The flow table overflow attack is simulated using Mininet and POX. Its effect is
analysed with respect to delay and bandwidth.
Illegitimate hosts start flooding the flow tables of the switches and, as a result,
communication between H6 and H8 is adversely affected.
Fig 1 – High Level Design
OpenFlow Flow Table:
Whenever there is a miss in the flow table, the switch asks the controller for
information by sending a Packet-In message. It comprises either the entire packet (by
mentioning the Buffer ID) or part of a packet. The controller then replies with a
Packet-Out message, which is an entry in the flow table.
iii) Statistics:
Number of times the rule is used
Fig 2 – How a flow table gets its rules
Timeout of a Flow Entry:
Idle Timeout:
Hard Timeout:
The flow entry gets automatically flushed out after a given number
of seconds (n), irrespective of its usage.
Consequences of Flooding:
Every switch has a limited number of flow table entries. If flooding occurs,
new rules cannot be installed (Denial of Service), which results in packet loss.
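The table-full condition described above can be modelled without a network. The following Python model is an added example, not code from the original report: the capacity of 100 matches the limit reported in the experiment on this page, while the 10 s idle and 30 s hard timeouts, the constructed workload and the per-port quota (a hypothetical mitigation) are assumptions.

```python
from collections import Counter

class FlowTable:
    """Bounded flow table with idle/hard timeouts and an optional per-port quota."""
    def __init__(self, capacity=100, idle=10, hard=30, port_quota=None):
        self.capacity, self.idle, self.hard = capacity, idle, hard
        self.port_quota = port_quota   # hypothetical mitigation, not from the page
        self.entries = {}              # match -> [ingress_port, installed_at, last_used]

    def expire(self, now):
        # Idle timeout drops entries unused for `idle` seconds; hard timeout
        # drops entries `hard` seconds after install regardless of use.
        self.entries = {m: e for m, e in self.entries.items()
                        if now - e[2] < self.idle and now - e[1] < self.hard}

    def packet(self, match, port, now):
        """Process one packet; return 'hit', 'installed', 'quota' or 'table_full'."""
        self.expire(now)
        if match in self.entries:
            self.entries[match][2] = now
            return "hit"
        # Table miss: the switch would send a Packet-In and a rule would be installed.
        used_by_port = sum(1 for e in self.entries.values() if e[0] == port)
        if self.port_quota is not None and used_by_port >= self.port_quota:
            return "quota"
        if len(self.entries) >= self.capacity:
            return "table_full"
        self.entries[match] = [port, now, now]
        return "installed"

def run(port_quota=None, new_flows_per_sec=200, seconds=5):
    """Constructed workload: port 1 sends only never-repeating matches,
    port 2 carries one legitimate flow (h6 -> h8) starting at t=1."""
    table = FlowTable(port_quota=port_quota)
    port1, legit = Counter(), []
    for t in range(seconds):
        for i in range(new_flows_per_sec):
            port1[table.packet(("unique", t, i), 1, t)] += 1
        if t >= 1:
            legit.append(table.packet(("h6", "h8"), 2, t))
    return port1, legit

if __name__ == "__main__":
    for quota in (None, 50):
        port1, legit = run(port_quota=quota)
        print(f"quota={quota}: port 1 {dict(port1)}, h6->h8 {legit}")
```

Without a quota the h6 -> h8 rule is refused for as long as the table stays full; with the quota, port 1 is capped at 50 entries and the legitimate rule installs on its first packet.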
Experiment:
Spoofed Packet Generation Logic:
Here 6000 spoofed packets are generated per second. It can be enhanced by
increasing the source and destination ports and decreasing the interval at which
packets are generated.
Flooding Logic:
As a result of flooding, the flow table quickly reaches its limit (100) and
overflows. Because spoofed packets are generated continuously and the switch has no
rule that matches them, the switch forwards each one to the controller, which is kept
occupied all the time (resource attack).
4) ICMP packets are sent from H6 to H8. The first packet takes 21
milliseconds and the remaining packets take 0.0535 milliseconds (average) to
reach the target.
5) Now run the attacker code on the remaining hosts. As a result, the time taken
is multiplied by a huge factor (average time is 12700 milliseconds) and
eventually there is packet loss. This causes a significant reduction in
bandwidth.
Analysis: