1 Denial of Service Mitigation with OpenFlow using SciPass
Hans Addleman, TransPAC Engineer, International Networks
University Information Technology Services, Indiana University
INTERNATIONAL NETWORKS at Indiana University
Supported by the National Science Foundation
2 Goals
- Provide adequate security at 100G network speeds
- Detect Distributed Denial of Service (DDoS) attacks
- Stop the attack inside the Wide Area Network (WAN)
- Do not impede legitimate traffic
3 Intrusion Detection System
- Deep packet inspection
- Look for known traffic patterns and signatures that signal an attack
- Useful for identifying DDoS

There are many intrusion detection systems. They perform deep packet inspection and can trigger on traffic patterns that may signal an attack. The patterns can be set manually or, more usefully, matched against known signatures. Once the IDS identifies bad traffic it can signal another action; typically, at this point some human intervention may be required to put manual blocks in place.
4 SciPass
- Indiana University developed SDN application
- Adaptive IDS cluster load balancing
- Reactive white- and blacklisting
- Web service API for IDS feedback
- Designed primarily for the Science DMZ
5 SciPass Normal Operation
6 SciPass Blacklist Feature
- Can match: source / destination IP, source / destination port, Ethernet type
- SciPass sends OpenFlow rules to the switch
- Flow based: block HTTP traffic from Host A to Host B
- Prefix based: block all traffic to a /32
- Prefix based: block all traffic to or from a /24
- IDS signals bad traffic to SciPass via web services
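As an added illustration (not SciPass's own code), the following Python models the three blacklist rule shapes on this slide as OpenFlow-style drop matches and simulates the switch lookup, so the effect on legitimate versus blacklisted flows can be checked. Field names (dl_type, nw_proto, nw_src, nw_dst, tp_dst) follow OpenFlow 1.0 conventions and the addresses are constructed documentation ranges.

```python
"""Constructed model of the slide's blacklist rule shapes (flow based, /32
prefix, /24 prefix) as OpenFlow-style drop matches, plus a simulated switch
lookup. Illustrative only; this is not SciPass's own code."""
import ipaddress
from dataclasses import dataclass

ETH_IPV4, PROTO_TCP = 0x0800, 6

@dataclass
class DropRule:
    """An OpenFlow match with an empty action list, i.e. drop on match."""
    match: dict

    def matches(self, pkt: dict) -> bool:
        for key, want in self.match.items():
            if key in ("nw_src", "nw_dst"):
                # Prefix fields: the packet address must fall inside the rule's network.
                if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                    return False
            elif pkt.get(key) != want:
                return False
        return True

def flow_block(src: str, dst: str, dport: int) -> DropRule:
    """Flow based: drop TCP traffic from one host to one host and port (e.g. HTTP A->B)."""
    return DropRule({"dl_type": ETH_IPV4, "nw_proto": PROTO_TCP,
                     "nw_src": f"{src}/32", "nw_dst": f"{dst}/32", "tp_dst": dport})

def prefix_block(prefix: str, direction: str) -> list:
    """Prefix based: drop all IPv4 traffic to, from, or to-or-from a prefix.
    strict=True rejects a prefix with host bits set, so a typo cannot
    silently blackhole a wider range than the operator intended."""
    net = ipaddress.ip_network(prefix, strict=True)
    rules = []
    if direction in ("to", "both"):
        rules.append(DropRule({"dl_type": ETH_IPV4, "nw_dst": str(net)}))
    if direction in ("from", "both"):
        rules.append(DropRule({"dl_type": ETH_IPV4, "nw_src": str(net)}))
    return rules

def switch_verdict(table: list, pkt: dict) -> str:
    """Simulate the switch: any matching drop rule drops the packet, else it is forwarded."""
    return "drop" if any(rule.matches(pkt) for rule in table) else "forward"

# Constructed table mirroring the slide's three cases (documentation addresses, not real hosts).
TABLE = [flow_block("192.0.2.10", "192.0.2.20", 80),      # HTTP from A to B
         *prefix_block("203.0.113.7/32", "to"),          # all traffic to a /32
         *prefix_block("198.51.100.0/24", "both")]       # all traffic to or from a /24
```

Only the blacklisted HTTP flow from A to B is dropped; the same hosts' HTTPS traffic is still forwarded, which is the "do not impede legitimate traffic" goal from slide 2.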
7 SciPass Black List Example
8 Path Forward
- Lab deployment: SciPass + Brocade MLXe + IDS (Bro)
- Generate test traffic
- Squash false positives
- Feasibility / scale
- TransPAC4 field deployment in logging mode
- TransPAC4 field deployment in automatic mode
9 Questions / Comments?
http://globalnoc.iu.edu/sdn/scipass.html
Hans Addleman - TransPAC4
NSF IRNC Award: #