Abstract

Distributed Denial-of-Service (DDoS) attacks continue to escalate in size and scale, and there is a growing need for network-level security management that can restrict a service to a geography (known as geo-blocking) and prevent the victim's IP address from being faked (known as IP-spoof protection). The former reduces the attack surface on the victim, while the latter reduces liability on the organization from which the attack originates. Unfortunately, these solutions are hard to implement in today's networks, requiring expensive hardware appliances and/or manual configuration. This was exemplified in the recent attack on the Australian government census website, which had to be brought down for weeks in order for security configurations to be applied. In this paper, we first argue that an Internet Exchange Point (IXP) is an appropriate place for managing the security of an enterprise, and then design, implement, and evaluate a geo-blocking and IP-spoofing protection solution for a Software Defined IXP. Our first contribution is to define a grammar for operators to specify their high-level security intents, and a compiler that automatically synthesizes these into low-level flow rules for insertion into the interconnect fabric. Our second contribution is to develop a mixed integer linear program (MILP) optimization framework for distributing flow rules across switches with limited table size, while minimizing the carriage cost of malicious and extraneous traffic. Finally, we evaluate the cost benefits of our scheme via simulation of a large IXP network, and demonstrate its practical utility in blocking attacks via an implementation over the open-source ONOS controller and experimentation in an SDN testbed.
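To make the intent-to-flow-rule idea concrete, here is an added example (not the paper's grammar, compiler, or ONOS code) of a minimal two-statement intent language compiled into OpenFlow-style match/action rules for an IXP fabric. The grammar, the country-to-prefix table (RFC 5737 documentation ranges, not real allocations), the port numbering, the priority values, and the table-miss default of forwarding are all assumptions made for illustration. A geo-blocking intent becomes one forward rule per allowed source prefix plus a lower-priority drop for everything else destined to the protected service; an anti-spoofing intent becomes one drop rule per peer port that is not the legitimate owner of the victim prefix, so a member cannot emit packets carrying the victim's source addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Dict

# Constructed geo database (assumption): country code -> source prefixes.
# RFC 5737 documentation ranges, not real country allocations.
GEO_PREFIXES: Dict[str, List[str]] = {
    "AU": ["203.0.113.0/24"],
    "NZ": ["198.51.100.0/24"],
    "XX": ["192.0.2.0/24"],
}


@dataclass(frozen=True)
class FlowRule:
    """OpenFlow-style rule: all present match fields must match; higher priority wins."""
    priority: int
    ipv4_src: Optional[str]   # source prefix or None (wildcard)
    ipv4_dst: Optional[str]   # destination prefix or None (wildcard)
    in_port: Optional[int]    # ingress port or None (wildcard)
    action: str               # "forward" or "drop"

    def matches(self, pkt: dict) -> bool:
        if self.in_port is not None and pkt["in_port"] != self.in_port:
            return False
        for field in ("ipv4_src", "ipv4_dst"):
            prefix = getattr(self, field)
            if prefix is not None and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(prefix):
                return False
        return True


def parse_intent(line: str) -> dict:
    """Parse one line of the hypothetical intent grammar:
       geoblock <dst_prefix> allow <CC,CC,...>
       antispoof <victim_prefix> owner <port> peers <port,port,...>
    Prefixes are validated strictly so a typo cannot silently become a wildcard."""
    tok = line.split()
    if len(tok) == 4 and tok[0] == "geoblock" and tok[2] == "allow":
        ipaddress.ip_network(tok[1], strict=True)
        allow = tok[3].split(",")
        unknown = [cc for cc in allow if cc not in GEO_PREFIXES]
        if unknown:
            raise ValueError(f"unknown country code(s) {unknown} in {line!r}")
        return {"kind": "geoblock", "dst": tok[1], "allow": allow}
    if len(tok) == 6 and tok[0] == "antispoof" and tok[2] == "owner" and tok[4] == "peers":
        ipaddress.ip_network(tok[1], strict=True)
        return {"kind": "antispoof", "victim": tok[1], "owner": int(tok[3]),
                "peers": [int(p) for p in tok[5].split(",")]}
    raise ValueError(f"unrecognised intent: {line!r}")


def compile_intent(intent: dict) -> List[FlowRule]:
    """Synthesize low-level flow rules for one parsed intent."""
    rules: List[FlowRule] = []
    if intent["kind"] == "geoblock":
        # Permit traffic from every allowed country's prefixes to the service...
        for cc in intent["allow"]:
            for prefix in GEO_PREFIXES[cc]:
                rules.append(FlowRule(200, prefix, intent["dst"], None, "forward"))
        # ...and drop all other traffic destined to the service (lower priority).
        rules.append(FlowRule(100, None, intent["dst"], None, "drop"))
    else:
        # Any peer port other than the owner may not source the victim's addresses.
        for port in intent["peers"]:
            if port != intent["owner"]:
                rules.append(FlowRule(300, intent["victim"], None, port, "drop"))
    return rules


def compile_intents(lines: List[str]) -> List[FlowRule]:
    """Compile a whole intent file; blank lines and '#' comments are ignored."""
    rules: List[FlowRule] = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rules.extend(compile_intent(parse_intent(line)))
    return sorted(rules, key=lambda r: -r.priority)  # highest priority first


def lookup(rules: List[FlowRule], pkt: dict) -> str:
    """Emulate a single switch table: first match in priority order decides.
    Table-miss forwards, as an IXP fabric would by default (assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "forward"


# Constructed intents: a service in 203.0.113.0/24 (member on port 1) should
# only be reachable from AU and NZ sources, and no other member (ports 2, 3)
# may inject packets that claim 203.0.113.0/24 as their source.
INTENTS = [
    "# census-site protection",
    "geoblock 203.0.113.0/24 allow AU,NZ",
    "antispoof 203.0.113.0/24 owner 1 peers 1,2,3",
]
RULES = compile_intents(INTENTS)

if __name__ == "__main__":
    for r in RULES:
        print(r)
    print(lookup(RULES, {"ipv4_src": "192.0.2.5", "ipv4_dst": "203.0.113.10", "in_port": 3}))
```

The rule count returned by `compile_intents` is the quantity the paper's MILP has to place across switches with bounded table sizes; with this grammar it grows linearly with the number of allowed source prefixes and peer ports, which is why a placement optimizer matters at a large IXP.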
