Day 41: Detection of DoS attacks on Load Balancer using HAProxy

In the previous post, we have built the basic network. Let's remember the problem statement we are working on: Securing the SDN distributed controller architecture against DoS attacks specifically - Syn-Flood and Smurf attacks.

Now, we have the basic SDN conroller architecture ready. We need to now concentrate on securing this network. Have a look at the architecture we have built so far(an implementation oriented diagram):



Let's start with detecting Syn-Flood attacks on the load balancer. Why the load balancer? The reason is that all packets have to go through it and if any controller is under a DoS attack, we can come to know about the same from observing packets that the load balancer has to forward to the controller pool. I have already implemented Syn-Flood attacks on the controllers and stored the tcpdump data in 2 of my files. ping.txt consists of packets generated in a normal scenario when the switch has not installed any flow tables and contacts the controller for the first few times. attack.txt consists of all the packets observed when one of the hosts is attacking another host through a syn-flood attack. During this scenario, the malicious host tries to ping the victim posing as differnet IP addresses. Thus the switch keeps on contacting the controller whenever it encounters a new IP address. Thus the switch too is potentially attacking the controller unknowingly.



After observing the tcpdump files of both scenarios, there are few very clear distinctions between a normal ping phase and a DoS attack phase:

  1. Packet rate: Packet rate when calculated for a normal ping scenario, came to 4.583 packets per second. For an attack scenario, it came upto 1943.716 packets per second. This is a huge difference and can be accounted as a paramter in detecting Syn-flood attacks in our SDN network.
  2. Packet length: In scenario 1, we can observe that the packet length is almost always 8. In scenario 2, we can observe that the packets length is between 100-300. This can also be used as another factor in identifying a DoS attack.
Since the detection algorithm that I shall be using is not ML based, I would only be considering these few factors to drop few of the packets that might potentially cause a DoS attack on the controllers. Using ML techniques will further enhance the accuracy and avoid false positives.

How to tackle malicious packets?

My approach right now, is to detect DoS attcak in my load balancer and drop few packets that satisfy few conditions for malicious packets. Since I am already using HAProxy as my load balancer, I shall be looking into what features it offers with respect to dealing with DoS attacks.

This article gives a detailed explanation of how we can define threshold packet rates, threshold packet length which would be forwarded by the load balancer. Once this threshold is crossed, the packets would be dropped. I shall implement the same in the next article and also upload a video showing it's working. Till then, you can go through the link and familiarize yourslef with the various approaches we could take.

While researching on the same, I also found out that most load balancer tools provide various features to detect and prevent DoS attacks. The below table is a summary of the same. If you are looking at various tools to decide on which could be the best, this table might help you with the same.


Refer to previous and next posts here.

Author: Shravanya
Co-Author: Swati

Comments

Post a Comment

Popular posts from this blog

Day 12: Master Slave SDN Controller Architecture

In the previous post, I was struggling to figure out why all controllers can install flows in all switches irrespective of the code. Well, today the mystery is getting resolved. I found this book that explains beautifully the various roles that a controller can play. The three roles are: Equal : this happens by default all the equal controllers in a network that are connected to the switch can add and delete flows from it Slave: it has a read-only limitation to the switch openflow tables Master: very similar to the switch, but only 1 master can be connected to the switch at that point of time, and no other flows can intercept the communication between switch and master. I highly recommend you go through the above link to get a better picture. Since the default role of any controller is "Equal", we couldn't really differentiate between the three controller flows yesterday. But one good news from this is that we don't really need extensive coding to assi
Read more

Day 50: Tcpreplay and tcpliveplay approach

Today we shall be exploring how to copy and redirect the OpenFlow packets to more than one controller from the load balancer. The load balancer is anyway sending the OpenFlow packets to one of the slave controllers - c1 or c2. The packets sent to these two controllers needs to be sent to master controller so the master controller can update the new flows added by c1 or c2 on the switches. This ensures synchronization between controllers. There are two implementation methods to achieve the same: Copy all packets generated from the load balancer to the controller side. Only the packets having destination IP address of c1 and c2 can be redirected to the master controller. Thus we can prevent the packets which already are reaching the master controller to be sent as duplicates Copy and redirect packets from the slave controllers - c1 and c2. We need not take care of duplicate packets reaching master controller. This will reduce the time taken to redirect packets. Since the second a
Read more

Day 10: Mininet Simulation of a basic distributed SDN controller architeture

Hi and welcome back! We have not been able to update the blog since we were busy debugging and figuring out!!! We are back to give you an in-detail explanation of how we have simulated a basic distributed SDN controller architecture. Requirement: 2 Hosts Mininet up and running Ryu controller up and running on each 1 D-link switch We have used two linux machines with Ubuntu 16.04 OS running on them.  How to install Mininet? Run the following command on a terminal to install mininet: > sudo apt-get install mininet How to install Ryu Controller? Make sure to install Ryu controller on each of the Linux machines so that they can act as a controller. Run the following commands for a successful installation of Ryu controller: > git clone git://github.com/osrg/ryu.git > cd ryu > sudo apt-get install python-dev python-pip python-setuptools   > sudo pip install . > sudo pip install webob eventlet paramiko routes Set Up the network
Read more