
Hands on SDN and BRO

Malware Research Conference 2016


Ian Welch,
School of Engineering and Computer Science
Victoria University of Wellington
11th July 2016
Who am I?

Lecturer at Victoria University of Wellington
Who am I
• Drive-by-download detection & JavaScript deobfuscation (unpacking?)
• Machine learning applied to malware detection
• A new project called “trusting strangers” ...
• Teach cloud computing, programming and a general security course
Motivation
• Not everyone has a big security team.
• Might be one security person/system admin/developer …
• They don't want to be woken at 2am when the IDS goes off.
• Could it be possible to buy some more time to allow later response?
DIY Solution

[Figure: Bro-IDS pipeline: Network Traffic -> Protocol Parsing -> Scripting Language -> Net Control Framework ("Work here!")]

Bro-IDS
• Domain specific programming language
• Event driven programming model
• Built in protocol parsing
• Low level context free events
• Scalable deployment model
• Bro is passive, how implement active response?

• Place it in-line
• Performance costs
• Reliability

• Control channel from IDS to gateway


• Tied to network configuration
• Ad-hoc solution
Netcontrol
• Developed in 2015 by Johanna Amann (Berkeley)
• Generic framework for control channels to a variety of network devices
• Based on traffic observed by Bro
• Simple to use but flexible API, including high-level commands
High-level commands
Dynamically block/allow addresses.
Flow shunt large data transfers (GridFTP).
Quarantine hosts from each other and direct all web requests to a “you have been compromised” site.
Architecture
[Figure: architecture diagram showing port mirroring to Bro and active response back to the switch]

Architecture
[Figure: architecture diagram showing port mirroring]
Current backends
Command line applications
Iptables
Bro packet filter
Openflow
Openflow
• Open Specification for protocol between control and forwarding layers of a software defined network
• Allows Software to insert rules into switch flow tables
• Match (and change) characteristics like
  • IPv4/6 addresses, ports, etc.
  • Vlans
Netcontrol & Openflow
Problems
Can we use current system out of the box?

#1 Ryu simple switch is too simple:
• Layer 2 learning
• Not tested operationally

#2 Quarantine is too heavy handed:
• Stops any communication.
• Obvious to the attacker.
Problem #1: Use Faucet
• Layer 2 switching with vlans, ACLs, port mirroring, static routing
• Small enterprise, focus on easy deployability
• Focus on testability (unit tests)
• Deployed by ONF Menlo Park, REANNZ and VUW
#1 Hardware Support
• Open vSwitch v2.1+ - Open source available at http://www.OpenVSwitch.Org
• Lagopus OpenFlow Switch - Open source available at https://lagopus.github.io/
• Allied Telesis x510 and x930 series
• NoviFlow 1248
• Northbound Networks Zodiac FX
• Aruba 3810
Waikato, REANNZ, ONF, Anarchkiwi and VUW
#1 Solution
• Faucet has a different table structure
• Implement an OpenFlow module aware of that structure
• Integrate port mirroring into Faucet (redefine at runtime to redirect flows)

[Figure: Faucet table pipeline: VLAN, ACL, ETH SRC, ETH DST, FLOOD]
#2 Enhanced NetControl
• Quarantine is black and white.
• What if we want to capture malware traffic?
• What if the detection is behaviour based and might be a false positive?
• Allow the device to keep functioning but limit outgoing traffic while storing it for later analysis?
#2 Solution
• Extend NetControl functions.
• Add observe and delay functions.
• Implement observe by mirroring to storage.
• Delay implemented using QoS support in switches (maybe?).
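As an added example (not Bro's NetControl code, nor Faucet's), here is how the commands from the "High-level commands" slide and the proposed "observe" function could be lowered to OpenFlow-style match/action entries of the kind the Openflow slide describes. The switch port numbers, priorities, the default mirror-to-IDS rule and the `select` lookup are assumptions made for the illustration.

```python
# Added example (not Bro's, NetControl's or Faucet's code): lowering the
# NetControl high-level commands and the proposed "observe" function to
# OpenFlow-style match/action entries. Port layout and priorities are assumed.
UPLINK, IDS_PORT, STORAGE_PORT = 1, 5, 6   # assumed switch port numbers

def entry(match, actions, priority, idle=0, hard=0):
    """One flow entry: absent match fields are wildcards, an empty action
    list means drop, timeouts are seconds with 0 = never expire."""
    return {"match": match, "actions": tuple(actions), "priority": priority,
            "idle_timeout": idle, "hard_timeout": hard}

def baseline():
    """Default rule: forward everything and mirror a copy to the Bro sensor."""
    return [entry({}, [UPLINK, IDS_PORT], priority=0)]

def drop_address(host, seconds):
    """Dynamically block a host in both directions (expires via hard timeout)."""
    return [entry({"ip_src": host}, [], 200, hard=seconds),
            entry({"ip_dst": host}, [], 200, hard=seconds)]

def shunt_flow(src, sport, dst, dport, idle):
    """Shunt one large transfer (e.g. GridFTP): still forwarded, but no longer
    copied to the IDS; the entry ages out once the flow goes idle."""
    match = {"ip_proto": 6, "ip_src": src, "tcp_sport": sport,
             "ip_dst": dst, "tcp_dport": dport}
    return [entry(match, [UPLINK], 300, idle=idle)]

def quarantine_host(infected, dns_server, quarantine_web, seconds):
    """Quarantine: allow DNS to one resolver, rewrite web requests to the
    'you have been compromised' site, drop everything else from the host."""
    return [entry({"ip_src": infected, "ip_proto": 17, "udp_dport": 53,
                   "ip_dst": dns_server}, [UPLINK], 250, hard=seconds),
            entry({"ip_src": infected, "ip_proto": 6, "tcp_dport": 80},
                  [("set_ip_dst", quarantine_web), UPLINK], 250, hard=seconds),
            entry({"ip_src": infected}, [], 200, hard=seconds)]

def observe_host(host, seconds):
    """Proposed 'observe': the host keeps working, but its outgoing traffic is
    also copied to a storage port for later analysis."""
    return [entry({"ip_src": host}, [UPLINK, IDS_PORT, STORAGE_PORT], 100,
                  hard=seconds)]

def select(entries, pkt):
    """Which entry a switch would apply: all match fields equal the packet's
    header fields, highest priority wins (None would be a table miss)."""
    hits = [e for e in entries
            if all(pkt.get(k) == v for k, v in e["match"].items())]
    return max(hits, key=lambda e: e["priority"]) if hits else None
```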
Where from here?
• We have a roadmap established.
• Port mirroring implemented (June).
• Aim to have integration with Faucet complete by end of December.
• Will be eating own dog food throughout as my own office runs off Faucet.
Links
https://sdn-vuw.blogspot.com.nz/

https://github.com/REANNZ/faucet
Example Table

Switch Port | MAC src  | MAC dst  | Eth type | VLAN ID | IP Src  | IP Dst  | IP Prot | TCP sport | TCP dport | Action
*           | *        | 00:1f:.. | *        | *       | *       | *       | *       | *         | *         | port6
port3       | 00:20..  | 00:1f..  | 0800     | vlan1   | 1.2.3.4 | 5.6.7.8 | 4       | 17264     | 80        | port6
*           | *        | *        | *        | *       | *       | *       | *       | *         | 22        | drop

More exact matches have priority.

Table miss sends packet to controller over secure TLS connection.

Table entries have idle and hard timeouts: 0-65,535 seconds (0 = no timeouts).
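The table above, modelled as an added example (not code from the talk or from any switch): wildcard matching, priority for the most exact match, idle and hard timeouts, and the table-miss path to the controller. The full MAC addresses are constructed stand-ins for the slide's abbreviated "00:1f:..", and the 30 second idle timeout on the second row is an assumption.

```python
# Added example (not code from the talk or any switch): a model of the flow
# table on the "Example Table" slide showing wildcard matching, priority for
# the most exact match, idle/hard timeouts and table miss to the controller.
# The full MAC addresses are constructed stand-ins for the slide's "00:1f:..".
WILDCARD = "*"
FIELDS = ("in_port", "mac_src", "mac_dst", "eth_type", "vlan", "ip_src",
          "ip_dst", "ip_proto", "tcp_sport", "tcp_dport")

class FlowEntry:
    def __init__(self, values, action, idle_timeout=0, hard_timeout=0, now=0):
        self.match = dict(zip(FIELDS, values))  # a value or "*" per field
        self.action = action
        self.idle_timeout, self.hard_timeout = idle_timeout, hard_timeout  # 0 = none
        self.installed = self.last_used = now
        self.packets = 0

    def matches(self, pkt):
        return all(v == WILDCARD or pkt.get(f) == v for f, v in self.match.items())

    def exactness(self):
        """More exact matches (fewer wildcards) have priority."""
        return sum(v != WILDCARD for v in self.match.values())

    def expired(self, now):
        return ((self.hard_timeout and now - self.installed >= self.hard_timeout)
                or (self.idle_timeout and now - self.last_used >= self.idle_timeout))

class FlowTable:
    def __init__(self):
        self.entries, self.to_controller = [], []

    def lookup(self, pkt, now):
        self.entries = [e for e in self.entries if not e.expired(now)]  # age out
        hits = [e for e in self.entries if e.matches(pkt)]
        if not hits:  # table miss: packet goes to the controller (TLS channel)
            self.to_controller.append(pkt)
            return "controller"
        best = max(hits, key=FlowEntry.exactness)  # ties: earliest installed
        best.last_used, best.packets = now, best.packets + 1
        return best.action

def slide_table(now=0):
    """The three rows of the slide; row 2 gets an assumed 30 s idle timeout."""
    t = FlowTable()
    t.entries.append(FlowEntry(("*", "*", "00:1f:00:00:00:01") + ("*",) * 7, "port6", now=now))
    t.entries.append(FlowEntry(("port3", "00:20:00:00:00:02", "00:1f:00:00:00:01", "0800",
                                "vlan1", "1.2.3.4", "5.6.7.8", 4, 17264, 80),
                               "port6", idle_timeout=30, now=now))
    t.entries.append(FlowEntry(("*",) * 9 + (22,), "drop", now=now))
    return t
```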


OpenFlow Switch
Performs packet lookup and forwarding

[Figure: flow table with entries Flow 1 .. Flow N (default); each entry has a Rule (exact & wildcard), an Action and Statistics]

Figures from Chao HC & Y. Liang with permissions.


Flow Entry (OF 1.x)
• A flow entry consists of
  – Match fields
    • Match against packets
  – Action
    • Modify the action set or pipeline processing
  – Stats
    • Update the matching packets
      1. Packet counters
      2. Byte counters

[Figure: Match Fields | Action | Stats; match fields are In Port, Src MAC, Dst MAC, Eth Type, Vlan Id (Layer 2), IP Tos, IP Proto, IP Src, IP Dst (Layer 3), TCP Src Port, TCP Dst Port (Layer 4)]

Actions:
1. Forward packet to port(s)
2. Encapsulate and forward to controller
3. Drop packet
4. Send to normal processing pipeline
5. Modify MAC and IP addresses

Figures from Chao HC & Y. Liang with permissions.
Traditional network node: Router
Changing protocols is hard, monolithic implementation, vendor specific protocols

[Figure: adjacent routers exchanging OSPF; each router has a Management/Policy plane (Configuration / CLI / GUI), a Control plane (Routing: OSPF, static routes, link state database, neighbor table, IP routing table) and a Data plane (Switching: forwarding table)]

Shamelessly copied from ONF©, J Rexford and Chao HC with permissions.
Software Defined Networking

Applications deal with abstract logically centralised network view
Decides where packets should be forwarded
Data plane does forwarding and metering

Figure from ONF White Paper: Software Defined Networking – The New Norm for Networks (2011)
