DDoS protection in the cloud
Inside Defense
Putting It All Together
The pieces of the puzzle for detecting and preventing attacks in a cloud infrastructure are now all available; you just need to put them together. The commercial Flowmon Collector [2] by the Czech company Flowmon (formerly Invea) analyzes NetFlow data and creates meaningful reports from it. Under the hood it relies on nfdump and nfsen, two open source tools. Other applications then build on the collected data and evaluate it according to specific criteria. One of these Flowmon applications is named "DDoS Defender."
You need to define a training period for the subnets that you want to monitor for DDoS activity. Once the training period has expired, a rule determines when the software triggers actions; for example, when a learned baseline value is exceeded by more than 300 percent. Actions can include sending email, creating SNMP traps and syslog messages, and setting up redirects via BGP and shell scripts. The latter option can in turn be used to start a script that instructs the OpenDaylight controller to enable filtering flows.
DDoS Defender can trigger the action as soon as it detects an attack, or only after it has collected data about the attack, so that you know which IP addresses and ports play a role in it. A script then reads the attack data that DDoS Defender passes to it via its environment. On this basis, and depending on the desired behavior, it builds a filter and distributes it independently to the appropriate virtual switches.
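The following script is an added illustration of the action step just described; it is not code from Flowmon, OpenDaylight or the original article. It assumes that DDoS Defender exports the attack data in environment variables named ATTACK_TARGET_IP, ATTACK_SOURCES, ATTACK_DST_PORT and ATTACK_PROTO (hypothetical names; check what your version actually sets), that the controller is reachable at the assumed address in CONTROLLER, and that the virtual switch is registered with the node name openflow:1. The RESTCONF path and JSON body follow the OpenDaylight openflowplugin model as I know it from the Helium/Lithium releases; verify them against your controller. Each attacking source gets its own rule with a hard timeout, so a stale filter disappears on its own; with the optional scrub_port the rule redirects instead of drops, which is the "washing machine" variant mentioned in the conclusions.

```python
#!/usr/bin/env python3
# Hypothetical DDoS Defender action script (added example, not Flowmon's or
# OpenDaylight's code). Environment variable names, controller address and
# switch node name are assumptions; the RESTCONF path and JSON follow the
# OpenDaylight openflowplugin model and should be checked against your release.
import base64
import ipaddress
import json
import os
import urllib.request

CONTROLLER = "http://odl.example.internal:8181"  # assumed controller URL
TABLE_ID = 0
PRIORITY = 500        # higher than a typical normal-forwarding rule
HARD_TIMEOUT = 600    # seconds; the rule expires unless the script re-arms it
PROTO_NUMBERS = {"tcp": 6, "udp": 17}

# Constructed sample of what the detector might export (documentation address
# ranges, not real attackers); one source is listed twice on purpose.
SAMPLE_ENV = {
    "ATTACK_TARGET_IP": "192.0.2.10",
    "ATTACK_DST_PORT": "80",
    "ATTACK_PROTO": "tcp",
    "ATTACK_SOURCES": "198.51.100.7, 203.0.113.9, 198.51.100.7",
}


def build_flow(flow_id, src_ip, dst_ip, dst_port="", proto="tcp", scrub_port=None):
    """Return the openflowplugin JSON for one rule matching src -> dst[:port].

    Without scrub_port the action is a drop; with it the traffic is sent out of
    that switch port (e.g. towards a scrubbing appliance) instead.
    """
    src = ipaddress.ip_address(src_ip)  # ValueError on garbage from the environment
    dst = ipaddress.ip_address(dst_ip)
    if src.version != 4 or dst.version != 4:
        raise ValueError("this example only builds IPv4 matches")
    match = {
        "ethernet-match": {"ethernet-type": {"type": 2048}},  # 0x0800 = IPv4
        "ipv4-source": f"{src}/32",
        "ipv4-destination": f"{dst}/32",
    }
    if proto in PROTO_NUMBERS:
        match["ip-match"] = {"ip-protocol": PROTO_NUMBERS[proto]}
        if dst_port:
            match[f"{proto}-destination-port"] = int(dst_port)
    if scrub_port is None:
        action = {"order": 0, "drop-action": {}}
    else:
        action = {"order": 0, "output-action": {
            "output-node-connector": str(scrub_port), "max-length": 65535}}
    return {"flow": [{
        "id": flow_id,
        "table_id": TABLE_ID,
        "priority": PRIORITY,
        "hard-timeout": HARD_TIMEOUT,
        "match": match,
        "instructions": {"instruction": [
            {"order": 0, "apply-actions": {"action": [action]}}]},
    }]}


def flow_url(controller, node, flow_id, table_id=TABLE_ID):
    """RESTCONF config-datastore path for one flow on one switch."""
    return (f"{controller}/restconf/config/opendaylight-inventory:nodes/node/"
            f"{node}/table/{table_id}/flow/{flow_id}")


def flows_from_env(env, scrub_port=None):
    """Turn the exported attack description into (flow_id, body) pairs, one per source."""
    target = env["ATTACK_TARGET_IP"]
    port = env.get("ATTACK_DST_PORT", "").strip()
    proto = env.get("ATTACK_PROTO", "tcp").strip().lower()
    flows, seen = [], set()
    for raw in env.get("ATTACK_SOURCES", "").split(","):
        src = raw.strip()
        if not src or src in seen:  # skip empty entries and duplicate sources
            continue
        seen.add(src)
        flow_id = f"ddos-{src.replace('.', '-')}-{port or 'any'}"
        flows.append((flow_id, build_flow(flow_id, src, target, port, proto, scrub_port)))
    return flows


def push_flow(controller, node, flow_id, body, user, password):
    """PUT one flow into the controller's config datastore; returns the HTTP status."""
    req = urllib.request.Request(flow_url(controller, node, flow_id),
                                 data=json.dumps(body).encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    env = os.environ if "ATTACK_TARGET_IP" in os.environ else SAMPLE_ENV
    node = os.environ.get("ODL_NODE", "openflow:1")
    for flow_id, body in flows_from_env(env):
        if env is SAMPLE_ENV:  # dry run without a controller: just show the rule
            print(flow_url(CONTROLLER, node, flow_id), json.dumps(body, indent=2))
        else:
            print(flow_id, push_flow(CONTROLLER, node, flow_id, body,
                                     os.environ.get("ODL_USER", "admin"),
                                     os.environ.get("ODL_PASSWORD", "admin")))
```

Run without the ATTACK_* variables set, the script prints the rules it would install for the constructed sample instead of contacting a controller, which is the easiest way to check the JSON against your OpenDaylight version before wiring the script into DDoS Defender. Deduplicating the sources and validating them with ipaddress matters because the environment is untrusted input as far as the script is concerned: a malformed value should fail loudly rather than end up in a flow match.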
Conclusions
As a component in SDN, OpenFlow controls traffic flows [9]. Even if it is (still) not widely used as a protocol on network hardware, apart from white-box operating systems such as PicOS [10] or switches by Corsa [11], it is used by default in environments with Open vSwitch.
As I have shown in this article, the OpenFlow technology can also be used for security. Rather than dropping packets, it would also be possible to route them via OpenFlow to a kind of network washing machine that separates benign from malicious traffic. At the same time, OpenFlow reveals attacks between virtual hosts that might otherwise remain hidden from the administrator.
Infos
[1] Peakflow: http://www.arbor.com
[2] Flowmon Collector: http://www.flowmon.com
[3] Management information base: https://en.wikipedia.org/wiki/Management_Information_Base
[4] Blackholing: https://en.wikipedia.org/wiki/Denial-of-service_attack#Blackholing_and_sinkholing
[5] Open vSwitch: http://openvswitch.org
[6] Open Networking Foundation: https://www.opennetworking.org
[7] OpenDaylight project: http://www.opendaylight.org
[8] "OpenFlow" by Marc Korner, Linux Pro Magazine, issue 162, May 2014, p. 20, http://www.linuxpromagazine.com/Issues/2014/162/OpenFlow
[9] Postman: https://www.getpostman.com
[10] PicOS white box SDN: http://www.pica8.com/products/picos
[11] Corsa switches: http://www.corsa.com/about/