Field Manipulation Attacks Based on Sniffing Techniques
doi: 10.11999/JEIT191047
1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Funds: Beijing Municipal Science and Technology Project (Z181100002718003)
Abstract: Software-Defined Networking (SDN) brings flexibility, manageability, and programmability to the network infrastructure, but it also introduces many new attack vectors. This paper presents malicious manipulation attacks that an attacker launches against key OpenFlow fields, and designs three sniffing techniques based on packet forwarding delay to make field manipulation attacks feasible in real SDN networks. The experimental results show that field manipulation attacks heavily consume SDN network resources, leading to a significant decrease in the communication performance between legitimate users.

Key words:
- Software-Defined Networking (SDN)
- OpenFlow
- Field manipulation attack
- Sniffing
Table 1 Sniffing technique based on binary search
Initialization: probe packet sequence $\{p_1, p_2, \cdots, p_n\}$; the minimum timeout is initially set to 0; the maximum timeout is initially set to $t$ (chosen so that the rule is guaranteed to be evicted after time $t$);
(1) Inject packet $p_1$;
(2) Loop: for each packet $p_i$ in the probe sequence $\{p_1, p_2, \cdots, p_n\}$:
(3) Set the waiting delay to (minimum timeout + maximum timeout)/2;
(4) After the waiting delay has elapsed, inject packet $p_i$ and obtain its round-trip delay;
(5) If the round-trip delay is large, $p_i$ has triggered the flow rule installation process again, so:
(6) Update the maximum timeout to (minimum timeout + maximum timeout)/2;
(7) Otherwise, $p_i$ did not trigger the flow rule installation process, so:
(8) Update the minimum timeout to (minimum timeout + maximum timeout)/2;
(9) When all probe packets have been sent, return the resulting minimum and maximum timeouts.