Denial-of-Service (DoS) Attacks in an SDN Environment
Contents
Experiment Task Design
Submission
Start the Experiment
Conduct the Experiment
Section 1.1: Installing Dependencies
Section 1.2: Installing Mininet
Section 1.3: Installing Hping3
Section 2: Running Floodlight
Conclusions
Experiment Task Design:
In this lab, students are able to launch a DoS attack on the SDN data plane and explain
the attack consequences. This lab provides step-by-step instructions to assist students in
setting up the profile, creating the experimental topology and conducting the DoS attack in the
data plane of SDN.
Submission:
Students should submit screenshots of step 1 and step 2 and explain each screenshot in
a paragraph.
Start the Experiment
Click the “Experiments” button in the upper-left corner and choose “Start Experiment”.
Click “Change Profile” to select a proper profile for this experiment.
On the page, search for the profile “DoSServer” and click its name to select it. Then click
“Select Profile”.
Proceed by clicking “Next”. Before finalizing the configuration, choose a cluster, e.g.
“Emulab”.
Below is the configuration of the profile for your reference. You may also be able to
create your own profile by following the instructions in Lab 1.
Conduct the Experiment
Section 1.1: Installing Dependencies
The following dependencies need to be installed on the instantiated node: Floodlight,
Mininet, Hping
Mininet
[Link] mininet
Floodlight
[Link] with its pre-requisites
hping3
(Note) These installations will not be saved once the Cloudlab experiment has been terminated.
Cloudlab allows users to request additional leasing time through the ‘Extend’ button.
1) Open a new terminal. Click the icon and choose “Shell”
2) Run ‘sudo apt-get update’
3) Run ‘sudo apt-get install default-jdk -y; sudo apt-get install default-jre -y’ to install java.
4) Run ‘sudo apt-get install build-essential maven ant python-dev’ to install the
pre-requisites needed to build Floodlight
5) Run ‘git clone git://[Link]/floodlight/[Link] -b v1.2’ to clone Floodlight from
Github
6) cd into the floodlight directory ‘cd floodlight’
7) Run ‘git submodule update’
8) Run ‘ant’ to build Floodlight.
9) Run ‘sudo mkdir /var/lib/floodlight’
10) Run ‘sudo chmod 777 /var/lib/floodlight’ to grant all users read, write and execute
permission on this directory so that Floodlight can run properly
Note: You can download and run our script (set_floodlight.sh) to execute the above commands
automatically.
Run ‘wget [Link] .’ to download the
script.
Run ‘sudo /bin/sh set_floodlight.sh; cd floodlight’ to build Floodlight.
Section 1.2: Installing Mininet
1) Change directory to your home directory by running ‘cd ~’
2) Run ‘git clone git://[Link]/mininet/mininet’ to clone Mininet from Github
3) After cloning Mininet, cd into the Mininet directory
4) Run ‘git tag’ to list the available tagged versions of Mininet
5) Run ‘git checkout -b 2.2.1 2.2.1’ to check out Mininet version 2.2.1
6) cd out of the Mininet directory and install Mininet by running ‘mininet/util/[Link] -a’.
Choose “Yes” if an option is prompted.
Note: You can download and run our script (set_mininet.sh) to execute the above commands
automatically.
Run ‘wget [Link] .’ to download the script.
Run ‘sudo /bin/sh set_mininet.sh’ to install Mininet.
Section 1.3: Installing Hping3
1) Run ‘sudo apt-get install hping3’ to install Hping3
Section 2: Running Floodlight
1) Open a new terminal
2) cd into the floodlight directory.
3) Run ‘java -jar target/[Link]’ to run the Floodlight Controller
4) Open another new terminal
5) Run ‘sudo mn --controller=remote,ip=[Link],port=6653 --switch ovsk,protocols=OpenFlow13’
to run a Mininet topology
Note: The command in step 5 has the following effects:
- 2 hosts are created by default
- The 2 hosts will be connected via an OVS bridge (switch)
- The OVS bridge will be connected to the controller at the specified IP address
([Link])
6) Run ‘pingall’ to confirm that the hosts can reach each other
7) Open a new terminal
8) Run ‘sudo ovs-ofctl dump-flows s1 -O OpenFlow13’ to print the current flow-rules inside
the switch
Task 1: What can be seen after running this command? Take a screenshot. You will need this
screenshot to compare against the outputs of later steps.
9) On the Mininet terminal, run ‘h1 hping3 h2 -c 10000 -S --flood --rand-source -V’ to flood
h2 with packets.
Each packet that matches no existing flow entry (here every packet, since hping3 randomizes
the source address) causes the switch to send an OFPT_PACKET_IN message, which forwards the
first incoming packet to the controller. After receiving the packet-in message, the controller
sends an OFPT_FLOW_MOD message to the switch to install a new flow rule.
10) On a separate terminal, check the flow entries in switch S1.
Task 2: What can be observed in the flow table now that hping3 is running? Are there any
noticeable differences in the output?
11) On the Mininet terminal, stop hping3 by pressing Ctrl + C.
12) Ping h1 from h2. What can be observed here?
13) Wait 2 – 3 minutes and repeat the previous step
14) On an empty terminal, check the flow-table rules of OVS Switch S1
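The flow-table comparison made in steps 8, 10 and 14 can be automated. The script below is an added example, not part of the original lab material: it parses text in the style of the ‘ovs-ofctl dump-flows’ output and reports destinations reached by many single-packet flow entries with distinct sources. The sample dump, the addresses in it and the names parse_flows, summarize and min_sources are constructed for illustration.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"(\w+)=([^,\s]+)")

def constructed_dump(n_flood):
    """Build constructed text in the style of 'ovs-ofctl dump-flows s1 -O OpenFlow13'."""
    lines = [
        "OFPST_FLOW reply (OF1.3) (xid=0x2):",
        " cookie=0x0, duration=310.2s, table=0, n_packets=42, n_bytes=3108, "
        "priority=0 actions=CONTROLLER:65535",
        " cookie=0x1, duration=20.0s, table=0, n_packets=18, n_bytes=1764, idle_timeout=5, "
        "priority=1,icmp,in_port=2,nw_src=10.0.0.2,nw_dst=10.0.0.1 actions=output:1",
    ]
    for i in range(n_flood):  # one single-packet entry per constructed random source
        lines.append(
            " cookie=0x1, duration=1.5s, table=0, n_packets=1, n_bytes=54, idle_timeout=5, "
            f"priority=1,tcp,in_port=1,nw_src=10.{200 + i // 250}.0.{i % 250 + 1},"
            "nw_dst=10.0.0.2,tp_dst=0 actions=output:2")
    return "\n".join(lines)

def parse_flows(text):
    """Turn each flow line into a dict of its key=value fields plus the action list."""
    flows = []
    for line in text.splitlines():
        if " actions=" not in line:
            continue  # skip the reply header and blank lines
        match_part, _, actions = line.partition(" actions=")
        fields = dict(FIELD.findall(match_part))
        fields["actions"] = actions
        flows.append(fields)
    return flows

def summarize(text, min_sources=50):
    """Count entries and report destinations hit by many one-packet sources."""
    sources = defaultdict(set)
    flows = parse_flows(text)
    for f in flows:
        # Entries that matched a single packet are what a random-source flood leaves behind.
        if "nw_src" in f and int(f.get("n_packets", 0)) <= 1:
            sources[f.get("nw_dst")].add(f["nw_src"])
    suspects = {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}
    return {"entries": len(flows), "suspects": suspects}

if __name__ == "__main__":
    print(summarize(constructed_dump(0)))    # baseline, as in step 8
    print(summarize(constructed_dump(300)))  # during the flood, as in step 10
```

To use it on the lab switch, pass the text printed by the command from step 8 to summarize() instead of the constructed dump.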
Conclusions
When the flow table of an OVS switch is full, any additional flow-rule installation will
fail due to insufficient space in the flow table. A switch that cannot install a flow entry will
send an OFPT_ERROR message to the controller with the code OFPFMFC_TABLE_FULL. The switch
then drops the packet, since resource exhaustion leaves it unable to install the flow entry
that would tell it how to handle the packet. This is a DoS attack in the data plane of SDN.
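The table-full condition can be recognized on the controller side by decoding the error message itself. The parser below is an added example, not part of the original lab material or of Floodlight: it walks a byte stream of OpenFlow 1.3 messages and counts OFPT_ERROR messages whose type is OFPET_FLOW_MOD_FAILED and whose code is OFPFMFC_TABLE_FULL. The numeric constants follow the OpenFlow 1.3 specification; the function names and the sample byte stream are constructed for illustration.

```python
import struct

OFP_VERSION_13 = 0x04        # wire version of OpenFlow 1.3
OFPT_ERROR = 1               # message type
OFPT_ECHO_REQUEST = 2
OFPET_FLOW_MOD_FAILED = 5    # error type
OFPFMFC_TABLE_FULL = 1       # error code within OFPET_FLOW_MOD_FAILED

def build(msg_type, xid, body=b""):
    """Constructed-sample helper: 8-byte OpenFlow header followed by the body."""
    return struct.pack("!BBHI", OFP_VERSION_13, msg_type, 8 + len(body), xid) + body

def parse_error(msg):
    """Return (xid, err_type, err_code, data) for an OFPT_ERROR message, else None."""
    if len(msg) < 12:
        return None
    version, msg_type, length, xid = struct.unpack("!BBHI", msg[:8])
    if version != OFP_VERSION_13 or msg_type != OFPT_ERROR:
        return None
    if length < 12 or length > len(msg):
        return None  # header length disagrees with the bytes we actually have
    err_type, err_code = struct.unpack("!HH", msg[8:12])
    return xid, err_type, err_code, msg[12:length]  # data = start of the failed request

def is_table_full(msg):
    parsed = parse_error(msg)
    return parsed is not None and parsed[1:3] == (OFPET_FLOW_MOD_FAILED, OFPFMFC_TABLE_FULL)

def count_table_full(stream):
    """Walk back-to-back OpenFlow messages and count table-full errors."""
    count, offset = 0, 0
    while offset + 8 <= len(stream):
        length = struct.unpack("!H", stream[offset + 2:offset + 4])[0]
        if length < 8 or offset + length > len(stream):
            break  # truncated or malformed framing: stop rather than misparse
        if is_table_full(stream[offset:offset + length]):
            count += 1
        offset += length
    return count

# Constructed stream: table-full error, echo request, a different flow-mod error.
SAMPLE = (build(OFPT_ERROR, 7, struct.pack("!HH", 5, 1) + b"\x04\x0e")
          + build(OFPT_ECHO_REQUEST, 8)
          + build(OFPT_ERROR, 9, struct.pack("!HH", 5, 2)))

if __name__ == "__main__":
    print(count_table_full(SAMPLE))
```

A rising count of these errors while the flow table stays at its entry limit is the controller-side sign of the exhaustion described above.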