DDOS ATTACK DETECTION AND MITIGATION IN AN SDN ENVIRONMENT

- Software-Defined Networking (SDN) is a network architecture in which the network is controlled centrally and programmatically by software applications, which lets operators manage the entire network consistently and holistically. Although SDN on the surface provides a simple framework for network programmability and monitoring, little has been said about security measures that make it resilient both to the security flaws inherited from traditional networks and to the new threats the architecture introduces. One weakness that the separation of the control and data planes exposes is the Distributed Denial of Service (DDoS) attack, whose goal is to make network resources unavailable to legitimate users or to introduce large delays. In this paper, the effect of a DDoS attack on SDN is presented, together with automatic detection and mitigation of the attack using an SDN application written in Python that programs the switches through the OpenFlow protocol.


II. LITERATURE SURVEY
In [6], the effect of a DoS attack on SDN is presented using the Mininet emulator and the OpenDaylight (ODL) controller. An ICMP flood attack is performed against a TCP server and a UDP server, both connected to OpenFlow switches. The simulation results reveal a drop in network throughput from 233 Mbps to 87.4 Mbps and the introduction of jitter between 0.003 ms and 0.789 ms during the DoS attack. That paper shows the impact of a DoS attack on SDN without mitigating it. [7] proposes SDN-Guard, an SDN solution that mitigates SDN-specific DoS threats by dynamically rerouting potentially malicious traffic, adjusting flow timeouts, and aggregating the flow rules associated with malicious traffic. These two papers study only DoS, not DDoS: the first measures only the impact, and the second takes ten minutes to mitigate the attack. [2] studies how SDN can be used to detect DDoS attacks; the method captures the flow volume feature as well as the flow rate asymmetry feature and adaptively changes the flow monitoring granularity on all switches to quickly locate potential victims and suspicious attackers. [8] proposes an Advanced Support Vector Machine (ASVM) algorithm to detect DDoS attacks.
Both [2] and [8] address only DDoS detection, using the POX and ONOS controllers. In [9], the DDoS detection method inspects and analyses the incoming traffic; when an attacker is found, its address is forwarded to a firewall, which then blocks its packets. That paper uses a third-party firewall for blocking, with four hosts and one server, under the POX controller; the solution is no different from the traditional approach of forwarding traffic to a centralized firewall. [10] shows how a DDoS attack can be mounted against a primary server: the attacker generates a huge number of packets with destination IP addresses directed at the switch that connects the primary server, so the POX controller repeatedly installs flow rules into this switch and exhausts its flow table space. The attack scenario is weak: flow entries installed directly by the controller are classified as attack traffic, whereas the entries for packets requested by the switch are treated as genuine traffic, and the mitigation consists of manipulating the TIMEOUT parameter rather than running an SDN application. In [11], the network consists of virtual hosts representing both normal users and attackers, and the goal is to use SDN programmability against a DDoS ping attack. TCP and UDP throughput and round-trip time, as measured by emulated network users, are shown to demonstrate how SDN resolves the adverse effects of the attack, using the OpenDaylight controller. [11] is the closest to the idea of this project, but its testbed differs: it uses the GNS3 emulator and VMware, whereas this paper uses Mininet, which supports OpenFlow for highly flexible custom routing and Software-Defined Networking.
The network topology of [11] is a simple mesh and is not customized like the topology in this paper. A further weakness of [11] is that the attacker IP address is known in advance, whereas this paper finds and extracts the attackers from the traffic toward the victim. In [11] the dropping rule is sent to all switches in the network, so the blocked user is denied access to the whole network, while this project sends the rule only to a specific switch. Moreover, the script in [11] is run manually, so no mitigation time can be evaluated; in this paper the Python script runs automatically whenever an attack is detected.

III. OPENFLOW PROTOCOL
OpenFlow is a communications protocol, carried over a TCP (optionally TLS-protected) control channel, that gives a remote controller access to the forwarding plane of a network switch or router. The OpenFlow pipeline of every OpenFlow switch contains one or more flow tables, each holding multiple flow entries [12]. Each flow entry consists of match fields, a priority, counters, instructions, timeouts and a cookie. An OpenFlow switch is an OpenFlow-enabled data switch that communicates over the OpenFlow channel with an external controller [13]. It performs packet lookup and forwarding according to one or more flow tables and a group table, as shown in Fig. 2. The controller manages the switch via the OpenFlow switch protocol; such switches are either OpenFlow-only devices or OpenFlow-hybrid devices that also support conventional Ethernet switching. The controller installs entries whose actions instruct the switch to forward a packet, drop it, enqueue it on a queue for quality of service, or modify header fields such as the VLAN tag, MAC address or IP address [14].

A. Architecture Overview of the Tested Components
The system operates as a control loop among three basic architectural components, shown in Fig. 3: part A contains the OpenDaylight controller, part B the network topology, and part C the SDN application. The testbed components, namely the Mininet emulator and OpenDaylight, are installed on the Ubuntu operating system, as shown in Fig. 4.
• Attackers are some of the hosts in the topology that want to disrupt the connectivity between users and the victim server.
• The victim is a server connected to switch number two with the IP address 10.0.2.60. Hosts attack the server using the hping3 tool. hping3 is a network tool able to send custom TCP/IP packets; it supports TCP, UDP, ICMP and raw IP, and lets the user control the size, quantity and fragmentation of the packets in order to overload the target and bypass or attack firewalls.
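To make the flow-entry structure above concrete, the following added example (written for this edit, not code from the paper) models a single OpenFlow flow table in Python: each entry carries match fields (a field absent from the match is a wildcard), a priority, per-entry packet and byte counters, idle and hard timeouts and a cookie, and a lookup returns the instructions of the highest-priority matching entry or reports a table-miss to the controller. The forwarding entry toward the paper's server 10.0.2.60 is taken from Section III; the attacker address 10.0.1.10, the output port, the priorities and the timeout values are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# A match is a dict such as {"eth_type": 0x0800, "ipv4_src": "10.0.1.10"};
# any header field not listed in the match is a wildcard, as in OpenFlow.
Match = Dict[str, object]


@dataclass
class FlowEntry:
    match: Match
    priority: int
    actions: List[str]          # instructions, e.g. ["output:2"] or ["drop"]
    idle_timeout: int = 0       # seconds without a hit before removal; 0 = never
    hard_timeout: int = 0       # seconds after installation before removal; 0 = never
    cookie: int = 0             # opaque controller-chosen tag
    packet_count: int = 0       # counters updated on every hit
    byte_count: int = 0
    installed_at: float = 0.0
    last_hit: float = 0.0

    def matches(self, pkt: Dict[str, object]) -> bool:
        # every field named in the match must equal the packet's header field
        return all(pkt.get(k) == v for k, v in self.match.items())

    def expired(self, now: float) -> bool:
        if self.hard_timeout and now - self.installed_at >= self.hard_timeout:
            return True
        if self.idle_timeout and now - self.last_hit >= self.idle_timeout:
            return True
        return False


class FlowTable:
    """One OpenFlow flow table: the highest-priority matching entry wins."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry, now: float) -> None:
        entry.installed_at = entry.last_hit = now
        self.entries.append(entry)
        # keep entries sorted by descending priority so lookup stops at the first hit
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def expire(self, now: float) -> List[FlowEntry]:
        gone = [e for e in self.entries if e.expired(now)]
        self.entries = [e for e in self.entries if not e.expired(now)]
        return gone

    def lookup(self, pkt: Dict[str, object], now: float) -> List[str]:
        """Return the actions for pkt; a table-miss is reported as ['controller']."""
        self.expire(now)
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packet_count += 1
                entry.byte_count += int(pkt.get("len", 0))
                entry.last_hit = now
                return entry.actions
        return ["controller"]    # table-miss: packet-in to the controller


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a forwarding rule toward the victim plus a
    higher-priority drop rule for one assumed attacker address."""
    table = FlowTable()
    t0 = 0.0
    # low-priority forwarding rule toward the server 10.0.2.60 (assumed on port 2)
    table.add(FlowEntry({"eth_type": 0x0800, "ipv4_dst": "10.0.2.60"}, priority=10,
                        actions=["output:2"], idle_timeout=120), t0)
    # high-priority drop rule such as an SDN application would install (assumed attacker)
    table.add(FlowEntry({"eth_type": 0x0800, "ipv4_src": "10.0.1.10", "ipv4_dst": "10.0.2.60"},
                        priority=500, actions=["drop"], hard_timeout=60, cookie=0xDD05), t0)
    attacker = {"eth_type": 0x0800, "ipv4_src": "10.0.1.10", "ipv4_dst": "10.0.2.60", "len": 64}
    user = {"eth_type": 0x0800, "ipv4_src": "10.0.1.20", "ipv4_dst": "10.0.2.60", "len": 64}
    other = {"eth_type": 0x0800, "ipv4_src": "10.0.1.20", "ipv4_dst": "10.0.3.1", "len": 64}
    return {
        "attacker": table.lookup(attacker, t0 + 1),             # ['drop']
        "user": table.lookup(user, t0 + 2),                     # ['output:2']
        "miss": table.lookup(other, t0 + 3),                    # ['controller']
        "after_hard_timeout": table.lookup(attacker, t0 + 61),  # drop rule expired: ['output:2']
    }


if __name__ == "__main__":
    print(demo())
```

The last lookup shows why timeouts matter for a blocking rule: once the drop entry's hard timeout elapses the attacker's packets fall through to the forwarding entry again, so an application that relies on finite timeouts has to re-install the rule while the attack persists.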

D. Proposed Solution
Current practice in traditional networks relies on a firewall sitting at the network domain border or gateway to drop harmful packets. With SDN, all the Open vSwitch (OVS) switches can be reprogrammed to drop attacker traffic at the earliest possible location. An SDN application (the Python script written and developed for this paper) captures and analyses the traffic toward the server (the victim). Whenever unusual behaviour is detected in that traffic, the application starts analysing the packets to extract the attackers' IP addresses, ranking the senders by volume and selecting the largest ones, which are forwarding huge amounts of traffic. So that normal users can still reach the server, a dropping rule is applied to the Open vSwitch to which the server is connected, as shown in Fig. 8. The rule is forwarded from the application to the OpenDaylight controller API. Fig. 9 shows the first three flow entries, added with high priority by the application to block the malicious hosts. In another scenario with a different number of hosts or switches, the performance of the application did not change, because it depends only on the victim's location in the network, where the blocking rule is applied.
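The detection and mitigation loop described above, as an added example that is not the paper's script: it counts the packets captured toward the victim in a one-second window, declares an attack when their rate exceeds a threshold, ranks the senders and keeps the largest ones, and builds one high-priority drop rule per attacker for the switch the victim is attached to, in the format the OpenDaylight OpenFlow plugin accepts on its RESTCONF config datastore. The victim address 10.0.2.60 and switch number two come from Section III; the node name openflow:2, the controller URL, the rate threshold, the minimum share, the priority, the top-N value and the sample packets are assumptions made for this example.

```python
import json
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

VICTIM_IP = "10.0.2.60"             # the server in the testbed (Section III.A)
VICTIM_NODE = "openflow:2"          # assumption: switch number two, as ODL names it
ODL_URL = "http://127.0.0.1:8181"   # assumption: controller on the default RESTCONF port
PKT_RATE_THRESHOLD = 200            # assumption: packets/s toward the victim that is "unusual"
TOP_N = 3                           # assumption: how many of the largest senders to block
MIN_SHARE = 0.10                    # assumption: a sender must carry >= 10% of the packets

Packet = Tuple[str, str, int]       # (src ip, dst ip, length in bytes)


def constructed_window() -> List[Packet]:
    """Constructed one-second capture on the victim's uplink; not a real trace."""
    pkts: List[Packet] = []
    for i in range(120):                                   # two normal users, modest traffic
        pkts.append(("10.0.1.20", VICTIM_IP, 500))
        if i % 2 == 0:
            pkts.append(("10.0.1.21", VICTIM_IP, 500))
    for src, n in (("10.0.1.10", 3000), ("10.0.1.11", 2500), ("10.0.1.12", 2000)):
        pkts.extend([(src, VICTIM_IP, 60)] * n)            # three hping3-style flooders
    pkts.extend([("10.0.1.20", "10.0.3.5", 500)] * 50)     # traffic not aimed at the victim
    return pkts


def detect_attackers(pkts: List[Packet], victim: str = VICTIM_IP, window_s: float = 1.0,
                     rate_threshold: int = PKT_RATE_THRESHOLD, top_n: int = TOP_N,
                     min_share: float = MIN_SHARE) -> List[str]:
    """Return the largest senders toward the victim when the traffic toward it is
    unusual (packet rate above the threshold); otherwise return an empty list."""
    toward = [p for p in pkts if p[1] == victim]
    if len(toward) / window_s < rate_threshold:
        return []                                          # normal load: nothing to block
    by_src = Counter(src for src, _, _ in toward)          # packets per source toward the victim
    total = sum(by_src.values())
    # rank senders by packet count and keep only those that dominate the volume,
    # so a normal user is not blocked just for being the largest of a quiet set
    return [src for src, n in by_src.most_common(top_n) if n / total >= min_share]


def build_drop_flow(attacker_ip: str, node: str = VICTIM_NODE, priority: int = 500,
                    table: int = 0, hard_timeout: int = 0) -> Tuple[str, Dict]:
    """Return (RESTCONF URL, JSON body) for a drop rule on the victim's switch in
    the OpenDaylight OpenFlow plugin's flow-node-inventory format."""
    flow_id = "drop-" + attacker_ip.replace(".", "-")
    url = (f"{ODL_URL}/restconf/config/opendaylight-inventory:nodes/node/{node}"
           f"/table/{table}/flow/{flow_id}")
    body = {
        "flow-node-inventory:flow": [{
            "id": flow_id,
            "table_id": table,
            "priority": priority,                          # above the forwarding rules
            "hard-timeout": hard_timeout,                  # 0 = stays until removed
            "idle-timeout": 0,
            "match": {
                "ethernet-match": {"ethernet-type": {"type": 2048}},   # 0x0800 = IPv4
                "ipv4-source": f"{attacker_ip}/32",
                "ipv4-destination": f"{VICTIM_IP}/32",
            },
            "instructions": {"instruction": [{
                "order": 0,
                "apply-actions": {"action": [{"order": 0, "drop-action": {}}]},
            }]},
        }]
    }
    return url, body


def mitigate(pkts: List[Packet],
             send: Optional[Callable[[str, str, str], int]] = None) -> List[Tuple[str, Dict]]:
    """Detect attackers and push one drop rule each through `send(method, url, body)`,
    which should return the HTTP status code; with send=None the rules are only built."""
    built = []
    for ip in detect_attackers(pkts):
        url, body = build_drop_flow(ip)
        if send is not None:
            send("PUT", url, json.dumps(body))
        built.append((url, body))
    return built


if __name__ == "__main__":
    for url, body in mitigate(constructed_window()):
        print(url, json.dumps(body)[:80], "...")
```

To actually push the rules, pass a sender built on the `requests` library, for example `lambda m, u, b: requests.request(m, u, data=b, headers={"Content-Type": "application/json"}, auth=("admin", "admin")).status_code`; the admin/admin credentials are OpenDaylight's default and should be changed on any testbed that is reachable from the attackers. Because the rule is keyed on the victim's switch rather than broadcast to every switch, the blocked host keeps its connectivity to the rest of the network, which is the difference from [11] noted in Section II.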