This post describes PoC made by Dimension Data in their VCCAP (Virtualized Carrier Core Application Platform) platform.
DDoS attacks are ever growing threat to all connectivity dependent businesses. There are several approaches to protect against DDoS attacks, where the most cost efficient one is the out-of-path strategy to detect and mitigate the attacks. Such a solution consists of Flowmon DDoS Defender for out-of-path DDoS attack detection based on flow data and traffic rerouting for a mitigation in 3rd party solutions from vendors like Radware, F5 or A10 and potentially others. So far we are talking about hardware appliances and physical environment. However, the trend is to transition to SDN / NFV virtual environments and such environments does not usually provide with out of the box DDoS detection and mitigation capabilities. So let’s have a look on DDoS attack protection in SDN environment using Juniper Contrail Networking as a logical network overlay.
DDoS Protection in Contrail Networking
The absence of NetFlow generation and built-in mitigation capabilities in Contrail were overcome by Dimension Data ingenuity and ability of Flowmon DDoS Defender to trigger a script to start the attack mitigation in 3rd party solution.
Attack Detection
Each compute node in Contrail networking contains an instance of a virtual router that routes the traffic to and from VM instances. For each communication, virtual router collects the same 5-tuple statistics we know from traditional flow data (eg. NetFlow). However, these statistics are exported only in Sandesh protocol into the analytics node and then they are stored in Cassandra database. To overcome absence of out-of-the-box NetFlow exporting capabilities, Dimension Data engineers created Python script which that queries Contrail REST APIs, packages the statistics from database into NetFlow v5 and sends it to the Flowmon Collector with DDoS Defender module for processing and DDoS attack detection.
Attack Mitigation
Flowmon DDoS Defender provides multiple ways for traffic redirection and attack mitigation like BGP or ACLs, which can be used in physical environments. For example enter ACL configuration into the router or mitigate the attack using BGP Flowspec. ACL configuration in Contrail virtual networking is done using web GUI or REST API. So, to dynamically create ACL rules in Contrail, Dimension Data engineers created script which is triggered in Flowmon DDoS Defender upon attack detection and provides all necessary information about the attacked IPs, baselines and other attack characteristics. The script locates related virtual network using attacked IP address, creates an ACL rule in JSON representation that the Contrail API is capable to process and thus attack traffic is mitigated. After the attack ends, the script is triggered to clean up all previous configuration changes.
Described procedures make DDoS protection for Contrail networking with the same quality of detection and mitigation as in a physical environment. This PoC was performed in Dimension Data VCCAP utilizing Ixia load test tools for DDoS traffic generation.
Fig. 1: Solution architecture.
To have more granular attack mitigation, the network traffic can be redirected by Flowmon DDoS Defender to in-line scrubbing center. Dimension Data used the A10 Thunder TPS for mitigation which integrates with Flowmon DDoS Defender over a REST API. Engaging A10 Thunder TPS provides more granular attack mitigation including application layer attacks.
About Dimension Data
Dimension Data is a global leader in the provision and management of specialist IT infrastructure solutions and services. Dimension Data Germany is gold partner of Flowmon Networks.
Dimension Data VCCAP
The “Virtualized Carrier Core Application Platform” is a platform for PoC testing, R&D and demonstration purposes for early adopters of SDN and NFV technologies.
For more information contact eu.vccap@dimensiondata.com.