TOWARDS LOAD BALANCING IN SDN NETWORKS DURING DDOS ATTACKS - MIKHAIL BELYAEV SVETLANA GAIVORONSKI
Towards Load Balancing in SDN Networks During DDoS Attacks. Mikhail Belyaev (St. Petersburg Polytechnic University), Svetlana Gaivoronski (Moscow State University, ARCCN)
DDoS attacks • DDoS attack – a distributed attack causing denial of service of the victim system. • For a lot of scary numbers, visit arbornetworks.com
DDoS mitigation • Mitigation techniques: – “active mitigation”: detection and filtering of attacking machines; – “survival mitigation”: effective load balancing.
Existing Solutions • Static load balancing uses a priori information about the system state: – Random selection – Hash selection – (Weighted) round-robin • Dynamic load balancing distributes load between servers at runtime: – Round-robin – Many more sophisticated algorithms
SDN load balancing problems • Existing solutions do not consider the properties of incoming traffic • Experiments show that they are not effective during a DDoS attack
Proposed Approach: Idea • Two independent levels of load balancing: – L7 load balancing (DNS/NAT) – L4 load balancing (figure: local network)
Algorithm 1. Acquire the load and topology information for the network; 2. Override the routing for the network with static routing information; 3. Iteratively keep splitting (and reapplying) traffic paths for routers that are (a) overloaded and (b) have alternate routes available.
Pre-phases • Phase 1: – Needs to be executed before the need for load balancing arises – Updates the network load mask $M_{load}$, where the element $\omega_{ij}$ is the number of bytes coming from $i$ to $j$ • Phase 2: – Applied only once, to override the default packet routing mechanisms – Performed by running the Bellman-Ford algorithm on the whole network topology graph
Iterative phase (1/3) 1. Update $M_{load}$ and $M_{free}$ with current info. 2. Find the first overloaded link $\omega_{ij}$ in $M_{load}$: $\omega_{ij} + \epsilon > \alpha_{ij}$. 3. Find the first path $r_q$ in $T_{path}$ that contains link $(i, j)$, where $T_{path} : \{ips_{src},\ ip_i,\ path\}$.
Iterative phase (2/3) 4. For the $ip_i$ part of $r_q$, find a new shortest path to server $i$, assuming that link $(i, j)$ is not present. Call the new path $path_q$. 5. Calculate the maximum additional load for $path_q$ by looking up every link of the path in $M_{free}$: $al = \min(m_{ij} : (i, j) \in path_q)$.
Iterative phase (3/3) 6. Calculate the new sets of masks $ips_{old}$ and $ips_{new}$, giving the entries $\{ips_{old},\ ip_i,\ path\}$ and $\{ips_{new},\ ip_i,\ path_q\}$, such that they divide $ips_{src}$ into pairs with coefficient $al/\omega_{ij}$. Remove the corresponding entry from $T_{path}$ and insert the new ones. 7. Commit the changes in $T_{path}$ to all switches across $path$ and $path_q$. 8. Wait for the timeframe and go to step 1.
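As an added illustration (not code from the CALLOPHRYS project), here is a small Python simulation of steps 2 to 6 of the iterative phase on a constructed four-switch topology. Assumptions: the switch names s0/s1/s2/srv, the load values and the prefixes are constructed; a hop-count BFS stands in for the Bellman-Ford shortest path; $ips_{src}$ is modelled as a list of source prefixes that is split in proportion to $al/\omega_{ij}$.

```python
from collections import deque

# Constructed toy topology (hypothetical switch names): link (i, j) -> bandwidth alpha_ij
ALPHA = {("s0", "s1"): 100, ("s1", "srv"): 100, ("s0", "s2"): 100, ("s2", "srv"): 100}
# Constructed M_load sample: link -> current load omega_ij (links not listed carry 0)
LOAD = {("s0", "s1"): 98, ("s1", "srv"): 98, ("s0", "s2"): 60, ("s2", "srv"): 51}
# Constructed T_path: (ips_src prefixes, ip_i of the destination server, path)
TPATH = [(["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"], "srv", ["s0", "s1", "srv"])]
EPS = 5  # epsilon margin in the overload test omega_ij + eps > alpha_ij

def links(path):
    return list(zip(path, path[1:]))

def shortest_path(alpha, src, dst, banned):
    """Step 4: hop-count shortest path that avoids link `banned` (BFS stands in for Bellman-Ford)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for a, b in alpha:
            if a == u and (a, b) != banned and b not in prev:
                prev[b] = u
                queue.append(b)
    return None

def balance_step(load, alpha, tpath, eps=EPS):
    """Steps 2-6 once: returns (new_tpath, (link, new_path, al)) or (tpath, None)."""
    # Step 2: first overloaded link in M_load
    link = next((l for l, a in alpha.items() if load.get(l, 0) + eps > a), None)
    # Step 3: first T_path entry whose path contains that link
    idx = next((k for k, e in enumerate(tpath) if link and link in links(e[2])), None)
    if idx is None:
        return tpath, None
    ips_src, ip_i, path = tpath[idx]
    new_path = shortest_path(alpha, path[0], path[-1], banned=link)
    if new_path is None:
        return tpath, None
    # Step 5: al = min free capacity m_ij = alpha_ij - omega_ij over the links of the new path
    al = min(alpha[l] - load.get(l, 0) for l in links(new_path))
    # Step 6: split ips_src into ips_old / ips_new with coefficient al / omega_ij
    n_new = int(len(ips_src) * min(1.0, al / load[link]))
    ips_new, ips_old = ips_src[:n_new], ips_src[n_new:]
    entries = [(ips_old, ip_i, path), (ips_new, ip_i, new_path)]
    return tpath[:idx] + entries + tpath[idx + 1:], (link, new_path, al)
```

Steps 7 and 8 (pushing the two entries as flow rules to the switches on both paths and re-running after the timeframe) are the controller's job and are left out here.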
Implementation CALLOPHRYS DDoS attack detection and mitigation system: • Distributed • Asynchronous • Based on the actor model (figure: Agent, Manager, SDN Controller)
Implementation The asynchronous context implies: • All parts of the balancer are separate asynchronous agents • The loop is created using timed messages sent to the balancer • The rest of the algorithm doesn't change much
Evaluation CALLOPHRYS has been tested using a virtual network setup: • Mininet – simulated low-spec and slowed-down network • Floodlight • Iperf for attack simulation – combined TCP/UDP mode
Evaluation: results • Load balancing was evaluated separately from the detectors • Reaching full link & switch employment in 10-60 seconds • Up to 3000 rules generated for critical-path switches
Limitations & Future Work • Stale rules in switches may degrade network performance over time • We do not employ any asynchronous features of the actor-based solution • Algorithm parameters are deduced from hand-made experiments. We need a real benchmark and evaluation on physical networks!
Mikhail Belyaev: belyaev@kspt.icc.spbstu.ru Svetlana Gaivoronski: s.gaivoronski@gmail.com YOUR QUESTIONS?
Notations • $(i, j)$ – channel between switches $i$ and $j$; • $\alpha_{ij}$ – bandwidth of channel $(i, j)$; • $\omega_{ij}$ – current channel load; • the channel is overloaded if $\omega_{ij} + \epsilon > \alpha_{ij}$; • 1, …, K – destination servers; • $M_{load}$ – load matrix $N \times N$ containing the current load values $\omega_{ij}$; • $M_{free}$ – matrix of available resources $\alpha_{ij} - \omega_{ij}$