Towards Load Balancing in SDN Networks During DDoS attacks

N/A
N/A
Protected

Academic year: 2021



Mikhail Belyaev, St.Petersburg Polytechnic University
Svetlana Gaivoronski, Moscow State University

•  DDoS attack – a distributed attack causing denial-of-service of the victim system.

•  For a lot of scary numbers, visit arbornetworks.com

DDoS mitigation

• Mitigation techniques:

–  “active mitigation”: detection and filtering of attacking machines;

Existing Solutions

• Static load balancing uses a-priori information about system state:

–  Random selection

–  Hash selection

–  (Weighted) round-robin

• Dynamic load balancing distributes load between servers during runtime:

–  Round-robin

SDN load balancing problems

•  Existing solutions do not consider properties of incoming traffic

•  Experiments show that they are not


Proposed Approach: Idea

• 2 independent levels of load balancing:

–  L7 load balancing (DNS/NAT)

–  L4 load balancing

Algorithm

1.  Acquire the load and topology information for the network;

2.  Override the routing for the network with static routing information;

3.  Iteratively keep splitting (and reapplying) traffic paths for routers that are:

    1.  Overloaded

Pre-phases

• Phase 1:

–  Needs to be executed before the need of load balancing arises

–  Updates the network load mask $M_{load}$, where the element $\omega_{ij}$ corresponds to the number of bytes coming from i to j

• Phase 2:

–  Applied only once to override the default packet routing mechanisms

–  Performed by running the Bellman-Ford algorithm on the whole network topology graph


Iterative phase (1/3)

1.  Update $M_{load}$ and $M_{free}$ with current info.

2.  Find the first overloaded link in $M_{load}$: $\omega_{ij} + \epsilon > \alpha_{ij}$

3.  Find the first path $r_q$ in $T_{path}$ such that $r_q$ contains link $(i, j)$


Iterative phase (2/3)

4.  For part $ip_i$ of $r_q$, find a new shortest path to server $i$, assuming that link $(i, j)$ is not present. Let us call the new path $path_q$.

5.  Calculate the maximum additional load $al$ for $path_q$, looking up every link of $path_q$ in $M_{free}$:

    $al = \min(m_{ij} : (i, j) \in path_q)$


Iterative phase (3/3)

6.  Calculate the new sets of masks $ips_{old}$ and $ips_{new}$ such that they divide $ips_{src}$ into pairs with coef. $al/\omega_{ij}$. Remove the corr. entry from $T_{path}$ and insert new ones.

7.  Commit the changes in $T_{path}$ to all switches across the old path $r_q$ and the new path $path_q$.

8.  Wait for timeframe and go to step 1.
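One pass of steps 2-6 above (overload test, path lookup in $T_{path}$, Bellman-Ford detour, $al$, split coefficient $al/\omega_{ij}$) on a constructed four-switch topology. This is an added illustration, not CALLOPHRYS code: the matrices, $\epsilon$, and the hop-count metric for "shortest path" are assumptions.

```python
# Added example, not CALLOPHRYS code: one pass of the iterative phase on a
# constructed 4-switch topology. ALPHA[i][j] is link bandwidth, OMEGA[i][j] the
# current load in the same units, M_free = ALPHA - OMEGA; 0 means "no link".
INF = float("inf")
EPS = 5  # epsilon of the overload test omega_ij + eps > alpha_ij (assumed value)

ALPHA = [[0, 100, 60, 0], [0, 0, 0, 100], [0, 0, 0, 100], [0, 0, 0, 0]]
OMEGA = [[0, 96, 0, 0], [0, 0, 0, 96], [0, 0, 0, 0], [0, 0, 0, 0]]
T_PATH = [[0, 1, 3]]  # T_path after phase 2: all traffic for server 3 via switch 1

def links(path):
    return list(zip(path, path[1:]))

def find_overloaded(omega, alpha, eps=EPS):
    """Step 2: first link (i, j) with omega_ij + eps > alpha_ij, else None."""
    n = len(omega)
    return next(((i, j) for i in range(n) for j in range(n)
                 if alpha[i][j] > 0 and omega[i][j] + eps > alpha[i][j]), None)

def bellman_ford_path(alpha, src, dst, banned=None):
    """Step 4: shortest hop-count path src->dst with link `banned` removed."""
    n = len(alpha)
    dist, prev = [INF] * n, [None] * n
    dist[src] = 0
    for _ in range(n - 1):  # Bellman-Ford relaxation with unit link weights
        for i in range(n):
            for j in range(n):
                if alpha[i][j] > 0 and (i, j) != banned and dist[i] + 1 < dist[j]:
                    dist[j], prev[j] = dist[i] + 1, i
    if dist[dst] == INF:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def split_step(omega, alpha, t_path, eps=EPS):
    """Steps 2-6 for one overloaded link: (link, r_q, path_q, al, split coef)."""
    link = find_overloaded(omega, alpha, eps)
    if link is None:
        return None  # nothing to rebalance this timeframe
    i, j = link
    r_q = next(p for p in t_path if link in links(p))                 # step 3
    path_q = bellman_ford_path(alpha, r_q[0], r_q[-1], banned=link)   # step 4
    if path_q is None:
        return None  # no detour around (i, j) exists
    m_free = [[a - w for a, w in zip(ra, rw)] for ra, rw in zip(alpha, omega)]
    al = min(m_free[a][b] for a, b in links(path_q))                  # step 5
    return link, r_q, path_q, al, al / omega[i][j]                    # step 6
```

With the constructed data, `split_step(OMEGA, ALPHA, T_PATH)` reports link (0, 1) as overloaded, detours via switch 2, finds $al = 60$ (limited by the 60-unit link 0-2) and a split coefficient of 60/96 = 0.625.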

Implementation

CALLOPHRYS DDoS attack detection and mitigation system:

•  Distributed

•  Asynchronous

•  Based on actor model

[Diagram: SDN, Agent Manager]

Implementation

Asynchronous context implies:

•  All parts of the balancer are separate asynchronous agents

•  The loop is created using timed messages sent to the balancer

•  The rest of the algorithm doesn’t change much

Evaluation

CALLOPHRYS has been tested using a virtual network setup:

•  Mininet

–  Simulated low-spec and slowed-down network

•  Floodlight

•  Iperf for attack simulation

Evaluation: results

•  Load balancing was evaluated separately from the detectors

•  Reaching full link & switch employment in 10-60 seconds

•  Up to 3000 rules generated for critical-path switches

Limitations & Future Work

•  Stale rules in switches may degrade network performance over time

•  We do not employ any asynchronous features of the actor-based solution

•  Algorithm parameters are deduced by handmade experiments

We need a real benchmark and evaluation on physical networks!

YOUR QUESTIONS?

Mikhail Belyaev: [email protected]
Svetlana Gaivoronski: [email protected]

Notations

•  $(i, j)$ - channel between switches i and j;

•  $\alpha_{ij}$ - bandwidth of channel $(i, j)$

•  $\omega_{ij}$ - current channel load

•  The channel is overloaded if $\omega_{ij} + \epsilon > \alpha_{ij}$

•  $1, \ldots, K$ - destination servers

•  $M_{load}$ - load matrix N x N containing current load values $\omega_{ij}$

•  $M_{free}$ - matrix of available resources - $\alpha_{ij} - \omega_{ij}$
