Mitigating Broadcast Storm on Metro Ethernet Network Using PVST+

A broadcast storm attack continuously transmits duplicate packets in order to disrupt the service of the network. In this research, a Spanning Tree Protocol method, namely PVST+ (Per VLAN Spanning Tree Plus), is used to overcome the problem caused by the broadcast storm attack on the Metro Ethernet Network. PVST+ serves as redundant network management and prevents looping on the network. The results obtained from this research are the following: PVST+ is able to mitigate the broadcast storm, as shown by the decrease in the number of packets and in the average packets per second. The average packets per second on VLAN 1 decreased to 274,041 and the average on VLAN 10 decreased to 267,794 packets per second.


Introduction
Ethernet can be seen as the standard for LAN (Local Area Network), MAN (Metro Area Network) and WAN (Wide Area Network) connections, as 98% of data traffic in worldwide networks is based on Ethernet. Metro Ethernet networks are designed to provide up to 200.000 high-speed lines to end users and organizations that need more capacity in their communications; thus, Metro Ethernet networks are best connected with fiber optics. Emamjomeh et al. [1] proposed an optical system for Metro Ethernet in which the MPLS (Multi Protocol Label Switching) technique is used for faster communication that meets the user's needs; however, there is no security analysis in their research. STP (Spanning Tree Protocol) manages and provides path redundancy while avoiding undesirable loops in Ethernet networks; a new STP variant, namely Load Balanced Spanning Tree (LBST), has been proposed to reduce the computational complexity of the previous BST algorithm [2]. Moreover, Huu-Hung Phan et al. [3] proposed a new model of the Metro Ethernet Network as an undirected connectivity graph, using the Bridge Protocol Data Unit (BPDU) frame exchange to determine the shortest paths between network switches; however, neither [2] nor [3] analyzed the security of their method.
The broadcast storm is an attack that uses a sequence of broadcast operations from one or more devices at a rapid packets-per-second rate; its goal is to bring down the network. A rate of more than 500 packets per second is considered abnormal [4]. A method to control network storms, including broadcast storms, has been proposed in [5], where multiple static agents are used to control the network storm in order to improve the performance of an Ethernet LAN; however, it is not mentioned whether their method can be implemented on Metro Ethernet. Various solutions to prevent the broadcast storm have also been proposed in [6][7][8][9][10]; however, all of those methods are implemented on VANETs (Vehicular Ad Hoc Networks), not on Metro Ethernet networks.
The broadcast storm is one variant of DoS/DDoS attack; as mentioned above, its goal is to bring down the target system by flooding the network with junk packets. A monitoring and detection system can be used to mitigate the broadcast storm as early as possible: Ni et al. [11] proposed a monitoring and detection system for anomalous packet flows at the DNS server, and it is shown that their solution can detect DDoS attacks accurately. Another solution to prevent the broadcast storm is a firewall: Alfan Presekal and Riri Fitri Sari [12] proposed a firewall to prevent DoS attacks that is implemented on the Host Identity Protocol (HIP), and it is shown that HIP with their firewall still manages to work even though there was a DoS attack. Despite all of the above proposed systems, none of them handles the broadcast storm in particular; thus, a mitigation system for the broadcast storm is still not available.

ISSN: 1693-6930 TELKOMNIKA Vol. 14, No. 4, December 2016: 1559-1564
Based on the previous research above, it can be concluded that there is no solution to mitigate the broadcast storm on a Metro Ethernet Network; thus, to overcome the problem, we propose an STP method, namely PVST+ (Per VLAN Spanning Tree Plus), to be implemented on the Metro Ethernet network. The Graphical Network Simulator (GNS 3) is used for the implementation and simulation process, and two VLANs, namely VLAN 1 and VLAN 10, are used in this research. The average packets per second on both VLANs are measured before and after the implementation of PVST+ to show that the broadcast storm is mitigated.
The rest of the paper is organized as follows: Section 2 describes the implementation of PVST+ method on the Metro Ethernet network, Section 3 discusses the results, and Section 4 concludes the whole research.

Implementation of PVST+ on Metro Ethernet Network
This section describes the process of mitigating the broadcast storm attack by implementing PVST+. The first process is scanning and capturing the packets on the network to detect the broadcast storm (described in sub-section 2.1), the second process is implementing PVST+ to mitigate the broadcast storm (presented in sub-section 2.2), and the last process is optimizing the network to prevent future broadcast storm attacks (discussed in sub-section 2.3).

Scan and Capture Packets on the Metro Ethernet Network
For the initial process, the GNS 3 simulator equipped with Wireshark is used to scan the data packets on each interface to detect a broadcast storm, which has already been set up to occur. The topology used for the scanning process is shown in Figure 1.

Figure 1. Metro Ethernet Network Topology
Figure 1 represents the topology used in this research; it is used to simulate the broadcast storm attack that usually happens when there are many switches. These switches generate many duplicate packets, causing the broadcast storm.
To determine whether a network is a victim of a broadcast storm, data packets in the form of ping packets are sent from the host to the gateway for a minimum of 60 seconds. Wireshark monitors the traffic that occurs during the simulation time; the monitored parameters are the number of packets and the average packets per second. Based on [4], a broadcast storm is occurring when the average packets per second is above 500 packets per second.

Implementation of the PVST+
PVST+ is implemented in order to mitigate the broadcast storm. The implementation of PVST+ is performed on Core A, Core B, and all four access switches; the implementation on the network elements is illustrated in Figure 2, which represents the simulation of our research in the GNS 3 simulator. The PVST+ implementation for each network element consists of two processes, namely the configuration process and the verification process. The command used to configure PVST+ on Core A is shown in Figure 3, while the command used to verify the process is shown in Figure 4. Figure 3 and Figure 4 show that two VLANs are used for the simulation, namely VLAN 1 and VLAN 10; these VLANs, as well as the configuration and verification process, are the same for all network elements.
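The paper's Figure 3 configuration is not reproduced on this page, so the following Python model is an added example (not the paper's code) of what PVST+ computes for each VLAN: a root bridge election, one root port per non-root switch, one designated port per segment, and every other port blocked, which is how redundant links are kept without a loop. The topology (Core A and Core B linked, four access switches dual-homed to both cores), the MAC addresses, the path costs and the per-VLAN priorities (the value a `spanning-tree vlan <id> priority <n>` line sets on Cisco IOS) are assumptions of the example, not values taken from the paper; Core A is given the lowest priority for VLAN 1 and Core B for VLAN 10 so that the two VLANs get different trees.

```python
"""Per-VLAN spanning tree election on a Core A / Core B / four-access-switch
topology. Added example, not the paper's code: the link layout, MAC addresses,
path costs and per-VLAN priorities below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from heapq import heappop, heappush
from typing import Dict, List, Tuple

DEFAULT_PRIORITY = 32768  # 802.1D default bridge priority


@dataclass
class Switch:
    name: str
    mac: str
    priority: Dict[int, int] = field(default_factory=dict)  # vlan -> priority

    def bridge_id(self, vlan: int) -> Tuple[int, str]:
        # Lower (priority, MAC) wins the root election for that VLAN.
        return (self.priority.get(vlan, DEFAULT_PRIORITY), self.mac)


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int  # STP path cost of the segment

    def other(self, sw: str) -> str:
        return self.b if sw == self.a else self.a


# Constructed topology: the two cores are linked, and every access switch is
# dual-homed to both cores, giving 9 links for 6 bridges (4 must be blocked).
SWITCHES = {s.name: s for s in [
    Switch("CoreA", "00:00:00:00:aa:01", {1: 4096, 10: 8192}),
    Switch("CoreB", "00:00:00:00:bb:01", {1: 8192, 10: 4096}),
    Switch("Acc1", "00:00:00:00:0c:01"),
    Switch("Acc2", "00:00:00:00:0c:02"),
    Switch("Acc3", "00:00:00:00:0c:03"),
    Switch("Acc4", "00:00:00:00:0c:04"),
]}
LINKS = [Link("CoreA", "CoreB", 4)] + [
    Link(core, acc, 4) for acc in ("Acc1", "Acc2", "Acc3", "Acc4")
    for core in ("CoreA", "CoreB")
]


def compute_tree(switches, links, vlan):
    """Return (root, root_path_cost, port_roles) for one VLAN.
    port_roles maps (switch, link) -> 'designated' | 'root' | 'blocked'."""
    bid = {name: sw.bridge_id(vlan) for name, sw in switches.items()}
    root = min(bid, key=bid.get)
    adj: Dict[str, List[Link]] = defaultdict(list)
    for link in links:
        adj[link.a].append(link)
        adj[link.b].append(link)
    # Root path cost: cheapest path to the root (Dijkstra).
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, sw = heappop(heap)
        if cost > rpc[sw]:
            continue
        for link in adj[sw]:
            nb, nc = link.other(sw), cost + link.cost
            if nc < rpc.get(nb, float("inf")):
                rpc[nb] = nc
                heappush(heap, (nc, nb))
    # Root port: the link with the lowest cost to the root, ties broken by the
    # neighbour's bridge ID, as the BPDU comparison does.
    root_port = {
        sw: min(adj[sw], key=lambda l: (rpc[l.other(sw)] + l.cost, bid[l.other(sw)]))
        for sw in switches if sw != root
    }
    # Designated port: on each segment the end with the lower (cost, bridge ID)
    # forwards; the other end forwards only if the segment is its root port.
    roles = {}
    for link in links:
        des = min((link.a, link.b), key=lambda s: (rpc[s], bid[s]))
        oth = link.other(des)
        roles[(des, link)] = "designated"
        roles[(oth, link)] = "root" if root_port.get(oth) is link else "blocked"
    return root, rpc, roles


def forwarding_links(roles, links):
    """Links with no blocked end carry traffic for this VLAN."""
    return [l for l in links if "blocked" not in (roles[(l.a, l)], roles[(l.b, l)])]


def is_loop_free(fwd, switches):
    """A tree over n bridges has exactly n-1 forwarding links and is connected."""
    if len(fwd) != len(switches) - 1:
        return False
    seen, stack = set(), [next(iter(switches))]
    while stack:
        sw = stack.pop()
        if sw in seen:
            continue
        seen.add(sw)
        stack.extend(l.other(sw) for l in fwd if sw in (l.a, l.b))
    return len(seen) == len(switches)


if __name__ == "__main__":
    for vlan in (1, 10):
        root, _, roles = compute_tree(SWITCHES, LINKS, vlan)
        fwd = forwarding_links(roles, LINKS)
        print(f"VLAN {vlan}: root={root}, forwarding={[(l.a, l.b) for l in fwd]},"
              f" loop-free={is_loop_free(fwd, SWITCHES)}")
```

Running the script shows VLAN 1 forwarding only over Core A and VLAN 10 only over Core B, with the four redundant core-to-access links blocked in each VLAN; a frame can therefore never circulate, which is the property the paper relies on to stop the duplicate packets from looping, while each core still has a live path to every access switch.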

Network Optimization
Network optimization is necessary if the broadcast storm still occurs after the implementation of PVST+. Several options for network optimization are the following:

Port Fast
Port Fast is a feature provided by Cisco switches for faster spanning tree formation. It is only applied to ports connected to end users and is not recommended for ports with "trunking" status, because forwarding of duplicate packets would still occur on such ports.

Uplink Fast
This feature has a similar function to Port Fast, namely forming the spanning tree faster; moreover, it can be used on ports with "trunking" status.

Bridge Protocol Data Unit (BPDU) Guard
The function of the BPDU Guard command is to protect the spanning tree algorithm that has already been adapted to the integrated network. If a port connected to an end user, which is already configured with Port Fast, is instead connected to a switch X, then the port is shut down, because switch X would send BPDU messages to the other switches and reset the algorithm.

Backbone Fast
Backbone Fast is a feature that accelerates the delivery of BPDUs using the Root Link Query (RLQ); the RLQ is used to detect inactive/indirect links. With Backbone Fast, the process of determining the root bridge can be accelerated.
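The Port Fast and BPDU Guard behaviour described above can be made concrete as a small edge-port state model. The Python below is an added example written for this page, not vendor code and not from the paper: the timer values are the 802.1D defaults (15 s forward delay, so 30 s from link-up to forwarding on a normal port), the port name, the "switch-X" sender and the scenarios are constructed, and the response of a Port Fast port without BPDU Guard (dropping back to the normal timers when a BPDU arrives) is Cisco's documented behaviour rather than something the paper states.

```python
"""Edge-port behaviour with and without PortFast and BPDU Guard, as a small
event model. Added example; timer values are the 802.1D defaults and the
scenarios are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

FORWARD_DELAY_S = 15.0  # 802.1D default: listening and learning each last this long


@dataclass
class EdgePort:
    name: str
    portfast: bool = False
    bpdu_guard: bool = False
    state: str = "down"
    forwarding_at: Optional[float] = None  # time the port (will) reach forwarding
    log: List[str] = field(default_factory=list)

    def link_up(self, now: float) -> None:
        if self.portfast:
            # PortFast skips listening and learning: forwarding immediately.
            self.state, self.forwarding_at = "forwarding", now
        else:
            self.state, self.forwarding_at = "listening", now + 2 * FORWARD_DELAY_S
        self.log.append(f"{now:6.1f}s {self.name}: link up -> {self.state}")

    def tick(self, now: float) -> None:
        """Advance the classic listening -> learning -> forwarding timers."""
        if self.state == "listening" and now >= self.forwarding_at - FORWARD_DELAY_S:
            self.state = "learning"
        if self.state == "learning" and now >= self.forwarding_at:
            self.state = "forwarding"

    def receive_bpdu(self, now: float, sender: str) -> None:
        if self.bpdu_guard:
            # BPDU Guard: a BPDU on an edge port means a switch was attached;
            # the port is shut down (err-disabled) instead of joining the tree.
            self.state, self.forwarding_at = "err-disabled", None
        elif self.portfast:
            # Without the guard, Cisco's documented behaviour is that the port
            # loses PortFast and re-converges through the normal timers.
            self.portfast = False
            self.link_up(now)
        # A port that never had PortFast simply processes the BPDU (not modelled).
        self.log.append(f"{now:6.1f}s {self.name}: BPDU from {sender} -> {self.state}")


def run_scenario(portfast: bool, bpdu_guard: bool, bpdu_at: Optional[float] = None,
                 until: float = 40.0) -> dict:
    """Bring a port up at t=0, optionally inject one BPDU at bpdu_at, and step
    time in 1 s ticks. Returns the final state, the first time the port was
    forwarding, the last scheduled forwarding time and the event log."""
    port = EdgePort("Fa0/1", portfast, bpdu_guard)  # constructed port name
    port.link_up(0.0)
    first_forward = 0.0 if port.state == "forwarding" else None
    t = 0.0
    while t <= until:
        if bpdu_at is not None and t == bpdu_at:
            port.receive_bpdu(t, "switch-X")
        port.tick(t)
        if first_forward is None and port.state == "forwarding":
            first_forward = t
        t += 1.0
    return {"state": port.state, "first_forward": first_forward,
            "forwarding_at": port.forwarding_at, "log": port.log}


if __name__ == "__main__":
    cases = [("normal port", False, False, None),
             ("portfast", True, False, None),
             ("portfast + bpdu guard, switch plugged in", True, True, 5.0),
             ("portfast only, switch plugged in", True, False, 5.0)]
    for label, pf, guard, at in cases:
        r = run_scenario(pf, guard, at)
        print(f"{label}: final={r['state']}, first forwarding at {r['first_forward']}s")
        for line in r["log"]:
            print("   ", line)
```

The third scenario is the one the text describes: an end-user port with Port Fast is re-cabled to a switch, the first BPDU trips BPDU Guard and the port goes to err-disabled rather than letting the foreign switch take part in (and possibly reset) the tree. The fourth scenario shows why Port Fast alone is not a protection on such a port.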

Results and Analysis
In this section, the results and analysis of the obtained data are presented. Simulation and evaluation of the implementation of PVST+ consist of the following steps:
1. Traffic monitoring before the implementation of PVST+
2. Traffic monitoring after the implementation of PVST+

Traffic Monitoring before the Implementation of PVST+
Traffic monitoring is carried out on VLAN 1 and VLAN 10 at intervals of 90 seconds, 180 seconds, 270 seconds, 360 seconds and 450 seconds. The obtained results are the number of packets and the average packets per second. The results of monitoring the traffic before the implementation of PVST+ on VLAN 1 and VLAN 10 can be seen in Table 1 and Table 2 respectively. It can be seen from Table 1 and Table 2 that the average packets per second on both VLAN 1 and VLAN 10 is above 500 packets per second: the average number of packets per second for VLAN 1 is 55852.334 packets per second and for VLAN 10 it is 6733.448 packets per second. From these results, it can be concluded that the broadcast storm occurred on both VLAN 1 and VLAN 10. Sub-section 3.2 presents the average number of packets per second after the implementation of PVST+.
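The measurement used in sub-sections 2.1 and 3.1 (count the packets in each interval, convert to packets per second, and compare the average with the 500 packets-per-second threshold from [4]) can be automated over a Wireshark capture instead of being read off by hand. The Python script below is an added example written for this page, not the paper's tooling: it assumes the capture was exported with `tshark -r capture.pcapng -T fields -e frame.time_relative -e vlan.id -e eth.dst`, treats untagged frames as VLAN 1, and the rates fed to `constructed_capture` are constructed stand-ins for a before/after run, not the paper's measured values.

```python
"""Broadcast-storm check over a packet capture, following the Wireshark-based
monitoring described on this page (added example, not the paper's code).
Input is assumed to be tshark field output:
  tshark -r capture.pcapng -T fields -e frame.time_relative -e vlan.id -e eth.dst
giving one line per frame: <seconds since start>\t<VLAN id or empty>\t<dst MAC>.
"""
from dataclasses import dataclass
from math import ceil
from typing import Iterable, Iterator, List

STORM_THRESHOLD_PPS = 500.0  # the threshold the paper takes from [4]
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:
    time: float  # seconds since the start of the capture
    vlan: int    # 802.1Q VLAN id; untagged frames are counted as VLAN 1 here
    dst: str     # destination MAC, lower case


def parse_tshark_fields(lines: Iterable[str]) -> Iterator[Packet]:
    """Parse tab-separated frame.time_relative / vlan.id / eth.dst lines.
    Malformed lines are skipped rather than aborting the analysis."""
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3:
            continue
        t, vlan, dst = parts
        try:
            yield Packet(float(t), int(vlan) if vlan else 1, dst.lower())
        except ValueError:
            continue


def pps_per_window(packets: Iterable[Packet], vlan: int,
                   window_s: float = 90.0, duration_s: float = 450.0) -> List[float]:
    """Count broadcast frames of one VLAN in consecutive windows and return the
    packets-per-second figure for each window (the quantity the paper tabulates
    at 90, 180, ..., 450 s)."""
    counts = [0] * ceil(duration_s / window_s)
    for p in packets:
        if p.vlan != vlan or p.dst != BROADCAST_MAC or p.time >= duration_s:
            continue
        counts[int(p.time // window_s)] += 1
    return [c / window_s for c in counts]


def storm_report(packets: Iterable[Packet], vlan: int, **kw) -> dict:
    """Apply the paper's decision rule: a storm if the average rate > 500 pps."""
    rates = pps_per_window(packets, vlan, **kw)
    avg = sum(rates) / len(rates)
    return {"vlan": vlan, "window_pps": rates, "avg_pps": avg,
            "storm": avg > STORM_THRESHOLD_PPS}


def constructed_capture(vlan: int, rate_pps: int, duration_s: float) -> Iterator[Packet]:
    """Constructed stand-in for a real capture: evenly spaced broadcast frames
    plus one unicast frame per second, so the broadcast filter has work to do."""
    for i in range(int(rate_pps * duration_s)):
        yield Packet(i / rate_pps, vlan, BROADCAST_MAC)
    for s in range(int(duration_s)):
        yield Packet(s + 0.5, vlan, "00:11:22:33:44:55")


# A few constructed tshark lines, including one untagged frame and one bad line.
SAMPLE_LINES = [
    "0.000000\t1\tff:ff:ff:ff:ff:ff",
    "0.001200\t1\tff:ff:ff:ff:ff:ff",
    "0.002500\t10\tff:ff:ff:ff:ff:ff",
    "0.004000\t\t00:0c:29:aa:bb:cc",
    "this line is not tshark output",
]


if __name__ == "__main__":
    # Constructed before/after rates; the paper's own figures are in its tables.
    for label, rate in (("before PVST+", 800), ("after PVST+", 300)):
        r = storm_report(constructed_capture(1, rate, 450.0), vlan=1)
        print(f"{label}: VLAN {r['vlan']} avg {r['avg_pps']:.1f} pps, "
              f"windows {r['window_pps']}, storm={r['storm']}")
```

In practice the script is run once on the capture taken before the PVST+ configuration and once on the capture taken after it, per VLAN; the `window_pps` list corresponds to the per-interval rows of the paper's tables and `avg_pps` to the figure compared against the threshold.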

Traffic Monitoring after the Implementation of PVST+
The results of monitoring the traffic after the implementation of PVST+ on VLAN 1 and VLAN 10 can be seen in Table 3 and Table 4 respectively. Table 3 and Table 4 show that after the implementation of PVST+, the number of packets and the average packets per second have decreased, the latter to less than 500 packets per second. The average number of packets per second on VLAN 1 has decreased to 274.041 packets per second, while the average packets per second for VLAN 10 has decreased to 267.794 packets per second; therefore, it can be concluded that PVST+ is able to mitigate the broadcast storm. This result fills the gap in [5][6][7][8][9][10][11][12], where there is no mechanism to counter the broadcast storm on Metro Ethernet.

Conclusion
In the initial process of this research, a broadcast storm is simulated on the Metro Ethernet Network; it is shown by the large average packets per second, which are 55852,334 packets per second on VLAN 1 and 6733,448 packets per second on VLAN 10. In order to mitigate the broadcast storm, a variation of the spanning tree protocol, namely PVST+, is implemented on both VLAN 1 and VLAN 10. The results show that the broadcast storm on both VLANs can be mitigated by PVST+, as shown by the decrease of the average packets per second on both VLANs, which are 274,041 packets per second on VLAN 1 and 267,794 packets per second on VLAN 10. PVST+ is able to mitigate the broadcast storm because it prevents loops from occurring on the network and is also able to handle redundant paths on the network.

Figure 2. PVST+ Implementation on Every Network Element

Figure 3. Command to Configure PVST+ on Core A

Figure 4.

Table 1. Traffic Monitoring on VLAN 1 before the implementation of PVST+

Table 2. Traffic Monitoring on VLAN 10 before the implementation of PVST+

Table 3. Traffic Monitoring on VLAN 1 after the implementation of PVST+

Table 4. Traffic Monitoring on VLAN 10 after the implementation of PVST+