软件定义网络抗拒绝服务攻击的流表溢出防护

doi:10.11959/j.issn.1000-436x.2023036

通信学报 ›› 2023, Vol. 44 ›› Issue (2): 1-11.doi: 10.11959/j.issn.1000-436x.2023036

• 学术论文 • 下一篇

软件定义网络抗拒绝服务攻击的流表溢出防护

王东滨¹^,², 吴东哲¹, 智慧³, 郭昆¹^,⁴^,⁵, 张勖¹, 时金桥¹, 张宇⁶^,⁷, 陆月明¹^,⁴

¹ 北京邮电大学网络空间安全学院，北京 100876
² 链网融合技术教育部工程研究中心，北京 100876
³ 中国民航信息网络股份有限公司，北京 100190
⁴ 移动互联网安全技术国家工程研究中心，北京 100876
⁵ 中关村实验室，北京 100094
⁶ 哈尔滨工业大学网络空间安全学院，黑龙江哈尔滨 150001
⁷ 鹏城实验室网络空间安全研究中心，广东深圳 518055

修回日期:2022-12-26 出版日期:2023-02-25 发布日期:2023-02-01
作者简介:王东滨（1978- ），男，黑龙江哈尔滨人，博士，北京邮电大学教授、博士生导师，主要研究方向为软件定义网络与安全、区块链、网络流量分析与模拟等
吴东哲（1998- ），男，河南三门峡人，北京邮电大学硕士生，主要研究方向为软件定义网络与安全等
智慧（1980- ），女，河北邯郸人，中国民航信息网络股份有限公司高级工程师，主要研究方向为物联网、RFID、分布式系统、民航信息系统等
郭昆（1986- ），男，河北沙河人，博士，中关村实验室助理研究员，主要研究方向为可信路由计算、异常流量检测
张勖（1973- ），女，北京人，博士，北京邮电大学副教授、硕士生导师，主要研究方向为移动自组织网络安全、物联网安全等
时金桥（1978- ），男，黑龙江哈尔滨人，博士，北京邮电大学教授、博士生导师，主要研究方向为分布式网络系统、匿名通信与隐私保护、区块链网络、信息智能处理、大数据智能分析、网络测量技术等
张宇（1979- ），男，黑龙江哈尔滨人，博士，哈尔滨工业大学副教授、博士生导师，主要研究方向为软件定义网络、网络拓扑测量、域间路由和复杂网络等
陆月明（1969- ），男，江苏苏州人，博士，北京邮电大学教授、博士生导师，主要研究方向为网络安全防护、信任体系等
基金资助:
国家重点研发计划基金资助项目(2020YFB1808100);中国高校产学研创新基金资助项目(2021FNA02004)

Preventing flow table overflow against denial of service attack in software defined network

Dongbin WANG¹^,², Dongzhe WU¹, Hui ZHI³, Kun GUO¹^,⁴^,⁵, Xu ZHANG¹, Jinqiao SHI¹, Yu ZHANG⁶^,⁷, Yueming LU¹^,⁴

¹ School of Cyberspace Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China
² Engineering Research Center of Blockchain and Network Convergence Technology, Ministry of Education, Beijing 100876, China
³ TravelSky Technology Limited, Beijing 100190, China
⁴ National Engineering Research Center for Mobile Network, Beijing 100876, China
⁵ Zhongguancun Laboratory, Beijing 100094, China
⁶ School of Cyberspace Science, Harbin Institute of Technology, Harbin 150001, China
⁷ Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518055, China

Revised:2022-12-26 Online:2023-02-25 Published:2023-02-01
Supported by:
The National Key Research and Development Program of China(2020YFB1808100);China University Industry-University-Research Collaborative Innovation Fund(2021FNA02004)

摘要/Abstract

摘要：

针对拒绝服务攻击导致软件定义网络交换机有限的流表空间溢出、正常的网络报文无法被安装流表规则、报文转发时延、丢包等情况，提出了抗拒绝服务攻击的软件定义网络流表溢出防护技术 FloodMitigation，采用基于流表可用空间的限速流规则安装管理，限制出现拒绝服务攻击的交换机端口的流规则最大安装速度和占用的流表空间数量，避免了流表溢出。此外，采用基于可用流表空间的路径选择，在多条转发路径的交换机间均衡流表利用率，避免转发网络报文过程中出现网络新流汇聚导致的再次拒绝服务攻击。实验结果表明，FloodMitigation在防止交换机流表溢出、避免网络报文丢失、降低控制器资源消耗、确保网络报文转发时延等方面能够有效地缓解拒绝服务攻击的危害。

关键词: 软件定义网络, 拒绝服务攻击, 流表溢出, 路径选择

Abstract:

Aiming at denial of service attacks would cause overflow of the limited flow table space of the switch in software defined network, failure to install flow table rules for normal network packets, packet forwarding delay, and packet loss, FloodMitigation was proposed to prevent flow table overflow against denial of service attacks in software defined network.The management of the rate-limit flow rule installation based on available flow table space was adopted to limit the maximum installation speed of flow rules and the number of flow table space occupied by switch ports with denial-of-service attacks, and avoid flow table overflow.In addition, path selection based on available flow table space was adopted to balance flow table utilization of switches among multiple forwarding paths to avoid denial of service attacks on switches with less available flow table in the path.The experimental results demonstrate that FloodMitigation can effectively alleviate the harm of denial of service attacks in terms of preventing switch flow table overflow and packet loss, reducing resource consumption of controllers, and ensuring packet forwarding delay.

Key words: software defined network, denial of service attack, flow table overflow, path selection

中图分类号:

TP393

王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.

Dongbin WANG, Dongzhe WU, Hui ZHI, Kun GUO, Xu ZHANG, Jinqiao SHI, Yu ZHANG, Yueming LU. Preventing flow table overflow against denial of service attack in software defined network[J]. Journal on Communications, 2023, 44(2): 1-11.

图/表 9

图1

图2

图3

图4

图5

图6

图7

图8

图9

参考文献［22］

［1］	JAIN R , ． Internet 3.0:ten problems with current Internet architecture and solutions for the next generation［C］// Proceedings of IEEE Military Communications Conference． Piscataway:IEEE Press, 2007: 1-9．
［2］	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al． OpenFlow［J］． ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74．
［3］	张朝昆, 崔勇, 唐翯翯 ,等．软件定义网络(SDN)研究进展［J］．软件学报, 2015,26(1): 62-81．
	ZHANG C K , CUI Y , TANG H H ,et al． State-of-the-art survey on sofware-defined networking (SDN)［J］． Journal of Software, 2015,26(1): 62-81．
［4］	QI Y Z , WANG D B , YAO W B ,et al． Towards multi-controller placement for SDN based on density peaks clustering［C］// Proceedings of IEEE International Conference on Communications． Piscataway:IEEE Press, 2019: 1-6．
［5］	YUAN B , ZOU D Q , YU S ,et al． Defending against flow table overloading attack in software-defined networks［J］． IEEE Transactions on Services Computing, 2019,12(2): 231-246．
［6］	KAUR S , KUMAR K , AGGARWAL N ,et al． A comprehensive survey of DDoS defense solutions in SDN:taxonomy,research challenges,and future directions［J］． Computers and Security, 2021,110: 1-39．
［7］	SWAMI R , DAVE M , RANGA V ． Software-defined networking-based DDoS defense mechanisms［J］． ACM Computing Surveys, 2020,52(2): 1-36．
［8］	ZHANG P , WANG H Z , HU C C ,et al． On denial of service attacks in software defined networks［J］． IEEE Network, 2016,30(6): 28-33．
［9］	王蒙蒙, 刘建伟, 陈杰 ,等．软件定义网络:安全模型、机制及研究进展［J］．软件学报, 2016,27(4): 969-992．
	WANG M M , LIU J W , CHEN J ,et al． Software defined networking:security model,threats and mechanism［J］． Journal of Software, 2016,27(4): 969-992．
［10］	TANG D , ZHANG S Q , YAN Y D ,et al． Real-time detection and mitigation of LDoS attacks in the SDN using the HGB-FP algorithm［J］． IEEE Transactions on Services Computing, 2022,15(6): 3471-3484．
［11］	SHIN S , YEGNESWARAN V , PORRAS P ,et al． AVANT-GUARD:scalable and vigilant switch flow management in software-defined networks［C］// Proceedings of the 2013 ACM SIGSAC Conference on Computer ＆ Communications Security． New York:ACM Press, 2013: 413-424．
［12］	AMBROSIN M , CONTI M , GASPARI F D ,et al． LineSwitch:tackling control plane saturation attacks in software-defined networking［J］． IEEE/ACM Transactions on Networking, 2017,25(2): 1206-1219．
［13］	ZHANG M H , BI J , BAI J S ,et al． FloodShield:securing the SDN infrastructure against denial-of-service attacks［C］// Proceedings of the 17th IEEE International Conference on Trust,Security and Privacy in Computing and Communications/ 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE)． Piscataway:IEEE Press, 2018: 687-698．
［14］	LI J S , TU T F , LI Y S ,et al． DoSGuard:mitigating denial-of-service attacks in software-defined networks［J］． Sensors (Basel,Switzerland), 2022,22(3): 1061．
［15］	WANG H P , XU L , GU G F ． FloodGuard:a DoS attack prevention extension in software-defined networks［C］// Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks． Piscataway:IEEE Press, 2015: 239-250．
［16］	WU P P , YAO L , LIN C ,et al． FMD:a DoS mitigation scheme based on flow migration in software defined networking［J］． International Journal of Communication Systems, 2018,31(9): 1206-1219．
［17］	GAO S , PENG Z , XIAO B ,et al． Detection and mitigation of DoS attacks in software defined networks［J］． IEEE/ACM Transactions on Networking, 2020,28(3): 1419-1433．
［18］	AHALAWAT A , BABU K S , TURUK A K ,et al． A low-rate DDoS detection and mitigation for SDN using Renyi entropy with packet drop［J］． Journal of Information Security and Applications, 2022,68: 2214-2226．
［19］	HE H , PENG Z Z , ZHOU X H ,et al． LFOD:a lightweight flow table optimization scheme in SDN based on flow length distribution in the Internet［C］// Proceedings of the 23rd Asia-Pacific Network Operations and Management Symposium． Piscataway:IEEE Press, 2022: 1-6．
［20］	LI X F , HUANG Y ． A flow table with two-stage timeout mechanism for SDN switches［C］// Proceedings of IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS)． Piscataway:IEEE Press, 2019: 1804-1809．
［21］	LI Q , HUANG N Y , WANG D M ,et al． HQTimer:a hybrid Q-learning-based timeout mechanism in software-defined networks［J］． IEEE Transactions on Network and Service Management, 2019,16(1): 153-166．
［22］	XIE S X , XING C Y , ZHANG G M ,et al． A table overflow LDoS attack defending mechanism in software-defined networks［J］． Security and Communication Networks, 2021,2021: 1-16．

[1]	徐明, 张保俊, 伍益明, 应晨铎, 郑宁. 面向网络攻击和隐私保护的多智能体系统分布式共识算法[J]. 通信学报, 2023, 44(3): 117-127.
[2]	沙宗轩, 霍如, 孙闯, 汪硕, 黄韬. 基于深度强化学习的转发效能感知流量调度算法[J]. 通信学报, 2022, 43(8): 30-40.
[3]	燕昺昊, 刘勤让, 沈剑良, 汤先拓, 梁栋. 软件定义网络中一种快速无循环路径迁移策略[J]. 通信学报, 2022, 43(5): 24-35.
[4]	吴平, 常朝稳, 左志斌, 马莹莹. 基于地址重载的SDN分组转发验证[J]. 通信学报, 2022, 43(3): 88-100.
[5]	李传煌, 陈泱婷, 唐晶晶, 楼佳丽, 谢仁华, 方春涛, 王伟明, 陈超. QL-STCT：一种SDN链路故障智能路由收敛方法[J]. 通信学报, 2022, 43(2): 131-142.
[6]	霍如, 程祥凤, 孙闯, 汪硕, 黄韬, F.Richard Yu. 区块链网络拓扑优化和转发策略设计[J]. 通信学报, 2022, 43(12): 89-100.
[7]	于斌, 张南, 陆旭, 段振华, 田聪. 基于运行时验证的边缘服务器DoS攻击检测方法[J]. 通信学报, 2021, 42(9): 75-86.
[8]	吴平, 常朝稳, 马莹莹. 基于端址重载的SDN包转发验证[J]. 通信学报, 2021, 42(7): 70-83.
[9]	常朝稳, 金建树, 韩培胜, 祝现威. 基于属性签名标识的SDN数据包转发验证方案[J]. 通信学报, 2021, 42(6): 131-144.
[10]	周启钊, 于俊清, 李冬. SDN控制层泛洪防御机制研究：检测与缓解[J]. 通信学报, 2021, 42(11): 41-53.
[11]	李硕朋, 方娟, 陈肯. 基于SRv6的确定性网络服务共享保护方案[J]. 通信学报, 2021, 42(10): 32-42.
[12]	姚蓝,兰巨龙. 基于联盟博弈的自适应SDN交换机迁移机制[J]. 通信学报, 2020, 41(8): 1-10.
[13]	王耀民,王霞,董易,张松海,施心陵. 基于斐波那契树优化算法的数据中心流量调度策略[J]. 通信学报, 2020, 41(6): 112-127.
[14]	韩珍珍,赵国锋,徐川,周文涛,周洋洋. 基于时延的LEO卫星网络SDN控制器动态放置方法[J]. 通信学报, 2020, 41(3): 126-135.
[15]	赖英旭,蒲叶玮,刘静. 基于最小代价路径的交换机迁移方法研究[J]. 通信学报, 2020, 41(2): 131-142.

软件定义网络抗拒绝服务攻击的流表溢出防护

Preventing flow table overflow against denial of service attack in software defined network

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献［22］

相关文章 15

Metrics

推荐阅读 0

软件定义网络抗拒绝服务攻击的流表溢出防护

Preventing flow table overflow against denial of service attack in software defined network

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 ［22］

相关文章 15

Metrics

推荐阅读 0

参考文献［22］