Thursday, February 20, 2014

#NFD7 Real Time SDN and NFV Analytics for DDoS Mitigation

Today, at Networking Field Day 7, Ramki Krishnan of Brocade Networks demonstrated how the sFlow and OpenFlow standards can be combined to deliver DDoS mitigation as a service. Ramki is a co-author of related Internet Drafts: Large Flow Use Cases for I2RS PBR and QoS and Mechanisms for Optimal LAG/ECMP Component Link Utilization in Networks.
The talk starts by outlining the growing problem of DDoS attacks and the market opportunity for mitigation solutions, referencing the articles Prolexic Publishes Top 10 DDoS Attack Trends for 2013 and World's largest DDoS strikes US, Europe.
The diagram shows the unique position occupied by Internet Service Provider (ISP) and Internet Exchange (IX) networks, allowing them to filter large flood attacks and prevent them from overwhelming Enterprise customer connections - provided they can use their network to efficiently detect attacks and automatically filter traffic for their customers.
This diagram shows how standard sFlow, enabled in the switches and routers, provides a continuous stream of measurement data to InMon sFlow-RT, which provides real-time detection and notification of DDoS attacks to the DDoS Mitigation SDN Application. The DDoS Mitigation SDN Application selects a mitigation action and instructs the SDN Controller to push the action to selected switches (for example, using standard OpenFlow rules to drop traffic associated with the DDoS attack).

The key to making this solution scale is the use of hybrid port OpenFlow. By default, all traffic is handled by the switch's normal hardware switching and routing function without any intervention from the controller. The OpenFlow rules are used only to override the normal forwarding behavior for the selected flow. The solution uses a software controller to leverage the standard sFlow and OpenFlow capabilities of existing network hardware, providing a scalable, automated, cost-effective solution that allows ISP/IX networks to effectively mitigate flood attacks.
The live demo shows a continuous stream of NTP reflection attacks created by a traffic generator, each attack lasting 20 seconds. The chart at the top right shows the attack traffic in red and the normal traffic in green. The Brocade MLXe switch sends a continuous stream of sFlow measurements to InMon's sFlow-RT analytics engine.

The sFlow-RT software performs a number of functions:
  1. Provides a REST API allowing the customer to set thresholds and mitigation policies
  2. Detects the DDoS attack
  3. Extracts attributes that characterize the attack traffic - UDP source port (123) and destination IP address ( in this example
  4. Constructs a filter to drop the attack
  5. Makes a call to OpenDaylight's Flow Programmer REST API to instruct OpenDaylight to send the filter as an OpenFlow rule to the MLXe
  6. Continues to monitor the DDoS traffic
  7. Makes a call to OpenDaylight to remove the rule once the attack subsides
  8. Provides statistics to drive the demo dashboard - which in a real deployment would be the customer portal
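The detect, filter, push and release steps above, as an added worked example that is not sFlow-RT's own code or Brocade's demo script. It assumes constructed sFlow-style packet samples, a hypothetical sampling rate and threshold, and an OpenDaylight (Hydrogen) Flow Programmer request shape taken from memory, so the field names should be checked against your controller release.

```python
from collections import defaultdict

# Constructed sFlow-style packet samples (not captured data):
# (src_ip, dst_ip, ip_proto, src_port, dst_port, frame_bytes)
SAMPLES = [
    ("198.51.100.10", "203.0.113.5", 17, 123, 40000, 482),
    ("198.51.100.11", "203.0.113.5", 17, 123, 40001, 482),
    ("198.51.100.12", "203.0.113.5", 17, 123, 40002, 482),
    ("192.0.2.7", "203.0.113.9", 6, 443, 51000, 1500),
    ("192.0.2.8", "203.0.113.9", 17, 53, 33000, 120),
]

def ntp_reflection_rate(samples, sampling_rate, interval_s):
    """Estimated bits/s of UDP source-port-123 traffic per destination IP.
    sFlow samples 1 in N packets, so each sampled frame stands for about
    sampling_rate frames seen on the wire during the polling interval."""
    bytes_by_dst = defaultdict(int)
    for _src, dst, proto, sport, _dport, size in samples:
        if proto == 17 and sport == 123:
            bytes_by_dst[dst] += size * sampling_rate
    return {dst: b * 8 / interval_s for dst, b in bytes_by_dst.items()}

def build_drop_rule(dpid, dst_ip, name):
    """REST path and body for an OpenDaylight (Hydrogen) Flow Programmer static
    flow dropping UDP/123-sourced packets to dst_ip. Field names are assumed
    from that release's northbound API; verify them against your controller."""
    path = f"/controller/nb/v2/flowprogrammer/default/node/OF/{dpid}/staticFlow/{name}"
    body = {"installInHw": "true", "name": name, "priority": "500",
            "node": {"id": dpid, "type": "OF"}, "etherType": "0x800",
            "protocol": "17", "nwDst": f"{dst_ip}/32", "tpSrc": "123",
            "actions": ["DROP"]}
    return path, body

class Mitigator:
    """Installs a drop rule when a victim exceeds the threshold and removes it
    once its rate falls below half the threshold (hysteresis stops flapping)."""
    def __init__(self, dpid, threshold_bps):
        self.dpid, self.threshold, self.active = dpid, threshold_bps, {}
    def step(self, rates):
        """One polling interval; returns (method, path, body) REST calls."""
        actions = []
        for dst, bps in rates.items():
            if bps > self.threshold and dst not in self.active:
                path, body = build_drop_rule(self.dpid, dst, f"ntp-{dst}")
                self.active[dst] = path
                actions.append(("PUT", path, body))
        for dst in list(self.active):
            if rates.get(dst, 0) < self.threshold / 2:
                actions.append(("DELETE", self.active.pop(dst), None))
        return actions
```

Calling `step()` once per sFlow polling interval yields the PUT when the flood starts and the DELETE once it subsides, mirroring steps 2 through 7 of the list.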
The chart at the bottom right of the screen shows the traffic after it has been filtered by the controller. As each new attack is launched, it is immediately detected and removed, so the link is protected and the normal traffic gets to the customer network. While the demonstration shows one switch and one protected 10 Gigabit link, the solution easily scales to hundreds of switches, tens of thousands of links and 100 Gigabit link speeds.

This demonstration of DDoS mitigation is only one application of this architecture - Ramki's OpenDaylight Summit talk Flow-aware Real-time SDN Analytics (FRSA) presented a number of others.

1 comment:

  1. This would be a good feature (using both sFlow and SDN) with low cost for small/medium enterprise