Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN

ZHANG Yun; JIANG Yong; ZHENG Jing; PANG Chun-hui; LI Qi

doi:10.3969/j.issn.0372-2112.2019.05.023

您当前的位置：

首页 >

文章列表页 >

Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN

更新时间：2025-07-16

- Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN
- Acta Electronica Sinica Vol. 47, Issue 5, Pages: 1146-1151(2019)
- 作者机构：
  
  1. 清华大学网络科学与网络空间研究院,北京,100084
  2. 清华大学深圳研究生院,广东,深圳,518055
  3. 清华大学计算机科学与技术系,北京,100084
  4. 清华大学网络科学与网络空间研究院,北京,100084
  5. 清华大学深圳研究生院,广东,深圳,518055
  6. 清华大学计算机科学与技术系,北京,100084
- 作者简介：
- 基金信息：
  
  National Key Research and Development Program of China (No.2016YFB0800102);National Natural Science Foundation of China (No.61572278, No.U1736209);Shenzhen Basic Research Fund of Guangdong Province (No.JCYJ20170307153259323)
- DOI：10.3969/j.issn.0372-2112.2019.05.023
  CLC： TN915.8
- Published Online：25 May 2019，
  
  Published：2019
- 稿件说明：
移动端阅览
ZHANG Yun, JIANG Yong, ZHENG Jing, et al. Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN[J]. Acta Electronica Sinica, 2019, 47(5): 1146-1151.
DOI：

ZHANG Yun, JIANG Yong, ZHENG Jing, et al. Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN[J]. Acta Electronica Sinica, 2019, 47(5): 1146-1151. DOI： 10.3969/j.issn.0372-2112.2019.05.023.

摘要

软件定义网络（Software Define Network，SDN）将控制层和数据层进行分离，给网络带来灵活性、开放性以及可编程性.然而，分离引入了新的网络安全问题.我们发现通过构造特定规则可以构造跨层回环攻击，使得数据包在控制器和交换机之间不断循环转发.跨层回环会造成控制器拥塞，并导致控制器无法正常工作.现有的策略一致性检测方案并不能检测跨层回环攻击.为此，本文提出了一种实时检测和防御跨层回环的方法.通过构造基于Packet-out的转发图分析规则路径，从而快速检测和防御回环.我们在开源控制器Floodlight上实现了我们提出的回环检测和防御方案，并在Mininet仿真器上对其性能进行了评估，结果表明本方案能够实时检测并有效防御跨层回环攻击.

Abstract

Software-Defined Networking (SDN) separates data plane from control plane

which makes it more flexible

opening and programmable

compared with traditional IP networks.However

the separation incurs many security problems.In this paper

we find that we can construct controller-to-switch loop (CSL) attacks by leveraging dedicated rules and well constructed packets.The attacks can effectively exhaust controller resource

which leads to denial of service (DoS).The existing OpenFlow policy verification schemes only focus on detecting data plane loop

and cannot detect such controller-to-switch loops.In order to detect CSL attacks

we proposed a novel policy verification scheme.The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages

and efficiently identifies the forwarding loops by traversing the graph.In order to evaluate our defense

we implement it in the Floodlight controller

and perform experiments with Mininet.The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.

关键词

Keywords

references

Views

292

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

Cost and Power Consumption Joint Optimization Based Virtual Network Embedding Algorithm for Software-Defined Networking

Research on Consistent Rule Update in Software-Defined WSN

Related Author

CHAI Rong

XIE De-sheng

CHEN Qian-bin

HUANG Mei-gen

YU Bin

Related Institution

School of Communication and Information Engineering, Chongqing University of Post and Telecommunications

Information Engineering University

⁰