
Assessing the Impact of DDoS Attack in SDN through Simulation


Introduction:

In Software Defined Networks (SDN), the control plane (controllers) and the data
plane (switches) are separated. This enables an open, scalable, secure and programmable
network infrastructure. The OpenFlow protocol establishes communication between the
two planes. The controller can view the whole network, and each switch has a flow table
holding its flow entries.

The controller is centralised and supplies the flow table entries for the switches. Whenever
a new packet arrives and no flow table entry matches it, the packet is sent to the controller
for processing. The size of the flow table is limited, which leads to scalability problems
and, in turn, to a serious security issue under a DDoS attack. Attackers can generate
spoofed packets and send them to a host. This overloads the centralised controller, the
table overflows, and the installation of new rules is rejected, leading to packet loss or
delay (DDoS).

The flow table overflow attack is simulated using Mininet and POX. Its effect is
analysed with respect to delay and bandwidth.

High Level Design and its Explanation:

There is an SDN controller (C0) that can view the entire network. Two switches
(S1, S2) are connected to it. S1 is connected to S2 via a router (R0). Each switch has
four hosts connected to it, for a total of 8 hosts (H1 to H8).
H6 (server) and H8 (client) are legitimate hosts.
H1, H2, H3, H4, H5 and H7 are illegitimate hosts.

The illegitimate hosts start flooding the flow tables of the switches and, as a result,
communication between H6 and H8 is adversely affected.
Fig 1 – High Level Design
OpenFlow Flow Table:

Whenever there is a miss in the flow table, the switch asks the controller for
instructions by sending a Packet-In message. It comprises either the entire packet or
part of the packet (with a Buffer ID identifying the packet buffered at the switch). The
controller then replies with a Packet-Out message, which results in an entry in the flow table.

Parts of a Flow Table:

i) Rule matching pattern section (IP address, MAC address, port number etc.)
ii) Associated action:
1) Forward the packet (to a specific output port or to all output ports)
2) Drop the packet
3) Modify the packet header
iii) Statistics: number of times the rule is used
Fig 2 – How a flow table gets its rules
Timeout of a Flow Entry:

Flow entries in a flow table get flushed based on two factors.

Idle Timeout:

If the flow entry is not matched (used) for a given number of seconds (n),
then it gets flushed out after those n seconds.

Hard Timeout:

The flow entry gets automatically flushed out after a given number
of seconds (n) irrespective of its usage.

We use the POX controller, in which the timeout values can be modified.

Flow Table Entry Contents:

1) in_port 2) eth_src 3) eth_dst 4) eth_type 5) vlan_vid 6) vlan_pcp
7) ip_src 8) ip_dst 9) nw_proto 10) nw_tos 11) tcp_src 12) tcp_dst

Flooding the Flow Table:

1) Generate a large number of packets in an infinite loop
2) Permute source and destination IP addresses
3) Permute source and destination ports
Here we generate spoofed packets by permuting source and destination ports.

Consequences of Flooding:
Every switch has a limited number of flow table entries. If flooding occurs,
new rules cannot be installed (denial of service) and this results in packet loss.
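The flooding pattern described above leaves a recognisable trace in the switch's flow table: one source IP holding many entries, each with a different port pair and each having matched only a single packet. The following is an added detection example, not code from the report or from POX/Mininet. It parses a dump in the style of `ovs-ofctl dump-flows` output (the sample lines are constructed here, not captured from the experiment) and flags sources whose entries are almost all single-packet flows; the thresholds are illustrative assumptions.

```python
"""Flag flow-table flooders from a dump of flow entries.

Added example (not from the report).  The sample dump is constructed in the
style of `ovs-ofctl dump-flows` output; thresholds are illustrative.
"""
import re
from collections import defaultdict

# key=value fields as they appear in a flow dump line; bare tokens such as
# "tcp" or "icmp" carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


def _constructed_line(src, dst, proto, packets, tp_src=None, tp_dst=None, duration="0.5s"):
    """Build one constructed dump line (sample data only)."""
    match = f"{proto},in_port=3,nw_src={src},nw_dst={dst}"
    if tp_src is not None:
        match += f",tp_src={tp_src},tp_dst={tp_dst}"
    return (f" cookie=0x0, duration={duration}, table=0, n_packets={packets}, "
            f"n_bytes={packets * 60}, idle_timeout=10, {match} actions=output:1")


# Constructed sample: H6<->H8 ping traffic (busy, long-lived entries), two hosts
# holding many single-packet entries with shifting ports, and one host with a
# few ordinary connections.
SAMPLE_DUMP = "\n".join(
    [_constructed_line("10.0.0.6", "10.0.0.8", "icmp", 118, duration="12.4s"),
     _constructed_line("10.0.0.8", "10.0.0.6", "icmp", 118, duration="12.3s")]
    + [_constructed_line("10.0.0.1", "10.0.0.8", "tcp", 1, 1024 + i % 5, 8000 + i) for i in range(20)]
    + [_constructed_line("10.0.0.2", "10.0.0.8", "tcp", 1, 1024 + i % 5, 8000 + i) for i in range(15)]
    + [_constructed_line("10.0.0.5", "10.0.0.6", "tcp", 7, 50000 + i, 80) for i in range(3)]
)


def parse_flows(dump):
    """Turn each non-empty dump line into a dict of its key=value fields."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["n_packets"] = int(fields.get("n_packets", 0))
        flows.append(fields)
    return flows


def profile_sources(flows):
    """Per source IP: entry count, distinct (tp_src, tp_dst) pairs and
    how many entries have matched at most one packet."""
    prof = defaultdict(lambda: {"entries": 0, "port_pairs": set(), "single_packet": 0})
    for f in flows:
        src = f.get("nw_src")
        if src is None:
            continue
        p = prof[src]
        p["entries"] += 1
        p["port_pairs"].add((f.get("tp_src"), f.get("tp_dst")))
        if f["n_packets"] <= 1:
            p["single_packet"] += 1
    return prof


def flag_flooders(flows, min_entries=10, min_single_packet_ratio=0.9):
    """Sources holding at least `min_entries` entries of which nearly all
    carried a single packet: the signature of spoofed, never-reused flows."""
    flagged = []
    for src, p in profile_sources(flows).items():
        if p["entries"] >= min_entries and p["single_packet"] / p["entries"] >= min_single_packet_ratio:
            flagged.append(src)
    return sorted(flagged)


def occupancy(flows, capacity):
    """Fraction of the flow table in use; compare against the switch's limit."""
    return len(flows) / capacity


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_DUMP)
    print(f"{len(flows)} entries, occupancy {occupancy(flows, 100):.0%} of a 100-entry table")
    print("suspected flooders:", flag_flooders(flows))
```

The single-packet ratio is what separates a flooder from a busy legitimate host: a server with many clients also holds many entries, but its entries keep matching packets, whereas spoofed flows are used exactly once and then sit in the table until their timeout expires.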

Experiment:
Spoofed Packet Generation Logic:

We have five randomised source ports and twenty randomised destination
ports. Here, packets are generated every 0.1 second. Each host generates
approximately 1000 packets per second.

How to calculate the number of spoofed packets generated per second:

Packet_Count = N * S_P * D_P

N ---> Number of attacker hosts
S_P ---> Number of source ports
D_P ---> Number of destination ports

Here 6000 spoofed packets are generated per second. This can be increased by
adding more source and destination ports and by decreasing the interval at which
packets are generated.

Flooding Logic:

The default flow table size is 1000000. We reduced it to 100.

As a result of flooding, the flow table quickly reaches its limit (100) and
overflows. As spoofed packets are continuously generated and the switch has no
rule that matches them, the switch forwards each one to the controller, which is kept
occupied all the time (resource attack).

Experiment in Terms of Delay and Bandwidth:

1) Start the POX controller and run the Python code to set up the topology.

2) The aforementioned topology will be set up.

3) Execute the ping command between H6 and H8.

4) ICMP packets will be sent from H6 to H8. The first packet will take 21 milliseconds
and the remaining packets will take 0.0535 milliseconds (average) to
reach the target.
5) Now run the attacker code on the remaining hosts. As a result, the time taken
will be multiplied by a huge factor (the average time is 12700 milliseconds) and
eventually there will be packet loss. This causes a significant reduction in
bandwidth.

Analysis:

The impact varies in proportion to the number of attacking hosts and to the timeout
of a flow entry. The impact is inversely proportional to the size of the flow table.
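The three relationships in the analysis, and the idle/hard timeout semantics introduced earlier, can be checked with a small discrete-time model of a flow table. The following is an added example, not code from the report or from POX/Mininet. Time is counted in ticks (with the report's 0.1 s send interval, one tick is 0.1 s, so a 1 s timeout is 10 ticks); each tick the attackers present a fixed number of fresh 5-tuples, which are never reused and therefore always miss, and the legitimate client opens one new flow. The per-tick rates, timeouts and table sizes in the `__main__` block are constructed parameters chosen to show the effect, not the report's measured values. A spoofed entry lives for the smaller of the two timeouts, so the steady-state load a flood places on the table is roughly arrival rate times that lifetime, and once that exceeds the capacity the legitimate client's rules start being rejected.

```python
"""Discrete-time model of an OpenFlow flow table under a flood of never-reused flows.

Added illustration (not from the report, POX or Mininet).  Time is in ticks;
one tick corresponds to the report's 0.1 s send interval.  Parameters used
below are constructed to show the relationships, not measured results.
"""
from dataclasses import dataclass


@dataclass
class FlowEntry:
    installed_at: int   # tick at which the controller's rule was installed
    last_used: int      # tick of the most recent match (refreshes the idle timer)


class FlowTable:
    def __init__(self, capacity, idle_timeout, hard_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.hard_timeout = hard_timeout
        self.entries = {}           # 5-tuple -> FlowEntry
        self.packet_ins = 0         # table misses forwarded to the controller
        self.install_rejected = 0   # rules refused because the table was full
        self.peak_occupancy = 0

    def expire(self, now):
        """Flush entries whose idle or hard timeout has elapsed."""
        dead = [k for k, e in self.entries.items()
                if now - e.last_used >= self.idle_timeout
                or now - e.installed_at >= self.hard_timeout]
        for k in dead:
            del self.entries[k]

    def handle_packet(self, key, now):
        """Process one packet; False means it missed and no rule could be installed."""
        self.expire(now)
        entry = self.entries.get(key)
        if entry is not None:
            entry.last_used = now
            return True
        self.packet_ins += 1                  # miss -> Packet-In to the controller
        if len(self.entries) >= self.capacity:
            self.install_rejected += 1        # overflow: the controller's rule is dropped
            return False
        self.entries[key] = FlowEntry(now, now)
        self.peak_occupancy = max(self.peak_occupancy, len(self.entries))
        return True


def effective_lifetime(idle_timeout, hard_timeout):
    """Ticks a never-reused (spoofed) entry survives: the smaller timeout wins."""
    return min(idle_timeout, hard_timeout)


def estimated_load(new_flows_per_tick, idle_timeout, hard_timeout):
    """Steady-state entries a stream of fresh flows holds: arrival rate times lifetime.
    When this exceeds the table capacity, legitimate rules start being rejected."""
    return new_flows_per_tick * effective_lifetime(idle_timeout, hard_timeout)


def simulate(capacity, idle_timeout, hard_timeout, attack_flows_per_tick, ticks=100):
    """Run the flood plus one new legitimate flow per tick; return counters."""
    table = FlowTable(capacity, idle_timeout, hard_timeout)
    legit_ok = legit_rejected = 0
    seq = 0
    for now in range(ticks):
        # Spoofed traffic: every packet carries a new port pair, so every one misses.
        for _ in range(attack_flows_per_tick):
            key = ("10.0.0.1", "10.0.0.8", 6, 1024 + seq, 80)   # constructed 5-tuple
            seq += 1
            table.handle_packet(key, now)
        # Legitimate client H8 opens one new connection to server H6 each tick.
        legit_key = ("10.0.0.8", "10.0.0.6", 6, 40000 + now, 80)
        if table.handle_packet(legit_key, now):
            legit_ok += 1
        else:
            legit_rejected += 1
    return {"legit_ok": legit_ok, "legit_rejected": legit_rejected,
            "packet_ins": table.packet_ins, "install_rejected": table.install_rejected,
            "peak_occupancy": table.peak_occupancy}


if __name__ == "__main__":
    for idle in (10, 30):   # 1 s and 3 s idle timeouts
        r = simulate(capacity=100, idle_timeout=idle, hard_timeout=50, attack_flows_per_tick=5)
        print(f"capacity 100, idle={idle:>2} ticks: estimated load {estimated_load(6, idle, 50)}, "
              f"legit rejected {r['legit_rejected']}/100, peak occupancy {r['peak_occupancy']}")
    r = simulate(capacity=1000, idle_timeout=30, hard_timeout=50, attack_flows_per_tick=5)
    print(f"capacity 1000, idle=30 ticks: legit rejected {r['legit_rejected']}/100")
```

With a 10-tick idle timeout the six new flows per tick never hold more than 60 entries and the legitimate client is never refused; raising the idle timeout to 30 ticks pushes the load to 180, the 100-entry table fills, and legitimate installs start failing, while the same 30-tick timeout on a 1000-entry table again causes no rejections. A short hard timeout caps the lifetime in the same way, which is the basis for the conclusion that timeouts should be kept as low as possible.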
Conclusion:

The controller and the flow table are very important components of SDN, so they are
highly vulnerable. The larger the timeout value, the higher the possibility of attacks.
The performance of SDN can be severely affected by attacks on the flow table. Research
should be made into mitigating such attacks, and the timeout should be as low as possible.
