基于API调用管理的SDN应用层DDoS攻击防御机制

doi:10.11959/j.issn.2096-109x.2022017

摘要/Abstract

摘要：

软件定义网络（SDN，software defined network）针对北向接口安全研究少，加之缺乏严格的访问控制、身份认证及异常调用检测等机制，导致攻击者有机会开发恶意的应用程序，造成北向应用程序接口（API，application programming interface）的滥用，不利于SDN的全面推广。针对应用层的分布式拒绝服务（DDoS，distributed denial-of-service）主要有两种样态：一是攻击者设计恶意App，绕过北向接口的安全审查，对某些 API 进行短时间大量调用，进而导致控制器崩溃，使整个网络瘫痪；二是攻击者以某个合法SDN应用程序作为攻击目标，对该应用程序所需用的特定API进行短时间大量调用，使该合法App无法正常调用API，进而使该合法App无法正常工作。与第一种攻击相比，第二种攻击更为隐蔽。因而，如何分辨App是恶意的还是合法的、如何对受攻击控制器上运行的App进行快速清洗以分离出恶意App、如何对合法App重新分配控制器以保证其正常运行，成为必须。在深入分析当前北向接口发展趋势的基础上，模拟并实践了对其可能的DDoS攻击样态，并据此提出了基于API调用管理的SDN应用层DDoS防御机制。该机制在SDN应用层和控制层之间增加了一层App管理层。通过对App的信誉管理、初始审查、映射分配、异常检测和识别迁移，来预判和抵抗恶意App对SDN的攻击。机制侧重于在攻击发生前对恶意App进行事先审查，以避免攻击的发生。若攻击已然发生，则对合法 App 和恶意 App 进行清洗分离。理论与实验验证表明，所提安全机制有效避免了SDN应用层的DDoS攻击，且算法运行效率高。

关键词: 拒绝服务攻击, 网络安全, 软件定义网络, 北向接口

Abstract:

Due to thelack of strict access control, identity authentication and abnormal call detection, attackers may develop malicious applications easily and then it leads to theabuse of the northbound interface API (application programming interface) accordingly.There are mainly two patterns of DDoS (distributed denial-of-service) attacks against application layer.1) malicious App bypass the security review of the northbound interface and make a large number of calls to some API in a short time, thus causing the controller to crash and paralyzing the whole network; 2) attackers take a legitimate SDN (software defined network) application as the target and make a large number of short-time calls to the specific API needed by the application, which makes the legitimate App unable to call the API normally.Compared with the first pattern, the second one is more subtle.Therefore, it’s necessary to distinguish whether the App is malicious or not, effectively clean the App running on the attacked controller, and redistribute the controller to the legitimate App.Based on the in-depth analysis of the development trend of the current northbound interface, the possible DDoS attack patterns were simulated and practiced.Then a DDoS defense mechanism for SDN application layer was proposed.This mechanism added an App management layer between SDN application layer and control layer.Through reputation management, initial review, mapping allocation, anomaly detection and identification migration of the App, the malicious App attack on SDN can be predicted and resisted.The proposal focused on pre-examination of malicious App before attacks occur, so as to avoid attacks.If the attack has already happened, the operation of cleaning and separating the legitimate App from the malicious App is triggered.Theoretical and experimental results show that the proposed mechanism can effectively avoid DDoS attacks in SDN application layer, and the algorithm runs efficiently.

Key words: DDoS, network security, SDN, northbound interface

中图分类号:

TP393

王洋, 汤光明, 王硕, 楚江. 基于API调用管理的SDN应用层DDoS攻击防御机制[J]. 网络与信息安全学报, 2022, 8(2): 73-87.

Yang WANG, Guangming TANG, Shuo WANG, Jiang CHU. Defense mechanism of SDN application layer against DDoS attack based on API call management[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 73-87.

图/表 14

图1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

图12

图13

图14

参考文献 28

[1]	JAIN R , . Internet 30:ten problems with current Internet architecture and solutions for the next generation[C]// Proceedings of MILCOM 2006 IEEE Military Communications Conference. 2006: 1-9.
[2]	王涛, 陈鸿昶, 程国振 . 基于网络资源管理技术的 SDN DoS 攻击动态防御机制[J]. 计算机研究与发展, 2017,54(10): 2356-2368.
	WANG T , CHEN H C , CHENG G Z . A dynamic defense mechanism for SDN DoS attacks based on network resource management technology[J]. Journal of Computer Research and Development, 2017,54(10): 2356-2368.
[3]	张朝昆, 崔勇, 唐翯祎 ,等. 软件定义网络(SDN)研究进展[J]. 软件学报, 2015,26(1): 62-81.
	ZHANG C K , CUI Y , TANG H Y ,et al. State-of-the-art survey on software-defined networking (SDN)[J]. Journal of Software, 2015,26(1): 62-81.
[4]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[5]	龚庆祥 . 软件定义网络中分布式拒绝服务攻击研究[D]. 深圳:深圳大学, 2017.
	GONG Q X . Research on distributed denial of service attacks in software defined networking[D]. Shenzhen,China:Shenzhen University, 2017.
[6]	WU X T , LIU M , DOU W C ,et al. DDoS attacks on data plane of software-defined network:are they possible[J]. Security and Communication Networks, 2016,9(18): 5444-5459.
[7]	徐玉华, 孙知信 . 软件定义网络中的异常流量检测研究进展[J]. 软件学报, 2020,31(1): 183-207.
	XU Y H , SUN Z X . Research development of abnormal traffic detection in software defined networking[J]. Journal of Software, 2020,31(1): 183-207.
[8]	DAYAL N , MAITY P , SRIVASTAVA S ,et al. Research trends in security and DDoS in SDN[J]. Security and Communication Networks, 2016,9(18): 6386-6411.
[9]	张龙, 王劲松 . SDN中基于信息熵与DNN的DDoS攻击检测模型[J]. 计算机研究与发展, 2019,56(5): 909-918.
	ZHANG L , WANG J S . DDoS attack detection model based on information entropy and DNN in SDN[J]. Journal of Computer Research and Development, 2019,56(5): 909-918.
[10]	田俊峰, 齐鎏岭 . SDN中基于条件熵和GHSOM的DDoS攻击检测方法[J]. 通信学报, 2018,39(8): 140-149.
	TIAN J F , QI L L . DDoS attack detection method based on conditional entropy and GHSOM in SDN[J]. Journal on Communications, 2018,39(8): 140-149.
[11]	李传煌, 吴艳, 钱正哲 ,等. SDN 下基于深度学习混合模型的DDoS攻击检测与防御[J]. 通信学报, 2018,39(7): 176-187.
	LI C H , WU Y , QIAN Z Z ,et al. DDoS attack detection and defense based on hybrid deep learning model in SDN[J]. Journal on Communications, 2018,39(7): 176-187.
[12]	BRAGA R , MOTA E , PASSITO A . Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]// Proceedings of IEEE Local Computer Network Conference. Piscataway:IEEE Press, 2010: 408-415.
[13]	KANDOI R , ANTIKAINEN M . Denial-of-service attacks in OpenFlow SDN networks[C]// Proceedings of 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM). 2015: 1322-1326.
[14]	乔思祎, 胡成臣, 李昊 ,等. OpenFlow交换机流表溢出问题的缓解机制[J]. 计算机学报, 2018,41(9): 2003-2015.
	QIAO S Y , HU C C , LI H ,et al. A mechanism of taming the flow table overflow in OpenFlow switch[J]. Chinese Journal of Computers, 2018,41(9): 2003-2015.
[15]	武泽慧, 魏强, 任开磊 ,等. 基于OpenFlow交换机洗牌的DDoS攻击动态防御方法[J]. 电子与信息学报, 2017,39(2): 397-404.
	WU Z H , WEI Q , REN K L ,et al. Dynamic defense for DDoS attack using open flow-based switch shuffling approach[J]. Journal of Electronics ＆ Information Technology, 2017,39(2): 397-404.
[16]	WEN X T , CHEN Y , HU C C ,et al. Towards a secure controller platform for OpenFlow applications[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 171-172.
[17]	KLAEDTKE F , KARAME G O , BIFULCO R ,et al. Access control for SDN controllers[C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. 2014: 219-220.
[18]	崔乾 . SDN 北向资源访问安全方案研究与实现[D]. 北京:北京邮电大学, 2019.
	CUI Q . Research and implementation of SDN northbound resource security access scheme[D]. Beijing:Beijing University of Posts and Telecommunications, 2019.
[19]	王阿林 . 基于REST开放标准的北向接口动态API研究与实现[D]. 北京:北京邮电大学, 2017.
	WANG A L . Research and implementation of dynamic API based on REST northbound interface[D]. Beijing:Beijing University of Posts and Telecommunications, 2017.
[20]	任开磊 . 软件定义网络北向 REST 接口安全防御关键技术研究[D]. 郑州:信息工程大学, 2017.
	REN K L . Research on key technologies of SDN northbound REST API security defense[D]. Zhengzhou:Information Engineering University, 2017.
[21]	成静, 薛峰, 张逸飞 ,等. 移动应用众包测试人员信誉度的模糊评估方法研究[J]. 西北工业大学学报, 2018,36(4): 800-806.
	CHENG J , XUE F , ZHANG Y F ,et al. A reputation assessment approach based on fuzzy mathematics mobile application crowdsourced testers[J]. Journal of Northwestern Polytechnical University, 2018,36(4): 800-806.
[22]	沈丛麒, 陈双喜, 吴春明 ,等. 基于信誉度与相异度的自适应拟态控制器研究[J]. 通信学报, 2018,39(S2): 173-180.
	SHEN C Q , CHEN S X , WU C M ,et al. Adaptive mimic defensive controller framework based on reputation and dissimilarity[J]. Journal on Communications, 2018,39(S2): 173-180.
[23]	李婕, 王兴伟, 刘睿 . 社群智能系统中基于用户信誉度的激励机制[J]. 计算机科学与探索, 2015,9(12): 1471-1482.
	LI J , WANG X W , LIU R . User reputation- based participatory incentive mechanism in social and community intelligence systems[J]. Journal of Frontiers of Computer Science and Technology, 2015,9(12): 1471-1482.
[24]	于洋, 王之梁, 毕军 ,等. 软件定义网络中北向接口语言综述[J]. 软件学报, 2016,27(4): 993-1008.
	YU Y , WANG Z L , BI J ,et al. Survey on the languages in the northbound interface of software defined networking[J]. Journal of Software, 2016,27(4): 993-1008.
[25]	鲁垚光, 王兴伟, 李福亮 ,等. 软件定义网络中的动态负载均衡与节能机制[J]. 计算机学报, 2020,43(10): 1969-1982.
	LU Y G , WANG X W , LI F L ,et al. Dynamic load balancing and energy saving mechanism in software defined networking[J]. Chinese Journal of Computers, 2020,43(10): 1969-1982.
[26]	胡涛, 张建辉, 马腾 ,等. SDN中基于可靠性评估的多控制器均衡部署策略[J]. 通信学报, 2017,38(11): 188-198.
	HU T , ZHANG J H , MA T ,et al. Multi-controller balancing deployment strategy based on reliability evaluation in SDN[J]. Journal on Communications, 2017,38(11): 188-198.
[27]	JAFARIAN J H , AL-SHAER E , DUAN Q . An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics and Security, 2015,10(12): 2562-2577.
[28]	OKTIAN Y E , LEE S , LEE H ,et al. Secure your northbound SDN API[C]// Proceedings of 2015 Seventh International Conference on Ubiquitous and Future Networks. 2015: 919-920.