Published December 12, 2021 | Version v1
Thesis Open

A Strategy for Detection and Mitigation of DoS Attacks on Software-Defined Networks

  • 1. UNIFACS

Contributors

  • 1. Universidade Salvador (UNIFACS)

Description

Computer networks support applications in virtually every area of activity and knowledge; as such, they have widely distributed structures and are susceptible to security attacks in general.

Software-Defined Networks (SDN), in turn, are a technological solution with several advantages, obtained by separating the control plane from the data plane in the structuring of computer networks. Given this technological difference, software-defined networks are a network implementation paradigm that can be used to mitigate network security attacks. In summary, the use of SDN to mitigate network attacks provides greater flexibility in implementing the mitigation strategy. However, the separation of the control and data planes creates new points of vulnerability for the security of the network's operation.


The SYN-flooding denial of service (DoS) attack is one of the most common attacks possible. For the network, it compromises the ability to provide services; for the operation of the SDN, it compromises the bandwidth of the communication channel between the control plane and the data plane, saturates the flow table in the switch, and increases the processing load on the controller.

In general, the investigation of new security strategies based on SDN becomes necessary in order to improve defenses against network attacks and maximize the reliability of SDN operation, allowing its use in different application scenarios. This work presents a defense strategy against SYN-flooding DoS attacks that uses the facilities of an SDN controller integrated with an intrusion detection system (IDS).

The proposed strategy aims to mitigate SYN-flooding DoS attacks as well as the vulnerability that arises from using SDN itself to mitigate attacks.

Files

Dissertacao_Mestrado_Diogo - UNIFACS.pdf (3.2 MB), md5:9701a2074b5454ab0ee016ecda8c6ecf
