软件定义网络抗拒绝服务攻击的流表溢出防护

doi:10.11959/j.issn.1000-436x.2023036

Abstract

Abstract:

Aiming at denial of service attacks would cause overflow of the limited flow table space of the switch in software defined network, failure to install flow table rules for normal network packets, packet forwarding delay, and packet loss, FloodMitigation was proposed to prevent flow table overflow against denial of service attacks in software defined network.The management of the rate-limit flow rule installation based on available flow table space was adopted to limit the maximum installation speed of flow rules and the number of flow table space occupied by switch ports with denial-of-service attacks, and avoid flow table overflow.In addition, path selection based on available flow table space was adopted to balance flow table utilization of switches among multiple forwarding paths to avoid denial of service attacks on switches with less available flow table in the path.The experimental results demonstrate that FloodMitigation can effectively alleviate the harm of denial of service attacks in terms of preventing switch flow table overflow and packet loss, reducing resource consumption of controllers, and ensuring packet forwarding delay.

Key words: software defined network, denial of service attack, flow table overflow, path selection

CLC Number:

TP393

Dongbin WANG, Dongzhe WU, Hui ZHI, Kun GUO, Xu ZHANG, Jinqiao SHI, Yu ZHANG, Yueming LU. Preventing flow table overflow against denial of service attack in software defined network[J]. Journal on Communications, 2023, 44(2): 1-11.

Figures/Tables 9

References ［22］

［1］	JAIN R , ． Internet 3.0:ten problems with current Internet architecture and solutions for the next generation［C］// Proceedings of IEEE Military Communications Conference． Piscataway:IEEE Press, 2007: 1-9．
［2］	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al． OpenFlow［J］． ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74．
［3］	张朝昆, 崔勇, 唐翯翯 ,等．软件定义网络(SDN)研究进展［J］．软件学报, 2015,26(1): 62-81．
	ZHANG C K , CUI Y , TANG H H ,et al． State-of-the-art survey on sofware-defined networking (SDN)［J］． Journal of Software, 2015,26(1): 62-81．
［4］	QI Y Z , WANG D B , YAO W B ,et al． Towards multi-controller placement for SDN based on density peaks clustering［C］// Proceedings of IEEE International Conference on Communications． Piscataway:IEEE Press, 2019: 1-6．
［5］	YUAN B , ZOU D Q , YU S ,et al． Defending against flow table overloading attack in software-defined networks［J］． IEEE Transactions on Services Computing, 2019,12(2): 231-246．
［6］	KAUR S , KUMAR K , AGGARWAL N ,et al． A comprehensive survey of DDoS defense solutions in SDN:taxonomy,research challenges,and future directions［J］． Computers and Security, 2021,110: 1-39．
［7］	SWAMI R , DAVE M , RANGA V ． Software-defined networking-based DDoS defense mechanisms［J］． ACM Computing Surveys, 2020,52(2): 1-36．
［8］	ZHANG P , WANG H Z , HU C C ,et al． On denial of service attacks in software defined networks［J］． IEEE Network, 2016,30(6): 28-33．
［9］	王蒙蒙, 刘建伟, 陈杰 ,等．软件定义网络:安全模型、机制及研究进展［J］．软件学报, 2016,27(4): 969-992．
	WANG M M , LIU J W , CHEN J ,et al． Software defined networking:security model,threats and mechanism［J］． Journal of Software, 2016,27(4): 969-992．
［10］	TANG D , ZHANG S Q , YAN Y D ,et al． Real-time detection and mitigation of LDoS attacks in the SDN using the HGB-FP algorithm［J］． IEEE Transactions on Services Computing, 2022,15(6): 3471-3484．
［11］	SHIN S , YEGNESWARAN V , PORRAS P ,et al． AVANT-GUARD:scalable and vigilant switch flow management in software-defined networks［C］// Proceedings of the 2013 ACM SIGSAC Conference on Computer ＆ Communications Security． New York:ACM Press, 2013: 413-424．
［12］	AMBROSIN M , CONTI M , GASPARI F D ,et al． LineSwitch:tackling control plane saturation attacks in software-defined networking［J］． IEEE/ACM Transactions on Networking, 2017,25(2): 1206-1219．
［13］	ZHANG M H , BI J , BAI J S ,et al． FloodShield:securing the SDN infrastructure against denial-of-service attacks［C］// Proceedings of the 17th IEEE International Conference on Trust,Security and Privacy in Computing and Communications/ 12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE)． Piscataway:IEEE Press, 2018: 687-698．
［14］	LI J S , TU T F , LI Y S ,et al． DoSGuard:mitigating denial-of-service attacks in software-defined networks［J］． Sensors (Basel,Switzerland), 2022,22(3): 1061．
［15］	WANG H P , XU L , GU G F ． FloodGuard:a DoS attack prevention extension in software-defined networks［C］// Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks． Piscataway:IEEE Press, 2015: 239-250．
［16］	WU P P , YAO L , LIN C ,et al． FMD:a DoS mitigation scheme based on flow migration in software defined networking［J］． International Journal of Communication Systems, 2018,31(9): 1206-1219．
［17］	GAO S , PENG Z , XIAO B ,et al． Detection and mitigation of DoS attacks in software defined networks［J］． IEEE/ACM Transactions on Networking, 2020,28(3): 1419-1433．
［18］	AHALAWAT A , BABU K S , TURUK A K ,et al． A low-rate DDoS detection and mitigation for SDN using Renyi entropy with packet drop［J］． Journal of Information Security and Applications, 2022,68: 2214-2226．
［19］	HE H , PENG Z Z , ZHOU X H ,et al． LFOD:a lightweight flow table optimization scheme in SDN based on flow length distribution in the Internet［C］// Proceedings of the 23rd Asia-Pacific Network Operations and Management Symposium． Piscataway:IEEE Press, 2022: 1-6．
［20］	LI X F , HUANG Y ． A flow table with two-stage timeout mechanism for SDN switches［C］// Proceedings of IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS)． Piscataway:IEEE Press, 2019: 1804-1809．
［21］	LI Q , HUANG N Y , WANG D M ,et al． HQTimer:a hybrid Q-learning-based timeout mechanism in software-defined networks［J］． IEEE Transactions on Network and Service Management, 2019,16(1): 153-166．
［22］	XIE S X , XING C Y , ZHANG G M ,et al． A table overflow LDoS attack defending mechanism in software-defined networks［J］． Security and Communication Networks, 2021,2021: 1-16．

Metrics

Recommended 0

No Suggested Reading articles found!

[1]	Zongxuan SHA, Ru HUO, Chuang SUN, Shuo WANG, Tao HUANG. Forwarding efficiency aware traffic scheduling algorithm based on deep reinforcement learning [J]. Journal on Communications, 2022, 43(8): 30-40.
[2]	Binghao YAN, Qinrang LIU, Jianliang SHEN, Xiantuo TANG, Dong LIANG. Fast loop-free path migration strategy in software defined network [J]. Journal on Communications, 2022, 43(5): 24-35.
[3]	Chuanhuang LI, Yangting CHEN, Jingjing TANG, Jiali LOU, Renhua XIE, Chuntao FANG, Weiming WANG, Chao CHEN. QL-STCT: an intelligent routing convergence method for SDN link failure [J]. Journal on Communications, 2022, 43(2): 131-142.
[4]	Ru HUO, Xiangfeng CHENG, Chuang SUN, Shuo WANG, Tao HUANG, Yu F.Richard. Topology optimization and forwarding strategy design for blockchain network [J]. Journal on Communications, 2022, 43(12): 89-100.
[5]	Qizhao ZHOU, Junqing YU, Dong LI. Research on flood defense mechanism of SDN control layer:detection and mitigation [J]. Journal on Communications, 2021, 42(11): 41-53.
[6]	Shuopeng LI, Juan FANG, Ken CHEN. DetNet service share protection scheme based on SRv6 [J]. Journal on Communications, 2021, 42(10): 32-42.
[7]	Haibo ZHANG,Zixin WANG,Xiaofan HE. V2X offloading and resource allocation under SDN and MEC architecture [J]. Journal on Communications, 2020, 41(1): 114-124.
[8]	Fang DONG,Yuxiang HU,Ou LI. Routing framework and creation algorithm in Ad Hoc based SDN [J]. Journal on Communications, 2019, 40(9): 33-44.
[9]	Zhongnan ZHAO,Jian WANG,Hongwei GUO. Adaptive routing and wavelength assignment method based on SDN [J]. Journal on Communications, 2019, 40(9): 95-105.
[10]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[11]	Xianwei ZHU,Chaowen CHANG,Zhiqiang ZHU,Xi QIN. SDN control and forwarding method based on identity attribute [J]. Journal on Communications, 2019, 40(11): 1-18.
[12]	Junfeng TIAN,Liuling QI. DDoS attack detection method based on conditional entropy and GHSOM in SDN [J]. Journal on Communications, 2018, 39(8): 140-149.
[13]	Chuanhuang LI,Yan WU,Zhengzhe QIAN,Zhengjun SUN,Weiming WANG. DDoS attack detection and defense based on hybrid deep learning model in SDN [J]. Journal on Communications, 2018, 39(7): 176-187.
[14]	Tao HUANG,Jiang LIU,Chen ZHANG,Liang WEI,Yunjie LIU. Survey on SDN-based network testbeds [J]. Journal on Communications, 2018, 39(6): 155-168.
[15]	Heng HE,Yan HU,Lianghan ZHENG,Zhengyuan XUE. Efficient DDoS attack detection and prevention scheme based on SDN in cloud environment [J]. Journal on Communications, 2018, 39(4): 139-151.

Preventing flow table overflow against denial of service attack in software defined network

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References ［22］

Related Articles 15

Metrics

Recommended 0