电子学报 ›› 2019, Vol. 47 ›› Issue (5): 1146-1151.DOI: 10.3969/j.issn.0372-2112.2019.05.023

所属专题: 网络空间及网络通信中的安全问题

• 学术论文 • 上一篇    下一篇

SDN跨层回环攻击的检测与防御

张云1,3, 江勇2, 郑靖1,3, 庞春辉1,3, 李琦1,2   

  1. 1. 清华大学网络科学与网络空间研究院, 北京 100084;
    2. 清华大学深圳研究生院, 广东深圳 518055;
    3. 清华大学计算机科学与技术系, 北京 100084
  • 收稿日期:2017-04-17 修回日期:2017-12-18 出版日期:2019-05-25
    • 通讯作者:
    • 李琦
    • 作者简介:
    • 张云 女,1992年生,清华大学硕士研究生,主要研究领域为SDN安全等.E-mail:zhangyun15@mails.tsinghua.edu.cn;江勇 男,1975年生,教授,博士生导师,主要研究领域为计算机网络体系结构.E-mail:jiangy@sz.tsinghua.edu.cn;郑靖 男,1985年生,清华大学硕士研究生,主要研究领域为网络安全.E-mail:zhengj14@mails.tsinghua.edu.cn;庞春辉 男,1993年生,清华大学硕士研究生,主要研究领域为网络安全、网络调试和网络测量.Email:chunhui.pang@outlook.com
    • 基金资助:
    • 国家重点研发计划 (No.2016YFB0800102); 国家自然科学基金 (No.61572278,No.U1736209); 深圳市基础研究基金 (No.JCYJ20170307153259323)

Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN

ZHANG Yun1,3, JIANG Yong2, ZHENG Jing1,3, PANG Chun-hui1,3, LI Qi1,2   

  1. 1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;
    2. Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055, China;
    3. Department of Computer Science and Techonlogy, Tsinghua University, Beijing 100084, China
  • Received:2017-04-17 Revised:2017-12-18 Online:2019-05-25 Published:2019-05-25
    • Supported by:
    • National Key Research and Development Program of China (No.2016YFB0800102); National Natural Science Foundation of China (No.61572278, No.U1736209); Shenzhen Basic Research Fund of Guangdong Province (No.JCYJ20170307153259323)

摘要: 软件定义网络(Software Define Network,SDN)将控制层和数据层进行分离,给网络带来灵活性、开放性以及可编程性.然而,分离引入了新的网络安全问题.我们发现通过构造特定规则可以构造跨层回环攻击,使得数据包在控制器和交换机之间不断循环转发.跨层回环会造成控制器拥塞,并导致控制器无法正常工作.现有的策略一致性检测方案并不能检测跨层回环攻击.为此,本文提出了一种实时检测和防御跨层回环的方法.通过构造基于Packet-out的转发图分析规则路径,从而快速检测和防御回环.我们在开源控制器Floodlight上实现了我们提出的回环检测和防御方案,并在Mininet仿真器上对其性能进行了评估,结果表明本方案能够实时检测并有效防御跨层回环攻击.

关键词: 软件定义网络, 控制层, 数据层, 跨层回环检测, 策略一致性检测

Abstract: Software-Defined Networking (SDN) separates data plane from control plane,which makes it more flexible,opening and programmable,compared with traditional IP networks.However,the separation incurs many security problems.In this paper,we find that we can construct controller-to-switch loop (CSL) attacks by leveraging dedicated rules and well constructed packets.The attacks can effectively exhaust controller resource,which leads to denial of service (DoS).The existing OpenFlow policy verification schemes only focus on detecting data plane loop,and cannot detect such controller-to-switch loops.In order to detect CSL attacks,we proposed a novel policy verification scheme.The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages,and efficiently identifies the forwarding loops by traversing the graph.In order to evaluate our defense,we implement it in the Floodlight controller,and perform experiments with Mininet.The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.

Key words: software-defined networking, control plane, data plane, controller-to-switch loop detection, policy consistency check

中图分类号: