Network anti-spoofing with SDN data plane

Traditional DDoS anti-spoofing scrubbers require dedicated middleboxes, which add CAPEX, latency and complexity to the network. This paper starts by showing that the current SDN match-and-action model is rich enough to implement a collection of anti-spoofing methods. Second, we develop and use advanced methods for dynamic resource sharing to distribute the required mitigation resources over a network of switches. None of the earlier attempts to implement anti-spoofing in SDN directly exploited the match-and-action power of the switch data plane: they required additional functionality on top of the match-and-action model and are not implementable on an SDN switch as is. Our method builds on the premise that an SDN data path is a very fast and efficient engine for performing low-level primitive operations at wire speed. The solution requires a number of flow-table rules and switch-controller messages proportional to the legitimate traffic. To scale when protecting multiple large servers, the flow tables of multiple switches are harnessed in a distributed and dynamic network-based solution. We have fully implemented all our methods, both in OpenFlow 1.5 on Open vSwitch and in P4. The system mitigates spoofed attacks on either the SDN infrastructure itself or on downstream servers.
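As an added illustration of the abstract's scaling claim (example code, not the paper's implementation), the following Python model shows a match-and-action data plane that answers unverified SYNs statelessly, sends only cookie-validated sources to the controller, and shards the resulting allow rules across switches; the HMAC-based cookie challenge, the sharding by protected-server address, the key and all addresses are assumptions made for this example, not details taken from the paper.

```python
import hashlib, hmac
from dataclasses import dataclass
KEY = b"constructed-demo-key"  # secret shared by controller and switches (constructed for the example)

@dataclass
class Packet:
    src: str
    dst: str
    flag: str  # "SYN" or "ACK"
    ack: int = 0

def cookie(src: str, dst: str) -> int:
    # Stateless 32-bit challenge bound to (src, dst): only the real owner of src ever receives it
    mac = hmac.new(KEY, f"{src}>{dst}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

class Controller:  # installs one exact-match allow rule per verified source, sharded over switches
    def __init__(self, n_switches: int):
        self.switches = [Switch(self) for _ in range(n_switches)]
        self.packet_ins = 0  # switch-to-controller messages (the cost the abstract bounds)
    def switch_for(self, dst: str) -> "Switch":  # protected server -> switch that holds its rules
        return self.switches[int(hashlib.sha256(dst.encode()).hexdigest(), 16) % len(self.switches)]
    def packet_in(self, sw: "Switch", pkt: Packet) -> str:
        self.packet_ins += 1
        sw.rules[(pkt.src, pkt.dst)] = "forward"  # flow-mod: later packets never leave the data plane
        return "forward"

class Switch:  # match-and-action table with a stateless default path
    def __init__(self, ctl: Controller):
        self.ctl, self.rules = ctl, {}
    def process(self, pkt: Packet) -> str:
        if (pkt.src, pkt.dst) in self.rules:
            return self.rules[(pkt.src, pkt.dst)]  # table hit: forwarded at wire speed
        if pkt.flag == "SYN":
            return f"challenge:{cookie(pkt.src, pkt.dst)}"  # SYN-ACK built in the data plane, no state kept
        if pkt.flag == "ACK" and pkt.ack == cookie(pkt.src, pkt.dst) + 1:
            return self.ctl.packet_in(self, pkt)  # only cookie-validated sources reach the controller
        return "drop"

def simulate(legit: list, spoofed: list, server: str = "10.0.0.5", n_switches: int = 2) -> tuple:
    ctl = Controller(n_switches)
    sw = ctl.switch_for(server)
    for s in spoofed:  # forged source never sees the challenge; a guessed cookie (0) is dropped
        sw.process(Packet(s, server, "SYN"))
        sw.process(Packet(s, server, "ACK", ack=0))
    for s in legit:  # real client echoes the challenge and gets a rule; rules and messages scale with it
        reply = sw.process(Packet(s, server, "SYN"))
        sw.process(Packet(s, server, "ACK", ack=int(reply.split(":")[1]) + 1))
    return sum(len(x.rules) for x in ctl.switches), ctl.packet_ins
```

The returned pair (installed rules, controller messages) grows only with the legitimate sources, while any number of spoofed SYNs costs neither a rule nor a packet-in.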
