Day 65: DoS detection from Ryu controller

Continuing from where we left off in Day 63, we start by writing the code to detect the DoS attack. I shall consider only one feature: the bitrate of the packets that go in and out of the switch ports.

This has been sufficient for a basic thresholding mechanism for identifying DoS attacks. Based on my observations, I have set a bitrate threshold of 200 for identifying a DoS attack. This threshold is somewhat high considering the average bitrate numbers.

The reason I have set a higher bitrate threshold is to avoid false positives. At the same time, I am fine with a few DoS attacks getting through to the controller side, as the controllers are designed to sustain the attacks in a round-robin fashion. So far, I have let my DoS attack run for 5 - 10 minutes without affecting the functionality of my controllers. The ML algorithm being built would take care of finer details and better identification of DoS attacks.

The detector built on the Ryu controller right now is very naive but works well for our case. It might not hold good in a non-SDN environment. I am trying to exploit the knowledge the controllers possess about the switches to identify these attacks. A video will be uploaded shortly showing how this works in real time. I have not built the code from scratch; I have borrowed many modules already present in this GitHub link to achieve the same.
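The thresholding logic described above, written out as an added example (this is not the code from the post or from the borrowed GitHub modules). It computes a per-port bitrate from two successive byte-counter samples and raises an alert when the bitrate crosses the threshold; the post does not state the unit of its 200 threshold, so bits per second is an assumption here, and in a real Ryu app the samples would be filled from the rx_bytes/tx_bytes fields of the controller's port statistics replies instead of the constructed ones below.

```python
"""Threshold-based DoS detector on per-port bitrate (added example)."""
from dataclasses import dataclass, field

# Threshold from the post; its unit is not stated there, so bits per second
# is an assumption made for this example.
THRESHOLD_BPS = 200.0


@dataclass
class PortSample:
    """One byte-counter reading for a switch port (dpid, port_no)."""
    dpid: int
    port_no: int
    rx_bytes: int
    tx_bytes: int
    timestamp: float  # seconds


@dataclass
class BitrateDetector:
    threshold_bps: float = THRESHOLD_BPS
    _last: dict = field(default_factory=dict)  # (dpid, port_no) -> last sample

    def update(self, sample):
        """Return (bitrate_bps, alert); (None, False) if no rate can be computed."""
        key = (sample.dpid, sample.port_no)
        prev = self._last.get(key)
        self._last[key] = sample
        if prev is None:
            return None, False            # first sighting of this port
        dt = sample.timestamp - prev.timestamp
        if dt <= 0:
            return None, False            # out-of-order or duplicate sample
        delta_bytes = (sample.rx_bytes - prev.rx_bytes) + (sample.tx_bytes - prev.tx_bytes)
        if delta_bytes < 0:
            return None, False            # counter wrapped or switch restarted
        bps = delta_bytes * 8 / dt        # in + out traffic, bits per second
        return bps, bps > self.threshold_bps


# Constructed samples: steady low traffic on switch 1 port 1, then a burst.
SAMPLES = [
    PortSample(1, 1, 0, 0, 0.0),
    PortSample(1, 1, 10, 10, 1.0),        # 160 bit/s, below threshold
    PortSample(1, 1, 20, 20, 2.0),        # 160 bit/s
    PortSample(1, 1, 5000, 5000, 3.0),    # 79680 bit/s, alert
]


def run(samples, threshold_bps=THRESHOLD_BPS):
    """Feed samples through the detector and return the alerts raised."""
    det = BitrateDetector(threshold_bps)
    alerts = []
    for s in samples:
        bps, alert = det.update(s)
        if alert:
            alerts.append((s.dpid, s.port_no, s.timestamp, bps))
    return alerts
```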

Refer to previous and next posts here.

Author: Shravanya
Co-author: Swati
