ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2018, Vol. 55 ›› Issue (1): 207-215.doi: 10.7544/issn1000-1239.2018.20160740

• 信息安全 • 上一篇    下一篇

SDN网络拓扑污染攻击防御机制研究

郑正1,徐明伟2,李琦1,张云1   

  1. 1(清华大学深圳研究生院 广东深圳 518055);2(清华大学计算机科学与技术系 北京 100084) (13222026288@163.com)
  • 出版日期: 2018-01-01
  • 基金资助: 
    国家自然科学基金项目(61572278,61625203);国家重点研发计划项目(2016YFC0901605,2016YFB0800102);深圳基础研究基金项目(JCYJ20170307153259323)

Defending Against SDN Network Topology Poisoning Attacks

Zheng Zheng1, Xu Mingwei2, Li Qi1, Zhang Yun1   

  1. 1(Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055);2(Department of Computer Science and Technology, Tsinghua University, Beijing 100084)
  • Online: 2018-01-01

摘要: 软件定义网络(software-defined networking, SDN)是一种新型的网络体系结构,SDN网络将传统网络的数据层和控制层进行分离,数据层由支持OpenFlow协议的交换机实现,控制层由控制器来实现.控制器维护全网拓扑信息,集中管理网络流的路由决策.现有研究表明,在控制器的拓扑服务管理中存在严重的漏洞,主要存在于主机发现服务和链路发现服务中,攻击者利用这类漏洞可以进行网络拓扑污染攻击.目前研究者们提出的拓扑污染防御方案存在设计漏洞,很容易被攻击者绕过.故提出一种轻量级的符合SDN场景的防御方案——SecTopo——实现拓扑污染防御.通过在Floodlight控制器上测试SecTopo表明,SecTopo不仅能有效防御攻击,而且仅引入的开销极小.

关键词: 软件定义网络, 控制器, 交换机, 网络拓扑污染, 网络安全

Abstract: Software-defined networking (SDN) is a new network paradigm. Unlike the conventional network, SDN separates the control plane from the data plane. The function of the data plane is enabled in switches while only the controller provides the functions of the control plane. The controller learns topologies of the whole networks and makes the traffic forwarding decisions. However, recent studies show that there exist some serious vulnerabilities in topology management services of the current SDN controller designs, which mainly exists in host tracking service and link discovery service. Attackers can exploit these vulnerabilities to poison the network topology information in the SDN controllers. What’s more, attackers can even make the whole network down. Fortunately, researchers have paid some attention to this serious problem and proposed their defense solution. However, the existing countermeasures can be easily evaded by the attackers. In this paper, we propose an effective approach called SecTopo, to defend against the network topology poisoning attacks. Our evaluation on SecTopo in the Floodlight controller shows that the defense solution can effectively secure network topology with a minor impact on normal operations of OpenFlow controllers.

Key words: software-defined networking (SDN), controller, switch, network topology poisoning, network security

中图分类号: