ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development (计算机研究与发展) ›› 2017, Vol. 54 ›› Issue (10): 2356-2368. doi: 10.7544/issn1000-1239.2017.20170389

• Information Security •

A Dynamic Defense Mechanism for SDN DoS Attacks Based on Network Resource Management Technology

Wang Tao, Chen Hongchang, Cheng Guozhen

  1. (National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002) (wangtaogenuine@163.com)
  • Publication date: 2017-10-01
  • Funding:
    Innovative Research Group Project of the National Natural Science Foundation of China (61521003); National Key Research and Development Program of China (2016YFB0800101); Young Scientists Fund of the National Natural Science Foundation of China (61602509); Henan Province Science and Technology Key Project (172102210615); Emerging Direction Cultivation Fund of the Information Engineering University (2016610708)

A Dynamic Defense Mechanism for SDN DoS Attacks Based on Network Resource Management Technology

Wang Tao, Chen Hongchang, Cheng Guozhen   

  1. (National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002)
  • Online: 2017-10-01

Abstract: Software defined networking (SDN) has rapidly become a new paradigm for network communication management and has greatly changed the traditional network architecture. By separating the control plane from the data plane, SDN achieves finer-grained network control and management. However, this decoupled SDN architecture also makes the controller an easy target for DoS attacks. To address this problem, this paper conducts a comprehensive study of DoS attacks in SDN and proposes MinDoS, a lightweight and effective defense mechanism implemented mainly by two core modules: a simplified DoS attack detection module and a priority management module. The mechanism classifies flow requests according to users' trust values and places them into multiple buffer queues with different priorities; the SDN controller then schedules the processing of these flow requests with a dual polling mechanism, thereby better protecting the controller under DoS attacks. In addition, MinDoS is combined with a dynamic multi-controller scheduling strategy to reduce the global response time and improve users' quality of service. Finally, the defense performance of MinDoS is comprehensively evaluated in SDN single-controller and multi-controller experimental environments; the experimental results show that MinDoS defends effectively and the system design meets the expected goals.

Keywords: software defined networking, denial-of-service attack, priority queue, controller dual polling mechanism, quality of service

Abstract: Software defined networking (SDN) has quickly emerged as a new communication network management paradigm and has greatly changed the traditional network architecture. It provides fine-grained network management by decoupling the control plane from the data plane. However, because the control plane is separated from the data plane, the controller easily becomes the target of DoS attacks. To address this problem, we conduct a comprehensive study of DoS attacks in SDN and propose MinDoS, a lightweight and effective DoS mitigation method. MinDoS mainly consists of two key modules: a simplified DoS detection module and a priority manager. MinDoS divides flow requests into multiple buffer queues with different priorities according to the users' trust values. To better protect the controller under DoS attacks, the SDN controller then schedules the processing of these flow requests using a dual polling mechanism. In addition, the design of MinDoS is combined with a dynamic controller assignment strategy so as to minimize the average response time of the control plane and improve the quality of service. Finally, we evaluate the performance of MinDoS in a single-controller experimental environment and a multi-controller experimental environment, respectively. The experimental results show that MinDoS defends effectively and that the designed system essentially meets its design objectives.

Key words: software defined networking (SDN), denial-of-service (DoS) attacks, multi-priority queues, dual polling mechanism, quality of service (QoS)
