sources
• Idea: keep track of all legitimate IP registrations
• Via: Software Defined Networking
Controller design: Flow Tables
• Controller checks the legality of each NS
• Sends an OpenFlow message to all switches to allow the IP
Controller design: Flow Tables
• OpenFlow table concept:

  Mac/Port Table (forwarding)
  IN PT | DST MAC
  2     | 00:11:22:33:44:55
  4     | AA:11:CC:22:EE:55

  IP Match Table
  IN PORT | SRC MAC           | SRC IP
  2       | 00:11:22:33:44:55 | fc00::1:2
  4       | AA:BB:CC:DD:EE:FF | fc00::1:3
Controller design: Address reuse
• So far: IPs once registered cannot be changed
  ➡ check IP usage if a new NS requests it
Controller design: Address reuse
• Original host sends back NA ➔ still online, no reuse
• No NA from original host ➔ offline, IP reuse
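The registration logic of the Flow Tables slides and the address-reuse check above, written out as an added example in plain Python. This is not the thesis controller's code: it uses no OpenFlow library, the switch is simulated, and the ports, MACs and addresses as well as the `probe` callback (standing in for the controller's NS/NA exchange with the original host) are constructed assumptions.

```python
# Added example, not code from the thesis: a plain-Python model of the
# controller's two tables (IP match table + MAC/port table) and of the
# address-reuse probe.  No OpenFlow library is used; all ports, MACs and
# addresses are constructed.
from typing import Callable, Dict, Set, Tuple

Owner = Tuple[int, str]                       # (ingress port, source MAC)
ProbeFn = Callable[[str, int, str], bool]     # (ip, port, mac) -> NA received?


class Controller:
    def __init__(self, probe: ProbeFn):
        # IP match table: SRC IP -> (IN PORT, SRC MAC) that registered it
        self.ip_table: Dict[str, Owner] = {}
        # MAC/port table: (IN PT, MAC) pairs used for plain L2 forwarding
        self.mac_table: Set[Owner] = set()
        # Assumed hook: sends an NS to the current owner of an address and
        # reports whether a Neighbor Advertisement came back
        self.probe = probe

    def _install(self, port: int, mac: str, ip: str) -> None:
        # In the real controller this is a FlowMod pushed to all switches
        self.ip_table[ip] = (port, mac)
        self.mac_table.add((port, mac))

    def _remove(self, port: int, mac: str, ip: str) -> None:
        del self.ip_table[ip]
        self.mac_table.discard((port, mac))

    def handle_ns(self, port: int, mac: str, target_ip: str) -> str:
        """Decide on a DAD Neighbor Solicitation for target_ip from (port, mac).

        Returns one of: 'registered', 'known', 'in_use', 'reused'.
        """
        owner = self.ip_table.get(target_ip)
        if owner is None:                       # first registration of this IP
            self._install(port, mac, target_ip)
            return "registered"
        if owner == (port, mac):                # same host repeating DAD
            return "known"
        # Address reuse check: ask the original owner whether it is still there
        if self.probe(target_ip, *owner):       # NA came back -> still online
            return "in_use"
        self._remove(*owner, target_ip)         # no NA -> offline, hand IP over
        self._install(port, mac, target_ip)
        return "reused"

    def permit(self, port: int, src_mac: str, src_ip: str) -> bool:
        """Data-plane rule the IP match table enforces: forward a packet only
        if its (port, source MAC, source IP) triple is a registration."""
        return self.ip_table.get(src_ip) == (port, src_mac)


def demo() -> Dict[str, object]:
    # Constructed set of hosts that still answer an NS probe
    online: Set[Owner] = {(2, "00:11:22:33:44:55")}
    ctl = Controller(probe=lambda ip, port, mac: (port, mac) in online)
    r: Dict[str, object] = {}
    r["host1"] = ctl.handle_ns(2, "00:11:22:33:44:55", "fc00::1:2")
    r["host2"] = ctl.handle_ns(4, "AA:BB:CC:DD:EE:FF", "fc00::1:3")
    # Ping Smurfing: forged Echo Request with Host 1's address as source,
    # arriving on Host 2's port -> no matching registration, dropped
    r["smurf_forwarded"] = ctl.permit(4, "AA:BB:CC:DD:EE:FF", "fc00::1:2")
    # A host on port 5 asks for Host 1's address while Host 1 is online
    r["steal_online"] = ctl.handle_ns(5, "DE:AD:BE:EF:00:01", "fc00::1:2")
    online.clear()                               # Host 1 goes offline
    r["steal_offline"] = ctl.handle_ns(5, "DE:AD:BE:EF:00:01", "fc00::1:2")
    r["new_owner_forwarded"] = ctl.permit(5, "DE:AD:BE:EF:00:01", "fc00::1:2")
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`permit` is the check the switches apply once the flow entries are installed; `handle_ns` is the controller-side path that decides whether to install them, including the NA probe that decides between "in_use" and "reused".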
Evaluation
• Selected attacks on Echo and ND messages - successfully defended
• Memorizing network states enables a new layer of security!
• Keeping track of all NS packets on the controller - attack vectors targeting the controller?
Attack vectors on the controller
• Flood of NS with mutating src MAC & src IP
  - fills internal cache dictionaries
  - slows down registration of legitimate packets
• Possible solution:
  - supply exact topology to controller
  - controller knows how many IPs per port
  - limit packets per port & block port under attack
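The proposed mitigation above, as an added example that is not part of the thesis: a per-port guard that knows from a supplied topology how many addresses may legitimately appear behind each switch port, rate-limits NS per port within a time window, and blocks a port that presents more identities than the topology allows. The `PortGuard` class, the topology, the limits and the timestamps are constructed assumptions.

```python
# Added example, not from the thesis: per-port NS guard modelling the proposed
# defense against controller floods.  Topology, limits and packet timestamps
# are constructed; timestamps are passed in explicitly so the logic is
# deterministic and runs offline.
from collections import deque
from typing import Deque, Dict, Set, Tuple


class PortGuard:
    def __init__(self, hosts_per_port: Dict[int, int], ips_per_host: int,
                 max_ns_per_window: int, window_s: float):
        self.hosts_per_port = hosts_per_port      # from the supplied topology
        self.ips_per_host = ips_per_host          # e.g. link-local + global
        self.max_ns = max_ns_per_window
        self.window = window_s
        self.seen: Dict[int, Set[Tuple[str, str]]] = {}   # port -> {(mac, ip)}
        self.recent: Dict[int, Deque[float]] = {}         # port -> NS timestamps
        self.blocked: Set[int] = set()

    def expected_ips(self, port: int) -> int:
        return self.hosts_per_port.get(port, 0) * self.ips_per_host

    def check_ns(self, port: int, src_mac: str, ip: str, now: float) -> str:
        """Return 'accept', 'rate_limited' or 'blocked' for an NS seen on port."""
        if port in self.blocked:
            return "blocked"
        # Port absent from the supplied topology: nothing legitimate is there
        if port not in self.hosts_per_port:
            self.blocked.add(port)
            return "blocked"
        q = self.recent.setdefault(port, deque())
        q.append(now)
        while q and now - q[0] > self.window:     # drop timestamps outside window
            q.popleft()
        ids = self.seen.setdefault(port, set())
        ids.add((src_mac, ip))
        # More (MAC, IP) identities than the topology allows on this port is the
        # mutating-source flood signature: block the port, not just the packet
        if len(ids) > self.expected_ips(port):
            self.blocked.add(port)
            return "blocked"
        # Too many NS from a known identity: drop the excess, keep the port up
        if len(q) > self.max_ns:
            return "rate_limited"
        return "accept"


def demo() -> Dict[str, object]:
    # Constructed topology: one host behind port 2 and one behind port 4,
    # each expected to register two addresses (link-local + global)
    g = PortGuard(hosts_per_port={2: 1, 4: 1}, ips_per_host=2,
                  max_ns_per_window=5, window_s=1.0)
    r: Dict[str, object] = {}
    r["legit_ll"] = g.check_ns(2, "00:11:22:33:44:55", "fe80::1", 0.0)
    r["legit_global"] = g.check_ns(2, "00:11:22:33:44:55", "fc00::1:2", 0.1)
    # Mutating-source NS flood arriving on port 4
    r["flood"] = [g.check_ns(4, f"02:00:00:00:00:{i:02x}", f"fc00::b:{i:x}",
                             0.2 + i * 0.01) for i in range(10)]
    r["port4_blocked"] = 4 in g.blocked
    r["port2_unaffected"] = g.check_ns(2, "00:11:22:33:44:55", "fe80::1", 0.5)
    # Same identity, too many NS inside one window: dropped, port stays up
    r["burst"] = [g.check_ns(2, "00:11:22:33:44:55", "fe80::1", 2.0 + i * 0.01)
                  for i in range(7)]
    r["port2_recovered"] = g.check_ns(2, "00:11:22:33:44:55", "fe80::1", 4.0)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The guard distinguishes the two failure modes the slide names: an over-talkative but legitimate host only loses its excess NS for one window, while a port that shows more identities than the topology permits is taken out of the registration path entirely, so the controller's dictionaries stop growing.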
Further issues
• Mininet network initialization race condition
  - after network startup: not all NS registered in FTs
  ➡ internal problem in the topology startup: switch handshake executed during host initialization
• Lost switch connection after controller shutdown
  - restarting the controller and re-establishing switch datapath objects not possible
  ➡ loading controller & switch states from file currently not possible
Conclusion
• link-layer protection for established hosts
• against Ping Smurfing and ND Spoofing
• alternative to (costly) proprietary solutions
• attack vector on the controller:
  - problematic for newly registering hosts only
  - defense dependent on the network infrastructure
Future work
• Implementation of router white-list
• Incorporating IP registrations from DHCP
• Limiting ND propagation
• Advanced, scheduled table cleanup
• Defending controller attacks
Thank you for your attention.