Dynamic Defense for DDoS Attack Using OpenFlow-based Switch Shuffling Approach
doi: 10.11999/JEIT160449
Funds: The National 863 Program of China (2012AA012902), The National Science Fund for Distinguished Young Scholars (61402526)
Abstract: The limited nature of network resources and the decentralised management of traditional networks are the main reasons such networks struggle to counter Distributed Denial of Service (DDoS) attacks. Existing defenses are static and reactive, and they have difficulty locating the attackers. To address these problems, this paper proposes a dynamic defense method. It uses the centralised control and dynamic management provided by Software Defined Networking (SDN) to build an OpenFlow switch shuffling model, in which a greedy algorithm dynamically remaps user-to-switch connections; over several rounds of shuffling, the attackers in the user population are separated from the legitimate users, and the legitimate users receive low-latency, uninterrupted service. A prototype is implemented on the open-source SDN controller Ryu and tested in an SDN environment. Performance tests show that the method isolates attackers within a finite number of shuffling rounds and reduces the impact of DDoS attacks on legitimate traffic. Defense capability tests show that, in a ring topology managed by a single controller, the defensive effect is independent of the volume of attack traffic and depends only on the number of attackers.

Keywords:
- network security
- software-defined networking
- distributed denial-of-service attack
- dynamic defense
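The abstract describes the mechanism only at a high level: a greedy algorithm remaps user-to-switch connections each round, and repeated shuffling separates attackers from legitimate users. The following Python simulation is an added example, not code from the paper or its Ryu prototype, and its concrete rules are assumptions: the controller observes per switch only whether it is being flooded (a constructed oracle, so attack volume plays no role), spreads the remaining suspects evenly over the switches, clears every user whose switch stayed quiet, confirms a suspect that sat alone on a flooded switch, and reserves one switch for users already cleared so their service is not interrupted. The user names, attacker set and switch count are constructed sample data.

```python
"""Toy round-based simulation of OpenFlow switch shuffling against DDoS sources.

Added example, not the paper's algorithm or the Ryu prototype. The rules below
(binary per-switch flood observation, balanced greedy placement, intersection of
suspect sets across rounds, one switch reserved for cleared users) are this
example's assumptions about how such a shuffling defense can be organised.
"""
import random
from typing import Dict, Iterable, List, Set, Tuple

CLEAN_SWITCH = 0  # reserved for cleared (legitimate) users once any exist


def greedy_assign(suspects: Set[str], cleared: Set[str],
                  n_switches: int, rng: random.Random) -> Dict[str, int]:
    """Greedy balanced placement: each suspect goes to the switch currently
    holding the fewest suspects, so one round splits the suspect set into
    (almost) equal groups. Cleared users all go to the reserved clean switch."""
    if n_switches < 2:
        raise ValueError("shuffling needs at least two switches")
    pool = [s for s in range(n_switches) if not cleared or s != CLEAN_SWITCH]
    load = {s: 0 for s in pool}
    order = sorted(suspects)
    rng.shuffle(order)  # randomise ties so the same users are not co-located every round
    assignment: Dict[str, int] = {}
    for user in order:
        target = min(pool, key=load.__getitem__)
        assignment[user] = target
        load[target] += 1
    for user in cleared:
        assignment[user] = CLEAN_SWITCH
    return assignment


def observe(assignment: Dict[str, int], attackers: Set[str]) -> Set[int]:
    """Constructed flood oracle: a switch is reported as attacked iff at least
    one attacker is currently mapped to it. The size of the flood is irrelevant."""
    return {sw for user, sw in assignment.items() if user in attackers}


def shuffle_until_isolated(users: Iterable[str], attackers: Set[str], n_switches: int,
                           seed: int = 0, max_rounds: int = 50
                           ) -> Tuple[Set[str], Set[str], Set[str], List[Tuple[int, int, int]]]:
    """Run shuffling rounds until every user is either confirmed or cleared.

    Returns (confirmed_attackers, cleared_users, unresolved_suspects, history),
    where each history row is (round, suspects_left, cleared_users_hit_this_round).
    Confirmed attackers are no longer mapped to any switch (in a controller this
    would be a drop rule for their flows).
    """
    rng = random.Random(seed)
    suspects, cleared, confirmed = set(users), set(), set()
    history: List[Tuple[int, int, int]] = []
    for rnd in range(1, max_rounds + 1):
        if not suspects:
            break
        assignment = greedy_assign(suspects, cleared, n_switches, rng)
        attacked = observe(assignment, attackers)
        hit = sum(1 for u in cleared if assignment[u] in attacked)  # service disruption metric
        groups: Dict[int, List[str]] = {}
        for u in suspects:
            groups.setdefault(assignment[u], []).append(u)
        # a quiet switch clears everyone on it; a lone suspect on a flooded switch is the source
        newly_cleared = {u for sw, grp in groups.items() if sw not in attacked for u in grp}
        newly_confirmed = {grp[0] for sw, grp in groups.items() if sw in attacked and len(grp) == 1}
        cleared |= newly_cleared
        confirmed |= newly_confirmed
        suspects -= newly_cleared | newly_confirmed
        history.append((rnd, len(suspects), hit))
    return confirmed, cleared, suspects, history


# Constructed scenario: 24 users, 3 of them attackers (ground truth the controller never sees)
USERS = [f"user{i:02d}" for i in range(24)]
ATTACKERS = {"user03", "user11", "user19"}
N_SWITCHES = 6

if __name__ == "__main__":
    confirmed, cleared, left, history = shuffle_until_isolated(USERS, ATTACKERS, N_SWITCHES, seed=1)
    for rnd, remaining, hit in history:
        print(f"round {rnd}: {remaining} suspects left, {hit} cleared users disrupted")
    print("confirmed attackers:", sorted(confirmed), "unresolved:", sorted(left))
```

Two properties of this toy model line up with the abstract's capability-test claim. First, the oracle is binary per switch, so a flood of any size from one source costs the defender exactly one switch per round; only the number of attackers matters. Second, while the attackers are fewer than the switches, every round leaves at least one quiet switch and the suspect set shrinks deterministically (for 24 users, 3 attackers and 6 switches the scenario above resolves in at most five rounds). Once the attackers equal or outnumber the switches available to suspects, progress depends on the random placement happening to leave a switch attacker-free, so the number of rounds grows and the `max_rounds` guard matters; that is the operating limit a deployment of this kind of defense should be sized against.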