1. Denial of Service in Software Defined
Networks
Mohammad Faraji
ms.faraji@mail.utoronto.ca
Supervisor: Alberto Leon-Garcia
2. Cloud Computing
• Cloud computing is a model for
– on-demand network access
– shared pool of configurable computing resources
– rapidly provisioned and
– released with minimal management effort.
2
5. Denial Of Service
• Denial of Service : explicit attempt by
attackers to prevent legitimate users of a
service from using that service. (CERT)
• Examples:
– Flooding a network
• Denial Of Service is considered as the
largest security threat
6. Problem
• Application is distributed throughout the
network (ECC)
• Isolating application traffic reduce
probability of denial of service significantly
• Network isolation through VLAN
• Limitation:
– Scalability (4k VLAN id space)
– Complicated Network Management
– Per user policy control
9. Architecture Elements
sw Secure
Channel
hw Flow Policy Unit
Table
Virtual Resource 3 Virtual Resource 2 Virtual Resource 1
10. Methodology
• Identifying attack set
• Setting up Implementation Platform
• Selecting representative topologies
• Modeling Policy Unit
• Implementing Network Virtualization
• Evaluation
11. Policy Unit model
• Keystone (Openstack Identity Manager)
• Attribute Based Access Control
Policy Enforcement
Authorization and Access Control
Attribute Assertion
Authentication Assertion (single sign-on)
12. Implementation Platform
SOAP/WS-API
Control (BPEL)
Resource Manager Storage Manager
AAA(BPEL) (BPEL)
(BPEL)
Dynamic Link Generator
(BPEL)
Data Store(BPEL) Resources
Resources Storage
Resources
(WS) Storage
Query
DB Result Fabric Programmable
(WS)
(WS)Storage
Generator
(WS)
Processor (WS) Resources (WS)
Resource
(WS) (WS) (WS,BPEL) (WS,BPEL)
Fabric
MySQ Agent
L Resource Resource
SNMP Resource Resource
File
Resource Servers
Fabric
13. Outcome
• A software Platform on OpenFlow switches
• It decreases chance of denial of service by:
– Application is able to define their network
topology
– Each application can have its own policy
– Policy control is fine-grained
• DoS does not affect other’s traffic
• Attack can be easily interrupted
14. References
1. Karig, David and Ruby Lee. Remote Denial of Service Attacks and Countermeasures, Princeton
University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
2. M. Jensen, N. Gruschka, and N. Luttenberger, “The impact of flooding attacks on network-based
services,” in Availability, Reliability and Security, 2008. ARES 08. Third International Conference
on, march 2008, pp. 509 –513.
3. B. Kerns, “Amazon: Hey spammers, get off my cloud!” Jul. 2008. [Online].
Availabhttp://voices.washingtonpost.com/securityfix/2008/07/
4. P. Mell and T. Grance, “The nist definition of cloud computing,” National Institute of Standards and
Technology, vol. 53, no. 6, p. 50, 2009. [Online]. Available: http://csrc.nist.gov/groups/SNS/cloud-
computing/cloud-def-v15.doc
5. S. Shankland, “Hps hurd dings cloud computing, ibm,” Oct. 2009.
6. D. Catteddu and G. Hogben, “Cloud Computing Risk Assessment,” Nov. 2009. [Online]. Available:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
7. B. Kerns, “Amazon: Hey spammers, get off my cloud!” Jul. 2008. [Online]. Available:
http://voices.washingtonpost.com/securityfix/2008/07/
8. M. C. Ferrer, “Zeus in-the-cloud,” CA Community Blog, Dec. 2009.
9. M. Price, “The paradox of security in virtual environments,” Computer, vol. 41, no. 11, pp. 22 –
28, nov. 2008.
10. S. King and P. Chen, “Subvirt: implementing malware with virtual machines,” in Security and
Privacy, 2006 IEEE Symposium on, may 2006, pp. 14 pp. –327.
17. The NIST Cloud Definition Framework
Hybrid Clouds
Deployment
Models Private Community
Public Cloud
Cloud Cloud
Service Software as a Platform as a Infrastructure as a
Models Service (SaaS) Service (PaaS) Service (IaaS)
On Demand Self-Service
Essential
Broad Network Access Rapid Elasticity
Characteristics
Resource Pooling Measured Service
Massive Scale Resilient Computing
Common Homogeneity Geographic Distribution
Characteristics Virtualization Service Orientation
Low Cost Software Advanced Security
Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com
17
18. Classification of DoS Attacks[1]
Attack Affected Area Example Description
Network Level Routers, IP Ascend Kill II, Attack attempts to exhaust hardware
Device Switches, “Christmas Tree Packets” resources using multiple duplicate packets
Firewalls or a software bug.
OS Level Equipment Ping of Death, Attack takes advantage of the way operating
Vendor OS, End- ICMP Echo Attacks, systems implement protocols.
User Equipment. Teardrop
Application Finger Bomb Finger Bomb, Attack a service or machine by using an
Level Attacks Windows NT RealServer application attack to exhaust resources.
G2 6.0
Data Flood Host computer or Smurf Attack (amplifier Attack in which massive quantities of data
(Amplification, network attack) are sent to a target with the intention of
Oscillation, Simple using up bandwidth/processing resources.
Flooding)
UDP Echo (oscillation
attack)
Protocol Feature Servers, Client SYN (connection Attack in which “bugs” in protocol are
Attacks PC, DNS Servers depletion) utilized to take down network resources.
Methods of attack include: IP address
spoofing, and corrupting DNS server cache.
Editor's Notes
In extended cloud computing, resources limitedly provisioned in the a set of clusters near user that are called smart edge. You can find any type of resources in smart edge ranging from computation to FPGA boards. If an application needs more resources, remote datacenters are used where similar resources but in large amount are provided. The set of APIs that are offered in smart edge may be different from the remote resources.
Some security challenges has been established before the advent of cloud computing. Like phishing where a trusted entity is masqueraded. Downtime that a system is out of service. Password weakness due to uneducated user (like using only digit or letter for password). Botnet where a lot of computer throughout the world are compromised and are used to lauch a specific type of attack. However what is important here is that botnet is more serious in cloud computing due huge amount of resources that cloud provider provisions for the user.
This cloud model promotes availability and is composed of five essential characteristics, three service models, and three deployment models.