SDN跨层回环攻击的检测与防御

doi:10.3969/j.issn.0372-2112.2019.05.023

电子学报 ›› 2019, Vol. 47 ›› Issue (5): 1146-1151.DOI: 10.3969/j.issn.0372-2112.2019.05.023

所属专题：网络空间及网络通信中的安全问题

SDN跨层回环攻击的检测与防御

张云^1,3, 江勇², 郑靖^1,3, 庞春辉^1,3, 李琦^1,2

1. 清华大学网络科学与网络空间研究院, 北京 100084;
2. 清华大学深圳研究生院, 广东深圳 518055;
3. 清华大学计算机科学与技术系, 北京 100084

收稿日期:2017-04-17 修回日期:2017-12-18 出版日期:2019-05-25
- 通讯作者:
- 李琦
- 作者简介:
- 张云女,1992年生,清华大学硕士研究生,主要研究领域为SDN安全等.E-mail:zhangyun15@mails.tsinghua.edu.cn;江勇男,1975年生,教授,博士生导师,主要研究领域为计算机网络体系结构.E-mail:jiangy@sz.tsinghua.edu.cn;郑靖男,1985年生,清华大学硕士研究生,主要研究领域为网络安全.E-mail:zhengj14@mails.tsinghua.edu.cn;庞春辉 男,1993年生,清华大学硕士研究生,主要研究领域为网络安全、网络调试和网络测量.Email:chunhui.pang@outlook.com
- 基金资助:
- 国家重点研发计划 (No.2016YFB0800102）; 国家自然科学基金 (No.61572278，No.U1736209）; 深圳市基础研究基金 (No.JCYJ20170307153259323）

Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN

ZHANG Yun^1,3, JIANG Yong², ZHENG Jing^1,3, PANG Chun-hui^1,3, LI Qi^1,2

1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;
2. Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055, China;
3. Department of Computer Science and Techonlogy, Tsinghua University, Beijing 100084, China

Received:2017-04-17 Revised:2017-12-18 Online:2019-05-25 Published:2019-05-25
- Supported by:
- National Key Research and Development Program of China (No.2016YFB0800102); National Natural Science Foundation of China (No.61572278, No.U1736209); Shenzhen Basic Research Fund of Guangdong Province (No.JCYJ20170307153259323)

摘要/Abstract

摘要： 软件定义网络（Software Define Network，SDN）将控制层和数据层进行分离，给网络带来灵活性、开放性以及可编程性.然而，分离引入了新的网络安全问题.我们发现通过构造特定规则可以构造跨层回环攻击，使得数据包在控制器和交换机之间不断循环转发.跨层回环会造成控制器拥塞，并导致控制器无法正常工作.现有的策略一致性检测方案并不能检测跨层回环攻击.为此，本文提出了一种实时检测和防御跨层回环的方法.通过构造基于Packet-out的转发图分析规则路径，从而快速检测和防御回环.我们在开源控制器Floodlight上实现了我们提出的回环检测和防御方案，并在Mininet仿真器上对其性能进行了评估，结果表明本方案能够实时检测并有效防御跨层回环攻击.

关键词: 软件定义网络, 控制层, 数据层, 跨层回环检测, 策略一致性检测

Abstract: Software-Defined Networking (SDN) separates data plane from control plane,which makes it more flexible,opening and programmable,compared with traditional IP networks.However,the separation incurs many security problems.In this paper,we find that we can construct controller-to-switch loop (CSL) attacks by leveraging dedicated rules and well constructed packets.The attacks can effectively exhaust controller resource,which leads to denial of service (DoS).The existing OpenFlow policy verification schemes only focus on detecting data plane loop,and cannot detect such controller-to-switch loops.In order to detect CSL attacks,we proposed a novel policy verification scheme.The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages,and efficiently identifies the forwarding loops by traversing the graph.In order to evaluate our defense,we implement it in the Floodlight controller,and perform experiments with Mininet.The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.

Key words: software-defined networking, control plane, data plane, controller-to-switch loop detection, policy consistency check

中图分类号:

TN915.8

张云, 江勇, 郑靖, 等. SDN跨层回环攻击的检测与防御[J]. 电子学报, 2019, 47(5): 1146-1151.

ZHANG Yun, JIANG Yong, ZHENG Jing, et al. Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN[J]. Acta Electronica Sinica, 2019, 47(5): 1146-1151.

参考文献

[1] Kazemian P,Chang M,Zeng H,et al.Real time network policy checking using header space analysis[A].NSDI'13:Usenix Conference on Networked Systems Design and Implementation[C].Lombard,IL:ACM,2013.99-112.
[2] Mai H,Khurshid A,Agarwal R,et al.Debugging the data plane with anteater[J].ACM Sigcomm Computer Communication Review,2011,41(4):290-301.
[3] Khurshid A,Zhou W,Caesar M,et al.Veriflow:verifying network-wide invariants in real time[J].ACM Sigcomm Computer Communication Review,2012,42(4):467-472.
[4] Al-Shaer E,Al-Haj S.FlowChecker:configuration analysis and verification of federated openflow infrastructures[A].SafeConfig'10:ACM Workshop on Assurable and Usable Security Configuration[C].Chicago:ACM,2010.37-44.
[5] Kazemian P,Varghese G,Mckeown N.Header Space Analysis:Static Checking For Networks[A].NSDI'12:Usenix Conference on Networked Systems Design and Implementation[C].San Jose,CA:ACM,2012.9-9.
[6] Zhou W,Jin D,Croft J,et al.Enforcing customizable consistency properties in software-defined networks[A].NSDI'15:Usenix Conference on Networked Systems Design and Implementation[C].Oakland,CA:ACM,2015.73-85.
[7] Yang H,Lam S S.Real-time verification of network properties using Atomic Predicates[A].ICNP'13:IEEE International Conference on Network Protocols[C].Germany:IEEE,2013.1-11.
[8] Prakash C,Turner Y,Turner Y,et al.PGA:Using Graphs to Express and Automatically Reconcile Network Policies[A].SIGCOMM'15:ACM Conference on Special Interest Group on Data Communication[C].London:ACM,2015.29-42.
[9] Porras P,Shin S,Yegneswaran V,et al.A Security Enforcement Kernel for OpenFlow Networks[A].HotSDN'12:Hot Topics in Software Defined Networking (HotSDN)[C].Helsinki:ACM.2012.121-126.
[10] Monsanto C,Reich J,Foster N,et al.Composing software-defined networks[A].NSDI'13:Networked Systems Design and Implementation[C].Lombard,IL:ACM,2013.1-13
[11] Son S,Shin S,Yegneswaran V,et al.Model checking invariant security properties in OpenFlow[A].ICC'13:IEEE International Conference on Communications[C].Hungary:IEEE,2013.1974-1979.
[12] Hu H,Han W,Ahn G J,et al.FLOWGUARD:building robust firewalls for software-defined networks[A].SIGCOMM'14:ACM Special Interest Group on Data Communication[C].Chicago:ACM,2014.1-3.
[13] Porras P,Cheung S,Fong M,et al.Securing the software defined network control layer[A].NSDI'15:Network and Distributed System Security Symposium[C].Oakland:ACM,2015.
[14] 刘艺,张红旗,杨英杰.基于启发式调度的OpenFlow网络规则一致更新方案[J].电子学报,2017,45(7):1637-1645. LIU Yi,ZHANG Hong-Qi,YANG Ying-Jie.Consistent rule update scheme based on heuristic scheduling for openflow networks[J].Acta Electronica Sinica,2017,45((7):1637-1645.(in Chinese)

[1]	柴蓉, 谢德胜, 陈前斌. 基于成本及功耗联合优化的SDN虚拟网络映射算法[J]. 电子学报, 2021, 49(8): 1615-1624.
[2]	徐川, 胡渝, 韩珍珍, 熊郑英, 赵国锋. 基于链路效用的3D-VANET可靠路由算法[J]. 电子学报, 2021, 49(5): 872-878.
[3]	王莅晟, 伊鹏, 胡涛, 江逸茗, 胡静萍, 胡宗魁. SDN中基于全局拓扑感知的自适应流量均衡算法[J]. 电子学报, 2021, 49(5): 964-974.
[4]	陈亮, 李峰, 任保全, 杨建喜. 软件定义物联网研究综述[J]. 电子学报, 2021, 49(5): 1019-1032.
[5]	车向北, 康文倩, 邓彬, 杨柯涵, 李剑. 一种基于图神经网络的SDN路由性能预测模型[J]. 电子学报, 2021, 49(3): 484-491.
[6]	孙鹏浩, 兰巨龙, 申涓, 胡宇翔. 一种基于深度增强学习的智能路由技术[J]. 电子学报, 2020, 48(11): 2170-2177.
[7]	黄美根, 郁滨. 软件定义WSN规则一致更新研究[J]. 电子学报, 2019, 47(9): 1965-1971.
[8]	姚蓝, 胡涛, 伊鹏, 胡宇翔, 兰巨龙, 李子勇. SDN中基于效能优化的交换机动态迁移策略[J]. 电子学报, 2019, 47(7): 1482-1489.
[9]	王鹏超, 陈福才, 程国振, 陈扬, 谷允捷. 软件定义的L2/L3地址协同拟态伪装策略研究[J]. 电子学报, 2019, 47(10): 2032-2039.
[10]	韩珍珍, 徐川, 王倩云, 王新恒, 赵国锋. 基于贝叶斯博弈的WLAN节能机制研究[J]. 电子学报, 2019, 47(10): 2083-2088.
[11]	黄建洋, 兰巨龙, 胡宇翔, 马腾. 一种基于分段路由的多路径流传输机制[J]. 电子学报, 2018, 46(6): 1488-1495.
[12]	胡涛, 张建辉, 邬江, 何为伟, 江逸茗, 赵伟. SDN中基于分布式决策的控制器负载均衡机制[J]. 电子学报, 2018, 46(10): 2316-2324.
[13]	杨洋, 杨家海, 秦董洪, 王于丁, 凌晓. DraLCD:一种新的数据中心流量工程方法[J]. 电子学报, 2017, 45(5): 1261-1267.
[14]	张栋, 郭俊杰, 吴春明. 层次型多中心的SDN控制器部署[J]. 电子学报, 2017, 45(3): 680-686.
[15]	黄建洋, 兰巨龙, 胡宇翔, 马腾. 一种SDN中基于SR的多故障恢复与规避机制[J]. 电子学报, 2017, 45(11): 2761-2768.

SDN跨层回环攻击的检测与防御

Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics