Computer Science, 2019, Vol. 46, Issue (6A): 343-347.

• Information Security •

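NFV Based Detection Method Against Double LSAs Attack on OSPF Protocol

LI Peng-fei, CHEN Ming, DENG Li, QIAN Hong-yan

  1. Department of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
  • Online: 2019-06-14 Published: 2019-07-02
  • Corresponding author: CHEN Ming (born 1957), Ph.D., professor, senior member of CCF; main research interests: computer networks, UAV networks, network measurement and future networks. E-mail: mingchen@nuaa.edu.cn
  • About the authors: LI Peng-fei (born 1993), male, master's degree; main research interests: NFV and computer networks. E-mail: lipfeinj@163.com. DENG Li (born 1996), male, master's degree; main research interests: NFV and computer networks. QIAN Hong-yan (born 1973), female, Ph.D., associate professor, member of CCF; main research interests: computer networks and information security.
  • Supported by:
    This work was supported by the National Natural Science Foundation of China (61772271, 61379149).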

Abstract: The OSPF protocol is one of the most widely used and successful interior gateway routing protocols in the Internet. Although there have been many investigations into the security of the OSPF protocol, there is still a lack of effective detection methods against route spoofing attacks, so it is difficult to ensure the security of OSPF routing in networks. By studying the principle of the double link state advertisements (LSAs) attack on the OSPF protocol, this paper presents three necessary conditions that are used to detect the attack, and proposes a detection method against the double LSAs attack on the OSPF protocol. A corresponding detection middle box and analysis server, used to detect attacks and clear up their routing pollution, were then designed and implemented based on network function virtualization (NFV) technology. The detection middle box is responsible for capturing relevant OSPF packets from various links, sending the trace records to the analysis server, and receiving instructions from the analysis server to restore the polluted routes. The analysis server invokes the detection algorithm to analyze and process the trace record stream; if an attack is detected, it raises an alarm and sends an instruction to the detection middle box to restore the contaminated routes. The experimental results of the prototype show that the proposed method can detect the OSPF double LSAs attack in both IP networks and NFV networks accurately and efficiently, and that the prototype has excellent characteristics such as high cost-effectiveness and ease of deployment.

Key words: OSPF, Routing protocol attack, Network security, Network function virtualization, Detection method

CLC Number: TP393