Journal of Tsinghua University (Science and Technology)  2019, Vol. 59 Issue (1): 36-43    DOI: 10.16511/j.cnki.qhdxxb.2018.25.062
Information Security
Software defined network moving target defense mechanism against link flooding attacks
XIE Lixia, DING Ying
School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
Abstract: This paper presents a software defined network (SDN) based defense mechanism to detect and mitigate a new distributed denial of service (DDoS) attack named Crossfire. Based on the characteristics of the Crossfire attack, an SDN traffic-level centralized monitoring and shunt control model was designed and deployed in the defense mechanism. The SDN re-routing strategy relieves the congestion load on the attacked link, and flexible traffic scheduling alleviates congestion and prevents the interruption of critical links from seriously interfering with network services. The SDN moving target defense (MTD) mechanism dynamically adjusts the network configuration and network behavior to induce the attacker to adjust the attack traffic, thereby improving the attack detection efficiency of the bait server. Tests show that this mechanism can effectively defend against Crossfire attacks and that the SDN defense mechanism and re-routing strategy do not incur significant overhead.
Key words: Crossfire; distributed denial of service (DDoS) attack; software defined network (SDN); re-routing
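Received: 2018-09-27      Published: 2019-01-16
Funding: Supported by the Civil Aviation Joint Research Fund of the National Natural Science Foundation of China (U1833107) and the Fundamental Research Funds for the Central Universities (ZYGX2018028)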
Cite this article:
XIE Lixia, DING Ying. Software defined network moving target defense mechanism against link flooding attacks. Journal of Tsinghua University (Science and Technology), 2019, 59(1): 36-43.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.25.062  or  http://jst.tsinghuajournals.com/CN/Y2019/V59/I1/36
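  Fig. 1 Crossfire attack implementation process
  Fig. 2 Congestion monitoring and re-routing control flow
  Fig. 3 MTD defense mechanism architecture
  Fig. 4 Response process
  Fig. 5 Experimental network topology
  Table 1 Experimental parameter settings
  Fig. 6 Crossfire attack setup time
  Fig. 7 Crossfire attack completion time
  Fig. 8 Crossfire attacker response time
  Fig. 9 Crossfire defender response time
  Table 2 Distribution of attack traffic across the bait servers after each round of re-routing
  Fig. 10 Average packet transmission delay
  Fig. 11 Total number of transmitted packets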