计算机工程与应用 ›› 2020, Vol. 56 ›› Issue (10): 88-93.DOI: 10.3778/j.issn.1002-8331.1902-0058

• 网络、通信与安全 • 上一篇    下一篇

面向SDN拓扑发现的LDoS攻击防御技术研究

谢升旭,魏伟,邢长友,张国敏   

  1. 1.陆军工程大学 指挥控制工程学院,南京 210007
    2.中国人民解放军31106部队
  • 出版日期:2020-05-15 发布日期:2020-05-13

Research on LDoS Attack Defense Technology for SDN Topology Discovery

XIE Shengxu, WEI Wei, XING Changyou, ZHANG Guomin   

  1. 1.College of Command & Control Engineering, Army Engineering University of PLA, Nanjing 210007, China
    2.Unit 31106 of PLA, China
  • Online:2020-05-15 Published:2020-05-13

摘要:

准确获取网络拓扑是软件定义网络(Software?Defined?Network,SDN)中控制器进行有效决策的前提,而现有拓扑发现机制难以有效应对低速率拒绝服务(Low rate Denial of Service,LDoS)攻击等行为。通过理论和实验分析LDoS攻击对SDN拓扑发现造成的影响,提出了一种面向SDN拓扑发现的LDoS攻击防御机制TopoGuard。TopoGuard根据LDoS攻击的周期性特征,通过连续突发检测快速发现存在的疑似攻击场景,并基于主动链路识别策略避免攻击行为造成网络拓扑中断。最后,在OpenDaylight控制器上实现了TopoGuard。实验结果显示,TopoGuard能够有效检测和防御LDoS攻击行为,保证控制器获取全局拓扑信息的正确性。

关键词: 低速率DoS攻击, SDN架构, 拓扑发现, 连续突发检测

Abstract:

Acquiring network topology accurately is important for Software?Defined?Network(SDN) controller to make effective control decisions. However, the current network topology discovery mechanisms are vulnerable to attacks such as the Low rate Denial of Service(LDoS) attack. In this paper, the influence of LDoS attack on the SDN topology discovery mechanism is analyzed theoretically and experimentally, and an LDoS attack defense mechanism for SDN topology discovery named TopoGuard is proposed. According to the periodic characteristics of LDoS attacks, TopoGuard uses the continuous burst detection method to detect the suspected attack scenarios quickly, and then avoids the network topology interruption caused by attacks based on the active link identification method. Finally, the TopoGuard mechanism is implemented on OpenDaylight controller. The experimental results show that TopoGuard can effectively detect and defend against LDoS attacks and ensure the correctness of the global topology information acquired by the controller.

Key words: low rate DoS attack, SDN architecture, topology discovery, continuous burst detection