计算机科学 ›› 2015, Vol. 42 ›› Issue (Z11): 341-344.

• 信息安全 • 上一篇    下一篇

一种针对基于OpenFlow的SDN网络中控制层面的DoS攻击研究

楼恒越,窦军   

  1. 西南交通大学信息科学与技术学院 成都610031,西南交通大学信息科学与技术学院 成都610031
  • 出版日期:2018-11-14 发布日期:2018-11-14

Research on DoS Attacks Against Control Level in OpenFlow-based SDN

LOU Heng-yue and DOU Jun   

  • Online:2018-11-14 Published:2018-11-14

摘要: 针对OpenFlow协议报文交换机制里所有非数据报文均需要通过PACKET_IN报文上传控制器的弱点,提出一种不停查询未知转发地址从而造成SDN网络控制层面资源耗尽的新型DoS攻击方式,同时基于SDN网络可编程性提出检测攻击与降低网络时延的解决策略。首先通过SDN控制器北向应用接口,使用Defense4ALL应用中自定义功能,针对DoS攻击特性检测网络中恶意流量。然后利用控制器动态配置特性,实时更新交换机配置文件,改变网络转发策略,从而减轻攻击对整个网络造成的影响。实验仿真表明,在大规模高速攻击中,该方法的检测成功率接近100%,在攻击源较少的慢速攻击中检测成功率低于80%,整体网络延迟降低10ms以上。所提出的解决策略可以有效减少针对控制平面的DoS攻击对整个网络的干扰。

关键词: SDN,OpenFlow,网络安全,控制层面,DoS攻击

Abstract: Based on OpenFlow protocol message exchange mechanism,all non-data packets need uploading by PACKET_IN message.Thus,a new DoS attack on the control plane was proposed.It uses non-stop forwarding unknown address packages to deplete resources in control plane.And a solution strategy was proposed to detect attacks and reduce network latency based on the programmability of SDN network.First,through SDN controller north application interface,Defense4ALL application was used to detect malicious traffic by characteristic of DoS attacks.Then by using the controller feature of dynamical configuration,switch configuration file was updated in real-time,and network forwarding policy was changed.Thereby it could reduce the damage caused by the attack on the entire network.The simulation shows that the success rate of this detection method closes to 100%.But in slow-speed less-source attack detection success rate is less than 80%.The overall network latency is reduced by 10ms or more.The proposed solution strategy can effectively reduce the interference of the DoS attacks against control level for entire network.

Key words: SDN,OpenFlow,Network security,Control level,DoS attack

[1] McKeown N,Anderson T,Balakrishnan H,et al.OpenFlow:enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74
[2] 左青云,陈鸣,赵广松,等.基于OpenFlow的SDN技术研究[J].软件学报,2013,24(5):1078-1097
[3] 李丹,陈贵海,任丰原,等.数据中心网络的研究进展与趋势[J].计算机学报,2014,37(2):259-274
[4] 窦军,陈文佳.SUPANET基OAM的保护交换研究[J].计算机科学,2011,38(4):87-92
[5] 窦军.单层用户数据交换平台体系结构研究[D].成都:西南交通大学,2011
[6] 林闯,贾子骁,孟坤.自适应的未来网络体系架构 [J].计算机学报,2012,35(6):1077-1093
[7] 戴彬,王航远,徐冠,等.SDN 安全探讨:机遇与威胁并存[J].计算机应用研究,2014,31(8):2254-2262
[8] 薛聪,马存庆,刘宗斌,等.一种安全SDN控制器架构设计[J].信息网络安全,2014(9):34-38
[9] ONF Market Education Committee.Software-Defined Networ-king:The new norm for networks[EB/OL].(2012-04-13).https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf
[10] McKeown N,Anderson T,Balakrishnan H,et al.OpenFlow:enabling innovation in campus networks[J].ACM SIGCOMM Computer Communication Review,2008,38(2):69-74
[11] Tootoonchian A,Gorbunov S,Ganjali Y,et al.On controller performance in software-defined networks[C]∥USENIX Workshop on Hot Topics in Management of Internet,Cloud,and Enterprise Networks and Services(Hot-ICE).2012:10
[12] 江国龙,付斌章,陈明宇,等.SDN控制器的调研和量化分析[J].计算机科学与探索,2014,8(6):653-664
[13] Braga R,Mota E,Passito A.Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]∥2010 IEEE 35th Conference on Local Computer Networks(LCN).IEEE,2010:408-415
[14] Wang B,Zheng Y,Lou W,et al.DDoS Attack Protection in the Era of Cloud Computing and Software-Defined Networking[C]∥2014 IEEE 22nd International Conference on Network Protocols(ICNP).IEEE,2014:624-629
[15] 陶冶,张尼,张云勇,等.SDN安全防护技术研究[J].电信技术,2014(6):14-17
[16] Jose L,Yu M,Rexford J.Online measurement of large traffic aggregates on commodity switches[C]∥Proc.of the USENIX HotICE workshop.2011:13-13
[17] Yao G,Bi J,Xiao P.Source address validation solution withOpenFlow/NOX architecture[C]∥2011 19th IEEE InternationalConference on Network Protocols(ICNP).IEEE,2011:7-12
[18] Dover J M.A denial of service attack against the Open Floodlight SDN controller[EB/OL].[2013-12-30].http://dovernetworks.com/wp-content/uploads/2013/12/OpenFloodlight-12302013.pdf

No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!