UDM：基于NFV的防止DDoS攻击SDN控制器的机制

doi:10.11959/j.issn.1000-436x.2019067

通信学报 ›› 2019, Vol. 40 ›› Issue (3): 116-124.doi: 10.11959/j.issn.1000-436x.2019067

UDM：基于NFV的防止DDoS攻击SDN控制器的机制

钱红燕,薛昊,陈鸣()

南京航空航天大学计算机科学与技术学院，江苏南京 211106

修回日期:2019-01-03 出版日期:2019-03-01 发布日期:2019-04-04
作者简介:钱红燕（1973- ），女，江苏常州人，博士，南京航空航天大学副教授、硕士生导师，主要研究方向为计算机网络、信息安全等。|薛昊（1991- ），男，安徽宁国人，南京航空航天大学硕士生，主要研究方向为计算机网络、网络安全。|陈鸣（1956- ），男，江苏无锡人，博士，南京航空航天大学教授、博士生导师，主要研究方向为未来网络、网络功能虚拟化、无人机网络、网络安全等。
基金资助:
国家自然科学基金资助项目(61772271);国家自然科学基金资助项目(61379149)

UDM:NFV-based prevention mechanism against DDoS attack on SDN controller

Hongyan QIAN,Hao XUE,Ming CHEN()

College of Computer Science and Technology,Nanjing University of Aeronautics and Astronautics,Nanjing 211106,China

Revised:2019-01-03 Online:2019-03-01 Published:2019-04-04
Supported by:
The National Natural Science Foundation of China(61772271);The National Natural Science Foundation of China(61379149)

摘要/Abstract

摘要：

广泛存在的分布式拒绝服务（DDoS）攻击对于软件定义网络（SDN）的控制器形成了致命威胁，至今还没有一种安全机制能够防御。将SDN和网络功能虚拟化（NFV）结合，提出了一种新颖的防范DDoS攻击SDN控制器的前置检测中间盒（UDM）机制，在SDN交换机端口与用户主机之间分布式部署UDM以检测并拒止DDoS攻击报文。此外，还提出了一种基于NFV的前置中间盒的实现方法，使这种UDM机制更为经济和有效，实现了基于该机制的原型系统，并对其进行大量测试。实验结果表明，基于NFV的UDM机制能够实时有效地检测和防止对控制器的DDoS攻击。

关键词: DDoS攻击, 控制器安全, 软件定义网络与网络功能虚拟化, 前置检测中间盒

Abstract:

DDoS attack extensively existed have been mortal threats for the software-defined networking (SDN) controllers and there is no any security mechanism which can prevent them yet.Combining SDN and network function virtualization (NFV),a novel preventing mechanism against DDoS attacks on SDN controller called upfront detection middlebox (UDM) was proposed.The upfront detection middlebox was deployed between SDN switch interfaces and user hosts distributed,and DDoS attack packets were detected and denied.An NFV-based method of implementing the upfront middlebox was put forward,which made the UDM mechanism be economical and effective.A prototype system based on this mechanism was implemented and lots experiments were tested.The experimental results show that the UDM mechanism based on NFV can real-time and effectively detect and prevent against DDoS attacks on SDN controllers.

Key words: DDoS attack, controller security, SDN and NFV, upfront detection middlebox

中图分类号:

TP393

钱红燕,薛昊,陈鸣. UDM：基于NFV的防止DDoS攻击SDN控制器的机制[J]. 通信学报, 2019, 40(3): 116-124.

Hongyan QIAN,Hao XUE,Ming CHEN. UDM:NFV-based prevention mechanism against DDoS attack on SDN controller[J]. Journal on Communications, 2019, 40(3): 116-124.

图/表 7

图1

图2

图3

图4

图5

图6

图7

参考文献 18

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	MIJUMBI R , SERRAT J , GORRICHO J L ,et al. Network function virtualization:state-of-the-art and research challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2017,18(1): 236-262.
[3]	TOOTOONCHIAN A , GORBUNOV S , SHERWOOD R ,et al. On controller performance in software-defined networks[C]// Usenix Conference on Hot Topics in Management of Internet,Cloud,and Enterprise Networks and Services. 2012:10.
[4]	JARSCHEL M , OECHSNER S , SCHLOSSER D ,et al. Modeling and performance evaluation of an OpenFlow architecture[C]// Teletraffic Congress. 2011: 1-7.
[5]	ZHANG P , WANG H , HU C ,et al. On denial of service attacks in software defined networks[J]. IEEE Network, 2016,30(6): 28-33.
[6]	SHIN S , YEGNESWARAN V , PORRAS P ,et al. AVANT-GUARD:scalable and vigilant switch flow management in software-defined networks[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 413-424.
[7]	WANG H , XU L , GU G . FloodGuard:a DoS attack prevention extension in software-defined networks[C]// IEEE/IFIP International Conference on Dependable Systems and Networks. 2015: 239-250.
[8]	KEROMYTIS A D , MISRA V , RUBENSTEIN D . SOS:secure overlay services[C]// ACM SIGCOMM ’02 Conference. 2002: 61-72.
[9]	ZHOU L , GUO H . Applying NFV/SDN in mitigating DDoS attacks[C]// 2017 IEEE Region 10 Conference. 2017: 2061-2066.
[10]	FUNG C J , MCCORMICK B . VGuard:a distributed denial of service attack mitigation method using network function virtualization[C]// International Conference on Network and Service Management. 2015: 64-70.
[11]	JAKARIA A H M , YANG W , RASHIDI B ,et al. VFence:a defense against distributed denial of service attacks using network function virtualization[C]// Computer Software and Applications Conference. 2016: 431-436.
[12]	FUTAMURA K , KARASARIDIS A , NOEL E ,et al. vDNS closed-loop control:a framework for an elastic control plane service[C]// Network Function Virtualization and Software Defined Network. 2016: 170-176.
[13]	WANG R , JIA Z , JU L . An entropy-based distributed DDoS detection mechanism in software-defined networking[C]// IEEE Trustcom/bigdatase/ispa. 2015: 310-317.
[14]	KUMAR K , JOSHI R C , SINGH K . A distributed approach using entropy to detect DDoS attacks in ISP domain[C]// International Conference on Signal Processing,Communications and Networking. 2007: 331-337.
[15]	BERNSTEIN D . Containers and cloud:from LXC to docker to kubernetes[J]. IEEE Cloud Computing, 2015,1(3): 81-84.
[16]	YANG Y , WANG Y . A software implementation for a hybrid firewall using linux netfilter[C]// Software Engineering. 2011: 18-21.
[17]	PFAFF B , PETTIT J , KOPONEN T . The design and implementation of open vSwitch[C]// USENIX Networked System Design and Implementation. 2015: 117-130.
[18]	DOULIGERIS C , MITROKOTSA A . DDoS attacks and defense mechanisms:classification and state-of-the-art[J]. Computer Networks, 2004,44(5): 643-666.

UDM：基于NFV的防止DDoS攻击SDN控制器的机制

UDM:NFV-based prevention mechanism against DDoS attack on SDN controller

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 18

相关文章 4

Metrics

推荐阅读 0

[1]	陈兴蜀,滑强,王毅桐,葛龙,朱毅. 云环境下SDN网络低速率DDoS攻击的研究[J]. 通信学报, 2019, 40(6): 210-222.
[2]	田俊峰,齐鎏岭. SDN中基于条件熵和GHSOM的DDoS攻击检测方法[J]. 通信学报, 2018, 39(8): 140-149.
[3]	何亨,胡艳,郑良汉,薛正元. 云环境中基于SDN的高效DDoS攻击检测与防御方案[J]. 通信学报, 2018, 39(4): 139-151.
[4]	田俊峰,朱宏涛,孙冬冬,毕志明,刘倩. 基于用户信誉值防御DDoS攻击的协同模型[J]. 通信学报, 2009, 30(3): 12-20.