Atacando e defendendo redes definidas por software (Attacking and defending software-defined networks)
Main author: | Pascoal, Túlio Albuquerque |
---|---|
Publication date: | 2018 |
Document type: | Dissertation (master's thesis) |
Language: | por |
Source title: | Biblioteca Digital de Teses e Dissertações da UFPB |
Full text: | https://repositorio.ufpb.br/jspui/handle/123456789/13342 |
Abstract: | Software Defined Networks (SDN) facilitate network management by decoupling the data plane, which forwards packets using efficient switches, from the control plane, leaving the decisions on how packets should be forwarded to a (centralized) controller. However, because of the limit on the number of forwarding rules a switch can store in its Ternary Content-Addressable Memory (TCAM), SDN networks have been subject to saturation and TCAM exhaustion attacks, in which the attacker denies service by forcing a target switch to install a great number of rules. An underlying assumption is that these attacks are carried out by sending a high rate of unique packets. This work shows that this assumption is not necessarily true and that SDNs are vulnerable to a novel attack, called the Slow TCAM exhaustion attack (Slow-TCAM), which existing defenses for saturation and TCAM exhaustion attacks are not able to mitigate because of its relatively low traffic rate and its similarity to legitimate clients. This work also proposes a novel defense called SIFT, based on selective strategies, and demonstrates its effectiveness against the Slow-TCAM attack in different scenarios, obtaining availability levels above 92% (worst-case scenario) for legitimate clients when the network is under attack while having low memory and CPU consumption. |
OAI identifier: | oai:repositorio.ufpb.br:123456789/13342 |
---|---|
Author: | Pascoal, Túlio Albuquerque |
Contributors: | Fonseca, Iguatemi Eduardo da (http://lattes.cnpq.br/4519016123693631); Vivek, Nigan |
Subjects: | Software defined networks; Denial of service attacks; Low-rate attacks; Selective defenses; CNPQ::CIENCIAS EXATAS E DA TERRA::CIENCIA DA COMPUTACAO |
Dates: | 2018-02-15; 2019-02-07 |
Type / status: | masterThesis / publishedVersion |
Publisher: | Universidade Federal da Paraíba, Brasil, Informática, Programa de Pós-Graduação em Informática (UFPB) |
Sponsorship: | Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - CAPES |
Rights: | Attribution-NoDerivs 3.0 Brazil (http://creativecommons.org/licenses/by-nd/3.0/br/); open access |
Repository: | Biblioteca Digital de Teses e Dissertações da UFPB - Universidade Federal da Paraíba (UFPB); contact: diretoria@ufpb.br |