initial version

Our thoughts: the right direction is to go with OpenDaylight and see how the integration is proceeding with OpenStack.

Today we could read this news from Radware:

Radware Releases Defense4All, Industry-First Open SDN Security Application for OpenDaylight Project. http://www.radware.com/NewsEvents/PressReleases/Radware-Releases-Defense4All-Industry-First-Open-SDN-Security-Application-for-OpenDaylight-Project/?jujrtyghfud207025a2343832a999a3699a6067

But until the solution is implemented and fully tested, we might have a faster solution.

Thanks to Ashish Chaudhari, who provided some great suggestions on this issue, I'll paste a conclusion from yesterday's conversation here:

From what we have learnt, to perform a DDoS attack on Swift, Cinder and Nova, attackers will need a temp key or session key. An attacker can get this session key via Keystone, as it is the entry point to the cloud. So one of the solutions can be: we will have to filter the request addresses using a firewall at Keystone, or we can give access to certified users only. OpenStack has a built-in firewall. But from the description given, it seems that the firewall filter rules are limited to virtual information only, i.e. id, tenant_id, name and password.

We are not sure if OS can filter user requests based on IP addresses. That way, a certificate system can be used for trusted users at the Keystone level. But it will still not limit the number of requests sent to the firewall by anonymous packets. We think we can tackle this by implementing one more layer of daemon, which has a dynamic thread pool system to pass the trusted packets on a priority basis.
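The "one more layer of daemon" idea above, as an added illustration that is not part of the original answer and not OpenStack or Radware code: a small front-end filter for an identity endpoint that rate-limits each source with a token bucket and dispatches requests from trusted sources ahead of anonymous ones. The trusted network range, the limits, the source addresses and the fake clock are all constructed for the demonstration; in a real deployment the trust decision would come from the certificate or network policy the answer mentions, and the limits would be tuned to the Keystone backend's capacity.

```python
"""Added example (not from the original post): per-source rate limiting with
priority for trusted sources, in front of an identity endpoint such as Keystone.
All network ranges, addresses and limits below are constructed samples."""
import ipaddress
import time
from collections import deque


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `capacity` stored."""

    def __init__(self, rate, capacity, now):
        self.rate = float(rate)
        self.capacity = float(capacity)
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now):
        # Refill proportionally to elapsed time, capped at the bucket capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AuthRequestFilter:
    """Front-end filter for an identity endpoint.

    Sources inside a trusted network (a certificate check would plug in the same
    way) get a larger bucket and are dispatched before anonymous sources, so a
    flood from unknown addresses cannot starve known clients.
    """

    def __init__(self, trusted_networks, trusted_rate=50, trusted_burst=100,
                 anon_rate=5, anon_burst=5, clock=time.monotonic):
        self.trusted_networks = [ipaddress.ip_network(n) for n in trusted_networks]
        self.limits = {"trusted": (trusted_rate, trusted_burst),
                       "anonymous": (anon_rate, anon_burst)}
        self.clock = clock          # injectable for deterministic testing
        self.buckets = {}           # one bucket per source address
        self.queues = {"trusted": deque(), "anonymous": deque()}
        self.rejected = 0

    def classify(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return "trusted" if any(addr in net for net in self.trusted_networks) else "anonymous"

    def admit(self, src_ip, request_id):
        """Rate-check the source; queue the request or reject it with a reason."""
        now = self.clock()
        cls = self.classify(src_ip)
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            rate, burst = self.limits[cls]
            bucket = self.buckets[src_ip] = TokenBucket(rate, burst, now)
        if not bucket.try_consume(now):
            self.rejected += 1
            return False, f"rate limit exceeded for {cls} source {src_ip}"
        self.queues[cls].append((src_ip, request_id))
        return True, f"queued as {cls}"

    def dispatch(self, max_requests):
        """Hand up to max_requests to the backend, draining the trusted queue first."""
        served = []
        for cls in ("trusted", "anonymous"):
            q = self.queues[cls]
            while q and len(served) < max_requests:
                served.append(q.popleft())
        return served


def simulate():
    """Deterministic walk-through with a fake clock; returns a summary dict."""
    t = [0.0]
    flt = AuthRequestFilter(["10.0.0.0/8"], clock=lambda: t[0])
    # Constructed burst: 20 requests from one anonymous source in the same instant.
    anon_results = [flt.admit("203.0.113.7", f"anon-{i}")[0] for i in range(20)]
    # Constructed trusted traffic arriving during the same burst.
    trusted_results = [flt.admit("10.1.2.3", f"trusted-{i}")[0] for i in range(3)]
    order = flt.dispatch(4)
    t[0] += 1.0  # one second later the anonymous bucket has refilled 5 tokens
    later_ok, _ = flt.admit("203.0.113.7", "anon-later")
    return {
        "anon_admitted": sum(anon_results),
        "trusted_admitted": sum(trusted_results),
        "first_dispatched": [rid for _, rid in order],
        "anon_admitted_after_1s": later_ok,
        "rejected": flt.rejected,
    }


if __name__ == "__main__":
    print(simulate())
```

The per-source bucket is what bounds an anonymous flood; the two-level queue is what keeps trusted clients responsive while that flood is being shed. Both decisions are made before the request reaches the identity service, which is the point of placing the daemon in front of Keystone rather than inside it.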