SSG - A Solution to Prevent Saturation Attack on the Data Plane and Control Plane in SDN/Openflow Network

Đ. Tuyên, Truong Thu Huong
Journal: Research and Development on Information and Communication Technology
Publication date: 2019-02-01
DOI: https://doi.org/10.32913/mic-ict-research.v2019.n1.833
Citations: 0

Abstract

The SDN/Openflow architecture opens new opportunities for effective solutions to network security problems; however, it also brings new security challenges compared to the traditional network. One of those is the mechanism of reactive installation of new flow entries, which can make the data plane and control plane an easy target for resource saturation attacks that use spoofing techniques, such as SYN flood. There are a number of solutions to this problem, such as the Connection Migration (CM) mechanism in the Avant-Guard solution. However, most of them increase the load on commodity switches and/or split benign TCP connections, which can increase packet latency and disable some features of the TCP protocol. This paper presents a solution called SDN-based SYN Flood Guard (SSG), which takes advantage of Openflow's ability to match TCP Flags fields and the RST Cookie technique to authenticate the three-way handshake processes of TCP connections in a device separate from the SDN/Openflow switches. The experiment results reveal that SSG solves the aforementioned problems and improves the SYN Flood.