Detecting Denial-of-Service Attacks Using sFlow
Shivaraj Hublikar, Vijaya Eligar and Arun Kakhandki
Abstract This paper addresses how to detect denial-of-service attacks using sFlow. A Denial-of-Service (DoS) attack is a critical security challenge in Software Defined Networking (SDN). In a DoS attack, the network bandwidth is consumed by disrupting the services of the server: the traffic is increased abruptly, making the server unavailable to other users. The most challenging problem of DoS attacks is to detect the attack almost instantly and precisely. This paper presents the detection of DoS attacks using the sFlow analyzer, an SDN flow monitoring tool. In the event of an attack, sFlow collects sample packets from the network traffic, analyzes the suspicious behaviour and creates handling rules which are then sent to the controller. The DoS attack is implemented by emulating a typical network in Mininet and integrating it with the sFlow analyzer. Through the simulated results, the potential DoS victims and attackers are quickly found.
Key words: bandwidth detection, DoS attack, SDN, sFlow
1 Introduction
In a traditional data network, devices are structured into a data-plane and a control-plane, both of which are local to the device. If there are ten devices in a network, each device has its own data-plane and control-plane holding all the relevant forwarding-table information. The data-plane comprises switches, while the control-plane comprises controllers of different types. A networking device forwards the packets it receives as decided by its forwarding tables. Since the demand on traditional networks is increasing, working on the topology is complex [5]. Even though traditional networks are global and very popular, they have various drawbacks. Firstly, there is no scope to extend the network if a new feature or protocol is to be added. Secondly, no new command can be accepted to improve the functionality of a traditional network, since it is not programmable. Thirdly, the cost of the network is effectively high, since each device contains both a data-plane and a control-plane. Different network topologies are not possible, since the traditional network is configured with a set of predefined rules during manufacture. Furthermore, the physical network infrastructure cannot be fully utilized, since arranging the traditional network with predefined policies becomes complicated and error prone.
Shivaraj Hublikar
KLE Technological University, Hubballi, India, e-mail: shivaraj@bvb.edu
Vijaya Eligar
KLE Technological University, Hubballi, India, e-mail: vijayaeligar@bvb.edu
Arun Kakhandki
KLS's VDRIT, Haliyal, India, e-mail: bvbarun@gmail.com
Recent trends such as machine learning, artificial intelligence, cyber security, the internet of things (IoT) and mobile traffic generate heavy traffic which cannot be managed by the traditional network. SDN manages the overall network programmatically. SDN is very different from traditional networks: it provides entire central control over the network by separating the control-plane from the data-plane, as shown in Fig. 1.
Fig. 1 Traditional network and SDN [11]
SDN manages the network by centrally controlling the devices, which greatly improves network utilization and management. This network has a data-plane within the device for forwarding data, whereas the control-plane is placed in a separate device called the controller, which handles the information. SDN is categorized into three parts: controllers, Southbound Application Program Interfaces (APIs) and Northbound APIs. The controller, the programmable central system, controls the entire network and holds the information on all the resources (such as switches and routers) connected to this network. Switches and routers are the devices which require Southbound APIs as the medium for the controllers to transfer the data packets. OpenFlow is the standard protocol used in Southbound APIs. SDN uses Northbound APIs, through which network administrators manage the monitored traffic and communicate with applications, as shown in Fig. 2.
Fig. 2 SDN Controller
1.1 OpenFlow
OpenFlow is a standard protocol that provides communication and an interface between the control-plane and the data-plane in SDN. Data packets are transferred between devices which have to maintain traffic routing flows, and these flows are managed by the OpenFlow protocol. Each SDN device needs to maintain a set of Flow-tables that is controlled by the OpenFlow switch. Incoming packets are handled by the switch according to the Flow-table rules installed by the control-plane, which also maintains the communication channel [1]. Fig. 3 presents the logical structure of an OpenFlow switch. When an incoming packet does not match any existing flow rule in the Flow-tables (a table miss), the forwarding plane sends it to the controller, which reduces the available bandwidth and memory. The limited communication bandwidth between the control- and data-planes could be a bottleneck for the whole network and lead to security problems. Today's commercial OpenFlow switches only support a cable connection to the controller. The practical connection bandwidth has been tested to be less than 10 Mbps.
Fig. 3 Open Switch Architecture
Research in SDN and DoS attacks is predominantly focused on detection of the attack. In July 2001 the internet infrastructure was hit worldwide by the DoS attack worms named Code Red and NIMDA. Network scanning was used by the Code Red worm to attack the network at a rapid propagation rate, detecting and exploiting Internet Information Server (IIS) automatically. This DoS attack consumed huge bandwidth and affected a lot of network devices. The attack was complex, since it came from various source IP addresses, for which packet analysis was a big task. In order to mitigate or limit the damage to network resources, content filtering of some type was performed.
In [2] the authors propose a mechanism that avoids the overloading of switch TCAMs along with the controller and control channel bandwidth, and a solution called SLICOTS, which mitigates a type of flooding attack, TCP SYN flooding, in SDN. It is built on top of the controller in order to monitor the network traffic related to TCP requests.
This paper is organized as follows. Section 2 discusses DoS attacks on SDN. Section 3 presents the DoS detection method based on the sFlow tool. Section 4 demonstrates the method to detect DoS attacks. The simulation results and discussion are presented in Section 5, followed by the conclusion in Section 6.
2 DoS Attack
A DoS attack causes a serious impact on the computing system. DoS attacks deny services to valid users by completely consuming the target's resources. DoS attacks are usually initiated by an individual or a group of individuals exploiting aspects of the Internet Protocol to deny other users legitimate access to systems and information. The hosts behind a router are disconnected if the router stops forwarding packets. Recent targets of these attacks are web servers, mail servers and other services [6].
In [9] the authors explain SDN-aimed DoS attacks (data-to-control-plane saturation attacks). The attacker first sends packets that do not match any entry in the Flow-tables, generating table-miss packets with some or all fields chosen so that they match no existing flow rule on the target switch, as shown in Fig. 4. Then the attacker launches the DoS attack on the SDN network by flooding it with a large number of table-miss packets. These table-miss packets trigger massive numbers of packet-in messages from the switch to the controller, and consume their communication bandwidth, CPU computation and memory in both the control- and data-planes [2].
Fig. 4 DoS Attack
DoS attacks can be of various types:
• Destructive: attacks which destroy the device to prevent the proper operation of a function, such as deleting or changing properties, information or the power supply.
• Resource consumption: attacks which try to reduce the ability of the device to perform effectively by opening many simultaneous connections to a single device.
• Bandwidth consumption: attacks which attempt to affect the bandwidth capacity of the network device.
This paper concentrates on the bandwidth attack, which is detected using the sFlow tool. When a DoS attack is detected, sFlow generates flow rules by analyzing samples of packets collected from the network traffic, and these rules are sent to the controller. In this work, security services are developed to protect networks against different types of network attacks on behalf of third parties such as servers. A DoS attacker attacks the network by sending enormous flooding traffic to a server in a short time, increasing the flow so that the server gets disconnected.
3 sFlow
sFlow helps to monitor the network, develops various ways of handling the traffic flows, and improves the performance of a network consisting of switches and routers. sFlow [12] is an open-source sampling tool for measuring traffic which is compatible with OpenFlow networks. It consists of sFlow agents and a collector. The sFlow agent captures traffic statistics from the device under observation using sampling technology. sFlow datagrams immediately forward the sampled traffic statistics to an sFlow collector for analysis. The main tasks of the two modules are listed below.
1. sFlow Collector: a server where sFlow datagrams are collected and stored.
2. sFlow Analyzer: provides a real-time overview of the network traffic flow by analyzing the received datagrams for irregularities in the network parameters and detailed information. sFlow agents send a continuous stream of sFlow samples to the collector, where they are analyzed to supply a real-time, network-wide view of traffic flows.
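The agent/collector/analyzer pipeline just described can be illustrated with a small simulation. The following Python code is an added example, not the paper's code or sFlow's own implementation: it emulates an agent that exports one packet in N, a collector that scales each sample by the sampling rate to estimate per-flow bytes, and an analyzer that raises an event when a flow's estimated rate reaches a fraction of the 10 Mbit/s link. The hosts, addresses, packet counts and the fixed-stride sampling are constructed for the example (real agents sample at random with probability 1/N).

```python
"""Added illustration (not the paper's code) of the sFlow sampling pipeline:
agent exports one packet in N, collector scales samples by the sampling rate to
estimate per-flow bytes, analyzer flags flows above a fraction of link capacity.
All hosts, addresses and packet counts are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One sFlow flow sample as the collector sees it (simplified record)."""
    agent: str          # exporting switch, e.g. "s1" (constructed id)
    sampling_rate: int  # the agent exported one packet out of this many
    src: str
    dst: str
    length: int         # size in bytes of the sampled packet


def agent_sample(agent, packets, sampling_rate):
    """Emulate an sFlow agent on a switch: export every Nth forwarded packet.
    Real agents pick packets at random with probability 1/N; a fixed stride is
    used here so the result is deterministic."""
    return [Sample(agent, sampling_rate, src, dst, length)
            for i, (src, dst, length) in enumerate(packets)
            if i % sampling_rate == 0]


def estimate_flow_bytes(samples):
    """Collector side: scale each sampled packet by its sampling rate and sum
    per (source, destination) pair. This recovers the true byte count for a
    large flow; a small flow is over- or under-estimated, as the legitimate
    flow in the constructed data shows (3200 true bytes, 6400 estimated)."""
    estimate = defaultdict(int)
    for s in samples:
        estimate[(s.src, s.dst)] += s.length * s.sampling_rate
    return dict(estimate)


def detect_bandwidth_flooding(samples, window_seconds, link_bps, fraction=0.8):
    """Analyzer side: flag every pair whose estimated rate over the window
    reaches `fraction` of the link capacity. Returns (src, dst, bit/s) tuples,
    heaviest first; src is the suspected attacker, dst the suspected victim."""
    events = []
    for (src, dst), nbytes in estimate_flow_bytes(samples).items():
        bps = nbytes * 8 / window_seconds
        if bps >= fraction * link_bps:
            events.append((src, dst, bps))
    return sorted(events, key=lambda e: e[2], reverse=True)


# Constructed one-second window on a 10 Mbit/s link: h1 floods h2 with 700
# full-size packets, then h3 sends h4 a small legitimate exchange of 50 packets.
LINK_BPS = 10_000_000
PACKETS = ([("10.0.0.1", "10.0.0.2", 1500)] * 700
           + [("10.0.0.3", "10.0.0.4", 64)] * 50)


def run_example(sampling_rate=100):
    """Push the constructed packets through agent, collector and analyzer."""
    samples = agent_sample("s1", PACKETS, sampling_rate)
    return (estimate_flow_bytes(samples),
            detect_bandwidth_flooding(samples, 1.0, LINK_BPS))


if __name__ == "__main__":
    estimates, events = run_example()
    for (src, dst), nbytes in estimates.items():
        print(f"{src} -> {dst}: ~{nbytes} bytes estimated in the window")
    for src, dst, bps in events:
        print(f"flood: {src} -> {dst} at {bps / 1e6:.2f} Mbit/s")
```

With a 1-in-100 sampling rate the flood is estimated at 8.4 Mbit/s and is reported, while the 50-packet exchange is estimated at only 51 kbit/s even though its byte count is doubled by sampling error; this is why thresholds for bandwidth-consumption attacks are set against a sizeable fraction of link capacity rather than against small absolute counts.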
3.1 Integration of Mininet and sFlow
Network simulators play an important role in evaluating network topologies of different types on a small scale. Many network simulators, such as Mininet, GNS3 and EsiNet, are available. Mininet, an open-source network simulator, is used here to generate traffic and analyze its flow.
Mininet [8] is an open-source network emulator with a Command Line Interface (CLI), and it supports the use of analysis tools such as sFlow, NetFlow and RMON. Mininet creates virtual switches, hosts, links and controllers on a single Linux kernel with a single command. Custom topologies are created using Mininet. It simulates a real machine and can create different hosts. The limitation of Mininet is that it does not have an OpenFlow controller and it runs on slower links (10 or 100 Mbps).
According to [7], these simulators provide a platform to set up a network topology that replicates the real-world environment for the analysis and detection of attacks using Mininet and sFlow. The analysis is done in a number of steps in the tool, which are listed here.
1. Start.sh runs the shell script that starts the sFlow application.
2. In another window the Mininet topology is executed. The ping command is run to check the connectivity between the hosts of the created topology. A zero percent packet drop indicates complete connectivity between the hosts.
3. The sFlow trend GUI is accessed on the local host at http://localhost:8008.
4. The Mininet dashboard with sFlow-RT detection of elephant flows is reached at http://localhost:8008/app/mininet-dashboard/html/. It provides a way to run an SDN controller along with it.
4 Implementation
In this section the implementation of the network is discussed. Initially sFlow-RT is started to receive a continuous flow of data sent from the network devices, which is converted into metrics. As soon as the flow reaches a certain predefined metric level it is sent to an analyzer. Next, using the Mininet command, a topology is built with link bandwidths of 10 Mbps. Finally, the output is the link between two hosts.
In order to make it easier to get started, the latest release of sFlow-RT includes a Mininet helper script, sflow.py, that automates the sFlow configuration. The following example shows how to use the script and build a simple application in Python.
The various steps to detect the flows in a Mininet topology created in a Linux environment using sFlow-RT are listed here and shown in Fig. 5.
1. sFlow-RT: sFlow-RT is an open-source tool that has an embedded OpenFlow controller, allowing monitoring of, and flow insertion into, OpenFlow-capable switches. It analyzes certain events of interest, raises triggers and applies traffic handling rules through a particular controller. In order to analyze sFlow-RT flows and react to traffic changes, it has to be configured to work together with the existing network.
Fig. 5 Starting sFlow
2. Creating the Mininet topology: in a second terminal, add the --custom argument to the Mininet command line. The following command builds a depth-2 tree topology with link bandwidths of 10 Mbit/s.
   cd sflow-rt
   sudo mn --custom extras/sflow.py --link tc,bw=10 --topo tree,depth=2,fanout=2
The response of the tool after creating the topology is shown in Fig. 6. The sflow.py script extends Mininet, automatically enabling sFlow on each of the switches in the topology, and posting a JSON representation of the Mininet topology to sFlow-RT.
Fig. 6 Creating Topology
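The "simple application in Python" that the section refers to can be built on sFlow-RT's REST interface. The code below is an added example, not the paper's code or sFlow-RT's own: it defines a byte-counting flow keyed on the IP source/destination pair, sets a threshold at a fraction of the 10 Mbit/s Mininet link, and polls the resulting events to name the suspected attacker and victim. The endpoint paths (/flow/{name}/json, /threshold/{name}/json, /events/json), the threshold fields and the event fields used (eventID, flowKey, agent, value) follow sFlow-RT's documented REST API as used in [7]; they are assumptions here and should be checked against the installed sFlow-RT version. The sample event records are constructed.

```python
"""Added example (not the paper's or sFlow-RT's own code): configure sFlow-RT
over its REST API to flag bandwidth-consuming IP pairs and poll the events.
Endpoint paths and JSON field names follow sFlow-RT's documented API as used
in the referenced blog post; treat them as assumptions to verify."""
import json
import urllib.request

SFLOW_RT = "http://localhost:8008"  # sFlow-RT default port, as used in the paper
LINK_BPS = 10_000_000               # the Mininet links were built with bw=10


def flow_definition():
    """Flow keyed on (source IP, destination IP), measured in bytes."""
    return {"keys": "ipsource,ipdestination", "value": "bytes"}


def threshold_definition(link_bps=LINK_BPS, fraction=0.8, metric="pair"):
    """Threshold on the 'pair' flow. A byte-valued flow is compared in bytes
    per second, so convert the bit-rate fraction of the link to bytes/s.
    byFlow=True fires one event per offending flow key; timeout=1 re-arms
    after a second so a sustained flood keeps generating events."""
    return {"metric": metric, "value": int(link_bps * fraction / 8),
            "byFlow": True, "timeout": 1}


def put_json(path, payload):
    """PUT a JSON document to sFlow-RT and return the HTTP status code."""
    req = urllib.request.Request(
        SFLOW_RT + path, data=json.dumps(payload).encode("utf-8"),
        method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def events_url(threshold_id, event_id=-1, max_events=10, timeout=60):
    """Long-poll URL returning events newer than event_id for one threshold."""
    return (f"{SFLOW_RT}/events/json?thresholdID={threshold_id}"
            f"&maxEvents={max_events}&timeout={timeout}&eventID={event_id}")


def summarize_events(events):
    """Turn event records into (attacker, victim, bytes_per_second, agent).
    flowKey is the comma-joined flow keys, here "ipsource,ipdestination",
    so the first element is the suspected attacker and the second the victim."""
    out = []
    for e in events:
        src, dst = e["flowKey"].split(",")
        out.append((src, dst, float(e["value"]), e["agent"]))
    return out


# Constructed event record in the shape sFlow-RT returns (assumption); the
# value is the measured bytes/s of the pair flow that crossed the threshold.
SAMPLE_EVENTS = [
    {"eventID": 12, "thresholdID": "flood", "agent": "127.0.0.1",
     "dataSource": "3", "metric": "pair", "threshold": 1000000,
     "value": 1187500.0, "flowKey": "10.0.0.1,10.0.0.2"},
]


if __name__ == "__main__":
    put_json("/flow/pair/json", flow_definition())
    put_json("/threshold/flood/json", threshold_definition())
    last_event = -1
    while True:  # each poll blocks for up to `timeout` seconds
        with urllib.request.urlopen(events_url("flood", last_event)) as resp:
            events = json.load(resp)
        if not events:
            continue
        last_event = events[0]["eventID"]  # newest event is listed first
        for src, dst, bytes_ps, agent in summarize_events(reversed(events)):
            print(f"agent {agent}: {src} -> {dst} at {bytes_ps * 8 / 1e6:.2f} Mbit/s")
```

Run the script after sFlow-RT and the Mininet topology are up; the threshold of 1,000,000 bytes/s corresponds to 80% of the 10 Mbit/s link, so a ping flood from h1 to h2 produces an event naming 10.0.0.1 as the source and 10.0.0.2 as the destination, which is the attacker/victim identification the paper reports from the sFlow-RT dashboard.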
5 Results and Discussion
When the network is simulated without any attack, the bandwidth between the two hosts is maintained at 9.63 Mbps. When a DoS attack is initiated on the network, the bandwidth falls to 30 kbps. The bandwidth has dropped from Mbits to kbits because the DoS attack has raised the data rate on the link, which results in decreased system performance. The GUI output of the DoS detection is shown in Fig. 7. Here sFlow is initiated on the local host to detect the DoS attack when host h1 pings h2. As more packets are sent, the DoS attack is detected.
6 Conclusion
The DoS attack was carried out by acquiring the network bandwidth and disrupting the services of the server, abruptly increasing the traffic and making the server unavailable to other users. The DoS attack was detected using the sFlow tool. In case of any attack, sFlow collects sample packets from the network traffic, analyzes suspicious behaviour and creates handling rules which are then sent to the controller. The DoS attack was implemented by emulating a typical network in Mininet and integrating it with the sFlow analyzer. The results indicate efficient identification of DoS attacks using sFlow.
Fig. 7 DoS attack detected
References
1. Ambrosin, M., Conti, M., De Gaspari, F., Poovendran, R.: LineSwitch: Tackling control plane saturation attacks in software-defined networking. IEEE/ACM Transactions on Networking (TON) 25(2), 1206–1219 (2017)
2. Dridi, L., Zhani, M.F.: A holistic approach to mitigating DoS attacks in SDN networks. International Journal of Network Management 28(1), e1996 (2018)
3. Jyothirmai, P., Raj, J.S., Smys, S.: Secured self organizing network architecture in wireless personal networks. Wireless Personal Communications 96(4), 5603–5620 (2017)
4. Nugraha, M., Paramita, I., Musa, A., Choi, D., Cho, B.: Utilizing OpenFlow and sFlow to detect and mitigate SYN flooding attack. 17(8), 988–994 (2014)
5. Ombase, P.M., Kulkarni, N.P., Bagade, S.T., Mhaisgawali, A.V.: Survey on DoS attack challenges in software defined networking
6. Othman, R.A.R.: Understanding the various types of denial of service attack. Business Week Online (2000)
7. Peter: Mininet flow analytics. https://blog.sflow.com/2016/05/mininet-flow-analytics.html. Accessed: 2019-01-10
8. Scarlato, M.: Network monitoring in software defined networking
9. Shang, G., Zhe, P., Bin, X., Aiqun, H., Kui, R.: FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. In: INFOCOM 2017 - IEEE Conference on Computer Communications, pp. 1–9. IEEE (2017)
10. Sridhar, S., Smys, S.: A hybrid multilevel authentication scheme for private cloud environment. In: Intelligent Systems and Control (ISCO), 2016 10th International Conference on, pp. 1–5. IEEE (2016)
11. Stallings, W.: Foundations of modern networking: SDN, NFV, QoE, IoT, and Cloud. Addison-Wesley Professional (2015)
12. Swapna, A.I., Reza, M.R.H., Aion, M.K.: Security analysis of software defined wireless network monitoring with sFlow and FlowVisor. In: Communication and Electronics Systems (ICCES), International Conference on, pp. 1–7. IEEE (2016)