UDM：基于NFV的防止DDoS攻击SDN控制器的机制

doi:10.11959/j.issn.1000-436x.2019067

Abstract

Abstract:

DDoS attack extensively existed have been mortal threats for the software-defined networking (SDN) controllers and there is no any security mechanism which can prevent them yet.Combining SDN and network function virtualization (NFV),a novel preventing mechanism against DDoS attacks on SDN controller called upfront detection middlebox (UDM) was proposed.The upfront detection middlebox was deployed between SDN switch interfaces and user hosts distributed,and DDoS attack packets were detected and denied.An NFV-based method of implementing the upfront middlebox was put forward,which made the UDM mechanism be economical and effective.A prototype system based on this mechanism was implemented and lots experiments were tested.The experimental results show that the UDM mechanism based on NFV can real-time and effectively detect and prevent against DDoS attacks on SDN controllers.

Key words: DDoS attack, controller security, SDN and NFV, upfront detection middlebox

CLC Number:

TP393

Hongyan QIAN,Hao XUE,Ming CHEN. UDM:NFV-based prevention mechanism against DDoS attack on SDN controller[J]. Journal on Communications, 2019, 40(3): 116-124.

Figures/Tables 7

References 18

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	MIJUMBI R , SERRAT J , GORRICHO J L ,et al. Network function virtualization:state-of-the-art and research challenges[J]. IEEE Communications Surveys ＆ Tutorials, 2017,18(1): 236-262.
[3]	TOOTOONCHIAN A , GORBUNOV S , SHERWOOD R ,et al. On controller performance in software-defined networks[C]// Usenix Conference on Hot Topics in Management of Internet,Cloud,and Enterprise Networks and Services. 2012:10.
[4]	JARSCHEL M , OECHSNER S , SCHLOSSER D ,et al. Modeling and performance evaluation of an OpenFlow architecture[C]// Teletraffic Congress. 2011: 1-7.
[5]	ZHANG P , WANG H , HU C ,et al. On denial of service attacks in software defined networks[J]. IEEE Network, 2016,30(6): 28-33.
[6]	SHIN S , YEGNESWARAN V , PORRAS P ,et al. AVANT-GUARD:scalable and vigilant switch flow management in software-defined networks[C]// ACM Sigsac Conference on Computer ＆ Communications Security. 2013: 413-424.
[7]	WANG H , XU L , GU G . FloodGuard:a DoS attack prevention extension in software-defined networks[C]// IEEE/IFIP International Conference on Dependable Systems and Networks. 2015: 239-250.
[8]	KEROMYTIS A D , MISRA V , RUBENSTEIN D . SOS:secure overlay services[C]// ACM SIGCOMM ’02 Conference. 2002: 61-72.
[9]	ZHOU L , GUO H . Applying NFV/SDN in mitigating DDoS attacks[C]// 2017 IEEE Region 10 Conference. 2017: 2061-2066.
[10]	FUNG C J , MCCORMICK B . VGuard:a distributed denial of service attack mitigation method using network function virtualization[C]// International Conference on Network and Service Management. 2015: 64-70.
[11]	JAKARIA A H M , YANG W , RASHIDI B ,et al. VFence:a defense against distributed denial of service attacks using network function virtualization[C]// Computer Software and Applications Conference. 2016: 431-436.
[12]	FUTAMURA K , KARASARIDIS A , NOEL E ,et al. vDNS closed-loop control:a framework for an elastic control plane service[C]// Network Function Virtualization and Software Defined Network. 2016: 170-176.
[13]	WANG R , JIA Z , JU L . An entropy-based distributed DDoS detection mechanism in software-defined networking[C]// IEEE Trustcom/bigdatase/ispa. 2015: 310-317.
[14]	KUMAR K , JOSHI R C , SINGH K . A distributed approach using entropy to detect DDoS attacks in ISP domain[C]// International Conference on Signal Processing,Communications and Networking. 2007: 331-337.
[15]	BERNSTEIN D . Containers and cloud:from LXC to docker to kubernetes[J]. IEEE Cloud Computing, 2015,1(3): 81-84.
[16]	YANG Y , WANG Y . A software implementation for a hybrid firewall using linux netfilter[C]// Software Engineering. 2011: 18-21.
[17]	PFAFF B , PETTIT J , KOPONEN T . The design and implementation of open vSwitch[C]// USENIX Networked System Design and Implementation. 2015: 117-130.
[18]	DOULIGERIS C , MITROKOTSA A . DDoS attacks and defense mechanisms:classification and state-of-the-art[J]. Computer Networks, 2004,44(5): 643-666.

Metrics

Recommended 0

No Suggested Reading articles found!

UDM:NFV-based prevention mechanism against DDoS attack on SDN controller

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 18

Related Articles 7

Metrics

Recommended 0

[1]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[2]	Junfeng TIAN,Liuling QI. DDoS attack detection method based on conditional entropy and GHSOM in SDN [J]. Journal on Communications, 2018, 39(8): 140-149.
[3]	Heng HE,Yan HU,Lianghan ZHENG,Zhengyuan XUE. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment [J]. Journal on Communications, 2018, 39(4): 139-151.
[4]	Miao WANG,Li-ming WANG,Zhen XU,Duo-he MA. Research on DDoS detection in multi-tenant cloud based on entropy change [J]. Journal on Communications, 2016, 37(Z1): 204-210.
[5]	Guang JIN,Fei ZHANG,Jiang-bo QIAN,Hong-hao ZHANG. DDoS defense with IP traceback and path identification [J]. Journal on Communications, 2011, 32(2): 61-67.
[6]	Jun-feng TIAN,Hong-tao ZHU,Dong-dong SUN,Zhi-ming BI,Qian LIU. Model of coorperation defense DDoS attack based on client reputation [J]. Journal on Communications, 2009, 30(3): 12-20.
[7]	Guang JIN,Jian-gang YANG,Yuan LI,Hui-zhan ZHANG. Optimal path identification to defend against DDoS attacks [J]. Journal on Communications, 2008, 29(9): 46-53.