English abstract
Every day, more devices with network capabilities are added to existing networks. This makes networks larger and more susceptible to attack, and at the same time demands a robust and dynamic configuration approach. One way to alleviate the control and management problems of such large networks is to consolidate control in a centralized device, as Software-Defined Networking (SDN) does. However, centralizing management and decision-making requires many aspects to be taken into consideration, prominently security. One security aspect of particular interest to us is protecting SDN networks from DHCP attacks, whose impact does not stop at the DHCP service but extends to the switching devices and the SDN controller.
The main objective of this thesis is to develop and evaluate a comprehensive approach for detecting and mitigating different DHCP attacks in SDN networks. This is achieved by conducting the first detailed study and classification of the DHCP attacks that target the DHCP service in networks. Building on this, the thesis introduces a novel approach to detect and mitigate these attacks. The proposed multi-stage detection approach uses several mechanisms to detect DHCP attacks: matching against signatures, analysing behavior, and validating against historical data or configured parameters.
The proposed approach was evaluated through emulation against thirteen DHCP attacks launched by nine different attack tools in an SDN network. The results showed that the approach was highly effective in detecting and mitigating the DHCP attacks against three different DHCP service implementations. Moreover, the approach was able to detect and mitigate DHCP attacks from the first packet, stopping the most damaging attack within the first half minute and the other attacks in much less time. In addition to dropping attack traffic, a multi-step mechanism was proposed to heal the controller and the DHCP service by removing spoofed hosts from the ONOS host database, releasing IP addresses leased by the attack, and reassigning IP addresses released by the attack to their original clients.
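The three detection stages named above (signature, behavior, validation against configured parameters and learned history) and the lease-release healing step can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not the thesis's implementation and does not touch ONOS. The switch port names, the DHCP server address, the signature ("HYPOTHETICAL-TOOL" as a vendor-class value), the rate threshold and the event stream are all constructed for the example.

```python
"""Added example: a three-stage DHCP attack detector over constructed events.
Illustrative only; not the thesis's code and not tied to any controller API."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class DhcpEvent:
    """One DHCP message as the controller would see it (constructed, not captured)."""
    t: float                 # arrival time in seconds
    port: str                # ingress switch port, e.g. "s1:2" (hypothetical naming)
    src_mac: str             # Ethernet source address
    chaddr: str              # DHCP client hardware address field
    msg_type: str            # DISCOVER, OFFER, REQUEST, ACK or RELEASE
    ip: str = ""             # yiaddr on OFFER/ACK, ciaddr on RELEASE
    server_id: str = ""      # DHCP server identifier (option 54) on OFFER/ACK
    options: dict = field(default_factory=dict)   # other options, keyed by name


class DhcpDetector:
    def __init__(self, trusted_servers, trusted_ports, signatures,
                 discover_limit=3, window=1.0):
        self.trusted_servers = set(trusted_servers)   # configured parameter
        self.trusted_ports = set(trusted_ports)       # configured parameter
        self.signatures = signatures                  # {name: {option: value}}
        self.discover_limit = discover_limit          # DISCOVERs allowed per window
        self.window = window
        self.discovers = defaultdict(deque)           # port -> DISCOVER arrival times
        self.port_macs = defaultdict(set)             # port -> chaddrs seen there
        self.leases = {}                              # ip -> chaddr, learned from ACKs
        self.blocked_ports = set()
        self.attacker_macs = set()

    def inspect(self, ev):
        """Run the three stages on one event; return a list of (stage, reason)."""
        if ev.port in self.blocked_ports:              # mitigation already applied
            return [("mitigation", f"dropped {ev.msg_type} on blocked port {ev.port}")]
        alerts = []
        self.port_macs[ev.port].add(ev.chaddr)
        # Stage 1: signature, an exact match on option values known for a tool.
        for name, sig in self.signatures.items():
            if all(ev.options.get(k) == v for k, v in sig.items()):
                alerts.append(("signature", f"{ev.msg_type} on {ev.port} matches {name}"))
        # Stage 2: behavior, DISCOVER rate per ingress port (starvation).
        if ev.msg_type == "DISCOVER":
            q = self.discovers[ev.port]
            q.append(ev.t)
            while ev.t - q[0] > self.window:           # slide the window
                q.popleft()
            if len(q) > self.discover_limit:
                alerts.append(("behavior", f"{len(q)} DISCOVERs within {self.window}s on {ev.port}"))
                self.attacker_macs |= self.port_macs[ev.port]
        # Stage 3: validation against configured parameters and learned history.
        if ev.msg_type in ("OFFER", "ACK"):
            if ev.server_id not in self.trusted_servers or ev.port not in self.trusted_ports:
                alerts.append(("validation", f"{ev.msg_type} from unauthorised server {ev.server_id} on {ev.port}"))
            elif ev.msg_type == "ACK":
                self.leases[ev.ip] = ev.chaddr          # remember who holds the address
        elif ev.msg_type == "RELEASE":
            owner = self.leases.get(ev.ip)
            if owner is not None and owner != ev.chaddr:
                alerts.append(("validation", f"RELEASE of {ev.ip} by {ev.chaddr}, leased to {owner}"))
        if ev.msg_type in ("DISCOVER", "REQUEST", "RELEASE") and ev.chaddr != ev.src_mac:
            alerts.append(("validation", f"chaddr {ev.chaddr} differs from source MAC {ev.src_mac}"))
        if alerts and ev.port not in self.trusted_ports:
            self.blocked_ports.add(ev.port)             # mitigation: drop that port's DHCP traffic
        return alerts

    def leases_to_release(self):
        """Healing step: addresses currently held by hosts that took part in an attack."""
        return sorted(ip for ip, mac in self.leases.items() if mac in self.attacker_macs)


def sample_events():
    """Constructed stream: a legitimate exchange, a rogue server, a starvation burst,
    a RELEASE for someone else's lease and a signature hit. Not captured traffic."""
    srv, a = "00:00:00:00:00:01", "aa:aa:aa:aa:aa:01"
    ev = [
        DhcpEvent(0.0, "s1:2", a, a, "DISCOVER"),
        DhcpEvent(0.1, "s1:1", srv, a, "OFFER", ip="10.0.0.10", server_id="10.0.0.1"),
        DhcpEvent(0.2, "s1:2", a, a, "REQUEST"),
        DhcpEvent(0.3, "s1:1", srv, a, "ACK", ip="10.0.0.10", server_id="10.0.0.1"),
        # rogue server answering on an access port with an unknown server identifier
        DhcpEvent(0.5, "s1:3", "bb:bb:bb:bb:bb:01", a, "OFFER", ip="10.0.0.50", server_id="192.168.9.9"),
        DhcpEvent(0.6, "s1:3", "bb:bb:bb:bb:bb:01", a, "ACK", ip="10.0.0.50", server_id="192.168.9.9"),
    ]
    # starvation: four DISCOVERs with fresh MACs inside one second; the first one gets a lease
    for i in range(1, 5):
        mac = f"cc:cc:cc:cc:cc:0{i}"
        ev.append(DhcpEvent(1.0 + 0.1 * i, "s1:4", mac, mac, "DISCOVER"))
    ev.append(DhcpEvent(1.15, "s1:1", srv, "cc:cc:cc:cc:cc:01", "ACK", ip="10.0.0.11", server_id="10.0.0.1"))
    ev.append(DhcpEvent(2.0, "s1:5", "dd:dd:dd:dd:dd:01", "dd:dd:dd:dd:dd:01", "RELEASE", ip="10.0.0.10"))
    ev.append(DhcpEvent(2.5, "s1:6", "ee:ee:ee:ee:ee:01", "ee:ee:ee:ee:ee:01", "DISCOVER",
                        options={"vendor_class": "HYPOTHETICAL-TOOL"}))
    return sorted(ev, key=lambda e: e.t)


def demo():
    """Feed the constructed stream through the detector; return (alerts, detector)."""
    det = DhcpDetector(trusted_servers={"10.0.0.1"}, trusted_ports={"s1:1"},
                       signatures={"hypothetical-tool": {"vendor_class": "HYPOTHETICAL-TOOL"}})
    alerts = [(ev.t, stage, why) for ev in sample_events() for stage, why in det.inspect(ev)]
    return alerts, det


if __name__ == "__main__":
    alerts, det = demo()
    for t, stage, why in alerts:
        print(f"t={t:.2f} [{stage}] {why}")
    print("blocked ports:", sorted(det.blocked_ports))
    print("leases to release:", det.leases_to_release())
```

The rogue OFFER is caught by validation against the configured server list, the starvation burst by the per-port DISCOVER rate, the foreign RELEASE by the lease history learned from earlier ACKs, and the last DISCOVER by the signature match; every offending access port is then blocked, and the address the starvation attacker had already obtained is listed for release. A real deployment would also need to confirm the Ethernet source against the chaddr only on access ports (relay agents legitimately differ), which is why the check here is limited to client-originated message types.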