基于OpenFlow交换机洗牌的DDoS攻击动态防御方法

doi:10.11999/JEIT160449

摘要
图/表
参考文献(11)
相关文章 (15)

全文: PDF (2461 KB)
输出: BibTeX | EndNote (RIS)

摘要

网络资源的有限性和网络管理的分散性是传统网络难以解决分布式拒绝服务攻击问题的重要原因。当前的防御方法存在静态性、滞后性的不足，并且难以定位攻击者。针对上述问题，该文提出一种动态防御的方法。利用软件定义网络(SDN)集中控制和动态管理的特性构建OpenFlow交换机洗牌模型，使用贪心算法实现用户-交换机连接的动态映射，通过多轮洗牌区分出用户群中的攻击者和合法用户，对合法用户提供低延迟不间断服务。在开源SDN控制器Ryu上实现原型系统，并在SDN环境下进行测试。性能测试结果表明采用该方法可以通过有限次的洗牌筛选出攻击者，降低DDoS攻击对合法访问的影响；能力测试结果则说明了在由一个控制器组成的环形拓扑结构下该方法的防御效果与攻击流的大小无关，而是仅与攻击者的数目有关。

	服务

	把本文推荐给朋友
	加入我的书架
	加入引用管理器
	E-mail Alert
	RSS
	作者相关文章
	武泽慧
	魏强
	任开磊
	王清贤

关键词 ：网络安全, 软件定义网络, 分布式拒绝服务攻击, 动态防御

Abstract：

The limitations of network resource and the dispersion of network management are the two major difficulties for traditional networks to address the Distributed Denial of Service (DDoS) attacks. However, current defense methods are static and hysteresis, which are unable to locate the attackers accurately. Therefore, a dynamic defense using the two pivotal features, centralized control and dynamic management, of Software Defined Networks (SDN) is proposed. An OpenFlow-based switch shuffling model is built which employs greedy algorithm to remap user-switch link dynamically. After several shuffling, attacker could be differentiated from legitimate users and provide the latter with low latency uninterrupted services. The proposed approach is implemented in Ryu, the open source SDN controller, and the prototype is tested in a real SDN. The results of performance test show that with this approach attackers in limited times of shuffling can be isolated and the effects of DDoS attacks on legal flows can be reduced. The outcomes of defense ability test demonstrate that the efficiency of the proposed dynamic approach has nothing to do with the size of attack flow, but is only related to the number of attackers in the ring topology structure which is composed of a single controller.

Key words： Cyber security Software Defined Networks (SDN) Distributed Denial of Service (DDoS) Dynamic defense

收稿日期: 2016-05-03 出版日期: 2016-11-14

PACS:

TP393.08

基金资助:

国家863计划项目(2012AA012902)，国家杰出青年科学基金(61402526)

通讯作者: 武泽慧 E-mail: wuzehui2010@foxmail.com

作者简介: 武泽慧：男，1988年生，博士，研究方向为网络安全. 魏强：男，1979年生，副教授，硕士生导师，研究方向为工控网络安全. 任开磊：男，1992年生，硕士，研究方向为SDN安全. 王清贤：男，1960年生，教授，博士生导师，研究方向为网络与信息安全.

引用本文:

武泽慧,魏强,任开磊,王清贤. 基于OpenFlow交换机洗牌的DDoS攻击动态防御方法[J]. 电子与信息学报, 2017, 39(2): 397-404. WU Zehui, WEI Qiang, REN Kailei, WANG Qingxian. Dynamic Defense for DDoS Attack Using OpenFlow-based Switch Shuffling Approach. JEIT, 2017, 39(2): 397-404.

链接本文:

http://jeit.ie.ac.cn/CN/10.11999/JEIT160449 或 http://jeit.ie.ac.cn/CN/Y2017/V39/I2/397

[1]	PRAS A, SANTANNA J, and STEINBERGER J. DDoS 3.0-How Terrorists Bring Down the Internet[M]. New York: Springer, 2016: 1-4. doi: 10.1007/978-3-319-31559-1_1.
[2]	YADAV V K, TRIVEDI C, and MEHTRE M. DDA: an approach to handle DDoS (Ping Flood) attack[C]. International Conference on ICT for Sustainable Development, Singapore, 2016: 11-23. doi: rg/10.1007/978- 981-10-0129-1_2.
[3]	NAGPAL B, SHARMA P, and CHAUHAN N. DDoS tools: classification, analysis and comparison[C]. IEEE International Conference on Computing for Sustainable Global Development, New Delhi, India, 2015: 342-346.
[4]	LIU Xia, YANG Xin, and XIA Yu. Netfence: preventing internet denial of service from inside out[C]. ACM Sigcomm Computer Communication Review, New York, NY, USA, 2010: 255-266. doi: 10.1145/1851182.1851214.
[5]	BRAGA R, MOTA E, and PASSITO A. Lightweight DDoS flooding attack detection using NOX/OpenFlow[C]. International Conference on Local Computer Networks, Washington, DC, USA, 2010: 408-415. doi: 10.1109/lcn. 2010.5735752.
[6]	YEGANEH S and CANJALI Y. Kandoo: a framework for efficient and scalable offloading of control applications[C]. ACM Workshop on Hot Topics in Software Defined Networks, Helsinki, Finland, 2012: 19-24. doi: 10.1145/ 2342441. 2342446.
[7]	SHIN S and PORRAS P. AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks[C]. International Conference on Computer and Communications Security. Berlin, Germany, 2013: 413-424. doi: 10.1145 /2508859.2516684.
[8]	LIM S, HA J, KIM H, et al. A SDN-oriented DDoS blocking scheme for botnet-based attacks[C]. International Conference on Ubiquitous and Future Networks, Shanghai, China, 2014: 63-68. doi: 10.1109/icufn.2014.6876752.
[9]	JOHNSON N and KOTZ S. Urn models and their applications: an approach to modern discrete probability theory[J]. Journal of International Statistical Review, 1978, 20(4): 104-119. doi: 10.2307/3617688.
[10]	EGER S. Stirling’s approximation for central extended binomial coefficients[J]. Journal of American Mathematica, 2014, 121(4): 344-349. doi: 10.4169/amer.math.monthly.121. 04.344.
[11]	MATSUMOTO M and NISHIMURA T. Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator[J], Journal of Model, 1998, 8(1): 3-30. doi: 10.1145/272991.272995.