1. College of Computer Science and Technology, Zhejiang University, Hangzhou 310063, Zhejiang, China
2. School of Computer Science, National Key Laboratory for Multimedia Information Processing, Peking University, Beijing 100021, China
3. College of Computer and Data Science, Fuzhou University, Fuzhou 350108, Fujian, China
CHEN Xiang, male, born November 1997 in Putian, Fujian. PhD student, College of Computer Science and Technology, Zhejiang University. Research interests: programmable networks, network measurement, network security. E-mail: wasdnsxchen@gmail.com
LIU Hong-yan, male, born August 1998 in Tieling, Liaoning. PhD student, College of Computer Science and Technology, Zhejiang University. Research interests: programmable networks, network measurement, network security. E-mail: hyliu20@zju.edu.cn
HUANG Qun, male, born April 1988 in Fuzhou, Fujian. Assistant professor and doctoral supervisor, School of Computer Science, Peking University. Research interests: network data processing and analysis, software-defined networking, network function virtualization, high-performance systems. E-mail: huangqun@pku.edu.cn
ZHANG Dong, male, born October 1982 in Fuzhou, Fujian. Professor and doctoral supervisor, College of Computer and Data Science / College of Software, Fuzhou University. Research interests: software-defined networking, medical artificial intelligence. E-mail: zhangdong@fzu.edu.cn
WU Chun-ming (corresponding author), male, born June 1966 in Hangzhou, Zhejiang. Professor and doctoral supervisor, College of Computer Science and Technology, Zhejiang University. Research interests: next-generation Internet architecture, programmable network technology, endogenous security of network systems.
Received: 2022-04-27
Revised: 2022-07-06
Published online: 2023-11-15
CHEN Xiang, LIU Hong-yan, HUANG Qun, et al. Empowering DDoS Attack Mitigation with Programmable Switches[J/OL]. ACTA ELECTRONICA SINICA, 2023, 1-9. DOI: 10.12263/DZXB.20220468.
Distributed denial-of-service (DDoS) attacks have long been among the most severe and destructive attacks on modern networks. Existing solutions deploy security-oriented network functions (SNFs) that defend against DDoS attacks either on middleboxes or by means of network function virtualization (NFV). However, middleboxes are proprietary and fixed-function, which makes them costly and inflexible when the attack pattern changes; NFV sacrifices packet-processing performance and adds non-trivial end-to-end latency, which is unacceptable for many latency-sensitive Internet services. Recently, the emergence of programmable switches has created new opportunities for low-cost, flexible and high-performance DDoS attack mitigation. This paper surveys the literature on programmable-switch-assisted DDoS attack mitigation. We first describe the common process of building and running DDoS mitigation techniques on programmable switches. We then analyze and discuss the characteristics of state-of-the-art DDoS mitigation techniques built on programmable switches. Finally, we highlight the problems and challenges faced by existing techniques, including compatibility with complex SNFs, automatic resource allocation for SNFs, and possible conflicts (e.g., over resources and performance) between different SNFs.