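Authors: 杨智威, 林梓钘, 李睿 (YANG Zhi-wei; LIN Zi-xing; LI Rui), School of Cyberspace Security, Dongguan University of Technology, Dongguan 523808, China
Affiliation: [1] School of Cyberspace Security, Dongguan University of Technology, Dongguan 523808, Guangdong, China
Source: 《计算机技术与发展》 (Computer Technology and Development), 2023, No. 8, pp. 108-115, 8 pages
Funding: National Key R&D Program of China (2021YFB3101300); National Natural Science Foundation of China, General Program (61972089).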
Abstract: The nature of network topology causes most traffic to converge on a small number of critical nodes and links, which become the network bottlenecks targeted by link flooding attacks. Existing defenses focus on hiding network bottlenecks, but the metrics they use to compute bottlenecks are rather one-dimensional, and they cannot cope with blind attacks launched by attackers. To solve these problems, an SDN-based mechanism called PrNet is proposed. PrNet first defines the metrics that form network bottlenecks from both static and dynamic perspectives. It then generates an obfuscated topology for mapping traffic: by identifying mapping traffic and directing it onto obfuscation paths that bypass network bottlenecks, it gives attackers wrong information. Finally, a probabilistic path forwarding algorithm assigns probabilities to all reachable paths between nodes and actively disperses the traffic in the topology, reducing the formation of network bottlenecks. Simulation experiments show that PrNet can generate an obfuscated topology with good security and can adjust packet forwarding paths in time according to the traffic, that it is feasible as a response to attackers launching link flooding attacks, and that it can effectively mitigate blind attacks.
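Keywords: link flooding attack; network bottleneck; topology obfuscation; traffic dispersion; software-defined networking
Classification: TP393 [Automation and Computer Technology: Computer Application Technology]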