Exercise 2.2: A switch filtering unexpected TCP Packets - grupogita/ONOSP4-tutorial GitHub Wiki

Introduction

Attack detection is an important task in network security. Attacks range from basic ones such as Denial of Service (DoS), which aim at exhausting the resources of hosts or of the network infrastructure, to more sophisticated ones such as session hijacking, where the attacker tries to take over an ongoing session, or reflection, where the attacker initiates invalid sessions so that a third host (the reflector) sends its rejection traffic to a victim device, overwhelming it with that traffic.

The two latter attacks are usually carried out by abusing the semantics of TCP, that is, by sending unexpected or out-of-context segments to a TCP peer. For example, an attacker could send a SYN packet with a spoofed source address, causing the reflector device to reply with a RST packet towards the victim whose address was spoofed.

In a Software Defined Network (SDN) environment, processing network traffic may require the intervention of the control plane. That is, if a switch does not know how to process a packet (i.e. there is no matching flow entry in its flow table), it can be configured to forward the packet to the controller, which makes a decision and configures the switch by inserting a flow entry so that further packets are processed in the data plane. This mode of operation, called reactive, can itself be exploited to mount a DoS attack against the control plane: if the switch forwards every unknown packet to the controller, a TCP-based attack (for example, a flood of segments that match no flow entry) can saturate the control plane and cause a complete service disruption of the network.

Hence, giving the switch the capability to filter out such undesired TCP packets, so that they are never forwarded to the controller, adds a protection layer both for the network and for the control plane.

In 2013, Shin et al. introduced Avant-Guard [1], an approach that filters potentially invalid TCP packets in the switch so that they are not forwarded to the control plane. The following exercise is partially inspired by Avant-Guard. It implements a filtering mechanism in which the switch forwards only TCP SYN packets to the control plane, so that the controller can install in the switch the flow rules that process the remaining packets of the valid session. When the switch receives a TCP packet that does not belong to a recognized TCP session, it drops the packet and replies with a TCP RST to the originating host. Thus, the switch forwards the packet neither to the control plane nor to the destination host, and both are protected from this threat.

In this exercise you will partially implement the Classification Stage of the Connection Migration functionality of Avant-Guard, described in Section 3.2 of [1]. In particular, you will implement a modified version of the flowchart shown in Figure 3 of the paper. In the current version of this exercise you will not yet implement the generation of a SYN cookie; instead, if the packet is a SYN packet, you will forward it to the controller, so that the controller configures the flow entries that process further packets of this connection. Thus, you will program the switch and you will develop a controller application that performs this task.
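The classification stage described in the two paragraphs above, as an added Python reference model that can be run offline. This is not the tutorial's own sw_gita.p4 or TCPSessionManager.java code; it assumes a flow table keyed by the 4-tuple (src IP, dst IP, src port, dst port), a controller that installs both directions of a session when a SYN is punted to it, and a switch that answers out-of-context segments with a RST built as RFC 793 section 3.4 prescribes. The hosts, ports and sequence numbers in the scenario are constructed for the example.

```python
"""Reference model of the Avant-Guard-style TCP classification stage.

Added example (not the tutorial's P4 or ONOS code): models what the switch
does with each TCP segment and how the controller reacts to a punted SYN.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# TCP control bits (RFC 793).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    seq: int = 0
    ack: int = 0
    payload_len: int = 0

    def key(self) -> Tuple[str, str, int, int]:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)

    def reverse_key(self) -> Tuple[str, str, int, int]:
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port)


def build_rst(pkt: TcpPacket) -> TcpPacket:
    """RST sent back to the originator of an out-of-context segment.

    Sequence numbers follow RFC 793 section 3.4 so the originator accepts
    the reset: if the segment carried ACK, SEQ=SEG.ACK; otherwise SEQ=0 and
    ACK=SEG.SEQ+SEG.LEN (SYN and FIN each count as one octet)."""
    if pkt.flags & ACK:
        seq, ack, flags = pkt.ack, 0, RST
    else:
        seg_len = pkt.payload_len + bool(pkt.flags & SYN) + bool(pkt.flags & FIN)
        seq, ack, flags = 0, (pkt.seq + seg_len) & 0xFFFFFFFF, RST | ACK
    return TcpPacket(pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port,
                     flags, seq=seq, ack=ack)


@dataclass
class Controller:
    """Stand-in for the ONOS application (assumption): it only ever sees
    punted SYNs and installs flow entries for both directions of the session."""
    packet_ins: int = 0

    def on_packet_in(self, switch: "Switch", pkt: TcpPacket) -> None:
        self.packet_ins += 1
        switch.flow_table.add(pkt.key())
        switch.flow_table.add(pkt.reverse_key())


@dataclass
class Switch:
    controller: Controller
    flow_table: set = field(default_factory=set)

    def classify(self, pkt: TcpPacket) -> Tuple[str, Optional[TcpPacket]]:
        """Returns (action, reply); reply is the RST to emit, if any."""
        # 1. A pure SYN opens a session: punt it, the controller installs rules.
        if (pkt.flags & (SYN | ACK | RST | FIN)) == SYN:
            self.controller.on_packet_in(self, pkt)
            return ("PUNT_TO_CONTROLLER", None)
        # 2. A segment of a recognized session is forwarded in the data plane.
        if pkt.key() in self.flow_table:
            return ("FORWARD", None)
        # 3. Out-of-context segment: drop it and reset the originator. A stray
        #    RST is dropped silently (RFC 793: never answer a RST with a RST).
        if pkt.flags & RST:
            return ("DROP", None)
        return ("DROP", build_rst(pkt))


def run_scenario() -> Tuple[list, int]:
    """Constructed traffic: a legitimate handshake between h1 and h2, then
    three out-of-context segments from an attacker. Returns the action taken
    for each segment ("+RST" when a reset was emitted) and the number of
    packet-ins the controller had to handle."""
    ctrl = Controller()
    sw = Switch(ctrl)
    h1, h2, atk = "10.0.0.1", "10.0.0.2", "10.0.0.66"
    traffic = [
        TcpPacket(h1, h2, 40000, 80, SYN, seq=1000),                    # handshake
        TcpPacket(h2, h1, 80, 40000, SYN | ACK, seq=5000, ack=1001),
        TcpPacket(h1, h2, 40000, 80, ACK, seq=1001, ack=5001),
        TcpPacket(h1, h2, 40000, 80, ACK, seq=1001, ack=5001, payload_len=100),
        TcpPacket(atk, h1, 443, 40001, SYN | ACK, seq=7, ack=9),         # reflected SYN-ACK
        TcpPacket(atk, h2, 1234, 80, ACK, seq=42, ack=43),              # ACK on no session
        TcpPacket(atk, h2, 1234, 80, RST, seq=43),                      # spoofed RST
    ]
    actions = []
    for p in traffic:
        action, reply = sw.classify(p)
        actions.append(action if reply is None else action + "+RST")
    return actions, ctrl.packet_ins


if __name__ == "__main__":
    acts, punts = run_scenario()
    for a in acts:
        print(a)
    print("controller packet-ins:", punts)
```

Only the first segment of the scenario reaches the controller; the reflected SYN-ACK and the stray ACK are reset at the switch and never reach h1, h2 or the control plane. Note the limit of this version: every pure SYN is still punted, so a SYN flood still lands on the controller; that is what the SYN-cookie generation deferred above addresses.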

Topology

For this exercise, you will work with a very simple topology: two hosts connected to a switch, plus an SDN controller. To implement the TCP filtering functionality described above, you will create this topology in Mininet, program the switch and program the controller application.

Files you will modify

For this exercise, you will program the switch by writing a P4 program, and you will modify the ONOS application that processes TCP sessions. The P4 program is written in the sw_gita.p4 file, and the ONOS application is contained in the TCPSessionManager.java file located in the app subdirectory of the Code directory.

Source code:

Go to the Code directory, follow the instructions in its readme.md file and apply the modifications to the indicated files.

Note: this exercise assumes you have already completed Exercise 2.1. If you have not, take a look at the corresponding readme, especially the ONOS configuration steps you must have carried out before starting.

References

[1] Shin, S., Yegneswaran, V., Porras, P., & Gu, G. (2013, November). Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (pp. 413-424).