基于API调用管理的SDN应用层DDoS攻击防御机制

doi:10.11959/j.issn.2096-109x.2022017

Abstract

Abstract:

Due to thelack of strict access control, identity authentication and abnormal call detection, attackers may develop malicious applications easily and then it leads to theabuse of the northbound interface API (application programming interface) accordingly.There are mainly two patterns of DDoS (distributed denial-of-service) attacks against application layer.1) malicious App bypass the security review of the northbound interface and make a large number of calls to some API in a short time, thus causing the controller to crash and paralyzing the whole network; 2) attackers take a legitimate SDN (software defined network) application as the target and make a large number of short-time calls to the specific API needed by the application, which makes the legitimate App unable to call the API normally.Compared with the first pattern, the second one is more subtle.Therefore, it’s necessary to distinguish whether the App is malicious or not, effectively clean the App running on the attacked controller, and redistribute the controller to the legitimate App.Based on the in-depth analysis of the development trend of the current northbound interface, the possible DDoS attack patterns were simulated and practiced.Then a DDoS defense mechanism for SDN application layer was proposed.This mechanism added an App management layer between SDN application layer and control layer.Through reputation management, initial review, mapping allocation, anomaly detection and identification migration of the App, the malicious App attack on SDN can be predicted and resisted.The proposal focused on pre-examination of malicious App before attacks occur, so as to avoid attacks.If the attack has already happened, the operation of cleaning and separating the legitimate App from the malicious App is triggered.Theoretical and experimental results show that the proposed mechanism can effectively avoid DDoS attacks in SDN application layer, and the algorithm runs efficiently.

Key words: DDoS, network security, SDN, northbound interface

CLC Number:

TP393

Yang WANG, Guangming TANG, Shuo WANG, Jiang CHU. Defense mechanism of SDN application layer against DDoS attack based on API call management[J]. Chinese Journal of Network and Information Security, 2022, 8(2): 73-87.

Figures/Tables 14

References 28

[1]	JAIN R , . Internet 30:ten problems with current Internet architecture and solutions for the next generation[C]// Proceedings of MILCOM 2006 IEEE Military Communications Conference. 2006: 1-9.
[2]	王涛, 陈鸿昶, 程国振 . 基于网络资源管理技术的 SDN DoS 攻击动态防御机制[J]. 计算机研究与发展, 2017,54(10): 2356-2368.
	WANG T , CHEN H C , CHENG G Z . A dynamic defense mechanism for SDN DoS attacks based on network resource management technology[J]. Journal of Computer Research and Development, 2017,54(10): 2356-2368.
[3]	张朝昆, 崔勇, 唐翯祎 ,等. 软件定义网络(SDN)研究进展[J]. 软件学报, 2015,26(1): 62-81.
	ZHANG C K , CUI Y , TANG H Y ,et al. State-of-the-art survey on software-defined networking (SDN)[J]. Journal of Software, 2015,26(1): 62-81.
[4]	王蒙蒙, 刘建伟, 陈杰 ,等. 软件定义网络:安全模型、机制及研究进展[J]. 软件学报, 2016,27(4): 969-992.
	WANG M M , LIU J W , CHEN J ,et al. Software defined networking:security model,threats and mechanism[J]. Journal of Software, 2016,27(4): 969-992.
[5]	龚庆祥 . 软件定义网络中分布式拒绝服务攻击研究[D]. 深圳:深圳大学, 2017.
	GONG Q X . Research on distributed denial of service attacks in software defined networking[D]. Shenzhen,China:Shenzhen University, 2017.
[6]	WU X T , LIU M , DOU W C ,et al. DDoS attacks on data plane of software-defined network:are they possible[J]. Security and Communication Networks, 2016,9(18): 5444-5459.
[7]	徐玉华, 孙知信 . 软件定义网络中的异常流量检测研究进展[J]. 软件学报, 2020,31(1): 183-207.
	XU Y H , SUN Z X . Research development of abnormal traffic detection in software defined networking[J]. Journal of Software, 2020,31(1): 183-207.
[8]	DAYAL N , MAITY P , SRIVASTAVA S ,et al. Research trends in security and DDoS in SDN[J]. Security and Communication Networks, 2016,9(18): 6386-6411.
[9]	张龙, 王劲松 . SDN中基于信息熵与DNN的DDoS攻击检测模型[J]. 计算机研究与发展, 2019,56(5): 909-918.
	ZHANG L , WANG J S . DDoS attack detection model based on information entropy and DNN in SDN[J]. Journal of Computer Research and Development, 2019,56(5): 909-918.
[10]	田俊峰, 齐鎏岭 . SDN中基于条件熵和GHSOM的DDoS攻击检测方法[J]. 通信学报, 2018,39(8): 140-149.
	TIAN J F , QI L L . DDoS attack detection method based on conditional entropy and GHSOM in SDN[J]. Journal on Communications, 2018,39(8): 140-149.
[11]	李传煌, 吴艳, 钱正哲 ,等. SDN 下基于深度学习混合模型的DDoS攻击检测与防御[J]. 通信学报, 2018,39(7): 176-187.
	LI C H , WU Y , QIAN Z Z ,et al. DDoS attack detection and defense based on hybrid deep learning model in SDN[J]. Journal on Communications, 2018,39(7): 176-187.
[12]	BRAGA R , MOTA E , PASSITO A . Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]// Proceedings of IEEE Local Computer Network Conference. Piscataway:IEEE Press, 2010: 408-415.
[13]	KANDOI R , ANTIKAINEN M . Denial-of-service attacks in OpenFlow SDN networks[C]// Proceedings of 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM). 2015: 1322-1326.
[14]	乔思祎, 胡成臣, 李昊 ,等. OpenFlow交换机流表溢出问题的缓解机制[J]. 计算机学报, 2018,41(9): 2003-2015.
	QIAO S Y , HU C C , LI H ,et al. A mechanism of taming the flow table overflow in OpenFlow switch[J]. Chinese Journal of Computers, 2018,41(9): 2003-2015.
[15]	武泽慧, 魏强, 任开磊 ,等. 基于OpenFlow交换机洗牌的DDoS攻击动态防御方法[J]. 电子与信息学报, 2017,39(2): 397-404.
	WU Z H , WEI Q , REN K L ,et al. Dynamic defense for DDoS attack using open flow-based switch shuffling approach[J]. Journal of Electronics ＆ Information Technology, 2017,39(2): 397-404.
[16]	WEN X T , CHEN Y , HU C C ,et al. Towards a secure controller platform for OpenFlow applications[C]// Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking. 2013: 171-172.
[17]	KLAEDTKE F , KARAME G O , BIFULCO R ,et al. Access control for SDN controllers[C]// Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. 2014: 219-220.
[18]	崔乾 . SDN 北向资源访问安全方案研究与实现[D]. 北京:北京邮电大学, 2019.
	CUI Q . Research and implementation of SDN northbound resource security access scheme[D]. Beijing:Beijing University of Posts and Telecommunications, 2019.
[19]	王阿林 . 基于REST开放标准的北向接口动态API研究与实现[D]. 北京:北京邮电大学, 2017.
	WANG A L . Research and implementation of dynamic API based on REST northbound interface[D]. Beijing:Beijing University of Posts and Telecommunications, 2017.
[20]	任开磊 . 软件定义网络北向 REST 接口安全防御关键技术研究[D]. 郑州:信息工程大学, 2017.
	REN K L . Research on key technologies of SDN northbound REST API security defense[D]. Zhengzhou:Information Engineering University, 2017.
[21]	成静, 薛峰, 张逸飞 ,等. 移动应用众包测试人员信誉度的模糊评估方法研究[J]. 西北工业大学学报, 2018,36(4): 800-806.
	CHENG J , XUE F , ZHANG Y F ,et al. A reputation assessment approach based on fuzzy mathematics mobile application crowdsourced testers[J]. Journal of Northwestern Polytechnical University, 2018,36(4): 800-806.
[22]	沈丛麒, 陈双喜, 吴春明 ,等. 基于信誉度与相异度的自适应拟态控制器研究[J]. 通信学报, 2018,39(S2): 173-180.
	SHEN C Q , CHEN S X , WU C M ,et al. Adaptive mimic defensive controller framework based on reputation and dissimilarity[J]. Journal on Communications, 2018,39(S2): 173-180.
[23]	李婕, 王兴伟, 刘睿 . 社群智能系统中基于用户信誉度的激励机制[J]. 计算机科学与探索, 2015,9(12): 1471-1482.
	LI J , WANG X W , LIU R . User reputation- based participatory incentive mechanism in social and community intelligence systems[J]. Journal of Frontiers of Computer Science and Technology, 2015,9(12): 1471-1482.
[24]	于洋, 王之梁, 毕军 ,等. 软件定义网络中北向接口语言综述[J]. 软件学报, 2016,27(4): 993-1008.
	YU Y , WANG Z L , BI J ,et al. Survey on the languages in the northbound interface of software defined networking[J]. Journal of Software, 2016,27(4): 993-1008.
[25]	鲁垚光, 王兴伟, 李福亮 ,等. 软件定义网络中的动态负载均衡与节能机制[J]. 计算机学报, 2020,43(10): 1969-1982.
	LU Y G , WANG X W , LI F L ,et al. Dynamic load balancing and energy saving mechanism in software defined networking[J]. Chinese Journal of Computers, 2020,43(10): 1969-1982.
[26]	胡涛, 张建辉, 马腾 ,等. SDN中基于可靠性评估的多控制器均衡部署策略[J]. 通信学报, 2017,38(11): 188-198.
	HU T , ZHANG J H , MA T ,et al. Multi-controller balancing deployment strategy based on reliability evaluation in SDN[J]. Journal on Communications, 2017,38(11): 188-198.
[27]	JAFARIAN J H , AL-SHAER E , DUAN Q . An effective address mutation approach for disrupting reconnaissance attacks[J]. IEEE Transactions on Information Forensics and Security, 2015,10(12): 2562-2577.
[28]	OKTIAN Y E , LEE S , LEE H ,et al. Secure your northbound SDN API[C]// Proceedings of 2015 Seventh International Conference on Ubiquitous and Future Networks. 2015: 919-920.

Metrics

Recommended 0

No Suggested Reading articles found!

Defense mechanism of SDN application layer against DDoS attack based on API call management

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 14

References 28

Related Articles 15

Metrics

Recommended 0

[1]	Heli WANG, Qiao YAN. Selfish mining detection scheme based on the characters of transactions [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 104-114.
[2]	Dong LI, Yanni HAO, Shenghui PENG, Ruijie ZI, Ximeng LIU. Network security of the National Natural Science Foundation of China: today and prospects [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 92-101.
[3]	Fukang XING, Zheng ZHANG, Ran SUI, Sheng QU, Xinsheng JI. Qualitative modeling and analysis of attack surface for process multi-variant execution software system [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 121-128.
[4]	Zenan WANG, Jiahao LI, Chaohong TAN, Dechang PI. Design and analysis of intelligent service chain system for network security resource pool [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 175-181.
[5]	Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.
[6]	Lijuan LI, Man LI, Hongjun BI, Huachun ZHOU. Multi-type low-rate DDoS attack detection method based on hybrid deep learning [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 73-85.
[7]	Tao WANG, Hongchang CHEN. Multi-objective optimization placement strategy for SDN security controller considering Byzantine attributes [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 72-84.
[8]	Chenglei ZHANG, Yulong FU, Hui LI, Jin CAO. Research on security scenarios and security models for 6G networking [J]. Chinese Journal of Network and Information Security, 2021, 7(1): 28-45.
[9]	Guochun LI,Rui MA,Jichun MA,Bozhong Li,Huiming LIU,Guiyu ZHANG. Research on SDN deployment practice for WAN egress traffic scheduling [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 148-157.
[10]	Wei HUANG, Ran LU, Cuncai LIU, Sibo QI. QoS routing algorithm based on multiple domain architecture of SDN [J]. Chinese Journal of Network and Information Security, 2019, 5(5): 21-31.
[11]	QIN Yuhai,LIU Luyuan,GAO Haohang,LIU Shengqiao,DONG Han. Innovative professional skills competition to create a police practice talents [J]. Chinese Journal of Network and Information Security, 2019, 5(3): 75-80.
[12]	Hao HU, Yuling LIU, Yuchen ZHANG, Hongqi ZHANG. Survey of attack graph based network security metric [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 1-16.
[13]	Zijin JIN,Julong LAN,Yiming JIANG,Penghao SUN,Peng WEI. QLearning based business differentiating routing mechanism in SDN architecture [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 17-22.
[14]	Juntai HU,Zhenyu WU,Xiao FU,Yichao WANG. Game model based security strategy of heterogeneous controllers in the cloud [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 52-59.
[15]	Binghao YAN,Guodong HAN. Combinatorial intrusion detection model based on deep recurrent neural network and improved SMOTE algorithm [J]. Chinese Journal of Network and Information Security, 2018, 4(7): 48-59.