Analysis and a Defense Method for Overflow Vulnerability of Flow Tables in Software Defined Networks (软件定义网络流表溢出脆弱性分析及防御方法)  Cited by: 4


Authors: ZHOU Yadong [1], CHEN Kaiyue, LENG Junyuan, HU Chengchen [1] (MOE Key Laboratory for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an 710049, China)

Affiliation: [1] MOE Key Laboratory for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an 710049, China

Source: Journal of Xi'an Jiaotong University (西安交通大学学报), 2017, No. 10, pp. 53-58 (6 pages)

Funding: National Natural Science Foundation of China (61572397); Natural Science Basic Research Program of Shaanxi Province (2016JM6066)

Abstract: The flow-table capacity of a software-defined network (SDN) switch is very limited, which exposes the switch to a serious flow-table overflow vulnerability. Exploiting the ease with which routing rules can be managed in SDN, this paper proposes a route-aggregation algorithm based on bin-packing optimization and, on top of it, a defense method against flow-table overflow attacks. First, the traditional radix-tree-based route-aggregation algorithm produces an initially aggregated set of flow-entry nodes. These nodes are then partitioned into several flow-entry rule groups containing different numbers of nodes, and a new forwarding address for each group is obtained by solving a bin-packing optimization problem. Finally, the rules with modified forwarding addresses are aggregated a second time, which effectively reduces the number of flow entries in the switch's flow table and thereby defends against flow-table overflow attacks. Experimental results show a flow-table aggregation rate of 54.9%, better than the traditional radix-tree-based algorithm, and a 125.8% increase in the number of attack packets required to achieve a flow-table overflow. The method thus significantly raises the difficulty of mounting a flow-table overflow attack, effectively mitigates the flow-table overflow vulnerability, and strengthens the defensive capability of software-defined networks against this class of attack.
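As an added illustration (not code from the paper or its authors), the following Python script shows the first stage the abstract describes, radix-tree-style prefix aggregation of a flow table, together with the check a practitioner would run before installing aggregated rules: that the longest-prefix-match decision is unchanged for every probed destination. It then shows why fewer entries matter for the attack, by counting the table-miss flows an attacker must force before the table is full. The sample flow table, the next-hop names (port1, port2, port3), the probe addresses, the toy table capacity of 16 entries and the one-entry-per-miss assumption are all constructed here; the paper's second stage (grouping rules and reassigning forwarding addresses via bin packing) is not modelled.

```python
"""Added example: sibling-prefix aggregation of an IPv4 flow table, an
equivalence check against the original table, and the effect of the
entry count on flow-table overflow headroom. Not the paper's code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, int, str]  # (network address, prefix length, next hop)

# Constructed sample flow table (assumption, not from the paper).
SAMPLE_RULES: List[Rule] = [
    ("10.0.0.0", 24, "port1"), ("10.0.1.0", 24, "port1"),
    ("10.0.2.0", 24, "port1"), ("10.0.3.0", 24, "port1"),
    ("10.0.4.0", 24, "port2"), ("10.0.5.0", 24, "port2"),
    ("10.0.6.0", 23, "port2"),
    ("10.0.8.0", 24, "port1"), ("10.0.8.0", 25, "port1"),  # /25 is redundant
    ("192.168.0.0", 16, "port3"),
]


def _bits(addr: str, plen: int) -> str:
    """Binary key of a prefix: the first plen bits of the address."""
    return format(int(ipaddress.IPv4Address(addr)), "032b")[:plen]


def _prefix(bits: str) -> Tuple[str, int]:
    """Inverse of _bits: (network address, prefix length)."""
    return str(ipaddress.IPv4Address(int(bits.ljust(32, "0"), 2))), len(bits)


def _covering(table: Dict[str, str], key: str) -> Optional[str]:
    """Longest proper prefix of key that is present in the table."""
    for i in range(len(key) - 1, -1, -1):
        if key[:i] in table:
            return key[:i]
    return None


def aggregate(rules: List[Rule]) -> List[Rule]:
    """Radix-tree style aggregation, repeated to a fixpoint:
    1. drop an entry whose covering prefix already has the same next hop
       (redundant under longest-prefix match);
    2. merge two sibling prefixes (same length, differing only in the last
       bit) with the same next hop into their parent when the parent is free.
    Both steps preserve the forwarding decision for every packet."""
    table: Dict[str, str] = {_bits(a, l): nh for a, l, nh in rules}
    changed = True
    while changed:
        changed = False
        for key in sorted(table, key=len, reverse=True):  # longest first
            if key not in table or not key:  # removed earlier, or default route
                continue
            cov = _covering(table, key)
            if cov is not None and table[cov] == table[key]:
                del table[key]
                changed = True
                continue
            parent = key[:-1]
            sibling = parent + ("1" if key[-1] == "0" else "0")
            if sibling in table and table[sibling] == table[key] and parent not in table:
                table[parent] = table.pop(key)
                del table[sibling]
                changed = True
    return sorted(((*_prefix(k), nh) for k, nh in table.items()),
                  key=lambda r: (int(ipaddress.IPv4Address(r[0])), r[1]))


def lookup(rules: List[Rule], ip: str) -> Optional[str]:
    """Longest-prefix match of a destination address over a rule list."""
    bits = _bits(ip, 32)
    best: Optional[Tuple[int, str]] = None
    for a, l, nh in rules:
        if bits.startswith(_bits(a, l)) and (best is None or l > best[0]):
            best = (l, nh)
    return best[1] if best else None


def equivalent(before: List[Rule], after: List[Rule], probes: List[str]) -> bool:
    """Check that aggregation changed none of the probed forwarding decisions."""
    return all(lookup(before, ip) == lookup(after, ip) for ip in probes)


def aggregation_rate(before: List[Rule], after: List[Rule]) -> float:
    """Fraction of entries removed (the paper reports 54.9% for its method)."""
    return 1.0 - len(after) / len(before)


def flows_to_overflow(capacity: int, installed: int) -> int:
    """Distinct table-miss flows an attacker must generate before the table
    is full, assuming each miss installs exactly one new entry (assumption)."""
    return max(capacity - installed, 0)


if __name__ == "__main__":
    agg = aggregate(SAMPLE_RULES)
    probes = ["10.0.1.7", "10.0.5.9", "10.0.8.200", "10.0.9.1", "192.168.3.4", "8.8.8.8"]
    print(f"{len(SAMPLE_RULES)} -> {len(agg)} entries, "
          f"aggregation rate {aggregation_rate(SAMPLE_RULES, agg):.1%}, "
          f"equivalent={equivalent(SAMPLE_RULES, agg, probes)}")
    cap = 16  # toy table capacity (assumption)
    print(f"attack flows to overflow: {flows_to_overflow(cap, len(SAMPLE_RULES))} "
          f"-> {flows_to_overflow(cap, len(agg))}")
```

The ten constructed rules collapse to four, and the probe set (which includes an address matched by no rule) confirms the forwarding decisions are unchanged. The overflow headroom of the toy 16-entry table doubles from 6 to 12 attacker-forced flows, which is the effect the paper quantifies at scale; the paper's bin-packing reassignment of forwarding addresses is what lets otherwise unmergeable groups (here, 10.0.0.0/22 and 10.0.4.0/22 with different next hops) be aggregated further.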

Keywords: software defined networking; flow table overflow; bin-packing optimization; defense method

Classification: TP391 [Automation and Computer Technology: Computer Application Technology]
