DDoS protection in the cloud

Inside Defense

Putting It All Together

The pieces of the puzzle for detecting and preventing attacks in a cloud infrastructure are now all available; you just need to put them together. The commercial Flowmon Collector [2] by the Czech company Flowmon (formerly Invea) analyzes NetFlow data and creates meaningful reports from it. Under the hood it relies on nfdump and nfsen, two open source tools. Other applications then jump on the collected data and perform evaluation according to specific criteria. One of these Flowmon applications is named "DDoS Defender."

You need to define a training period for subnets that you want to monitor for DDoS activity. When this has expired, a rule then determines when the software triggers actions; for example, when a certain value is exceeded by more than 300 percent. Actions can include sending email, creating SNMP traps and syslog messages, and setting up redirects via BGP and shell scripts. The latter option can in turn be used to start a script that instructs the OpenDaylight controller to enable filtering flows.

DDoS Defender can trigger the action when it detects an attack, or after it has collected data about the attack, so you know which IP addresses and ports play a role in the attack. A script then reads the data from the environment that is passed in to it. On this basis, and depending on the desired behavior, it builds a filter and distributes it independently to the appropriate virtual switches.

Conclusions

As a component in SDN, OpenFlow controls traffic flows [9]. Even if it is (still) not widely used as a protocol on network hardware, apart from white-box operating systems such as PicOS [10] or switches by Corsa [11], it is used by default in environments with Open vSwitch.

As I have shown in this article, the OpenFlow technology can also be used for security. Rather than dropping packets, it would also be possible to route them via OpenFlow and separate benign from malicious traffic to a kind of network washing machine. At the same time, OpenFlow reveals attacks between virtual hosts that might otherwise remain hidden to the administrator.

Infos

Peakflow: http://www.arbor.com
Collector: http://www.flowmon.com
Management information base: https://en.wikipedia.org/wiki/Management_Information_Base
Blackholing: https://en.wikipedia.org/wiki/Denial-of-service_attack#Blackholing_and_sinkholing
Open vSwitch: http://openvswitch.org
Open Networking Foundation: https://www.opennetworking.org
OpenDaylight project: http://www.opendaylight.org
"OpenFlow" by Marc Korner, Linux Pro Magazine , issue 162, May 2014, p. 20, http://www.linuxpromagazine.com/Issues/2014/162/OpenFlow
Postman: https://www.getpostman.com
PicOS white box SDN: http://www.pica8.com/products/picos
Corsa switches: http://www.corsa.com/about/

The Author

Konstantin Agouros works at Xantaro, Germany as a solutions architect focusing on network, cloud security, and automation. His book DNS/DHCP was published by Open Source Press.

« Previous 1 2 3 4