College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, Jiangsu, China
QIAN Hongyan (1973- ), female, from Changzhou, Jiangsu; PhD, associate professor and master's supervisor at Nanjing University of Aeronautics and Astronautics. Main research interests: computer networks and information security.
XUE Hao (1991- ), male, from Ningguo, Anhui; master's student at Nanjing University of Aeronautics and Astronautics. Main research interests: computer networks and network security.
CHEN Ming (1956- ), male, from Wuxi, Jiangsu; PhD, professor and doctoral supervisor at Nanjing University of Aeronautics and Astronautics. Main research interests: future networks, network function virtualization, UAV networks and network security.
Published online: 2019-03
Published in print: 2019-03-25
Citation: Hongyan QIAN, Hao XUE, Ming CHEN. UDM: NFV-based prevention mechanism against DDoS attack on SDN controller[J]. Journal on Communications, 2019, 40(3): 116-124. DOI: 10.11959/j.issn.1000-436x.2019067.
(Chinese citation: 钱红燕, 薛昊, 陈鸣. UDM:基于NFV的防止DDoS攻击SDN控制器的机制[J]. 通信学报, 2019, 40(3): 116-124.)
Abstract: Distributed denial-of-service (DDoS) attacks are widespread and pose a fatal threat to software-defined networking (SDN) controllers, and no existing security mechanism has been able to prevent them. Combining SDN with network function virtualization (NFV), a novel mechanism for preventing DDoS attacks on the SDN controller, called the upfront detection middlebox (UDM), is proposed. UDMs are deployed in a distributed manner between SDN switch ports and user hosts, where they detect and drop DDoS attack packets. An NFV-based method of implementing the upfront middlebox is also put forward, which makes the UDM mechanism economical and effective. A prototype system based on this mechanism was implemented and extensively tested. The experimental results show that the NFV-based UDM mechanism can detect and prevent DDoS attacks on the controller effectively and in real time.
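The threat and the middlebox placement described in the abstract, as an added example that is not code from the paper: a small Python model in which a switch raises a packet_in for every flow-table miss, and a UDM on each host-facing port drops that port once it opens too many new flows inside a sliding window. The port numbers, addresses, window, threshold and the detection rule itself are assumptions for illustration; this page does not state the paper's detection algorithm.

```python
# Added example, not the paper's code. Models the threat in the abstract: each
# packet whose 5-tuple misses the flow table becomes a packet_in to the
# controller, so a host forging a fresh 5-tuple per packet turns line rate into
# controller load. The UDM rule used here (distinct new flows per ingress port
# in a sliding window) is an assumption; the paper's own rule is not on this page.
from collections import defaultdict, deque


def flow_key(pkt):
    """5-tuple the switch matches on."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


class Controller:
    """Counts packet_in events; each one installs a rule for the missed flow."""
    def __init__(self):
        self.packet_in = 0

    def handle_packet_in(self, switch, key):
        self.packet_in += 1
        switch.flow_table.add(key)


class Switch:
    def __init__(self, controller):
        self.controller = controller
        self.flow_table = set()

    def process(self, pkt):
        key = flow_key(pkt)
        if key not in self.flow_table:       # table miss -> packet_in
            self.controller.handle_packet_in(self, key)
        return True                          # packet forwarded


class UDM:
    """One instance per host-facing port (the abstract's distributed deployment).
    State is keyed on the port, not the source address, so a host spoofing src
    IPs still counts as one host. A port exceeding max_new_flows distinct new
    5-tuples inside window_us microseconds is blocked for the rest of the run
    (a real deployment would age the block out)."""
    def __init__(self, switch, window_us=1_000_000, max_new_flows=50):
        self.switch = switch
        self.window_us = window_us
        self.max_new_flows = max_new_flows
        self.seen = set()        # 5-tuples already admitted on this port
        self.recent = deque()    # timestamps of new flows inside the window
        self.blocked = False
        self.dropped = 0

    def process(self, pkt):
        if self.blocked:
            self.dropped += 1
            return False
        key = flow_key(pkt)
        if key not in self.seen:             # would be a table miss downstream
            self.seen.add(key)
            self.recent.append(pkt["ts"])
            while pkt["ts"] - self.recent[0] > self.window_us:
                self.recent.popleft()
            if len(self.recent) > self.max_new_flows:
                self.blocked = True
                self.dropped += 1
                return False
        return self.switch.process(pkt)


def build_traffic():
    """Constructed sample traffic (not a capture). Port 1: benign host, 200
    packets over 20 long-lived flows in 2 s. Port 2: attacker, 5000 packets in
    the same 2 s, each from an unused source port, i.e. one packet_in each."""
    pkts = [{"ts": i * 10_000, "port": 1, "src": "10.0.0.1", "dst": "10.0.0.100",
             "proto": 6, "sport": 40_000 + i % 20, "dport": 80} for i in range(200)]
    pkts += [{"ts": i * 400, "port": 2, "src": "10.0.0.2", "dst": "10.0.0.100",
              "proto": 6, "sport": 1024 + i, "dport": 80} for i in range(5000)]
    return sorted(pkts, key=lambda p: p["ts"])


def simulate(with_udm):
    """Run the traffic with or without a UDM on each port; return controller
    packet_in count, UDM drops, and packets reaching the switch per port."""
    ctrl = Controller()
    sw = Switch(ctrl)
    pkts = build_traffic()
    udms = {port: UDM(sw) for port in {p["port"] for p in pkts}}
    delivered = defaultdict(int)
    for pkt in pkts:
        if (udms[pkt["port"]].process(pkt) if with_udm else sw.process(pkt)):
            delivered[pkt["port"]] += 1
    return {"packet_in": ctrl.packet_in,
            "dropped": sum(u.dropped for u in udms.values()),
            "delivered": dict(delivered)}


if __name__ == "__main__":
    print("no UDM  :", simulate(False))   # 5020 packet_in, 0 dropped
    print("with UDM:", simulate(True))    # 70 packet_in, 4950 dropped
```

Running it prints the controller's packet_in load with and without the middlebox: the attacker's 5000 table misses collapse to the 50 it gets through before the threshold trips, while the benign port's 200 packets all reach the switch. The point worth checking in any real deployment of this pattern is that the middlebox keys its counters on the ingress port rather than on the packet's source address; a flooding host that spoofs its IP would otherwise spread its new flows across many counters and stay under any per-source threshold.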