DDoS on Sketch: Spoofed DDoS attack defense with programmable data planes using sketches in SDN
Distributed Denial of Service (DDoS) attacks continue to be a major issue in today's Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of these attacks. Among the various types, the spoofed TCP SYN flood is one of the most common forms of volumetric DDoS attack. Several works have explored the flexible management control provided by the new network paradigm called Software Defined Networking (SDN) to produce a flexible and powerful defense system. Among them, data plane based solutions combined with the recent flexibility of programmable switches aim to leverage hardware speed to defend against spoofed flooding attacks. Usually, they implement anti-spoofing mechanisms that rely on performing client authentication on the data plane using techniques such as TCP Proxy, TCP Reset, and Safe Reset. However, these mechanisms present several limitations. First, because of the interaction required to authenticate the client, they penalize every client's connection time even when no attack is ongoing. Second, they use a limited version of TCP cookies to detect a valid client ACK or RST. Finally, they are vulnerable to a buffer saturation attack because the data plane resources that store the whitelist of authenticated users are limited. In this work, we propose the use of sketch-based solutions to improve the data plane Safe Reset anti-spoofing defense mechanism. We implemented our solution in P4, a high-level language for programmable data planes, and evaluated it against a data plane Safe Reset technique in an emulated environment using Mininet.
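The abstract contrasts a per-client whitelist, whose memory grows with the number of distinct (possibly spoofed) addresses, with sketch-based structures of fixed size. The following is an added illustration in Python, not the paper's P4 code: a count-min sketch counts SYNs and handshake-completing ACKs per destination in a constant number of counters, so a flood of 500 spoofed sources (constructed trace, addresses and thresholds are assumptions) shows up as a SYN/ACK imbalance without any per-source state.

```python
import hashlib
import random

class CountMinSketch:
    """Fixed-memory frequency estimator: `depth` rows of `width` counters."""
    def __init__(self, width=64, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _index(self, row, key):
        # One independent hash per row; the row number acts as the salt.
        h = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([row]))
        return int.from_bytes(h.digest(), "big") % self.width

    def add(self, key, count=1):
        for row in range(self.depth):
            self.table[row][self._index(row, key)] += count

    def estimate(self, key):
        # Minimum over rows never under-estimates; collisions only inflate it.
        return min(self.table[row][self._index(row, key)] for row in range(self.depth))

def unanswered_syns(packets, width=64, depth=4):
    """Per destination, estimate SYNs not matched by a client ACK.
    packets: iterable of (src, dst, flag) with flag 'SYN' or 'ACK'. Memory is
    width*depth counters per sketch however many distinct sources appear."""
    syn, ack = CountMinSketch(width, depth), CountMinSketch(width, depth)
    dsts = set()
    for src, dst, flag in packets:
        dsts.add(dst)
        (syn if flag == "SYN" else ack).add(dst)
    return {d: syn.estimate(d) - ack.estimate(d) for d in dsts}, width * depth

def constructed_trace(seed=1):
    """Constructed sample: 20 legitimate clients complete handshakes to two servers,
    plus 500 spoofed SYNs (random sources, never ACKed) aimed at 10.0.0.1."""
    rng = random.Random(seed)
    pkts = []
    for i in range(20):
        for dst in ("10.0.0.1", "10.0.0.2"):
            pkts += [(f"192.168.1.{i}", dst, "SYN"), (f"192.168.1.{i}", dst, "ACK")]
    for _ in range(500):
        spoofed = ".".join(str(rng.randrange(256)) for _ in range(4))
        pkts.append((spoofed, "10.0.0.1", "SYN"))
    return pkts

def flooded_destinations(packets, threshold=100):
    """Destinations whose estimated unanswered SYNs exceed the threshold."""
    imbalance, _ = unanswered_syns(packets)
    return sorted(d for d, v in imbalance.items() if v > threshold)
```

Because both sketches share the same hash functions, a counter collision inflates the SYN and ACK estimates of a destination equally, so the difference stays meaningful while the memory footprint is 256 counters per sketch regardless of how many spoofed addresses arrive.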