
All right, so it's evening, right? Yeah, it's evening time, six o'clock, no, seven o'clock now. So, what's going on. My name is Tommy. The topic is on pwning Software Defined Networking. I did actually have to define the word "pwning" to a marketing person today; it was actually really complicated. Anyways, don't care, let's get started. Clicker, it's very useful. So usually in the talk I talk about myself, something about SDN, can I walk? Right, yes, are you good. So component breakdowns of SDN itself, and, you know, the whole angles of what we're not trying to do, what I found, and what maybe you could find in the future, who knows, right.

So about myself: I do research at GRIMM. Has anyone heard of GRIMM? Anyone? No one? I figured, no, okay. Boom, was it? No, okay. Anyways, all right, so first time presenting, also first time in Las Vegas, holy cow, and at these cons in general, so a lot of check marks and achievements, right, being in Las Vegas as well. I mean, since like day two I think, and I just got to the Strip, I think that's what it's called, no idea, but, you know, I'm learning new things here in Vegas and being on the west coast right now, kind of west coast. If you're a west coaster, this is my view of the west coast, so I'm sorry, but, you know, give me suggestions on what you think, you know, I should do. I love suggestions, right.

Background. Backgrounds are always kind of useful, I guess. You know, I started networking a long time ago in phone networks, so I had a job a long time ago wiring T1 lines. Does anyone know what a T1 line is? Has anyone wired a T1 line? Has anyone liked doing that? Hell no, right. I think it was crap, but yes, I spent some time there, six months, didn't like that as much, so I switched gears, went to a different place, and they're like, oh, you'd be, you know, a net admin. Yes, cool, awesome. What kind of network? Oh, we can't tell you yet. Get there, like, oh hi, it's a Novell shop, in 2010 by the way. I'm like, what is this? You don't even learn this in school anymore, or less, and if you do, there's something wrong there. But they have, you know, IPX/SPX, and I'm like, oh, you know, I don't understand this. At that time I was kind of like, all right, whatever, let's go with this.

Research focus: so my background is of course in networking, because a networking presentation is always useful. I also do a little bit of machine learning, signal processing, target tracking, but we don't care about that kind of stuff. Networking. So, fast forward. I like questions, you know, if you have a question just, you know, raise your hand, be adults, right, ask, I don't care. And there are things, you know, I like to talk over drinks, right. A double is always good, that's my go-to; you can't really mess that up unless it's like a really bad dive bar concept, right. And if you don't drink, you know, I like steak, so that's always delicious.

So, motivation here, SDN. So when I first heard that SDN angle, you know, I hated wiring. You know, I had a lot of jobs where, like, you know, I wired something up and then an ignorant contractor accidentally cut like five lines down the ceiling and I had to rewire like hundreds of lines because they made a mistake, right. So I got a lot
of stories too on wiring and networking in general, but those are related things. Anyway, so now computers are getting super beefy, you know, huge, not physically huge, well, maybe physically huge, but resource-wise you're getting like, you know, 512 gigs of memory, one terabyte of memory, huge, like 20-plus cores depending on where you go, right. And the biggest thing is, you know, you make these computers into some sort of hypervisor solution, plop some VMs in, you know, support your infrastructure and drop some buzzwords like SaaS and PaaS and whatever you want to call it, right, check marks on the "as a service" things, right. Well, the biggest thing here is, you know, as your infrastructure grows and you have VMs here, you want to be healthy, you want to have the ability to, you know, customize and tailor your network to, you know, whatever you need, right: you know, quality of service, fault tolerance, you name it. There's some circuit abilities, and, you know, for those who don't know about 25-pair wire, this is like one giant fat wire fanned out on a punch block. I hated this, and it's worse if you're colorblind; let's see if you can match colors that well. All right, no offense, you are great.

So SDN, Software Defined Networking. So I had a thing a long time ago at work: I tried to put a paper to a conference, right, and it was rejected because I didn't add the hyphen in SDN, and that was the only reason, and I'm like, are you kidding me, right. So like, either a fantasy or a reason, I'm sorry. But so here's my primers, right, lots of primers. So, you know, VMs, it's like everywhere, you know, VMware, VirtualBox, Parallels, you name it, we got something, right. And the big thing, like I said before, is, you know, a VM has some limitations, right. You can't really, you know, apply quality of service to some VMs, maybe you can nowadays depending on the hypervisor, but there's still a lot of different limitations in your hypervisor solution, you know, path selection, like finding the best optimal path for routing, or you need some sort of flow control and, you know, customization, like if you want to drop in your own networking protocol because, you know, you're super fancy like that, then you can't really do that, right, with an off-the-shelf product, right. But the biggest thing is, like, SDN, you know, there are two major marketing terms, of course: global view and programmability, as in, you know, a lot of customization. So, you know, there are many vendors out there that do the whole SDN angle nowadays; here's some lists, like Cisco, HP, you name it, and there's of course software like Floodlight, ONOS, and etc., right. You know, a lot of like, you google something and boom, it pops on top, like five, ten lists, right.

So in the whole SDN angle there are things called planes, right. So I had someone look over the slides earlier and they thought an airplane, and I'm like, no, no, this is like a networking thing, right. So there are three planes in networking: application, control, and infrastructure, and we can kind of think of it as like three separate networks here, kind of think about that, but each plane by itself has a purpose: business administration, your actual communication control, and your servers or whatever you call it. Three planes, three purposes, remember that, not an airplane. So here's a, you know, lovely diagram I drew, right, always nice, blocks of course,
it's always good. So what happens is, in SDN there are two major components: controllers and switches. There are others as well, but we'll call them switches for now, right. And each device is serviced in a plane, so controllers will be on the control plane; your switches, computers, endpoints, servers, you name it, it's all in your infrastructure, data plane. And what happens is, you know, your business people love analytics, like fancy graphs, the spinny dials, and like trend marks, you get the idea, right. So they need some sort of an API function to, like, query that kind of visualization, right, and you can build it for like a threat map, or, you know, a projector screen for all your, you know, fancy people.

So SDN switches. I've said switches before, and so what's my view for the whole switching angle: you know, there's a lot of different switches out there, you know, off the shelf or, you know, online, and get help. So Open vSwitch, has anyone used Open vSwitch before? Raise a hand. Raised two and a half, two point seven five-ish, I don't know, depending. There's a lot of switching technologies out there, and I think Open vSwitch is my favorite, so I may not be right, so this is, you take it as you like, learn, right. But I think Open vSwitch is just like the most popular one because, you know, it's open source, you know, I love free things, because who doesn't, versus like going to Cisco, like, hi Cisco. Wait, does anyone even work at Cisco? My good, very good, not bashing, but, you know, I don't want to go to some vendor product company and be like, I want this switch, oh, it costs like $5,000 for the service contract support fee, and no, and you can't do all the stuff, right. So I don't like, I hate all the rigidity nonsense, but no, open source is always a good thing, you know, big community, I like making new friends, right, you can all be my friends later if you want to, doesn't matter, remember drinks and steak, that's my thing.

But yeah, so the biggest thing is, you know, Open vSwitch is software, and it's plopped into a VM that runs some sort of like *nix environment of your choice, right. And the biggest thing is, you know, traffic, it's how your traffic in your network moves from A to B. So in the switch itself they have flow tables, and that's how, basically, when traffic goes into the switch it looks at this kind of table scheme and it's like, oh, this traffic profile matches this line entry, and the rule in the flow table is like, oh, I'll go from port A to port B, and it goes to my destination. So here's an example of a flow table structure. So every time you have a, you know, network sequence or a flow or some sort of communication channel, whatever you call it on a network, a flow is inserted into this table, right. So every, like, everything that moves has a rule somewhere; if it doesn't have a rule it can't move, so remember that. So this is an example rule where I had two boxes on a dot-10 network and all I did was ping, right. So on one of the rules the traffic goes into the switch, the switch looks over the table and it's like, okay, that came from, you know, box 11, right, and oh, it's a, you know, ping of some sort, so let's just shoot it out to 12, because, you know, 12 was the destination marker, and it says port, port 5 4, 4 5, you get the idea, it moves it virtually, in virtual space, software, right.

So with the whole SDN angle there are controllers. So controllers by themselves, you know, there's a lot of controllers out there, you know, a lot of software, everyone makes software nowadays on GitHub. You got Floodlight; Floodlight's the, you know, the big thing that I want to talk about, but, you know, a major competitor is, you know, Ryu. Does anyone else use a fancy controller scheme? Any Cisco people, or is it Contrail? No idea. I will
try to remember that, or just talk to me later and I will look it up. So there's a lot of things. All right, so I talk about Floodlight because, you know, I was introduced to much older software called POX, NOX, but I've moved along in the world and went to more fancier-looking things, right. So Floodlight's there and it follows a similar scheme of the whole application, control and infrastructure. Yeah, you know, a lot of times when you buy a product from, like, a vendor they'll start relabeling certain things and they're like, oh, this is business marketing, fantasy, so we leave this stack or rename something like this and they get our terms and, you know, put some copyright trademark nonsense on that, right. But so, like, Floodlight is good because, you know, learning-wise, you know, they do follow the scheme, you know, they match the protocol to some standard, right, and when you do the analysis or investigate, you're like, oh okay, so this is application, control and infrastructure. So they do follow things, so this is important here.

So capabilities: you know, the controller is the brain of the operation. You know, like, you have switches and routers in the global infrastructure, right, and they individually can, you know, act by themselves, but the biggest thing is, like, you know, if this controller is, like, dead, you got no real network. I mean, you have switches that can kind of move, but over time, you know, over a certain period of time, it doesn't know how to move traffic anymore because it doesn't have the decisive control of the controller. The controller's point of view, or the controller's function here, is basically just to say, okay, I got some traffic, I have to figure out how to get from A to B, I do some, you know, some math nonsense in the background, and then this is how it routes and it goes. But when the controller is down, your packet goes into the switch, which is like, help me, I don't know what to do, let's just blast it everywhere and hope it gets there, broadcast, right. So the biggest thing is, you know, like, what happened to the whole, like, eggs in a basket, right? We try to avoid, you know, security, some angles, risk analysis, I don't know. So like if your infrastructure is so dependent on a box or two and one of them goes down, all right, no bueno.

So the controller's in Java. You know, I get a lot of viewpoints that people don't like Java here and there, right. It's not really that bad, maybe, I don't know, does anyone like Java? Boom, like this guy, I don't know what's your name, Mike, that's his pseudo name, it could really be James, don't know. But so in Java it's not that bad, right. So it has the whole REST API function for, you know, your business people, but then also within the REST API you can manipulate and control your controller, as like, you know, administrative nonsense. The big thing is, hey, I got the service, it's a REST API interface, it's listening on every interface I have on this controller, and oh, by the way, there's no encryption or authentication to it. So, you know, as long as you find a controller in the network, if you're doing some scans and it looks like one that has an API function to it, you can just send commands to it and it magically accepts and listens to you. Whoops, right.

So with that, so there's a lane in traffic called southbound traffic. So what happens is when the controller gives an instruction set to the switch, when it, you know, inserts flows and rules to it, it's called southbound traffic. It's kind of like a visual diagram, right. So what happens is that traffic by default is in plain text, and you can, you know, do some magic, you know, wizardry, replaying, whatever you wanna call it, and your switches on the other side will kind of like say, okay, sounds good, I'll take that. Any questions so far? By the way, I love questions, you know, your questions, just raise your hand, right.

So the OpenFlow protocol and fuzzing. So, you know, I would say I'm a
network person by trade, I guess, depends on that angle, but SDN, I've been doing SDN for, I feel like, I don't know, probably five years ago I think, I have no idea, a long time, right, but it's kind of like relatively new nowadays in the market, so we'll just go with it. So, the, you know, your first packet in networking, right, you know, your client sends the traffic to the network, it does this whole ARP thing, right, Address Resolution Protocol. What does a network seal make for a noise? Network seal, think, think, protocol, what does this protocol, this guy, all right, this guy, right, ARP, ARP, ARP. You know, it's really corny, but the funny thing is, like, I think like six years ago, seven years ago, I actually got someone's phone number with that corny joke, so, that didn't end well in the end of course, but, you know, it's still a good achievement for me, I think, to say this kind of quirky nerd joke that actually worked. Anyways, don't care.

So in the whole SDN angle, it's a little bit different, in the sense that, you know, when you communicate on your network from, you know, computer A to computer B, it takes the very first packet in your network flow, your stream of traffic, right, and what happens is that initial packet is sent to the controller, and the controller is like, okay, I'll look at this packet and let me try to find a profile for this packet and determine which computer it needs to go to, how does it need to route, what's the purpose of it, that's the idea, based on the first packet. And so what happens is that initial packet is encapsulated into an OpenFlow message, right. This guy seems kind of confused, what's up? Boom, so we'll get to that, okay. So yeah, the guy was thinking about port scanning, we'll get to that, kind of interesting thing later, good visual eye contact thing. Anyways, so the first packet goes to the controller, the controller looks at it and is like, okay, I know where this goes, and goes boom. So the flow gets inserted into a switch, the switch is like, oh cool, I can then forward all the other like 900 bajillion packets to the rest of the network, and, you know, we basically have a happy network at the end, and it says that, you know, both clients at the endpoints are communicating.

But what happens is, so the other thing with SDN is everything is virtualized. You know, we don't have an actual visual map of a network, as everything's software-driven. So one thing with SDN by itself is it uses two techniques to identify links in a network, right, because we don't have cables anymore, everything is just, you know, bits flying. So it uses two discovery protocols to identify links, and all those do is layer two broadcasts everywhere, spams all your switches, all your ports, and, you know, it gets really noisy. So, you know, anything like Cisco's discovery protocols or Juniper discovery protocols, people, same idea, just, you know, a different marketing term and people's stamp, you get the idea. But the biggest goal with the discovery protocol is it finds paths, finds the shape of your, like, network graph; anyone like graphs, right, math people, graphs, and it determines the best path based on latency. So what happens is when these discovery protocols are broadcasting in a network, the time it takes to measure between switches is your measurement of latency, and then the controller's like, okay, to get from switch A to switch B it took me like five milliseconds, that is my latency for the link, so that when it does calculations to determine the best path it starts adding numbers together and is like, oh, to get from one point in the network to the other, it does some crazy math and it's like, this is the best path. Kind of like, you know, when you're driving the car and you use Google Maps, and Google Maps kind of screams at you like, oh, take a right turn down this sketchy alleyway and hope you don't get shot, right. But what happens is Google Maps in the background does some calculations to determine, you know, how do you meet your, you know, goal of getting to a destination fastest, right, and what about having traffic or congestion.

So there's some like weird things in SDN. So what happens is in the southbound communication, right, so like I said, first packet goes to the controller, rule comes down, right. What happens is the rule, the flow rule, so when the controller sets a rule into the switch, so to speak, right, there are timers there as well, to maintain, say, okay, after a certain amount of time we'll keep this rule in the switch so that all the remaining traffic goes through, but then once the, you know, an expiration timer comes up or the idle
time comes out, that flow rule will, like, disappear. So somewhere midstream in your traffic one random packet will shoot back up to the controller to get reanalyzed to say, okay, this is the path again, but what happens is sometimes, depending on how your network's configured, your traffic might mid-stream be rerouted on a different path depending on how it's constructed, because everything's software-driven, right. You can't really, I mean, you could do that in, like, real networking, but there's a lot more, like, issues, like telecom issues, right.

So the other things I've found interesting, so, you know, this is about vulnerabilities, so random things I found interesting using Scapy. So this guy, what's your name again? Richard, so that's a pseudo name, Richard could be like Bob or something, I don't know, anyways, I'm saying what's your name because I have no idea, right. But so port scanning, you know, port scanning, you can send scans all day, of course, and you can even change, like, so match, even like, you know, SYN flooding, denial of service, you just change like your source address field or a destination address field, right. So the interesting thing about SYN flooding and other things is, like, each packet fills a rule in the table, so basically if you just change an address field, or it just changed a little bit, something like that, each packet will fill the table, so your table becomes huge in a switch, so like when the switch starts reading this table it gets slower and slower and slower and slower, because now my like ten rules in this table become like a million, and the switch is not happy, and, you know, all your customers, so to speak, are unhappy. So, I mean, it's kind of, it's not lame, but, you know, I mention the bullet thing because I thought it was kind of like an interesting setup.

See, the thing too that I found kind of interesting was that, so with the whole, like, you know, first packet going to the controller as, like, the way to profile network streams, right, if you send a super large packet, like a huge, like, the max size, all the fields possible packet concept, it actually starts sinking your CPU on the controller down there, like 10%. I guess I used this kind of, you know, like, machine, so, like, you can, you know, do some ratio calculations in terms of the rest, but I mean, I think that it looks pretty beefy, but like all the cores went like 10% lower just because I sent one large packet, so that's kind of like, that's a little different, right. But the other thing was, like, you know, because flow rules, they do expire over time, like I said, and the default is like five seconds, so like if you're straight, like a really slow loop, you know, like, while true, sleep five, send packet, sleep five, you repeat this cycle, but, you know, you can kind of like start slowing down the controller, and, you know, if you have like five clients, or you have one client and change the source address field or destination address field, you can kind of like start really slowing down the controller just because you, you know, follow the de facto standard, it's just you use it in a much more interesting way.

So northbound REST API, so that's almost the other angle in the whole controller angle, so it's, you know, web stuff, right, so you can use curl all day. So I tried to fuzz the API on its face and Java was really upset with me, as it was kind of like trying to process my request and what happened was it literally just locked up in general. So, you know, a lot of times it's like, why, like why is this happening, and, you know, people say it's Java, right, but I don't know. This guy likes Java, right, Mike, Mike, boom, Mike likes Java, but I don't care, it's just like, public, you know, public static void main string args blah, right. But anyways, so it would periodically lock up, then the network didn't do so well, because, you know, the controller wasn't really functioning well and switches can't get instructions, so it's like, what to do, right. So it got even worse because I had to throttle down the fuzzer to the point where like it was like 200, 200, 200 requests a second at the most, it was like that, it was fast again, but it's so unauthenticated, so like you just, you know, send a command and it accepts. All right, so, you know, someone needs to put a password there, that's kind of useful, right.

The discovery protocol, what happens is, yes,
boom, a good question. So what happens is when you are a client in SDN you're in that infrastructure data plane, right. What happens is the REST API resides in the northbound, the application plane, so you have to reside in that particular network interface. But what happens is in the virtual scheme, now your VM still has a, you know, an interface that listens to some sort of internet access network or another internal network, right, but in the SDN angle, you've virtualized the entire network within the VM or within some set of VMs; you need to reside in a, you know, a similar level of networking, but going from like your infrastructure data plane, it's not that really easy.

But so I have two minutes, sprint that, guys, so I'm going to speed this up a bit. So path selection, the discovery protocol: if you spam that thing you can basically force a network to redraw the pathing by itself, so it's like you don't need to man-in-the-middle, I think, you can just force the network to say, hey, move everything there, because, what happens is, because it uses discovery protocols to measure latency and, you know, inform the controller, controllers are seeing these, you know, packets but they have like weird timestamps, right, it's gonna measure them like, oh, this link took me an hour to go through, so let's just send everything in our direction. So it's like a really weird way to, like, move things in the whole networking scheme without doing any flow rules anyway.

So hiccups that happened: so when you try to actually mirror traffic from one box to another, I have switching between, but mirroring it, you know, layer two dropped everything on the switch because it isn't matching the fields, so my solution here was this really janky way that kind of worked: tcpdump piped into a netcat tunnel, piped into a replay thing. This guy was like, what the hell are you doing, but it works, it's just not really practical, I mean it was practical I guess with this angle, so it kind of worked.

Summary, I'll stop now, boom, summary, I am done. Questions? Hit me up on Twitter, there's my Twitter, here's a QR code, you can scan me if you want, it's legit, don't worry about that. Follow-up room, always good, right, that's where I'll be. Thank you. [Applause]
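As an added example, not the speaker's code and not Floodlight or Open vSwitch code, here is a small Python simulation of the flow-table behaviour the talk describes: a table miss sends the first packet to the controller and installs a rule, rules expire on an idle timeout (the talk's five-second default), and traffic that rotates its source address on every packet inflates both the table and the packet-in rate. The switch model, the match key, the timings and the `10.0.x.y` sample traffic are constructed assumptions; the `exhaustion_suspected` thresholds are placeholders a defender would tune to their own network.

```python
"""Constructed simulation of an OpenFlow-style flow table with idle timeouts.
Not Floodlight or Open vSwitch code: the switch, match keys and timings are
simplified assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A flow is matched on (source address, destination address, protocol); the
# talk's rule example matched ping traffic between two hosts on a dot-10 net.
Match = Tuple[str, str, str]
Packet = Tuple[float, str, str, str]  # (time in seconds, src, dst, proto)


@dataclass
class FlowTable:
    idle_timeout: float = 5.0  # default idle timeout mentioned in the talk
    flows: Dict[Match, float] = field(default_factory=dict)  # key -> last hit
    packet_ins: int = 0  # table misses that went up to the controller

    def expire(self, now: float) -> None:
        # Drop rules not refreshed within idle_timeout, as a switch would.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t < self.idle_timeout}

    def handle(self, pkt: Packet) -> bool:
        """Return True on a table miss (packet sent to controller, rule added)."""
        now, src, dst, proto = pkt
        self.expire(now)
        key: Match = (src, dst, proto)
        hit = key in self.flows
        self.flows[key] = now  # refresh the existing rule or install a new one
        if not hit:
            self.packet_ins += 1
        return not hit


def run(packets: List[Packet], idle_timeout: float = 5.0) -> FlowTable:
    table = FlowTable(idle_timeout=idle_timeout)
    for pkt in packets:
        table.handle(pkt)
    return table


def steady_ping(n: int, interval: float = 0.01) -> List[Packet]:
    # Constructed benign traffic: one host pinging another repeatedly.
    return [(i * interval, "10.0.0.11", "10.0.0.12", "icmp") for i in range(n)]


def rotating_source(n: int, interval: float = 0.01) -> List[Packet]:
    # Constructed traffic whose source address changes on every packet, the
    # pattern the talk describes as inflating the switch's flow table.
    return [(i * interval, f"10.0.{i // 256}.{i % 256}", "10.0.0.12", "tcp")
            for i in range(n)]


def packet_in_ratio(table: FlowTable, packets_seen: int) -> float:
    """Fraction of packets that missed the table; a steady flow is near 0."""
    return table.packet_ins / packets_seen if packets_seen else 0.0


def exhaustion_suspected(table: FlowTable, packets_seen: int,
                         max_ratio: float = 0.5, max_rules: int = 1000) -> bool:
    # Defender-side check (placeholder thresholds): alert when nearly every
    # packet is a miss or the table outgrows the expected conversation count.
    return (packet_in_ratio(table, packets_seen) > max_ratio
            or len(table.flows) > max_rules)


if __name__ == "__main__":
    benign = run(steady_ping(1000))
    noisy = run(rotating_source(1000))
    print("benign: rules", len(benign.flows), "packet-ins", benign.packet_ins)
    print("rotating: rules", len(noisy.flows), "packet-ins", noisy.packet_ins)
```

Over 1000 packets the benign ping keeps one rule and one packet-in, while the rotating source produces a packet-in for every packet and only the idle timeout keeps the table from holding all of them.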