the World: Performance and Security

Song Wang*, Karina Gomez Chavez*, Sithamparanathan Kandeepan* and Paul Zanna
Northbound Networks, Melbourne Australia
*RMIT University, 124 La Trobe, 3000, Melbourne Australia
Email: {name.surname}@rmit.edu.au, paul@northboundnetworks.com

Abstract—Zodiac-FX is the first OpenFlow switch designed to sit on a desk, not in a datacenter. In this demo, we present Zodiac-FX, the world's smallest OpenFlow Software Defined Network switch. Our main objective is to showcase the usage and functionalities of Zodiac-FX in handling the OpenFlow protocol. We will also demonstrate SDN sEcure COntrol and Data Plane (SECOD), an SDN secure controller algorithm to detect and defend SDN against DoS attacks. We will demonstrate the value of Zodiac-FX and SECOD via experiments with real traffic and Denial-of-Service (DoS) attacks, allowing the audience to interact with the complete toolkit system.

978-1-5386-3416-5/18/$31.00 © 2018 IEEE

I. MOTIVATION

There are numerous open source SDN controllers that allow the prototyping and modelling of an SDN. However, a small and affordable OpenFlow switch has not been previously available. Therefore, several SDN framework emulators and simulators, such as Mininet or OpenFlowOmnet [1], were the only way to model and prototype SDN applications. Even though simulators are inexpensive, flexible and reasonably accurate, they cannot capture real hardware equipment interactions and performance. The Zodiac FX is the first OpenFlow switch designed to provide all the advantages of a hardware based SDN while keeping the equipment cost affordable [2]. We believe Zodiac FX offers the ideal platform to extract the SDN capability of easy-to-configure network control.

On the other hand, security in SDN is an important research topic with several research questions still to investigate. Related work has been done in SDN security; however, some countermeasures cannot protect both the control and data plane [3], an extra interface or device may be required [4], or no real implementation has been conducted so far [5]. Thus we design and implement SECOD [6], an innovative algorithm that detects and blocks DoS attacks in SDN. In this demo, we put forward a solution that attempts to demonstrate:

• The functionalities of Zodiac-FX, an open source, cost efficient and programmable OpenFlow switch fully supporting the OpenFlow protocol.
• The capabilities of SECOD, a powerful algorithm for detecting and defending SDN from DoS attacks (the full paper is presented in the main conference).

The aim of this demonstration is to validate the design choices we have made in conceiving and deploying the Zodiac FX and SECOD testbed. Furthermore, we will demonstrate the capability of the hardware & software toolkit to properly support secure SDN applications.

II. Zodiac-FX DESCRIPTION

The Zodiac-FX is a four-port network development board designed for anyone who requires a low cost SDN development platform. Because the firmware source code is provided, users are free to create their own versions. The main communication peripherals of Zodiac FX are sketched in Fig. 1. The CLI provides the ability to configure settings and monitor the operation of the Zodiac-FX. To simplify operations, the CLI uses the concept of a context, which limits the available commands. There are currently four available contexts: Base, Config, OpenFlow and Debug. The majority of the Zodiac-FX functionalities available via the CLI are also available via the web-interface, which provides the ability to configure settings and monitor the operations. For example, the flows page displays the current flows in the flow table, along with their configurations. Currently, up to eight per-flow meters can be configured, with up to three meter bands on each. Up-to-date meter statistics are also shown in the web-interface, allowing meters to be monitored.

Fig. 1: Communication peripherals of Zodiac-FX.

III. SECOD DESCRIPTION

Fig. 2: High-level description of SECOD algorithm showing the different functions for detecting and stopping DoS attacks.

The SECOD algorithm is based on [6] and summarized in Fig. 2. It runs on the controller to protect the control and data planes of the SDN without any extra device involved. It uses counters and thresholds to determine if the network is under attack, and the threshold can be updated dynamically. Due to hardware performance constraints and customer requirements, the predefined threshold varies from case to case. SECOD monitors the network and collects statistics which are used to
generate the threshold. By comparing counters with the threshold, SECOD is able to detect a DoS attack. Drop rules help SECOD to localize the source of the attacker and block the incoming packets to protect legitimate users in the network.

IV. DEMONSTRATION SCENARIOS

This demo aims at i) showing the capability of the hardware & software Zodiac-FX toolkit to properly deploy SDNs, ii) showing the effect of DoS attacks in SDN, and iii) showing the ability of SECOD to protect SDN. The relevant network setup is sketched in Fig. 3:

• One Raspberry Pi (Rpi) will act as the SDN controller (running the RYU controller) and host the SECOD algorithm; operations will be displayed on the monitor.
• Zodiac-FX will be connected to the controller; the CLI (displayed on the monitor) will be used to show the creation of flow tables and different functionalities of Zodiac-FX.
• A legacy switch is connected to the Zodiac-FX to allow multiple Rpis to run under the same port of Zodiac-FX.
• There are four physical Rpi hosts connected to the Zodiac-FX switch. Three hosts run legitimate TCP streams (using the iPerf traffic generator): two hosts are the senders and the other one is the receiver. The fourth host is the attacker, which generates malicious UDP streams.

Fig. 3: Architecture to showcase Zodiac-FX and SECOD.

The following application scenarios will be involved:

1) Zodiac-FX functionalities: First, Zodiac-FX functionalities in terms of a) base, b) config, c) OpenFlow, and d) debug will be explained and demonstrated. The Zodiac-FX CLI and web-interface will be used to explore the flow tables and other configurations.
2) Effect of DoS Attacks in SDN: The attacker host will initiate DoS attacks (low, medium and high intensity) while the network performance is monitored. This will allow us to visualize the impact of DoS attacks on the network performance.
3) SECOD in Action: SECOD will be activated and the DoS attack will be executed again while the network performance is monitored. This will allow the visualization of SECOD's ability to detect and block the attacks while maintaining good network performance.
4) Platform Functionalities: Finally, conference attendees will be able to explore the Zodiac-FX platform by configuring Zodiac-FX themselves and exploring SECOD's different functions as well.

We hope that our Zodiac-FX software and hardware toolkit will be considered as the platform to test innovative SDN solutions and that the SECOD algorithm will be used to detect and mitigate DoS attacks in SDN.

For the demonstration, we will prepare 1 Zodiac FX switch, 1 traditional switch, 5 Rpis and 1 notebook. We would like to request 8 power sockets, 1 external monitor, 1 table to accommodate the demo equipment, and space to display the demo poster. Estimated preparation time is 1 hour.

REFERENCES

[1] D. Klein and M. Jarschel, "An OpenFlow extension for the OMNeT++ INET Framework," in Proceedings of the ICST Conference on SimuTools, ICST, Brussels, Belgium, 2013, pp. 322–329.
[2] Zodiac. (2017) Northbound Networks Pty. Ltd. [Online]. Available: http://northboundnetworks.com/collections/zodiac-fx/products/zodiac-fx
[3] M. Kuerban, Y. Tian, Q. Yang, Y. Jia, B. Huebert, and D. Poss, "FlowSec: DoS attack mitigation strategy on SDN controller," in IEEE Networking, Architecture and Storage, 2016, pp. 1–2.
[4] T. Xing, Z. Xiong, D. Huang, and D. Medhi, "SDNIPS: Enabling software-defined networking based intrusion prevention system in clouds," in IEEE Network and Service Management, 2014, pp. 308–311.
[5] R. Kandoi and M. Antikainen, "Denial-of-service attacks in OpenFlow SDN networks," in IEEE Integrated Network Management, 2015.
[6] S. Wang, K. Gomez, and S. Kandeepan, "SECO: SDN sEcure COntroller algorithm for detecting and defending denial-of-service attacks," in IEEE International Conference on ICT, 2017.
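
The counter-and-threshold detection described in Section III, sketched as an added example; it is not code from the paper, from SECOD or from the Zodiac-FX project. The threshold formula (mean plus k standard deviations of recent benign counts), the window model, the names `ThresholdDetector`, `end_window` and `run_demo`, and the sample MAC addresses are assumptions; the paper states only that counters are compared with a dynamically updated threshold and that drop rules block the source.

```python
from collections import Counter, deque
from statistics import mean, pstdev

class ThresholdDetector:
    """Per-source counters compared against a dynamically updated threshold.
    Assumed here, not taken from the paper: counters are packet-in events per
    (in_port, eth_src) per window; threshold = mean + k * stddev of recent
    benign counts, falling back to a predefined value until enough are seen."""

    def __init__(self, predefined=50, k=3.0, min_samples=4, history=40):
        self.predefined, self.k, self.min_samples = predefined, k, min_samples
        self.baseline = deque(maxlen=history)  # benign per-source counts
        self.blocked = set()                   # sources that have a drop rule

    def threshold(self):
        if len(self.baseline) < self.min_samples:
            return self.predefined
        return mean(self.baseline) + self.k * pstdev(self.baseline)

    def end_window(self, events):
        """events: (in_port, eth_src) pairs seen in one monitoring window.
        Returns the drop rules to install: plain dicts (not Ryu objects)
        whose empty action list means 'drop' in OpenFlow."""
        # Blocked sources are dropped at the switch and never reach the counters.
        counts = Counter(e for e in events if e not in self.blocked)
        limit, rules = self.threshold(), []
        for (port, mac), n in counts.items():
            if n > limit:
                self.blocked.add((port, mac))
                rules.append({"priority": 100, "actions": [],
                              "match": {"in_port": port, "eth_src": mac}})
            else:
                self.baseline.append(n)  # only benign counts move the threshold
        return rules

# Constructed sample traffic: two legitimate senders and one flooding host.
SENDER_A, SENDER_B = (1, "02:00:00:00:00:01"), (1, "02:00:00:00:00:02")
ATTACKER = (2, "02:00:00:00:00:66")

def run_demo():
    det = ThresholdDetector()
    for _ in range(3):  # benign windows: 20 and 30 events per window
        det.end_window([SENDER_A] * 20 + [SENDER_B] * 30)
    learned = det.threshold()
    rules = det.end_window([SENDER_A] * 20 + [SENDER_B] * 30 + [ATTACKER] * 500)
    return learned, rules, det

if __name__ == "__main__":
    learned, rules, _ = run_demo()
    print(f"learned threshold: {learned:.1f}; drop rules: {rules}")
```

Counts from a flagged source are kept out of the baseline, so a sustained flood cannot raise the threshold it is measured against.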