Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9)...
Transcript of Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9)...
![Page 1: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/1.jpg)
Denial-of-Service (DoS) Attacks in an SDN Environment
![Page 2: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/2.jpg)
Contents ExperimentTaskDesign:..............................................................................................................................3
Submission:..................................................................................................................................................3
StarttheExperiment...................................................................................................................................3
ConducttheExperiment..............................................................................................................................6
Section1.1:InstallingDependencies......................................................................................................6
Section1.2:InstallingMininet................................................................................................................8
Section1.3:InstallingHping3.................................................................................................................8
Section2:RunningFloodlight.................................................................................................................9
Conclusions................................................................................................................................................15
![Page 3: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/3.jpg)
Experiment Task Design: Inthislab,studentsareabletolaunchaDoSattackontheSDNdataplaneandexplaintheattackconsequences.Thislabprovidesstep-by-stepinstructionstoassiststudentsinsettinguptheprofile,creatingtheexperimentaltopologyandconductingtheDoSattackinthedataplaneofSDN.
Submission: Studentsshouldsubmitscreenshotsofstep1andstep2andexplaineachscreenshotinaparagraph.
Start the Experiment Clickthe“Experiments”buttonontheupper-leftcornerandchoose“StartExperiment”.
![Page 4: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/4.jpg)
Click“ChangeProfile”toselectaproperprofileforthisexperiment.
Inthepage,searchtheprofile“DoSServer”andclickthenametoselectit.ThenClick
“SelectProfile”.
![Page 5: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/5.jpg)
Proceedbyclick“Next”.Beforefinalizetheconfiguration,chooseacluster.E.g.,choose
“Emulab”asthecluster.
Belowistheconfigurationoftheprofileforyourreference.Youmayalsobeableto
createyourownprofilebyfollowingtheinstructionsinLab1.
![Page 6: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/6.jpg)
Conduct the Experiment Section 1.1: Installing Dependencies Thefollowingdependenciesneedtobeinstalledontheinstantiatednode:Floodlight,Mininet,HpingMininethttps://github.com/mininet/mininetFloodlighthttps://github.com/floodlight/floodlight)withitspre-requisiteshping3(Note)TheseinstallationswillnotbesavedwhentheCloudlabExperimenthasbeenterminated.Cloudlaballowsuserstorequestadditionalleasingtimethroughofthe‘Extend’button.
![Page 7: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/7.jpg)
1) Openanewterminal.Clicktheiconandchoose“Shell”
2) Run‘sudoapt-getupdate’3) Run‘sudoapt-getinstalldefault-jdk-y;sudoapt-getinstalldefault-jre-y’toinstalljava.4) Run‘sudoapt-getinstallbuild-essentialmavenantpython-dev’toinstallthepre-
requisitestobeabletobuildFloodlight
5) Run‘gitclonegit://github.com/floodlight/floodlight.git-bv1.2’tocloneFloodlightfromGithub
6) cdintothefloodlightdirectory‘cdfloodlight’
![Page 8: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/8.jpg)
7) Run‘gitsubmoduleupdate’
8) Run‘ant’tobuildFloodlight.
9) Run‘sudomkdir/var/lib/floodlight’
10) Run‘sudochmod777/var/lib/floodlight’toprovideproperLinuxFileexecutionpermissionstobeabletorunFloodlightproperly
Note:Youcandownloadandrunourscript(set_floodlight.sh)toexecutetheabovecommandsautomatically.Run‘wgethttps://people.cs.clemson.edu/~hongdal/set_floodlight.sh.’todownloadthescript.Run‘sudo/bin/shset_floodlight.sh;cdfloodlight’tobuildFloodlight.Section 1.2: Installing Mininet 1) Changedirectorytoyourhomedirectorybyrunning‘cd~’2) Run‘gitclonegit://github.com/mininet/mininet’tocloneMininetfromGithub3) AftercloningMininet,cdintotheMininetdirectory
4) Run‘gittag’tolisttheavailablebranchesofMininet
5) Run‘gitcheckout-b2.2.12.2.1’toinstallMininetversion2.2.16) cdoutoftheMininetdirectoryandinstallMininetbyrunning‘mininet/util/install.sh-a’.
Choose“Yes”ifanoptionisprompted.Note:Youcandownloadandrunourscript(set_mininet.sh)toexecutetheabovecommandsautomatically.Run‘wgethttps://people.cs.clemson.edu/~hongdal/set_mininet.sh.’todownloadthescript.Run‘sudo/bin/shset_mininet.sh’toinstallMininet.Section 1.3: Installing Hping3 1) Run‘sudoapt-getinstallhping3’toinstallHping3
![Page 9: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/9.jpg)
Section 2: Running Floodlight 1) Openanewterminal2) cdintothefloodlightdirectoryshell.
3) Run‘java-jartarget/floodlight.jar’toruntheFloodlightController
![Page 10: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/10.jpg)
4) Openanothernewterminal
5) Run‘sudomn--controller=remote,ip=127.0.0.1,port=6653--switchovsk,
protocols=OpenFlow13’torunaMininetTopologyNote:Thecommandinstep5hasthefollowingparametersandexplanations:-2hostsarecreatedbydefault-The2hostswillbeconnectedviaanOVSbridge(Switch)-TheOVSbridgewillbeconnectedtothecontrollerbasedonthespecifiedIPaddress(127.0.0.1)
![Page 11: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/11.jpg)
6) Run‘pingall’toconfirmthatthehost(s)arereachabletoeachother
7) Openanewterminal8) Run‘sudoovs-ofctldump-flowss1-OOpenFlow13’toprintthecurrentflow-rulesinside
theswitchTask1:Whatcanbeseenafterrunningthiscommand?Takeascreenshot.Thisscreenshotwillbeneededtorefertofurtherobservationswithoutputsinthefuturesteps.
![Page 12: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/12.jpg)
9) OntheMininetterminal,run‘h1hping3h2-c10000-S–flood–rand-source-V’tofloodalotofpacketstoh2.
Everypacketsenttoh2willinvokeanOFPT_PACKET_INwhichwillforwardthefirstincomingpackettothecontroller.Afterreceivingthepacket-inmessage,thecontrollerthensendsanOFPT_FLOW_MODmessagetotheswitchtoinstallanewflow-rule.
10) Onaseparateterminal,checktheflowentriesinswitchS1.
Task2:Whatcanbeseenobservedintheflow-tablenowthathping3isrunning?Anynoticeabledifferencesinoutput?
![Page 13: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/13.jpg)
11) OntheMininetterminal,stophping3byusingctrl+C.12) Pingh1fromh2.Whatcanbeobservedonhere?
![Page 14: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/14.jpg)
13) Wait2–3minsandrepeatthepreviousstep
14) Onanemptyterminal,checktheflow-tablerulesofOVSSwitchS1
![Page 15: Denial-of-Service (DoS) Attacks in an SDN Environmenthongxih/teaching/2020spring/Labs/DOS.pdf · 9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S –flood –rand-source](https://reader030.fdocuments.us/reader030/viewer/2022040401/5e7b0e9c34f36f37e45c3d7f/html5/thumbnails/15.jpg)
Conclusions WhentheflowtableofOVSswitchesisfull,anyadditionalflow-ruleinstallationwillbefailedduetoinsufficientspaceintheflowtable.Aswitchthatcannotinstallaflow-entrywillsendanOFPT_ERRORmessagetothecontrolleralongwithOFPFMFC_TABLE_FULL.Theswitchthendropsthepacketsinceitisunabletoreceiveinstructionstoinstallaflow-entryduetotheresourceexhaustion.ThisisaDoSattackinthedataplaneofSDN.