基于控制器的SDN流过滤策略缓解流表过载攻击

Proceedings of the 2019 9th International Conference on Communication and Network Security Pub Date : 2019-11-15 DOI:10.1145/3371676.3371706

Phan The Duy, Hoai An Le Thi, V. Pham

{"title":"基于控制器的SDN流过滤策略缓解流表过载攻击","authors":"Phan The Duy, Hoai An Le Thi, V. Pham","doi":"10.1145/3371676.3371706","DOIUrl":null,"url":null,"abstract":"Controller is a key component in the three layers of Software - Defined Networking (SDN), which is to process a huge number of flow requests from network devices. As a result, it puts a flow rule into flow table in switch according to every incoming packet. However, the capacity of flow table is limited and can be the target of malicious attacks by taking advantage of installing rules from controller. Specifically, malicious rules can be pushed from controller to occupy the available space for new benign traffic due to controlling and directing the packets in SDN relied on flow rules installation. These tables can be full of a massive number of flow entries populated from controller, leading to be out of space for new benign flows. This paper gives a method to mitigate flow table overloading attack after a DDoS attack notification. It can help the data plane to be more secured by improving the availability of flow table with a strategy of real-time packet monitoring and flow management in controller.","PeriodicalId":352443,"journal":{"name":"Proceedings of the 2019 9th International Conference on Communication and Network Security","volume":"43 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"Mitigating Flow Table Overloading Attack with Controller-based Flow Filtering Strategy in SDN\",\"authors\":\"Phan The Duy, Hoai An Le Thi, V. Pham\",\"doi\":\"10.1145/3371676.3371706\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Controller is a key component in the three layers of Software - Defined Networking (SDN), which is to process a huge number of flow requests from network devices. As a result, it puts a flow rule into flow table in switch according to every incoming packet. However, the capacity of flow table is limited and can be the target of malicious attacks by taking advantage of installing rules from controller. Specifically, malicious rules can be pushed from controller to occupy the available space for new benign traffic due to controlling and directing the packets in SDN relied on flow rules installation. These tables can be full of a massive number of flow entries populated from controller, leading to be out of space for new benign flows. This paper gives a method to mitigate flow table overloading attack after a DDoS attack notification. It can help the data plane to be more secured by improving the availability of flow table with a strategy of real-time packet monitoring and flow management in controller.\",\"PeriodicalId\":352443,\"journal\":{\"name\":\"Proceedings of the 2019 9th International Conference on Communication and Network Security\",\"volume\":\"43 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2019-11-15\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 2019 9th International Conference on Communication and Network Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3371676.3371706\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2019 9th International Conference on Communication and Network Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3371676.3371706","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

摘要

控制器(Controller)是三层软件定义网络(SDN)中的关键组件，它处理来自网络设备的大量流请求。因此，它根据每个传入数据包在交换机的流表中放入一个流规则。然而，流表的容量有限，并且可以利用从控制器安装规则的优势成为恶意攻击的目标。具体来说，通过安装流规则对SDN中的数据包进行控制和定向，可以将恶意规则从控制器中推送出去，占用新的良性流量的可用空间。这些表可能充满了从控制器填充的大量流条目，导致没有空间容纳新的良性流。本文提出了一种在DDoS攻击通知后减轻流表过载攻击的方法。采用实时数据包监控和控制器流管理策略，提高流表的可用性，提高数据平面的安全性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Mitigating Flow Table Overloading Attack with Controller-based Flow Filtering Strategy in SDN

Controller is a key component in the three layers of Software - Defined Networking (SDN), which is to process a huge number of flow requests from network devices. As a result, it puts a flow rule into flow table in switch according to every incoming packet. However, the capacity of flow table is limited and can be the target of malicious attacks by taking advantage of installing rules from controller. Specifically, malicious rules can be pushed from controller to occupy the available space for new benign traffic due to controlling and directing the packets in SDN relied on flow rules installation. These tables can be full of a massive number of flow entries populated from controller, leading to be out of space for new benign flows. This paper gives a method to mitigate flow table overloading attack after a DDoS attack notification. It can help the data plane to be more secured by improving the availability of flow table with a strategy of real-time packet monitoring and flow management in controller.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Proceedings of the 2019 9th International Conference on Communication and Network Security

自引率

0.00%

发文量