Alexandre Passito

Lightweight DDoS flooding attack detection using NOX/OpenFlow

Distributed denial-of-service (DDoS) attacks became one of the main Internet security problems over the last decade, threatening public web servers in particular. Although the DDoS mechanism is widely understood, its detection is a very hard task because of the similarities between normal traffic and useless packets, sent by compromised hosts to their victims. This work presents a lightweight method for DDoS attack detection based on traffic flow features, in which the extraction of such information is made with a very low overhead compared to traditional approaches. This is possible due to the use of the NOX platform which provides a programmatic interface to facilitate the handling of switch information. Other major contributions include the high rate of detection and very low rate of false alarms obtained by flow analysis using Self Organizing Maps.

A replication component for resilient OpenFlow-based networking

Software-Defined Networking (SDN) provides a new paradigm for developing innovative management applications for networks and a new way to look for the resolution to the many problems which exist throughout the Internet today. The most popular approach to this paradigm is centralized network management. This approach aims to simplify the complex and difficult task of managing the services of a network. One of the problems raised by the centralized management approach is that the issue of a single point of failure can negatively compromise resilience of the whole network. The aim of this paper is to describe a novel mechanism that provides an increase of resilience in SDN using a component organization. In the SDN architecture, components run independently on top of the network OS, receiving updates from the network or updates generated from other components. Through the handling of these multiple types of updates, we have successfully developed a new component: the CPRecovery component. The CPRecovery component is based on the primary-backup mechanism which offers resilience against several types of failures in a centralized controlled network. Our results show that the building of such service for networks using SDN is straightforward, much less complex, and less prone to errors. Furthermore, it is possible to build management applications resilient to diverse types of failures using component organization approach.

An inter-AS routing component for software-defined networks

Network management is a challenging problem of wide impact with many enterprises suffering significant monetary losses, that can be of millions per hour, due to network issues, as downtime cost. The Software Defined Networks (SDN) approach is a new paradigm that enables the management of networks with low cost and complexity. The SDN architecture consists of a control plane, a forwarding plane and a protocol that enables communication with both planes. The control plane is composed by an Operating System and applications that run on top of it. The forwarding plane contains the switches, routers, and other network equipment. Nowadays, inter-domain routing system presents some critical problems, mainly due to its fully distributed model. Recent research has showed that it would be beneficial to apply the SDN approach to address some of those problems. But it became necessary to build a new mechanism to allow inter-domain routing using SDN. The aim of this paper is to present an inter-domain routing solution using a NOX-OpenFlow architecture, based on some characteristics of the today largely used inter-domain protocol, keeping the SDN architectural principles. Although NOX-OpenFlow was originally created for routing only in enterprise networks, we propose routing beyond those, lifting this undesirable restriction of the original architecture. Our tests show that the built of this kind of application provides a much less complex, less prone to errors, and scalable solution.

Synchronizing web browsing data with Browserver

People spend a lot of time navigating on the web. When moving from one computer device to another, it would be useful to have access to the navigation data produced in the previous web session. In this article, a synchronization service of navigation data, called Browserver, is presented. It is responsible for keeping user navigation information (tabs, history, forms, cookies, etc.) so that it can be recovered from any device connected to the Internet. Finally, Browserver performance is compared to a similar service, according to hardware and network consumption metrics.

Can I add a secure VoIP call

Voice over IP is a major trend in applications for wireless networks, but even so it is not immune to the risks usually related with IP networks. Proposed solutions for VoIP security are already in the market, but these solutions must take into account the real-time constraint of voice service and their mechanisms should address possible attacks and overhead associated with it. One of these solutions is to use IETF IPSec to guarantee confidentiality in order to address security design holes of wireless VoIP networks. This article performs an experimental comparison of the impact of encryption mechanisms on voice speech quality in widely deployed wireless technologies: 802.11 and Bluetooth. Evaluates the upper bound on number of simultaneous VoIP calls which can be placed in a single cell of both networks when security is applied and uses the computational model E-Model to assess quantitatively the quality of service

Innovating on Interdomain Routing with an Inter-SDN Component

The Internets interdomain routing architecture has undergone only minor changes since its inception. It presents issues difficult to solve such as the difficulty in deploying new features, understanding its behavior and dynamics, identification and faults correction. Efforts have been made to address these issues but implementation of new applications onto the Internet architecture is a hard task due to the need to deploy directly to routers, a task that is compounded by the requirement of global acceptance of new protocols and modifications. This work presents the Inter-SDN component, a novel mechanism to provide interdomain routing using the Software-Defined Networking (SDN) approach. We discuss the main issues of current interdomain routing, describe the Inter-SDN component, its behavior and experimental evaluation. We also demonstrate that building interdomain mechanisms through the SDN approach is not complex, and discuss how our solution takes advantage of the SDN features to address issues on interdomain routing.

Resilience of SDNs based On active and passive replication mechanisms

Software-Defined Networking is a new paradigm that allows the development of innovative network management applications and provides a new way to look for the resolution of problems which exist throughout the Internet today. In order to simplify the task of managing the network most of SDN architectures uses a centralized network management approach. However, such approach raises, among other problems, the issue of a single point of failure, that can compromise the proper functioning of the network. A proven method to achieve a higher level of network resilience is to use a replication technique. The aim of this work is to investigate: (1) how different replication techniques relate to each other, (2) how each one performs on the task of providing resilience to a SDN, and (3) which technique is the most suitable for different scenarios. Replication techniques are mainly classified in two types: passive and active replication. In the case of passive replication, the client connects with only one controller that processes the requests and updates the other controllers. In active replication, the client connects with multiple controllers that process the request. Our results show that replication is a suitable way to increase resilience in a SDN and to build these services for networks using SDN is straightforward and much less complex.

AgNOS: A Framework for Autonomous Control of Software-Defined Networks

Software-defined networks (SDN), an emergent paradigm for network management, define abstractions to represent network entities and logically centralize them in a network controller. We argue that SDNs abstraction is the most promising way to successfully create agent-based architectures to control and manage large-scale parts of the Internet. This article makes a strong case for these architectures by introducing a framework that integrates autonomous networks and SDN. First, we define autonomous SDN by complementary features of agent frameworks and those of SDN. Then we describe our agent approach, called AgNOS, which builds cooperative SDNs that extend their domains beyond enterprise networks. Finally, as a proof-of-concept, we present a case study on an important open issue of the Internet: mitigation of DDoS attacks when thousands of attackers perform malicious packet flooding and SDN domains must cooperate to cope with packet filtering at the source.

Analysis of the secure RTP protocol on voice over wireless networks using extended MedQoS

This paper presents an empirical investigation of the impact of Secure RTP (SRTP) on VoIP calls over wireless networks: 802.11 and Bluetooth. For the purpose of evaluating this impact we developed an analysis tool based on E-Model and security aspects of SRTP which attempts to determine the balance of quality of service versus security. The results demonstrate that the impact of SRTP to VoIP should not be disregarded. MOS scores of secure calls computed from E-Model pointed out an undesirable level of quality of service on single calls using wireless channels. This quality degradation also leads to the reduction of channel capacity to offer simultaneous calls. The developed analysis tool indicated three important factors to this degradation: time to encrypt, time to authenticate and time to form a cryptographic context for each SRTP packet sent and received.

Management of VoWLAN security parameters using a QoS tool

Voice over IP is becoming an important application for wireless networks based in the IEEE 802.11 standard, but many problems must be addressed for the success of this combination, such as providing high number of connections with acceptable speech quality and minimal level of security. This paper presents the results related with a QoS evaluation tool implementation and its utilization in a VoWLAN environment in order to evaluate the performance of the VoIP system with the IPSec used to guarantee confidentiality. In addition, we demonstrate how this QoS tool can be deployed inside the network operation to assist network nodes on selecting more accurate IPSec parameters to reduce the security impact on the real-time traffic