SDN跨层回环攻击的检测与防御

doi:10.3969/j.issn.0372-2112.2019.05.023

摘要
图/表
参考文献(0)
相关文章 (8)

全文: PDF (1279 KB) HTML (1 KB)
输出: BibTeX | EndNote (RIS)

摘要软件定义网络（Software Define Network，SDN）将控制层和数据层进行分离，给网络带来灵活性、开放性以及可编程性.然而，分离引入了新的网络安全问题.我们发现通过构造特定规则可以构造跨层回环攻击，使得数据包在控制器和交换机之间不断循环转发.跨层回环会造成控制器拥塞，并导致控制器无法正常工作.现有的策略一致性检测方案并不能检测跨层回环攻击.为此，本文提出了一种实时检测和防御跨层回环的方法.通过构造基于Packet-out的转发图分析规则路径，从而快速检测和防御回环.我们在开源控制器Floodlight上实现了我们提出的回环检测和防御方案，并在Mininet仿真器上对其性能进行了评估，结果表明本方案能够实时检测并有效防御跨层回环攻击.

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	张云
	江勇
	郑靖
	庞春辉
	李琦

关键词 ：软件定义网络, 控制层, 数据层, 跨层回环检测, 策略一致性检测

Abstract：Software-Defined Networking (SDN) separates data plane from control plane,which makes it more flexible,opening and programmable,compared with traditional IP networks.However,the separation incurs many security problems.In this paper,we find that we can construct controller-to-switch loop (CSL) attacks by leveraging dedicated rules and well constructed packets.The attacks can effectively exhaust controller resource,which leads to denial of service (DoS).The existing OpenFlow policy verification schemes only focus on detecting data plane loop,and cannot detect such controller-to-switch loops.In order to detect CSL attacks,we proposed a novel policy verification scheme.The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages,and efficiently identifies the forwarding loops by traversing the graph.In order to evaluate our defense,we implement it in the Floodlight controller,and perform experiments with Mininet.The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.

Key words： software-defined networking control plane data plane controller-to-switch loop detection policy consistency check

收稿日期: 2017-04-17

ZTFLH:

TN915.8

基金资助:国家重点研发计划（No.2016YFB0800102）；国家自然科学基金（No.61572278，No.U1736209）；深圳市基础研究基金（No.JCYJ20170307153259323）

通讯作者: 李琦 E-mail: qi.li@sz.tsinghua.edu.cn

作者简介: 张云女,1992年生,清华大学硕士研究生,主要研究领域为SDN安全等.E-mail:zhangyun15@mails.tsinghua.edu.cn;江勇男,1975年生,教授,博士生导师,主要研究领域为计算机网络体系结构.E-mail:jiangy@sz.tsinghua.edu.cn;郑靖男,1985年生,清华大学硕士研究生,主要研究领域为网络安全.E-mail:zhengj14@mails.tsinghua.edu.cn;庞春辉 男,1993年生,清华大学硕士研究生,主要研究领域为网络安全、网络调试和网络测量.Email:chunhui.pang@outlook.com

引用本文:

张云, 江勇, 郑靖, 庞春辉, 李琦. SDN跨层回环攻击的检测与防御[J]. 电子学报, 2019, 47(5): 1146-1151. ZHANG Yun, JIANG Yong, ZHENG Jing, PANG Chun-hui, LI Qi. Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN. Acta Electronica Sinica, 2019, 47(5): 1146-1151.

链接本文:

http://www.ejournal.org.cn/CN/10.3969/j.issn.0372-2112.2019.05.023 或 http://www.ejournal.org.cn/CN/Y2019/V47/I5/1146

[1] Kazemian P,Chang M,Zeng H,et al.Real time network policy checking using header space analysis[A].NSDI'13:Usenix Conference on Networked Systems Design and Implementation[C].Lombard,IL:ACM,2013.99-112.
[2] Mai H,Khurshid A,Agarwal R,et al.Debugging the data plane with anteater[J].ACM Sigcomm Computer Communication Review,2011,41(4):290-301.
[3] Khurshid A,Zhou W,Caesar M,et al.Veriflow:verifying network-wide invariants in real time[J].ACM Sigcomm Computer Communication Review,2012,42(4):467-472.
[4] Al-Shaer E,Al-Haj S.FlowChecker:configuration analysis and verification of federated openflow infrastructures[A].SafeConfig'10:ACM Workshop on Assurable and Usable Security Configuration[C].Chicago:ACM,2010.37-44.
[5] Kazemian P,Varghese G,Mckeown N.Header Space Analysis:Static Checking For Networks[A].NSDI'12:Usenix Conference on Networked Systems Design and Implementation[C].San Jose,CA:ACM,2012.9-9.
[6] Zhou W,Jin D,Croft J,et al.Enforcing customizable consistency properties in software-defined networks[A].NSDI'15:Usenix Conference on Networked Systems Design and Implementation[C].Oakland,CA:ACM,2015.73-85.
[7] Yang H,Lam S S.Real-time verification of network properties using Atomic Predicates[A].ICNP'13:IEEE International Conference on Network Protocols[C].Germany:IEEE,2013.1-11.
[8] Prakash C,Turner Y,Turner Y,et al.PGA:Using Graphs to Express and Automatically Reconcile Network Policies[A].SIGCOMM'15:ACM Conference on Special Interest Group on Data Communication[C].London:ACM,2015.29-42.
[9] Porras P,Shin S,Yegneswaran V,et al.A Security Enforcement Kernel for OpenFlow Networks[A].HotSDN'12:Hot Topics in Software Defined Networking (HotSDN)[C].Helsinki:ACM.2012.121-126.
[10] Monsanto C,Reich J,Foster N,et al.Composing software-defined networks[A].NSDI'13:Networked Systems Design and Implementation[C].Lombard,IL:ACM,2013.1-13
[11] Son S,Shin S,Yegneswaran V,et al.Model checking invariant security properties in OpenFlow[A].ICC'13:IEEE International Conference on Communications[C].Hungary:IEEE,2013.1974-1979.
[12] Hu H,Han W,Ahn G J,et al.FLOWGUARD:building robust firewalls for software-defined networks[A].SIGCOMM'14:ACM Special Interest Group on Data Communication[C].Chicago:ACM,2014.1-3.
[13] Porras P,Cheung S,Fong M,et al.Securing the software defined network control layer[A].NSDI'15:Network and Distributed System Security Symposium[C].Oakland:ACM,2015.
[14] 刘艺,张红旗,杨英杰.基于启发式调度的OpenFlow网络规则一致更新方案[J].电子学报,2017,45(7):1637-1645. LIU Yi,ZHANG Hong-Qi,YANG Ying-Jie.Consistent rule update scheme based on heuristic scheduling for openflow networks[J].Acta Electronica Sinica,2017,45((7):1637-1645.(in Chinese)