Computer Science (计算机科学), 2015, Vol. 42, Issue Z11: 341-344.
LOU Heng-yue, DOU Jun (楼恒越, 窦军)
Abstract: Targeting the weakness in the OpenFlow message-exchange mechanism whereby all non-data packets must be sent up to the controller as PACKET_IN messages, this paper proposes a new type of DoS attack that continuously queries unknown forwarding addresses and thereby exhausts the resources of the SDN control plane; at the same time, building on the programmability of SDN networks, it proposes a solution strategy for detecting the attack and reducing network latency. First, through the SDN controller's northbound application interface, the custom functionality of the Defense4ALL application is used to detect malicious traffic in the network according to the characteristics of the DoS attack. Then, using the controller's dynamic configuration capability, switch configuration files are updated in real time to change the network forwarding policy, thereby mitigating the attack's impact on the whole network. Simulation experiments show that in large-scale high-rate attacks the detection success rate of this method approaches 100%, while in slow-rate attacks with few attack sources the detection success rate is below 80%; overall network latency is reduced by more than 10 ms. The proposed solution strategy can effectively reduce the disruption to the whole network caused by DoS attacks against the control plane.
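As an added illustration (not code from the paper or from Defense4ALL), the defender-side logic the abstract describes, in Python: a sliding-window detector that flags a source whose PACKET_IN events toward many distinct unknown destinations exceed a threshold, plus the drop flow entry that is pushed back to the switch. The window length, thresholds, MAC addresses and the sample event log are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0        # sliding window length (assumed tuning value)
MAX_PACKET_IN = 20    # PACKET_INs per source per window before we call it a flood (assumed)

def detect_packet_in_flood(events, window_s=WINDOW_S, max_packet_in=MAX_PACKET_IN):
    """events: iterable of (timestamp_s, src_mac, dst_mac) PACKET_IN records.
    Returns {src_mac: first_detection_time} for sources whose PACKET_IN rate
    toward distinct (unknown) destinations exceeds the threshold."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    flagged = {}
    for ts, src, dst in sorted(events):
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()           # drop records that fell out of the window
        distinct_dsts = {d for _, d in q}
        # A scan for unknown addresses shows many PACKET_INs AND many distinct
        # destinations; a busy but legitimate host repeats the same few destinations.
        if len(q) >= max_packet_in and len(distinct_dsts) >= max_packet_in // 2:
            flagged.setdefault(src, ts)
    return flagged

def mitigation_flow_mod(src_mac, priority=1000, hard_timeout_s=60):
    """Flow entry for the flagged source, as a plain dict shaped like an assumed
    OpenFlow FLOW_MOD: matched at the switch, so its packets stop reaching the
    controller. An empty action list means drop."""
    return {"command": "ADD", "priority": priority, "hard_timeout": hard_timeout_s,
            "match": {"eth_src": src_mac}, "actions": []}

def build_sample_events():
    """Constructed PACKET_IN log: a fast scanner, a slow scanner, and a normal host."""
    ev = []
    # fast scanner: a new destination every 20 ms
    ev += [(i * 0.02, "00:00:00:00:00:01", f"00:00:00:00:10:{i:02x}") for i in range(40)]
    # slow scanner: a new destination every 500 ms (stays under the threshold)
    ev += [(i * 0.5, "00:00:00:00:00:03", f"00:00:00:00:20:{i:02x}") for i in range(40)]
    # normal host: chatty, but only three distinct destinations
    ev += [(i * 0.03, "00:00:00:00:00:02", f"00:00:00:00:30:{i % 3:02x}") for i in range(40)]
    return ev

if __name__ == "__main__":
    for src, t in detect_packet_in_flood(build_sample_events()).items():
        print(f"flagged {src} at t={t:.2f}s ->", mitigation_flow_mod(src))
```

The slow scanner in the sample never accumulates enough PACKET_INs inside one window, which mirrors the lower detection rate the abstract reports for slow attacks with few sources.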