Part of the document "A high performance anomaly based intrusion detection system for sdn networks" (pages 154 - 167)

A.4. HPOFS: A HIGH PERFORMANCE AND SECURED OPENFLOW SWITCH ARCHITECTURE FOR FPGA

• Cuong Pham-Quoc, Duc-Minh Ngo, Tran Ngoc Thinh. HPOFS: A High Performance and Secured OpenFlow Switch Architecture for FPGA. Advances in Electrical and Computer Engineering, Volume 19, Issue 3, pp. 19-28 (2019). ISSN: 1582-7445 (SCIE).

Abstract—Although Software Defined Networking offers many advantages, it suffers from many security issues due to centralized control. In this paper, we introduce HPOFS (High-Performance and Secured OpenFlow Switching Architecture) for FPGA, which is not only able to route packets from sources to destinations according to the OpenFlow protocol but also able to protect the system against different attacks efficiently. Thanks to FPGA technology, the two processes can be scheduled in parallel; thus, the switch can work at very high throughput. We implement the first prototype version on a Xilinx xc5vtx240t FPGA device with three different security functions to protect the system against DDoS attack types, including Hop-count filtering, port Ingress/Egress filtering, and a SYN Flood attack defender. While the first two protection techniques are adapted from our previous work, the SYN Flood defender core is designed and implemented with a pipeline model in this work. The core is able to protect the system against SYN Flood attacks at up to 30,000,000 packets per second with only 0.248 ms overhead. The full switch can provide throughput of up to 78.96 Gbps with only a 0.0012% drop rate.

Index Terms—Field programmable gate arrays, Software defined networking, Computer security, High performance computing, Reconfigurable architectures

I. INTRODUCTION

Software-defined networking (SDN) [1] offers many benefits compared to traditional networking by separating the control plane from the data plane [2]. In recent years, SDN has become more popular in both academia and industry. However, there still exist known issues in SDN, especially security vulnerabilities [3-4].

The centralized control model of SDN may cause many security issues, since attacks on controllers could bring down the entire network. Many previous studies have focused on building secured functions for controllers or on hardening controllers [5-6]. However, these approaches could lead to performance issues. In recent years, many alternatives have been developed as intelligent data planes, where data is pre-processed to protect systems from attacks [7-9]. Nevertheless, as the number of network attacks and attack types grows rapidly, a system needs to be augmented with different protection techniques to survive attacks. When building secured functionalities for SDN, one of the critical issues is not to break the principles of SDN, such as centralized control and monitoring and the decoupling of the control and data planes.

Among others, OpenFlow [10] is one of the most popular and successful SDN instantiations. Taking the principles of SDN into its design, OpenFlow switches decouple the control plane from the data plane. While forwarding devices at the data plane are responsible for routing network packets, an associated controller at the control plane manages these devices and makes high-level routing decisions. According to SDN principles, the first packet of a new flow arriving at a forwarding device is forwarded to the controller, which computes the corresponding routing path. Because of this rule, OpenFlow networks, like SDN in general, are highly sensitive to saturation attacks such as SYN Flooding, where a very large number of new flows arrive at a switch simultaneously.

In this work, we propose the High-Performance Secured OpenFlow Switch Architecture (HPOFS) for building an FPGA-based high-performance and secured OpenFlow switch. HPOFS provides not only high-throughput network switching but also secured cores that are able to protect the switch against attacks. Thanks to FPGA technology, HPOFS can run the switching function in a pipeline model while multiple secured cores examine network packets in parallel. Therefore, HPOFS does not introduce any latency when switching packets. Moreover, the switch is able to counter many attack types with a negligible decline in performance. We implement a prototype version using a NetFPGA-10G board, containing a Virtex-5 xc5vtx240t device. In this prototype, three security functions are implemented as secured cores to protect the switch from DDoS and SYN Flooding attacks: SYN Defender, Hop-count Filtering, and Port Ingress/Egress Filtering. Experimental results with the first prototype version show that HPOFS on NetFPGA-10G achieves a switching throughput of up to 39.48 Gbps, while the maximum throughput supported by the board is 40 Gbps. Detection rates with the Hop-count Filtering and Port Ingress/Egress Filtering techniques are 100% with only a 2.9% false positive rate, while about 30+ million SYN Flood attack packets per second are prevented by SYN Defender.

The main contributions of this work are threefold.

(1) We propose the architecture for High-Performance Secured OpenFlow Switch (HPOFS) that can route packets from sources to destinations according to the OpenFlow protocol and examine these packets to countermeasure different attacks. The two behaviors can be executed in both parallel and pipeline models to achieve optimized performance.

HPOFS: A High Performance and Secured OpenFlow Switch Architecture for FPGA

Cuong PHAM-QUOC, Duc-Minh NGO, Tran Ngoc THINH, Ho Chi Minh City University of Technology, Vietnam National University – Ho Chi Minh City, Vietnam; cuongpham@hcmut.edu.vn

(2) We design and implement an efficient pipelined SYN Defender core in FPGA. Our SYN Defender core is able to protect the switch against SYN Flooding attacks, one of the most serious attack methods. The core can protect the system against attacks at 30,000,000 packets per second with only 0.248 ms overhead. It outperforms most well-known SYN Flood defender systems in the literature.

(3) We implement and evaluate our proposed HPOFS on the NetFPGA-10G platform that contains a Virtex-5 xc5vtx240t FPGA device. In this prototype version, we integrate the SYN Defender core and two DDoS countermeasure cores developed from our previous work, Port Ingress/Egress filtering and Hop-Count filtering [11]. To the best of our knowledge, this is the first switch with these secure cores in the literature. The switch can provide throughput at up to 78.96 Gbps with only 0.0012% drop rate.

The rest of the paper is organized as follows. Section II summarizes related work and briefly discusses background. Section III presents our proposed HPOFS architecture. We introduce our prototype version using the NetFPGA-10G board in Section IV. Section V analyzes our experimental results. Finally, conclusions and future work are presented in Section VI.

II. BACKGROUND AND RELATED WORK

In this section, we summarize background and introduce related work in the literature.

A. Background

Reconfigurable technology, such as the Field Programmable Gate Array (FPGA), is a dominant technology for building high-performance computing applications as well as reconfigurable computing systems [12-13]. Compared to general-purpose processors, FPGAs provide higher performance and lower energy consumption. Compared to Application Specific Integrated Circuits (ASICs), FPGAs allow hardware circuits to be reconfigured. With these advantages, FPGAs are widely used in both academic research and industrial products.

Although FPGAs are programmable, the limited hardware resources are the main drawback of FPGA technology. In other words, FPGAs are not suitable for applications that need to store huge amounts of data.

Therefore, in this work, we exploit the parallelism of FPGAs to efficiently prevent DDoS attacks [14]. DDoS attack types are diverse and can be classified by different parameters such as degree of automation, exploited weakness, source address validity, possibility of characterization, attack rate dynamics, impact on the victim, victim type, and persistence of the agent set [15]. Based on the attacked level, DDoS flooding attacks are classified into two categories: (i) Network/transport-level DDoS attacks and (ii) Application-level DDoS attacks. In the literature, several DDoS defense techniques have been proposed to combat DDoS flooding attacks. These techniques are classified into the same two categories as the attacks: (i) mechanisms against Network/transport-level DDoS attacks and (ii) mechanisms against Application-level DDoS attacks [16]. However, systems proposed in the literature using these techniques are either implemented only as software programs or defend against only one DDoS attack type [17-22]. In high-speed networks, software-based DDoS countermeasure systems cannot fully decode and classify all incoming packets. Meanwhile, defending against only one DDoS attack technique is not sufficient.

Among the DDoS filtering techniques, SYN Cookie (SYNC) is one of the most important. The SYNC algorithm is usually deployed on a target server to defend against SYN Flooding attacks [23]. Figure 1a illustrates the TCP 3-Way Handshake protocol, which attackers can exploit to make the system unresponsive to legitimate traffic. A target server without SYNC deployed has to use hardware resources (memory) to keep track of initiated connections when it receives SYN messages (1). Meanwhile, SYN Cookie (Figure 1b) protects the target server by sending a SYN/ACK message (2) with a generated SEQ number. The server then waits for the reply value (3) in the next incoming packet from the user to authenticate the user.

The strength of SYNC depends on the complexity of the SEQ generation algorithm. The technique's inventor proposed generating the SEQ number from the incoming SYN packet header fields (IP, Ethernet Port, and Maximum Segment Size) and the current time value [24]. The main advantage of SYN Cookie is that the receiver does not need to store any connection information, which also makes it suitable for FPGA platforms.

Figure 1. The three-way handshake protocol: (a) normal process, (b) with SYN cookies. Both panels show the Client Side and Server Side exchange followed by data exchange; in (b) the server generates cookie Y, discards the SYN packet, and later validates Y.
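As an added illustration of the SYN Cookie mechanism described above (example code, not part of the paper or of the HPOFS implementation), the following Python models the server side of Figure 1b: the SYN/ACK sequence number is a keyed hash over the header fields the paper names (addresses, ports, MSS) plus a coarse time counter, and the returning ACK is validated by recomputing that hash, so no per-connection state is kept. The cookie layout (5 counter bits, 3 MSS-index bits, 24 hash bits), the 64-second counter period, the MSS table and the secret key are assumptions chosen for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed server secret for this example; a real deployment uses a random
# per-boot key that never leaves the device.
SERVER_SECRET = b"example-hpofs-secret"
COUNTER_PERIOD = 64            # seconds per time-counter tick (assumed)
ACCEPTED_PAST_TICKS = 1        # cookies from the current and previous tick are valid
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the 3 index bits (assumed)


def _keyed_hash(src_ip, dst_ip, src_port, dst_port, counter, mss):
    """24-bit keyed hash over the SYN header fields named in the paper
    (addresses, ports, MSS) and the time counter."""
    msg = struct.pack(
        "!4s4sHHIH",
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
        src_port, dst_port, counter, mss,
    )
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    index = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            index = i
    return index


def make_cookie(src_ip, dst_ip, src_port, dst_port, mss, now):
    """SEQ number for the SYN/ACK (step 2 in Figure 1b):
    5-bit counter | 3-bit MSS index | 24-bit hash. No connection state is stored."""
    counter = int(now) // COUNTER_PERIOD
    idx = _mss_index(mss)
    h = _keyed_hash(src_ip, dst_ip, src_port, dst_port, counter, MSS_TABLE[idx])
    return ((counter & 0x1F) << 27) | (idx << 24) | h


def check_cookie(src_ip, dst_ip, src_port, dst_port, ack_number, now):
    """Validate the client's ACK (step 3). The cookie is ACK-1 (mod 2^32).
    Returns the negotiated MSS when the cookie is genuine and fresh, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter_bits = cookie >> 27
    idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    current = int(now) // COUNTER_PERIOD
    # Try the counter values still inside the validity window whose low 5 bits
    # match the cookie; the hash is recomputed, never looked up.
    for back in range(ACCEPTED_PAST_TICKS + 1):
        counter = current - back
        if counter < 0 or (counter & 0x1F) != counter_bits:
            continue
        expected = _keyed_hash(src_ip, dst_ip, src_port, dst_port, counter, MSS_TABLE[idx])
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    # Constructed handshake: the SYN arrives at t=1000 s, the ACK 10 s later.
    seq = make_cookie("10.0.0.5", "10.0.0.1", 40000, 80, 1460, 1000)
    ack = (seq + 1) & 0xFFFFFFFF
    print("cookie 0x%08x, accepted MSS:" % seq,
          check_cookie("10.0.0.5", "10.0.0.1", 40000, 80, ack, 1010))
```

The validity window is two counter ticks, so a client that answers late is refused rather than remembered; that is the trade-off that lets the server stay stateless while SYN packets are being flooded at it.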

In the literature, a number of studies build security functions in the control plane of an SDN, such as the research in [25-28]. For example, SLICOTS [29] built a lightweight module on the control plane to prevent TCP SYN Flooding attacks by observing traffic and installing short-term forwarding rules on the data plane. However, the main drawback of these works is the use of controller resources, which are already a target for saturation attacks, to perform security functions. In recent years, bringing some intelligent processing from the control plane to the data plane has become a trend in SDN, called stateful SDN data planes [2]. OpenState [7], FAST [30], and SDPA [31] are examples. A stateful SDN data plane relieves the bottleneck in the communication channel between the control and data planes, but this approach introduces new security challenges such as switch memory saturation, CPU exhaustion, and state inconsistency.

Although implementing SDN switches on FPGA platforms has been investigated for a while, especially for OpenFlow networks, an SDN instance, such as the work in [10], [32-33], these switches lack security abilities, including DDoS protection. The OFX framework [8] can be considered one of the first studies that proposed building security functions in the switch. The framework allows network administrators to build security functions on both the control plane and the data plane by inserting more flow tables on the data plane. However, the switches in this work still need general-purpose processors to perform software-based security behaviors.

Regarding the use of SYNC in SDN/OpenFlow switches to protect target servers against DDoS attacks, AVANT-GUARD [34] developed the Connection Migration module in the data plane. This module authenticates legitimate users using the SYN Cookies algorithm and repeats the 3-way handshake protocol with the target server once a user is authenticated. AVANT-GUARD uses a mechanism that stores the difference between the two SEQ numbers in memory to synchronize the SEQ numbers of the two sides. With this mechanism, memory could be overloaded, which is the weakness of this approach. LineSwitch [35] also prevents SYN Flood attacks by combining the SYN proxy technique [36] and probabilistic blacklisting of network traffic. The authors in [9] use the TCP reset technique to prevent SYN Flood attacks by inserting a number of switching rules into the flow table.

Although a number of studies augment SDN or OpenFlow networks with security functions, they suffer from low performance and throughput due to software-based implementation. Therefore, a high-performance and secured OpenFlow switch that uses hardware to achieve optimized performance is essential.

III. PROPOSED ARCHITECTURE

In this section, we first give an overview of how our proposed HPOFS is used in the data plane of an OpenFlow network. We then present the architecture of the proposed switch in detail.

A. Overview

Figure 2. The overview of our approach: (a) traditional SDN; (b) our switches are used to protect the system. Panel (a) shows an SDN Controller on the control plane connected through the OpenFlow Protocol to OpenFlow Switches on the network data plane. Panel (b) shows the SDN Controller and a Secure Core Monitor on the HPOFS control plane connected through the OpenFlow Protocol to HPOFS switches on the HPOFS data plane.

Figure 2a depicts the architecture of an OpenFlow network, an instance of SDN. The main components are OpenFlow switches that function on the data plane and are connected to the controller through the OpenFlow protocol. This traditional architecture illustrates the centralized control of OpenFlow networks, as well as SDN. Although centralization provides many advantages, it usually suffers from many security vulnerabilities, especially saturation attacks.

Our HPOFS architecture provides high-performance and secured switches based on the OpenFlow infrastructure. Moreover, thanks to reconfigurable technology, the secure cores in HPOFS are flexible and programmable. The proposed switch leverages the parallel processing ability of FPGA platforms to perform security and switching functions simultaneously. As illustrated in Figure 2b, HPOFS allows network administrators to monitor the whole network and manage the security functions executing on the data plane. Besides, we also develop a Secure Core Monitor running on the control plane to handle the security functions of HPOFS. Network administrators can further update or modify these security functions when needed. With this ability, the proposed switch is adaptable to different attack types, which addresses one of the main drawbacks of other hardware-based security devices.

B. HPOFS Architecture

Figure 3 illustrates the FPGA-based architecture of HPOFS in detail. HPOFS follows the SDN principle by decoupling the HPOFS control plane from the HPOFS data plane and using the centralized SDN controller to make routing decisions. As stated above, besides the traditional SDN controller on the control plane, we also develop a Secure Core Monitor on the control plane for monitoring and controlling the secure cores in the switches that function on the data plane. The communication channel between the Secure Core Monitor and the secure cores also follows the OpenFlow protocol.

As presented above, our proposed HPOFSes can be deployed on the data plane to protect the entire network, as depicted in Figure 2b. Each HPOFS consists of one OpenFlow Agent executing on a general-purpose processor and a switch implemented on an FPGA device. The Agent is responsible for communicating with the associated controller and managing the flow table inside the switch.

The switch processes incoming network packets according to the OpenFlow protocol and examines these packets to drop attacking ones. The FPGA-based architecture of the switch consists of five main blocks: Ingress, Egress, Packet Management, Switching Management, and Secure Management.

1) Ingress block

The Ingress block is responsible for receiving incoming packets through the network interfaces InPort_[1,2,...,n] and control packets through the InPort_Ctr interface. These input packets are arbitrated by the Input Arbiter module and forwarded one by one to the Packet Management block. Thanks to reconfigurable technology, this arbiter can schedule packets in round-robin order or follow a priority model determined by the associated controller.

2) Egress block

In contrast to the Ingress block, the Egress block receives processed packets from the Packet Management block and stores them in the Output Queue. The block then forwards these packets to the corresponding network output ports OutPort_[1,2,...,n] or the control output interface OutPort_Ctr according to the decision of the Packet Management block. Packets arriving at the Egress block are legitimate packets, i.e. they are safe for the network.

3) Switching Management block

The Switching Management block can be considered the main component of the switch. The block, which operates the OpenFlow switching protocol, consists of three modules:

OpenFlow Lookup provides interfaces to communicate with the Packet Management block. The module is also able to look up or update the Flow Table according to control signals generated by the Packet Management block. This module also communicates with the OpenFlow Host Agent module to send data to or receive data from the OpenFlow Agent.

Flow Table holds flow table entries according to the OpenFlow protocol, including exact-match and wildcard-match table entries for the switching process.

OpenFlow Host Agent uses information received from the OpenFlow Agent to update the Flow Table and collects statistics on packet flows.

4) Secure Management block

The Secure Management block is responsible for examining packets to determine whether a packet is spoofed or harmful to the network. The block includes a Secure Controller, an OFS Scanner, and multiple Secure Cores:

Secure Controller provides interfaces to communicate with the Packet Management block. This module distributes data extracted from network packets by the Packet Management block to the Secure Cores and collects scanning results from the OFS Scanner.

Secure Cores are responsible for examining packets against different network attack types. Each core is implemented for one dedicated attack type. By dividing the scanning process into separate cores, we aim to apply the partial reconfiguration technique in the future, to make the system more flexible and practical in use.

OFS Scanner is the main component of the block. The module collects scanning results from the Secure Cores and feeds them back to the Secure Controller. When any Secure Core recognizes a packet as illegitimate, the OFS Scanner module issues an alert signal to the Packet Management block.

5) Packet Management block

Packet Management extracts data from incoming packets and delivers the required data to both the Switching Management and Secure Management blocks while keeping the original packets in a local buffer. When a packet is classified as legitimate, it is forwarded to the Egress block together with routing information collected from the Switching Management block; otherwise, the packet is removed from the system. The block consists of three modules:

Packet Pre-processing receives incoming packets forwarded from the Input Arbiter and executes the initial processing step. This includes two main tasks: extracting a set of features from packet header fields and storing incoming packets in the Packet Buffer module.

Packet Buffer is a FIFO memory that keeps packets while they are being processed by both the Switching Management and Secure Management blocks. The main purpose of this FIFO memory is to increase system performance. As packets arrive at the Packet Pre-processing module frame by frame, the extraction of features from packet header fields can be completed before the last frame arrives. A buffer allows packet flows to be received

Figure 3. The architecture of our high-performance and secured OpenFlow switch – HPOFS
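The following Python model is an added example (not code from the paper or the HPOFS project) of the decision flow described for the Switching Management, Secure Management and Packet Management blocks: Packet Pre-processing supplies header features, the Flow Table performs an exact-match lookup and then a wildcard-match lookup, the Secure Cores examine the same features, the OFS Scanner raises an alert if any core flags the packet, and Packet Management forwards the packet to an output port, sends it to the controller on a table miss, or drops it on an alert. The two cores are simplified stand-ins for hop-count filtering and port ingress/egress filtering (TTL-based hop-count consistency and internal/external address-to-port consistency); the SYN Defender core is not modelled here. The feature set, port numbering, address prefix and sample traffic are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

CONTROLLER_PORT = "OutPort_Ctr"   # table miss: first packet of a flow goes to the controller
INTERNAL_PORT = 1                 # constructed: InPort_1 faces the protected network
INTERNAL_PREFIX = "10.0.0."       # constructed: address range of the protected network


@dataclass(frozen=True)
class Features:
    """Header fields extracted by Packet Pre-processing (assumed set);
    the packet itself stays in the Packet Buffer."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int
    in_port: int


class FlowTable:
    """Flow Table with exact-match entries (full key) and wildcard entries
    (subset of fields, highest priority first)."""

    def __init__(self) -> None:
        self.exact: Dict[Tuple, int] = {}
        self.wildcard: List[Tuple[int, Dict[str, object], int]] = []

    @staticmethod
    def _key(f: Features) -> Tuple:
        return (f.src_ip, f.dst_ip, f.src_port, f.dst_port, f.in_port)

    def add_exact(self, f: Features, out_port: int) -> None:
        self.exact[self._key(f)] = out_port

    def add_wildcard(self, match: Dict[str, object], out_port: int, priority: int = 0) -> None:
        self.wildcard.append((priority, match, out_port))
        self.wildcard.sort(key=lambda entry: -entry[0])

    def lookup(self, f: Features) -> Optional[int]:
        port = self.exact.get(self._key(f))
        if port is not None:
            return port
        for _, match, out_port in self.wildcard:
            if all(getattr(f, field) == value for field, value in match.items()):
                return out_port
        return None   # miss: no routing decision yet


def _hop_count(ttl: int) -> int:
    """Hops travelled, assuming the sender started from the nearest common initial TTL."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return 0


def hop_count_core(learned: Dict[str, int]) -> Callable[[Features], bool]:
    """Secure Core 1 (simplified hop-count filtering): alert when the hop count
    implied by the TTL disagrees with the value learned for that source."""
    def check(f: Features) -> bool:
        expected = learned.get(f.src_ip)
        return expected is not None and _hop_count(f.ttl) != expected
    return check


def port_filter_core(f: Features) -> bool:
    """Secure Core 2 (simplified ingress/egress filtering): an internal source
    address on an external port, or an external one on the internal port, is spoofed."""
    internal_source = f.src_ip.startswith(INTERNAL_PREFIX)
    return internal_source != (f.in_port == INTERNAL_PORT)


def ofs_scanner(cores: List[Callable[[Features], bool]], f: Features) -> bool:
    """OFS Scanner: raise the alert signal if any Secure Core flags the packet."""
    return any(core(f) for core in cores)


Decision = Union[int, str]


def packet_management(table: FlowTable, cores, packets: List[Tuple[str, Features]]) -> List[Tuple[str, Decision]]:
    """Packet Management: for each buffered packet, run the flow lookup and the
    security scan (done in parallel on the FPGA) and forward, send to the controller, or drop."""
    decisions: List[Tuple[str, Decision]] = []
    for pid, f in packets:
        out_port = table.lookup(f)
        if ofs_scanner(cores, f):
            decisions.append((pid, "drop"))            # illegitimate: removed from the system
        elif out_port is None:
            decisions.append((pid, CONTROLLER_PORT))   # new flow: ask the controller
        else:
            decisions.append((pid, out_port))          # legitimate: on to the Egress block
    return decisions


def run_demo() -> List[Tuple[str, Decision]]:
    """Constructed traffic: port 1 is the protected side, port 2 the external side."""
    table = FlowTable()
    cores = [hop_count_core({"10.0.0.5": 1, "192.0.2.10": 14, "198.51.100.7": 10}), port_filter_core]
    p1 = Features("10.0.0.5", "192.0.2.10", 40000, 80, 63, 1)    # known flow, exact entry
    p2 = Features("192.0.2.10", "10.0.0.5", 80, 40000, 50, 2)    # reply, wildcard entry on dst_ip
    p3 = Features("10.0.0.9", "10.0.0.5", 1234, 80, 63, 2)        # internal source on external port
    p4 = Features("198.51.100.7", "10.0.0.5", 5555, 80, 250, 2)   # TTL inconsistent with learned hops
    p5 = Features("203.0.113.3", "10.0.0.8", 6666, 443, 60, 2)    # no entry: first packet of a flow
    table.add_exact(p1, 2)
    table.add_wildcard({"dst_ip": "10.0.0.5"}, 1)
    return packet_management(table, cores, [("p1", p1), ("p2", p2), ("p3", p3), ("p4", p4), ("p5", p5)])


if __name__ == "__main__":
    for pid, decision in run_demo():
        print(pid, "->", decision)
```

Because the lookup and the scan consume the same extracted features, the security verdict never waits on the routing decision, which is the property the paper relies on to claim no added switching latency; in this model the two are simply called one after the other.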
