基于动态限制策略的SDN中IP欺骗攻击缓解技术  

作　　者：王坤[1,2] 付钰[2] 段雪源[3] 刘涛涛 周静华 WANG Kun;FU Yu;DUAN Xueyuan;LIU Taotao;ZHOU Jinghua(Xinyang Vocational and Technical College,Xinyang 464000,China;Naval Univ.of Engineering,Wuhan 430033,China;Xinyang Normal Univ.,Xinyang 464000,China)

机构地区：[1]信阳职业技术学院,河南信阳464000 [2]海军工程大学,武汉430033 [3]信阳师范大学,河南信阳464000

出　　处：《海军工程大学学报》2025年第2期9-16,25,共9页Journal of Naval University of Engineering

基　　金：国家自然科学基金资助项目(62102422);河南省科技攻关基金资助项目(242102211070)。

摘　　要：针对传统的IP欺骗攻击缓解方法存在运算开销大、缺乏灵活性等问题,提出了一种基于动态限制策略的软件定义网络(software defined network,SDN)中IP欺骗攻击缓解方法。首先,利用Packet-In消息中三元组信息回溯攻击路径,定位IP欺骗攻击源头主机;然后,由控制器制定动态限制策略对连接攻击源头主机的交换机端口的新流转发功能进行限制,待限制期满再恢复其转发新流的功能,限制期的大小随着被检测为攻击源的次数而增长。研究结果表明:这种动态的限制策略可阻隔攻击流进入SDN网络,从而有效避免SDN交换机、控制器以及链路过载;由于在限制期间无需再对这些限制的交换机端口进行实时监测,该方法在应对长时攻击时较传统方法具有更高的缓解效率和更少的资源消耗。In response to the problems of high computational overhead and lack of flexibility in traditional IP spoofing attack mitigation methods,a method for mitigating IP spoofing attacks in SDN based on a dynamic restriction strategy was proposed.By using the triplet information in the Packet-In message to trace the attack path and locate the source host of the IP spoofing attack,the controller formulated a dynamic restriction strategy to limit the new flow forwarding function of the switch port connected to the attack source host,and then restored its function to forward new flows after the restriction period expires,the duration of the restriction period increased with the number of times it was detected as an attack source.The results of the study show that this dynamic restriction strategy can prevent attack traffic from entering the SDN network,thereby effectively avoiding the overload of SDN switches,controllers,and links.Additionally,since there is no need for real-time monitoring of these restricted switch ports during the restriction period.Compared to traditional methods,this one has higher mitigation efficiency and consumes fewer resources when dealing with long-duration attacks compared to traditional methods.

关 键 词：软件定义网络 IP欺骗 攻击溯源 动态缓解 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]