Defense mechanism of SDN application layer against DDoS attack based on API call management

Cited by: 4


Authors: WANG Yang, TANG Guangming[1], WANG Shuo, CHU Jiang (Information Engineering University, Zhengzhou 450001, China; China Xi'an Satellite Control Center, Xi'an 710043, China)

Affiliations: [1] Information Engineering University, Zhengzhou 450001, Henan, China; [2] China Xi'an Satellite Control Center, Xi'an 710043, Shaanxi, China

Source: Chinese Journal of Network and Information Security, 2022, No. 2, pp. 73-87 (15 pages)

Funding: National Natural Science Foundation of China (61802438).

Abstract: Research on northbound interface security in software defined networks (SDN) is scarce, and the lack of strict access control, identity authentication and abnormal-call detection gives attackers the opportunity to develop malicious applications, leading to abuse of the northbound application programming interface (API) and hindering the wide adoption of SDN. Distributed denial-of-service (DDoS) attacks against the application layer take two main forms. 1) An attacker designs a malicious App that bypasses the security review of the northbound interface and makes a large number of calls to certain APIs in a short time, causing the controller to crash and paralyzing the whole network. 2) An attacker targets a legitimate SDN application and makes a large number of short-time calls to the specific APIs that application needs, so that the legitimate App cannot call those APIs normally and therefore cannot function. Compared with the first form, the second is more subtle. It is therefore necessary to distinguish malicious Apps from legitimate ones, to quickly clean the Apps running on an attacked controller so as to separate out the malicious ones, and to reassign legitimate Apps to controllers so that they keep running. Based on an in-depth analysis of the development trend of the current northbound interface, the possible DDoS attack patterns were simulated and practiced, and on that basis a DDoS defense mechanism for the SDN application layer based on API call management was proposed. The mechanism adds an App management layer between the SDN application layer and the control layer. Through reputation management, initial review, mapping allocation, anomaly detection, and identification and migration of Apps, attacks by malicious Apps on the SDN can be predicted and resisted. The mechanism focuses on pre-examining malicious Apps before an attack occurs so as to prevent it; if an attack has already happened, the operation of cleaning and separating the legitimate Apps from the malicious Apps is triggered. Theoretical and experimental results show that the proposed mechanism effectively avoids DDoS attacks at the SDN application layer and that the algorithm runs efficiently.

Keywords: denial-of-service attack; network security; software defined network; northbound interface

Classification: TP393 [Automation and Computer Technology: Computer Application Technology]
