Beytüllah Yiğit, Gürkan Gür, Bernhard Tellenbach, Fatih Alagöz
{"title":"揭开 SDN 流量表饱和的面纱:指纹识别、攻击与防御","authors":"Beytüllah Yiğit, Gürkan Gür, Bernhard Tellenbach, Fatih Alagöz","doi":"10.1007/s10207-024-00897-x","DOIUrl":null,"url":null,"abstract":"<p>Software-Defined Networking stands as a pivotal technology in attaining the essential levels of flexibility and scalability demanded by pervasive and high-performance network infrastructure required for digital connected services. Nonetheless, its disaggregated and layered architecture makes it open to the time-based fingerprinting attacks. Besides, limited flow table capacity of the switches alleviates table saturation attacks. In this paper, an automated attacker tool called <i>TASOS</i> is proposed to infer flow table utilization rate, size and replacement algorithm. With this set of information, the attacker can conduct intelligent saturation attacks. Furthermore, a lightweight defense mechanism (<i>LIDISA</i>) for proactively deleting flow rules is described. A comprehensive simulation setup with different network conditions shows that the proposed techniques achieve superior success rate in diverse settings.\n</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"2013 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-08-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Unmasking SDN flow table saturation: fingerprinting, attacks and defenses\",\"authors\":\"Beytüllah Yiğit, Gürkan Gür, Bernhard Tellenbach, Fatih Alagöz\",\"doi\":\"10.1007/s10207-024-00897-x\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<p>Software-Defined Networking stands as a pivotal technology in attaining the essential levels of flexibility and scalability demanded by pervasive and high-performance network infrastructure required for digital connected services. Nonetheless, its disaggregated and layered architecture makes it open to the time-based fingerprinting attacks. Besides, limited flow table capacity of the switches alleviates table saturation attacks. In this paper, an automated attacker tool called <i>TASOS</i> is proposed to infer flow table utilization rate, size and replacement algorithm. With this set of information, the attacker can conduct intelligent saturation attacks. Furthermore, a lightweight defense mechanism (<i>LIDISA</i>) for proactively deleting flow rules is described. A comprehensive simulation setup with different network conditions shows that the proposed techniques achieve superior success rate in diverse settings.\\n</p>\",\"PeriodicalId\":50316,\"journal\":{\"name\":\"International Journal of Information Security\",\"volume\":\"2013 1\",\"pages\":\"\"},\"PeriodicalIF\":2.4000,\"publicationDate\":\"2024-08-04\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Information Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1007/s10207-024-00897-x\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00897-x","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Unmasking SDN flow table saturation: fingerprinting, attacks and defenses
Software-Defined Networking stands as a pivotal technology in attaining the essential levels of flexibility and scalability demanded by pervasive and high-performance network infrastructure required for digital connected services. Nonetheless, its disaggregated and layered architecture makes it open to the time-based fingerprinting attacks. Besides, limited flow table capacity of the switches alleviates table saturation attacks. In this paper, an automated attacker tool called TASOS is proposed to infer flow table utilization rate, size and replacement algorithm. With this set of information, the attacker can conduct intelligent saturation attacks. Furthermore, a lightweight defense mechanism (LIDISA) for proactively deleting flow rules is described. A comprehensive simulation setup with different network conditions shows that the proposed techniques achieve superior success rate in diverse settings.
期刊介绍:
The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation.
Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
