高级检索

    SDN网络拓扑污染攻击防御机制研究

    Defending Against SDN Network Topology Poisoning Attacks

    • 摘要: 软件定义网络(software-defined networking, SDN)是一种新型的网络体系结构,SDN网络将传统网络的数据层和控制层进行分离,数据层由支持OpenFlow协议的交换机实现,控制层由控制器来实现.控制器维护全网拓扑信息,集中管理网络流的路由决策.现有研究表明,在控制器的拓扑服务管理中存在严重的漏洞,主要存在于主机发现服务和链路发现服务中,攻击者利用这类漏洞可以进行网络拓扑污染攻击.目前研究者们提出的拓扑污染防御方案存在设计漏洞,很容易被攻击者绕过.故提出一种轻量级的符合SDN场景的防御方案——SecTopo——实现拓扑污染防御.通过在Floodlight控制器上测试SecTopo表明,SecTopo不仅能有效防御攻击,而且仅引入的开销极小.

       

      Abstract: Software-defined networking (SDN) is a new network paradigm. Unlike the conventional network, SDN separates the control plane from the data plane. The function of the data plane is enabled in switches while only the controller provides the functions of the control plane. The controller learns topologies of the whole networks and makes the traffic forwarding decisions. However, recent studies show that there exist some serious vulnerabilities in topology management services of the current SDN controller designs, which mainly exists in host tracking service and link discovery service. Attackers can exploit these vulnerabilities to poison the network topology information in the SDN controllers. What’s more, attackers can even make the whole network down. Fortunately, researchers have paid some attention to this serious problem and proposed their defense solution. However, the existing countermeasures can be easily evaded by the attackers. In this paper, we propose an effective approach called SecTopo, to defend against the network topology poisoning attacks. Our evaluation on SecTopo in the Floodlight controller shows that the defense solution can effectively secure network topology with a minor impact on normal operations of OpenFlow controllers.

       

    /

    返回文章
    返回