DDoS on Sketch: Spoofed DDoS attack defense with programmable data planes using sketches in SDN
Abstract
Distributed denial-of-service (DDoS) attacks remain a major problem on today's Internet. In recent years the number, scale and diversity of these attacks have grown significantly. Among the many variants, the spoofed TCP SYN flood is one of the most common volumetric DDoS attacks. Several works have exploited the flexible management control offered by the Software Defined Networking (SDN) paradigm to build flexible and powerful defense systems. These approaches, however, typically either increase connection setup time for every client or are vulnerable to buffer saturation attacks. In this work we propose sketch-based solutions to improve the Safe Reset anti-spoofing defense mechanism in the data plane. We implement our solution in P4, a high-level language for programmable data planes, and evaluate it against a data-plane Safe Reset technique in an emulated environment using Mininet.
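The two ingredients named in the abstract, a Safe Reset style challenge and a sketch with fixed memory, are shown together below in a small Python simulation. This is an added illustration, not the paper's P4 code: the challenge follows the general Safe Reset idea (answer a SYN from an unverified source with a SYN-ACK carrying a deliberately wrong ACK number; a genuine TCP stack in SYN-SENT replies with RST echoing that value, a spoofed source never does), the Count-Min sketch keeps per-source SYN counts in a constant number of counters, and the traffic (one client on 10.0.0.5, forty spoofed sources in the 192.0.2.0/24 documentation range) is constructed. The class and function names, the threshold and the sketch dimensions are assumptions for the example; how the paper's design actually combines the sketch with Safe Reset is not described on this page.

```python
# Added illustration, not the paper's code: a Count-Min sketch over SYN sources
# plus a simulated Safe Reset challenge, run on a constructed spoofed SYN flood.
import hashlib


class CountMinSketch:
    """Fixed-size counter array (depth x width), the kind of structure a P4
    program can hold in register arrays: never undercounts, may overcount."""

    def __init__(self, width=64, depth=3):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _idx(self, key, row):
        # One independent hash per row; the row number acts as the salt.
        h = hashlib.blake2b(key.encode(), digest_size=4, salt=bytes([row])).digest()
        return int.from_bytes(h, "big") % self.width

    def add(self, key, n=1):
        for r in range(self.depth):
            self.table[r][self._idx(key, r)] += n

    def estimate(self, key):
        return min(self.table[r][self._idx(key, r)] for r in range(self.depth))


class SafeResetSwitch:
    """Toy data-plane logic (assumed for the example). A SYN from an unverified
    source is answered with a SYN-ACK whose ACK number is deliberately wrong; a
    real TCP stack in SYN-SENT replies with RST (SEQ = the bad ACK value), which
    proves the source address is reachable and gets it whitelisted. Spoofed
    sources never answer, so they are never whitelisted."""

    def __init__(self, syn_threshold=8):
        self.whitelist = set()
        self.pending = {}            # src -> bogus ACK number handed out
        self.sketch = CountMinSketch()
        self.syn_threshold = syn_threshold

    def on_syn(self, src, seq):
        self.sketch.add(src)
        if src in self.whitelist:
            return "forward", None
        bogus_ack = (seq + 1 + 0x1234_5678) & 0xFFFFFFFF   # != seq + 1 by construction
        self.pending[src] = bogus_ack
        return "challenge", bogus_ack

    def on_rst(self, src, seq):
        # Accept only an RST that echoes the exact bogus ACK we sent to this source.
        if self.pending.get(src) == seq:
            del self.pending[src]
            self.whitelist.add(src)
            return True
        return False

    def flood_sources(self, candidates):
        # Unverified sources whose SYN count (sketch estimate) exceeds the threshold.
        return [s for s in candidates
                if s not in self.whitelist and self.sketch.estimate(s) > self.syn_threshold]


def simulate():
    """Constructed traffic: one legitimate client and 40 spoofed addresses
    (RFC 5737 documentation range) sending 10 SYNs each without ever replying."""
    sw = SafeResetSwitch()
    legit = "10.0.0.5"
    action, bogus_ack = sw.on_syn(legit, seq=1000)
    assert action == "challenge"
    legit_verified = sw.on_rst(legit, seq=bogus_ack)  # real stack: RST with SEQ = bad ACK
    retry_action, _ = sw.on_syn(legit, seq=2000)      # client retries after its timeout

    spoofed = [f"192.0.2.{i}" for i in range(1, 41)]
    for src in spoofed:
        for k in range(10):
            sw.on_syn(src, seq=k)                     # no RST ever comes back

    return {
        "legit_verified": legit_verified,
        "retry_action": retry_action,
        "legit_estimate": sw.sketch.estimate(legit),
        "spoofed_whitelisted": sum(src in sw.whitelist for src in spoofed),
        "flood_sources": len(sw.flood_sources(spoofed)),
        "counters_used": sw.sketch.depth * sw.sketch.width,
    }


if __name__ == "__main__":
    print(simulate())
```

Two points the simulation makes concrete. The sketch uses 192 counters no matter how many spoofed addresses appear, and its estimate is an upper bound on the true SYN count, so a flooding source is never missed; collisions can only inflate a quiet source's count, which is the accuracy trade-off a bounded data-plane structure accepts. The `pending` dictionary, by contrast, grows with every unverified SYN, exactly the per-flow state that a SYN flood is designed to exhaust; replacing that kind of table with sketch-style structures is the direction the abstract points at, and the retry after the challenge is the extra connection time the abstract mentions for schemes that verify every client.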