Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2022, Vol. 8 ›› Issue (2): 73-87. doi: 10.11959/j.issn.2096-109x.2022017

• Column: Network Attack and Defense Technology •

Defense mechanism of SDN application layer against DDoS attack based on API call management
(基于API调用管理的SDN应用层DDoS攻击防御机制)

Yang WANG1, Guangming TANG1, Shuo WANG2, Jiang CHU2

  1 Information Engineering University, Zhengzhou 450001, China
  2 China Xi'an Satellite Control Center, Xi'an 710043, China
  • Revised: 2021-10-20  Online: 2022-04-15  Published: 2022-04-01
  • About the authors:
    Yang WANG (born 1985), female, from Xi'an, Shaanxi; PhD candidate at Information Engineering University; research interests: network and information security.
    Guangming TANG (born 1963), female, from Changde, Hunan; professor and doctoral supervisor at Information Engineering University; research interests: network and information security, information security management, information hiding.
    Shuo WANG (born 1991), male, from Nanyang, Henan; engineer at China Xi'an Satellite Control Center; research interests: network and information security, machine learning.
    Jiang CHU (born 1980), male, from Nanjing, Jiangsu; senior engineer at China Xi'an Satellite Control Center; research interests: network and information security, cryptographic application security.
  • Supported by:
    The National Natural Science Foundation of China (61802438)

Abstract:

Research on securing the northbound interface of software defined networks (SDN) is scarce, and the interface lacks strict access control, identity authentication and anomalous-call detection. Attackers therefore have an opportunity to develop malicious applications (Apps) that abuse the northbound application programming interface (API), which hinders the wide deployment of SDN. Distributed denial-of-service (DDoS) attacks on the application layer take two main forms. 1) A malicious App bypasses the security review of the northbound interface and makes a large number of calls to some API in a short time, crashing the controller and paralyzing the whole network. 2) The attacker targets a legitimate SDN App and floods the specific API that App depends on with short-time calls, so that the legitimate App can no longer call the API and stops working. Compared with the first pattern, the second is more covert. It is therefore necessary to distinguish malicious Apps from legitimate ones, to quickly clean the Apps running on an attacked controller so as to separate out the malicious ones, and to reassign legitimate Apps to a controller so that they keep running. Based on an in-depth analysis of current trends in northbound interface development, the possible DDoS attack patterns were simulated and tried out in practice, and a DDoS defense mechanism for the SDN application layer based on API call management was proposed accordingly. The mechanism adds an App management layer between the SDN application layer and the control layer. Through reputation management, initial review, mapping allocation, anomaly detection, and identification and migration of Apps, it anticipates and resists attacks by malicious Apps on the SDN. The mechanism focuses on vetting malicious Apps before an attack occurs so as to prevent it; if an attack has already happened, legitimate Apps are cleaned and separated from malicious ones. Theoretical analysis and experiments show that the proposed mechanism effectively prevents DDoS attacks on the SDN application layer, and the algorithm runs efficiently.

Key words: DDoS, denial-of-service attack, network security, SDN, software defined network, northbound interface
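
The following is an added toy illustration of the ideas the abstract lists (reputation-gated admission, App-to-controller mapping, per-API call-window anomaly detection for both attack patterns, and migration of legitimate Apps off an attacked controller). It is not the paper's code and does not reproduce its algorithms; the controller names, App names, API names, reputation scores, window size and thresholds are all constructed for the demo.

```python
"""Toy App management layer between SDN Apps and controllers.

Constructed illustration, not the paper's code. All thresholds, names and
data structures are assumptions chosen for this demo.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class AppRecord:
    name: str
    reputation: float      # assumed score in [0, 1] from past behaviour
    controller: str
    flagged: bool = False  # set once the App is identified as malicious


class AppManager:
    def __init__(self, controllers, window=1.0, per_app_limit=20,
                 api_capacity=24, min_reputation=0.5, dominance=0.75):
        self.controllers = list(controllers)
        self.window = window                # seconds of history kept per (controller, API)
        self.per_app_limit = per_app_limit  # calls one App may make to one API per window
        self.api_capacity = api_capacity    # calls a controller can serve per API per window
        self.min_reputation = min_reputation
        self.dominance = dominance          # share of a saturated API that identifies a culprit
        self.apps = {}
        self.history = defaultdict(deque)   # (controller, api) -> deque of (time, app)
        self.events = []                    # audit trail of decisions

    # initial review + mapping allocation
    def register(self, name, reputation):
        """Admit an App only if its reputation clears the bar and map it to the
        least-loaded controller. Returns the controller, or None if refused."""
        if reputation < self.min_reputation:
            self.events.append(("refused", name))
            return None
        ctrl = self._least_loaded()
        self.apps[name] = AppRecord(name, reputation, ctrl)
        return ctrl

    def _least_loaded(self, exclude=None):
        candidates = [c for c in self.controllers if c != exclude] or [exclude]
        load = Counter(r.controller for r in self.apps.values() if not r.flagged)
        return min(candidates, key=lambda c: (load[c], c))

    # anomaly detection on every northbound call
    def call(self, now, name, api):
        """Route one API call. Returns 'ok', 'starved' (throttled) or 'rejected'."""
        rec = self.apps[name]
        if rec.flagged:
            return "rejected"
        q = self.history[(rec.controller, api)]
        while q and now - q[0][0] > self.window:   # drop calls outside the window
            q.popleft()
        counts = Counter(a for _, a in q)
        # Pattern 1: a single App calling one API far beyond any legitimate rate.
        if counts[name] >= self.per_app_limit:
            self._quarantine(name, "rate")
            return "rejected"
        # Pattern 2: the controller cannot serve this API for anyone right now.
        if len(q) >= self.api_capacity:
            culprit, n = counts.most_common(1)[0]
            if culprit != name and n >= self.dominance * len(q):
                # another App is crowding this one out: identify, clean, migrate, retry
                self._quarantine(culprit, "starvation")
                return self.call(now, name, api)
            return "starved"   # the caller itself is the hog, or no single culprit
        q.append((now, name))
        return "ok"

    # identification and migration
    def _quarantine(self, name, reason):
        bad = self.apps[name]
        bad.flagged = True
        bad.reputation = max(0.0, bad.reputation - 0.5)
        self.events.append(("flagged", name, reason))
        # cleaning: the attacked controller stops serving the attacker's queued calls
        for q in self.history.values():
            kept = [e for e in q if e[1] != name]
            q.clear()
            q.extend(kept)
        # move legitimate Apps that shared the attacked controller elsewhere
        for rec in self.apps.values():
            if not rec.flagged and rec.controller == bad.controller:
                target = self._least_loaded(exclude=bad.controller)
                if target != rec.controller:
                    self.events.append(("migrated", rec.name, rec.controller, target))
                    rec.controller = target


def demo():
    """Constructed scenario: one covert attacker ('hog') and one crude one ('flood')."""
    mgr = AppManager(["c1", "c2"])
    admitted = {n: mgr.register(n, r) for n, r in
                [("monitor", 0.9), ("balancer", 0.8), ("shady", 0.3), ("hog", 0.7)]}
    # Pattern 2: 'hog' stays under its own limit (19 < 20) but eats the API's capacity
    hog_calls = [mgr.call(0.01 * i, "hog", "topology") for i in range(19)]
    victim = [mgr.call(0.30 + 0.01 * i, "monitor", "topology") for i in range(5)]
    hog_throttled = mgr.call(0.35, "hog", "topology")
    victim.append(mgr.call(0.36, "monitor", "topology"))  # triggers identification + migration
    hog_after = mgr.call(0.37, "hog", "topology")
    # Pattern 1: 'flood' hammers one API straight past the per-App limit
    flood_ctrl = mgr.register("flood", 0.6)
    flood = [mgr.call(1.0 + 0.001 * i, "flood", "install_flow") for i in range(25)]
    return {"admitted": admitted, "hog_calls": hog_calls, "victim": victim,
            "hog_throttled": hog_throttled, "hog_after": hog_after,
            "flood_ctrl": flood_ctrl, "flood": flood,
            "controllers": {n: r.controller for n, r in mgr.apps.items()},
            "events": mgr.events}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of the two thresholds is the abstract's distinction between the patterns: the per-App limit catches an App that simply floods an API, while the second attacker deliberately stays under that limit and is only identified when a legitimate App on the same controller is crowded out and the saturated API's call history shows a single dominant caller. A pure rate classifier like this one cannot tell a genuinely busy legitimate App from a slow attacker, which is why admission by reputation and pre-deployment review sit in front of it.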
