ISSN 1000-1239 CN 11-1777/TP

• 信息安全 •

### SDN网络拓扑污染攻击防御机制研究

1. 1(清华大学深圳研究生院 广东深圳 518055);2(清华大学计算机科学与技术系 北京 100084) (13222026288@163.com)
• 出版日期: 2018-01-01
• 基金资助:
国家自然科学基金项目(61572278，61625203)；国家重点研发计划项目(2016YFC0901605，2016YFB0800102)；深圳基础研究基金项目(JCYJ20170307153259323)

### Defending Against SDN Network Topology Poisoning Attacks

Zheng Zheng1, Xu Mingwei2, Li Qi1, Zhang Yun1

1. 1(Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055);2(Department of Computer Science and Technology, Tsinghua University, Beijing 100084)
• Online: 2018-01-01

Abstract: Software-defined networking (SDN) is a new network paradigm. Unlike the conventional network, SDN separates the control plane from the data plane. The function of the data plane is enabled in switches while only the controller provides the functions of the control plane. The controller learns topologies of the whole networks and makes the traffic forwarding decisions. However, recent studies show that there exist some serious vulnerabilities in topology management services of the current SDN controller designs, which mainly exists in host tracking service and link discovery service. Attackers can exploit these vulnerabilities to poison the network topology information in the SDN controllers. What’s more, attackers can even make the whole network down. Fortunately, researchers have paid some attention to this serious problem and proposed their defense solution. However, the existing countermeasures can be easily evaded by the attackers. In this paper, we propose an effective approach called SecTopo, to defend against the network topology poisoning attacks. Our evaluation on SecTopo in the Floodlight controller shows that the defense solution can effectively secure network topology with a minor impact on normal operations of OpenFlow controllers.