针对SDN基础设施的拒绝服务攻击防护框架  被引量：1

作　　者：张梦豪 毕军[1,3] 白家松 王旸旸[1,3] 

机构地区：[1]清华大学网络科学与网络空间研究院,北京100084 [2]清华大学计算机科学与技术系,北京100084 [3]清华信息科学与技术国家实验室,北京100084

出　　处：《东南大学学报（自然科学版）》2017年第A01期1-8,共8页Journal of Southeast University：Natural Science Edition

基　　金：国家重点研发计划"网络空间安全"重点专项资助项目(2017YFB0801701);赛尔网络下一代互联网技术创新资助项目(NGII20160123);国家自然科学基金资助项目(61472213)

摘　　要：为了进一步缓解针对SDN基础设施的典型拒绝服务攻击(数据-控制平面饱和攻击),提出了一种控制器和交换机协作式的安全防护框架,即FloodShield.在该攻击中,攻击者通过洪泛伪造数据包,使数据平面产生大量表项缺失和packet-in数据包,从而消耗SDN基础设施不同层次的资源:数据平面的TCAM资源、控制通道的带宽资源和控制器的CPU资源等.通过对这种攻击的详尽分析,提出并设计了易部署、全面性和轻量化的FloodShield防护框架.该框架主要使用了2个关键技术:1)源地址验证,用于在数据平面过滤源地址伪造的数据包;2)有状态数据包监控,用于监控源地址真实流量的状态,并基于流量评价打分和网络资源使用量采用动态的防护措施.实验结果表明,相比于之前的防护框架,FloodShield在消耗更少系统资源的同时,对SDN架构的数据平面、控制通道和控制平面都提供了有效的保护.To further mitigate the dedicated denial-of-service( DoS) attack( data-to-control plane saturation attack) against SDN infrastructure,a controller and switch cooperative defense framework,that is,FloodShield,is presented. In this attack,a large number of packets are flooded by attacker to trigger massive table-misses and packet-in messages in the data plane,which would exhaust resources of different components of SDN infrastructure,including TCAM in the data plane,bandwidth of the control channel,and CPU cycles of the controller. With the extensive analysis of the vulnerability of SDN against the saturation attack,a deployable,comprehensive and lightweight SDN defense framework,FloodShield,is proposed and designed. The following two techniques are combined with FloodShield: 1) source address validation for filtering forged packets directly in the data plane,and 2) stateful packet supervision for monitoring traffic states of real addresses and performing dynamic countermeasures based on evaluation scores and network resource usage. Experimental results show that,compared with previous defense framework,FloodShield provides an effective protection for data plane,control channel and control plane of SDN infrastructure,meanwhile consuming less resource.

关 键 词：软件定义网络 拒绝服务攻击 源地址验证 有状态数据包监控 

分 类 号：TP393.0[自动化与计算机技术—计算机应用技术]