
PhD Defense: Abir Laraba (Resist)

11 October 2022 @ 14:00 - 17:00

Abir Laraba will defend her thesis on Tuesday, 11 October at 2 pm in room A008.

Her thesis is entitled “Protocol Abuse Mitigation In SDN Programmable Data Planes”.

Abstract:
The emergence of the Software-Defined Networking (SDN) paradigm has enabled new network monitoring schemes thanks to network programmability. The original purpose of SDN is to centralize network intelligence in the control plane with a stateless data plane (i.e., the network elements, the switches). As a result, network monitoring functions require the help of the remote controller or an extension of existing data plane protocols. In recent years, efforts have been made to make the data plane more programmable and stateful, permitting the deployment of customized functions and offloading many applications to network elements (e.g., forwarding devices). For example, data plane programmability can be enabled by the P4 language, which defines how packets are processed in a switch pipeline and supports stateful packet processing. However, P4 does not provide intuitive stateful abstractions to model behavioral attacks. Therefore, the general abstractions used to model and track complex, stateful behavior in the data plane need to be rethought. To exploit the opportunities offered by a programmable data plane, including stateful and real-time packet processing, we need models that are simple enough to be deployed on a programmable switch using the existing primitives, which remain limited, and at the same time capable of capturing complex behavior.
Meanwhile, attackers exploit vulnerabilities in protocols used in the core of the Internet, such as TCP and DNS. However, the solutions proposed to detect these attacks require modifying the protocol implementation at the end hosts or have a negative impact on benign flows. Patching at the scale of the Internet would therefore take a long time to deploy, as in the case of DNSSEC. In this thesis, we address these shortcomings by designing a security function (i.e., an attack mitigation approach) that can be deployed in an SDN programmable data plane. We propose an abstraction based on an Extended Finite State Machine (EFSM) to model attack behavior. To detect sophisticated attacks such as multi-step attacks, we extend it with a Petri net to synchronize the detection of a set of attack steps. We show how these models can be mapped to P4 primitives so that an attack can be detected and reacted to within the network. We present three attacks from Layer 3, Layer 4, and Layer 7 of the OSI model, namely the ECN protocol abuse, the Optimistic ACK attack, and the recent DNS multi-step cache poisoning attack. Our approach does not require modifying the protocol implementation at the end hosts. Moreover, our solution leverages programmable data planes, enabling flow tracking and reaction against attacks in real time within the network.
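To make the EFSM idea in the abstract concrete, here is an added example (not code from the thesis, and not its P4 mapping) that simulates in Python how a per-flow EFSM for the Optimistic ACK attack could live in a switch's register array: one slot per flow hash holds the control state plus the data variables (the highest sequence number each side has put on the wire and a violation counter), each packet fires one transition, and the action returned is what the data plane would do with the packet. The state names, the violation threshold, the endpoints and the packet traces are all assumptions constructed for illustration.

```python
import zlib
from dataclasses import dataclass, field
from typing import List

INIT, TRACKING, ATTACK = 0, 1, 2   # EFSM control states (assumed for this example)
THRESHOLD = 3      # assumed: optimistic ACKs tolerated before the flow is blocked
N_SLOTS = 1024     # size of the P4-style register array


@dataclass(frozen=True)
class Pkt:
    """Constructed packet record holding only the header fields the EFSM inspects."""
    src: str            # "ip:port"
    dst: str
    seq: int
    ack: int
    payload_len: int
    syn: bool = False
    fin: bool = False


@dataclass
class FlowCtx:
    """One register slot: the control state plus the EFSM's data variables."""
    state: int = INIT
    seq_end: List[int] = field(default_factory=lambda: [0, 0])  # highest seq+len sent, per direction
    violations: int = 0


class OptAckEfsm:
    def __init__(self) -> None:
        self.regs = [FlowCtx() for _ in range(N_SLOTS)]

    @staticmethod
    def slot(a: str, b: str) -> int:
        # Direction-agnostic key so both halves of a connection share one slot;
        # CRC32 stands in for the switch's hash extern (collisions are not handled here).
        return zlib.crc32("|".join(sorted((a, b))).encode()) % N_SLOTS

    @staticmethod
    def direction(p: Pkt) -> int:
        return 0 if p.src < p.dst else 1

    def process(self, p: Pkt) -> str:
        """Run one EFSM transition and return the data-plane action: 'forward' or 'drop'."""
        ctx = self.regs[self.slot(p.src, p.dst)]
        d = self.direction(p)
        if ctx.state == ATTACK:
            return "drop"                       # reaction: keep blocking the offending flow
        if p.syn:
            if ctx.state == INIT:               # first SYN of a connection: initialise the slot
                ctx.violations, ctx.seq_end = 0, [0, 0]
                ctx.state = TRACKING
            ctx.seq_end[d] = max(ctx.seq_end[d], p.seq + 1)   # a SYN consumes one sequence number
            return "forward"
        if ctx.state == INIT:
            return "forward"                    # mid-stream flow: no baseline to compare against
        # TRACKING: record what this endpoint has put on the wire ...
        ctx.seq_end[d] = max(ctx.seq_end[d], p.seq + p.payload_len + (1 if p.fin else 0))
        # ... then check what it claims to have received from its peer. An ACK beyond
        # anything the peer has sent is optimistic. (32-bit wraparound ignored for brevity.)
        if p.ack > ctx.seq_end[1 - d]:
            ctx.violations += 1
            if ctx.violations >= THRESHOLD:
                ctx.state = ATTACK
                return "drop"
        return "forward"


# Constructed endpoints and traces (not captured traffic).
CLIENT, SERVER = "10.0.0.2:40000", "10.0.0.1:80"


def handshake() -> List[Pkt]:
    return [
        Pkt(CLIENT, SERVER, seq=1000, ack=0, payload_len=0, syn=True),
        Pkt(SERVER, CLIENT, seq=5000, ack=1001, payload_len=0, syn=True),
        Pkt(CLIENT, SERVER, seq=1001, ack=5001, payload_len=0),
    ]


def benign_trace() -> List[Pkt]:
    # Two 1460-byte segments, then an ACK for exactly what was sent.
    return handshake() + [
        Pkt(SERVER, CLIENT, seq=5001, ack=1001, payload_len=1460),
        Pkt(SERVER, CLIENT, seq=6461, ack=1001, payload_len=1460),
        Pkt(CLIENT, SERVER, seq=1001, ack=7921, payload_len=0),
    ]


def optimistic_ack_trace() -> List[Pkt]:
    # One segment is on the wire, yet the client acknowledges three it cannot have received.
    return handshake() + [
        Pkt(SERVER, CLIENT, seq=5001, ack=1001, payload_len=1460),
        Pkt(CLIENT, SERVER, seq=1001, ack=7921, payload_len=0),
        Pkt(CLIENT, SERVER, seq=1001, ack=9381, payload_len=0),
        Pkt(CLIENT, SERVER, seq=1001, ack=10841, payload_len=0),
        Pkt(SERVER, CLIENT, seq=6461, ack=1001, payload_len=1460),
    ]


def run(trace: List[Pkt]) -> List[str]:
    efsm = OptAckEfsm()
    return [efsm.process(p) for p in trace]


if __name__ == "__main__":
    print("benign:", run(benign_trace()))
    print("attack:", run(optimistic_ack_trace()))
```

The point of the shape is that everything the transition needs fits the kind of primitives a programmable switch offers: a hash to pick a register index, a handful of integer reads and writes per packet, and comparisons on header fields; no packet is buffered and no controller round trip is needed before the drop happens. What is deliberately left out is slot ageing (a blocked slot here stays blocked, including for a later connection that hashes to it) and sequence-number wraparound, both of which a real data-plane deployment has to handle.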

Details

Date:
11 October 2022
Time:
14:00 - 17:00

Venue

A008