Assessing the impact of DDoS attack in SDN through simulation

Karthikeyan Ramasamy
Published in Javarevisited
4 min read · Oct 30, 2018

September 12 2018, 16:12:15

Introduction:

In Software Defined Networks (SDN), the control plane (controllers) and the data plane (switches) are separated. This enables an open, scalable, secure and programmable network infrastructure. The OpenFlow protocol establishes communication between the two planes. The controller can view the whole network, and each switch has a flow table holding flow entries.

The controller is centralised and supplies the flow table entries for the switches. Whenever a new packet arrives and no flow table entry matches it, the packet is sent to the controller for processing. The size of the flow table is limited, which leads to scalability problems and, in turn, to a serious security issue under DDoS attack. Attackers can generate spoofed packets and send them to a host; this overloads the centralised controller, the table overflows, and the installation of new rules is rejected, leading to packet loss or delay (DDoS).

The flow table overflow attack is simulated using Mininet and POX, and its effect is analysed with respect to delay and bandwidth.

High Level Design and its Explanation:

There is an SDN controller (C0), which can view the entire network. Two switches (S1, S2) are connected to it. S1 is connected to S2 via a router (R0). Each switch has four hosts connected to it, so there are 8 hosts in total (H1 to H8).

Fig 1-High Level Design

H6 (server) and H8 (client) are legitimate hosts.
H1, H2, H3, H4, H5 and H7 are illegitimate hosts.

The illegitimate hosts start flooding the flow tables of the switches and, as a result, communication between H6 and H8 is adversely affected.

OpenFlow Flow Table:

Whenever there is a miss in the flow table, the switch asks the controller for instructions by sending a Packet-In message. It carries either the entire packet or part of the packet together with a Buffer ID. The controller then replies with a Packet-Out message, which becomes an entry in the flow table.

Parts of a Flow Table:

i) Rule matching pattern (IP address, MAC address, port number, etc.)

ii) Associated action:
1) Forward the packet (to a specific output port or to all output ports)
2) Drop the packet
3) Modify the packet header

iii) Statistics:
Number of times the rule has been used

Fig 2-How a flow table gets its flow entries

Timeout of a Flow Entry:

Flow entries in a flow table get flushed based on two factors.

Idle Timeout:

If the flow entry is not matched (used) for a given number of seconds (n), it is flushed out after those n seconds.

Hard Timeout:

The flow entry is automatically flushed out after a given number of seconds (n), irrespective of its usage.

We use the POX controller, in which the timeout values can be modified.

Flow Table Entry Contents:

1) in_port 2) eth_src 3) eth_dst 4) eth_type
5) vlan_vid 6) vlan_pcp 7) ip_src 8) ip_dst
9) nw_proto 10) nw_tos 11) tcp_src 12) tcp_dst

Flooding the Flow Table:

1) Generate a large number of packets in an infinite loop
2) Permute source and destination IP addresses
3) Permute source and destination ports

Here we generate spoofed packets by permuting source and destination ports.

Consequences of Flooding:

Every switch has a limited number of flow table entries. When flooding occurs, new rules cannot be installed (denial of service), which results in packet loss.

Experiment:

Spoofed Packet Generation Logic:
We have five randomised source ports and twenty randomised destination ports. Packets are generated every 0.1 second, so each host generates approximately 1000 packets per second.

How to calculate the number of spoofed packets generated per second:

Packet_Count = N * S_P * D_P / T

N -> number of attacker hosts
S_P -> number of source ports
D_P -> number of destination ports
T -> interval between generation rounds, in seconds (0.1 s here)

Here 6 * 5 * 20 / 0.1 = 6000 spoofed packets are generated per second. This can be increased by using more source and destination ports and by decreasing the interval at which packets are generated.

Flooding Logic:

The default flow table size is 1000000; we reduced it to 100.

As a result of flooding, the flow table quickly reaches its limit (100) and overflows. Because spoofed packets are generated continuously and the switch has no rule matching them, it forwards each one to the controller, which is kept busy all the time (a resource attack).

Experiment In Terms of Delay and Bandwidth:

1) Start the POX controller and run the Python code that sets up the topology.
2) The aforementioned topology is set up.
3) Execute the ping command between H6 and H8.
4) ICMP packets are sent from H6 to H8. The first packet takes 21 milliseconds and the remaining packets take 0.0535 milliseconds (average) to reach the target.

5) Now run the attacker code on the remaining hosts. As a result, the time taken is multiplied by a huge factor (average time 12700 milliseconds) and eventually there is packet loss. This causes a significant reduction in bandwidth.

Analysis:

The impact varies in proportion to the number of attacking hosts and the timeout of a flow entry, and inversely with the size of the flow table.
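The packet-rate formula, the flooding logic and the analysis above can be reproduced with a small model of the switch's flow table. This is an added example, not the post's Mininet/POX code: it assumes a table that refuses a new rule when full, one legitimate ping flow H8 -> H6, constructed spoofed 5-tuples, and times kept as integer nanoseconds so timeouts compare exactly.

```python
NS = 1_000_000_000  # integer nanoseconds avoid float expiry glitches

def spoofed_packets_per_second(attackers, src_ports, dst_ports, interval_s):
    """Packet_Count per second = N * S_P * D_P / T (post: 6*5*20/0.1 = 6000)."""
    return round(attackers * src_ports * dst_ports / interval_s)

class FlowTable:
    """Switch flow table with a capacity and POX-style idle/hard timeouts."""
    def __init__(self, capacity, idle_timeout_s, hard_timeout_s=30.0):
        self.capacity, self.entries = capacity, {}   # match -> [installed, last_used]
        self.idle_ns, self.hard_ns = int(idle_timeout_s * NS), int(hard_timeout_s * NS)
        self.packet_ins = self.rejected = 0   # misses to controller; installs refused

    def packet(self, match, now):
        """Return True on a flow-table hit, False on a miss (Packet-In to controller)."""
        for m in [m for m, (ins, used) in self.entries.items()
                  if now - used >= self.idle_ns or now - ins >= self.hard_ns]:
            del self.entries[m]                   # timed-out entries are flushed
        if match in self.entries:
            self.entries[match][1] = now
            return True
        self.packet_ins += 1
        if len(self.entries) >= self.capacity:
            self.rejected += 1                    # overflow: new rule not installed
        else:
            self.entries[match] = [now, now]
        return False

def simulate(capacity, idle_timeout_s, attackers, src_ports=5, dst_ports=20,
             interval_s=0.1, duration_s=3.0, ping_period_s=1.0):
    """H8 pings H6 once per period while `attackers` hosts emit spoofed flows."""
    table = FlowTable(capacity, idle_timeout_s)
    legit = ("10.0.0.8", "10.0.0.6", 0, 0)        # constructed ICMP flow H8 -> H6
    events = [(int((j + 0.5) * ping_period_s * NS), legit)
              for j in range(int(duration_s / ping_period_s))]
    rate = spoofed_packets_per_second(attackers, src_ports, dst_ports, interval_s)
    for k in range(int(rate * duration_s)):       # every spoofed 5-tuple is new
        events.append((k * (NS // rate), ("10.0.0.%d" % (k % attackers + 1),
                                          "10.0.0.6", 40000 + k // 20, 1000 + k % 20)))
    stats = {"legit_hits": 0, "legit_rejected": 0}
    for now, match in sorted(events, key=lambda e: e[0]):
        rejected_before = table.rejected
        hit = table.packet(match, now)
        if match == legit:                        # only the victim flow is scored
            stats["legit_hits"] += int(hit)
            stats["legit_rejected"] += table.rejected - rejected_before
    stats["packet_ins"] = table.packet_ins
    return stats
```

With capacity 100, six attackers and a 10 s idle timeout every ping is refused a rule; with a 0.01 s idle timeout the table holds only about rate × timeout ≈ 60 spoofed entries at any instant, so the ping always gets a rule, at the cost of a Packet-In for every ping.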

Conclusion:

The controller and the flow table are very important components of SDN, so they are highly vulnerable. The larger the timeout value, the higher the possibility of attack. The performance of SDN can be severely affected by attacks on the flow table. Research should be directed at mitigating such attacks, and timeouts should be kept as low as possible.
