An SDN-based Approach For Defending Against Reflective DDoS Attacks

Distributed Reflective Denial of Service (DRDoS) attacks are an immanent threat to Internet services. The potential scale of such attacks became apparent in March 2018 when a memcached-based attack peaked at 1.7 Tbps. Novel services built upon UDP increase the need for automated mitigation mechanisms that react to attacks without prior knowledge of the actual application protocols used. With the flexibility that software-defined networks offer, we developed a new approach for defending against DRDoS attacks; it not only protects against arbitrary DRDoS attacks but is also transparent for the attack target and can be used without assistance of the target host operator. The approach provides a robust mitigation system which is protocol-agnostic and effective in the defense against DRDoS attacks

SDN-Assisted Network-Based Mitigation of Slow HTTP Attacks

SDN-Assisted Network-Based Mitigation of Slow HTTP Attack

Edge computing infrastructure for 5G networks: a placement optimization solution

This thesis focuses on how to optimize the placement of the Edge Computing infrastructure for upcoming 5G networks. To this aim, the core contributions of this research are twofold: 1) a novel heuristic called Hybrid Simulated Annealing to tackle the NP-hard nature of the problem and, 2) a framework called EdgeON providing a practical tool for real-life deployment optimization. In more detail, Edge Computing has grown into a key solution to 5G latency, reliability and scalability requirements. By bringing computing, storage and networking resources to the edge of the network, delay-sensitive applications, location-aware systems and upcoming real-time services leverage the benefits of a reduced physical and logical path between the end-user and the data or service host. Nevertheless, the edge node placement problem raises critical concerns regarding deployment and operational expenditures (i.e., mainly due to the number of nodes to be deployed), current backhaul network capabilities and non-technical placement limitations. Common approaches to the placement of edge nodes are based on: Mobile Edge Computing (MEC), where the processing capabilities are deployed at the Radio Access Network nodes and Facility Location Problem variations, where a simplistic cost function is used to determine where to optimally place the infrastructure. However, these methods typically lack the flexibility to be used for edge node placement under the strict technical requirements identified for 5G networks. They fail to place resources at the network edge for 5G ultra-dense networking environments in a network-aware manner. This doctoral thesis focuses on rigorously defining the Edge Node Placement Problem (ENPP) for 5G use cases and proposes a novel framework called EdgeON aiming at reducing the overall expenses when deploying and operating an Edge Computing network, taking into account the usage and characteristics of the in-place backhaul network and the strict requirements of a 5G-EC ecosystem. The developed framework implements several placement and optimization strategies thoroughly assessing its suitability to solve the network-aware ENPP. The core of the framework is an in-house developed heuristic called Hybrid Simulated Annealing (HSA), seeking to address the high complexity of the ENPP while avoiding the non-convergent behavior of other traditional heuristics (i.e., when applied to similar problems). The findings of this work validate our approach to solve the network-aware ENPP, the effectiveness of the heuristic proposed and the overall applicability of EdgeON. Thorough performance evaluations were conducted on the core placement solutions implemented revealing the superiority of HSA when compared to widely used heuristics and common edge placement approaches (i.e., a MEC-based strategy). Furthermore, the practicality of EdgeON was tested through two main case studies placing services and virtual network functions over the previously optimally placed edge nodes. Overall, our proposal is an easy-to-use, effective and fully extensible tool that can be used by operators seeking to optimize the placement of computing, storage and networking infrastructure at the users’ vicinity. Therefore, our main contributions not only set strong foundations towards a cost-effective deployment and operation of an Edge Computing network, but directly impact the feasibility of upcoming 5G services/use cases and the extensive existing research regarding the placement of services and even network service chains at the edge

Tennison: A Distributed SDN Framework for Scalable Network Security

Despite the relative maturity of the Internet, the computer networks of today are still susceptible to attack. The necessary distributed nature of networks for wide area connectivity has traditionally led to high cost and complexity in designing and implementing secure networks. With the introduction of software-defined networks (SDNs) and network functions virtualization, there are opportunities for efficient network threat detection and protection. SDN's global view provides a means of monitoring and defense across the entire network. However, current SDN-based security systems are limited by a centralized framework that introduces significant control plane overhead, leading to the saturation of vital control links. In this paper, we introduce TENNISON, a novel distributed SDN security framework that combines the efficiency of SDN control and monitoring with the resilience and scalability of a distributed system. TENNISON offers effective and proportionate monitoring and remediation, compatibility with widely available networking hardware, support for legacy networks, and a modular and extensible distributed design. We demonstrate the effectiveness and capabilities of the TENNISON framework through the use of four attack scenarios. These highlight multiple levels of monitoring, rapid detection, and remediation, and provide a unique insight into the impact of multiple controllers on network attack detection at scale

Rethinking Software Network Data Planes in the Era of Microservices

L'abstract è presente nell'allegato / the abstract is in the attachmen

4MIDable: Flexible Network Offloading For Security VNFs

The ever-growing volume of network traffic and widening adoption of Internet protocols to underpin common communication processes augments the importance of network security. In order to enforce network security policies, network managers adopt a widening set of middleboxes and network appliances to improve traffic monitoring and processing capabilities. The resource requirements to support network security appliances are constantly increasing, making efficiency of these systems an essential aspect. The move toward Software-Defined Networking and programmable data planes offers a mean to offload traffic processing functionalities to within the network itself. To this end, we present the 4MIDable framework: a platform that facilitates the integration of existing middleboxes and monitoring appliances with an SDN (P4) network infrastructure. We also present P4Protect, a 4MIDable agent that protects the network from control plane DoS attacks with negligible impact on control plane latency, and P4ID (P4-Enhanced Intrusion Detection), a 4MIDable agent that offers stateful processing and feedback to unmodified Intrusion Detection System middleboxes and reduces traffic processing by over 80% without affecting threat detection rates

Enhancing and Protecting Intrusion Detection Systems Using P4-Enabled Data Planes

As computer networks have evolved to form the Internet, there has been an ever-growing attack surface, ready to be exploited by malicious actors. Computer networks are fundamental to daily life, with dependence on them further increasing every single day. The Internet is used to facilitate manufacturing, finance, critical infrastructure and global communication. Networks also serve as a fundamental attack surface, exposing users and devices to malicious actors, internally and externally. The cost of weak security can now prove to be enormous, in terms of material costs, as well as outages to service and production. With the evolution of the uses of computer networks, with networks becoming more pervasive, there has been a need for more flexible and dynamic network management. To this end, the concept of Software-Defined Networking has evolved, taking the historically rigid realm of network management into open specifications and protocols. This paradigm shift from fixed-function to programmable platforms —referred to as softwarisation— has enabled innovation in both the management of networks, and how network devices process traffic. Network hardware can be involved not only in forwarding traffic, but also in actively determining how traffic is forwarded. In this thesis, we explore the intersection of programmable control with pro- grammable hardware. We examine how we can not only leverage existing technologies, but combine them to harness the benefits of distinct approaches. Building on this concept, we present a framework and prototype implementation to facilitate this combination with existing platforms. With the 4MIDable framework, we demonstrate how we can integrate existing network security appliances into emerging network architectures, disseminating their capability deeper into the network. We also show how programmable network infrastructure can be used to protect the network itself

Advancing SDN from OpenFlow to P4: a survey

Software-defined Networking (SDN) marked the beginning of a new era in the field of networking by decoupling the control and forwarding processes through the OpenFlow protocol. The Next Generation SDN is defined by Open Interfaces and full programmability of the data plane. P4 is a domain-specific language that fulfills these requirements and has known wide adoption over recent years from Academia and Industry. This work is an extensive survey of the P4 language covering domains of application, a detailed overview of the language, and future directions

A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research

With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability.Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2