Day 6: Most common attacks on SDN controller networks

Today's post let's look at what security issues we can resolve in the architectures we looked at yesterday. The most common malicious attacks that can happen in a distributed SDN controller environment are:

  • DoS attacks (Denial of Service attacks): In these attacks many request messages are sent from the same host to the server (here, controller). The number of packets increases to an extent that the traffic it causes utilizes all of the resources on the server side and thus leads to the system crashing. Thus, to protect the controller network from these attacks, we can observe the entropy of few of the fields of the packet header. To name a few, it could be source IP address, source MAC, destination IP and destination MAC. We can establish the entropy levels which convey that the attack has started.
  • DDoS attacks (Distributed Denial of Service attacks): This is very similar to the above, the only difference being that instead of one host bombarding the request packets, a set of hosts do the same in a more distributed fashion. The complexity of detection increases further since the source IPs and MACs will be different here. This may lead to false positive errors while detection. But there are few thresholding mechanisms to prevent the same. We shall look into this later.
  • Port Scan attacks: This is also a malicious attack where a host can bombard the server side with many request packets but by varying the destination port. These attacks have the potential of revealing the different processes and services the server is running. The attacker can also get an idea of the operating system that the server is running. Such information in the bad hands can land us into much trouble and hence addressing these attacks as well becomes critical.
I have given the gist of all possible attacks we would be addressing in the further posts. Deciding on the architecture is the next big step. We are working on the same .

Image result for work in progress sign
 
Watch out for the architecture we come up with, in tomorrow or day after tomorrow's post.

Comments

  1. Ram P RustagiFebruary 2, 2019 at 1:06 AM

    In today's world, an attacker will not use its own IP Address as source. It will camouflage its src IP Address. This will work for IP, and UDP but not for TCP though. Thus, most attacks for DDoS.

    ReplyDelete
    Replies
    1. ShravanyaFebruary 2, 2019 at 7:48 AM

      Agreed sir. After considering your inputs, we thought of concentrating on Syn flood and Smurf attacks. Once we have successfully built solutions for them, we can hopefully look into other variants. But for now, we have not kept that in the scope of the project.

      Delete

Post a Comment

Popular posts from this blog

Day 12: Master Slave SDN Controller Architecture

In the previous post, I was struggling to figure out why all controllers can install flows in all switches irrespective of the code. Well, today the mystery is getting resolved. I found this book that explains beautifully the various roles that a controller can play. The three roles are: Equal : this happens by default all the equal controllers in a network that are connected to the switch can add and delete flows from it Slave: it has a read-only limitation to the switch openflow tables Master: very similar to the switch, but only 1 master can be connected to the switch at that point of time, and no other flows can intercept the communication between switch and master. I highly recommend you go through the above link to get a better picture. Since the default role of any controller is "Equal", we couldn't really differentiate between the three controller flows yesterday. But one good news from this is that we don't really need extensive coding to assi...
Read more

Day 1: Understanding Ransomware and how to detect them?

Image
To start this journey, let’s begin at the basics and learn about what ransomwares are, what is the meaning of a ransomware attack, how have other people detected it so far? By learning the above, we will be in a position to analyze any ransomware attack and devise methods to detect, mitigate and prevent them. Definition: Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. To continue understanding and addressing the threats posed by ransomware, let us dig a little deeper. As the definition specifies, ransomware is a type of malicious software. Now, what is a malicious software? Definition: Malware (= Malicious + Software) is a software which is specifically designed to disrupt, damage, or gain authorized access to a computer system. These malwares (or simply dangerous content that can corrupt your system), can enter your system from various s...
Read more

Day 50: Tcpreplay and tcpliveplay approach

Today we shall be exploring how to copy and redirect the OpenFlow packets to more than one controller from the load balancer. The load balancer is anyway sending the OpenFlow packets to one of the slave controllers - c1 or c2. The packets sent to these two controllers needs to be sent to master controller so the master controller can update the new flows added by c1 or c2 on the switches. This ensures synchronization between controllers. There are two implementation methods to achieve the same: Copy all packets generated from the load balancer to the controller side. Only the packets having destination IP address of c1 and c2 can be redirected to the master controller. Thus we can prevent the packets which already are reaching the master controller to be sent as duplicates Copy and redirect packets from the slave controllers - c1 and c2. We need not take care of duplicate packets reaching master controller. This will reduce the time taken to redirect packets. Since the second a...
Read more