Journal of Computer Applications (计算机应用) ›› 2019, Vol. 39 ›› Issue (4): 1066-1072. DOI: 10.11772/j.issn.1001-9081.2018091852

• Cyberspace Security •

Real-time defence against dynamic host configuration protocol flood attacks in software-defined networks (Chinese-language title, translated)

ZOU Chengming1,2, LIU Panwen2, TANG Xing1,2

  1. Hubei Key Laboratory of Transportation Internet of Things (Wuhan University of Technology), Wuhan 430000, China;
  2. College of Computer Science and Technology, Wuhan University of Technology, Wuhan 430000, China
  • Received: 2018-09-05 Revised: 2018-11-26 Online: 2019-04-10 Published: 2019-04-10
  • Corresponding author: LIU Panwen
  • About the authors: ZOU Chengming (born 1975), male, from Xuwen, Guangdong, professor, Ph.D., CCF member; main research interests: computer vision, embedded systems. LIU Panwen (born 1994), male, from Tianmen, Hubei, master's student; main research interest: software-defined networking. TANG Xing (born 1983), male, from Wuhan, Hubei, lecturer, Ph.D.; main research interests: wireless networks, parallel and distributed computing.

Real-time defence against dynamic host configuration protocol flood attack in software defined network

ZOU Chengming1,2, LIU Panwen2, TANG Xing1,2   

  1. Hubei Key Laboratory of Transportation Internet of Things (Wuhan University of Technology), Wuhan Hubei 430000, China;
  2. College of Computer Science and Technology, Wuhan University of Technology, Wuhan Hubei 430000, China
  • Received: 2018-09-05 Revised: 2018-11-26 Online: 2019-04-10 Published: 2019-04-10

Abstract (Chinese version, translated): In a software-defined network (SDN), DHCP flood attack packets can usually enter the controller actively through the reactive mode, which does great harm to the SDN. Aiming at the problem that traditional DHCP flood attack defences cannot prevent the control-link congestion this attack causes in SDN, a dynamic defence mechanism (DDM) against DHCP flood attacks is proposed. DDM consists of a detection model and a mitigation model. In the detection model, unlike the static-threshold detection methods proposed by others, two key parameters, the average DHCP traffic rate and the remaining capacity of the IP pool, are used to build a dynamic peak estimation model that evaluates whether a port is under attack; if it is, the mitigation model takes over the defence. In the mitigation model, the reply behaviour of the Address Resolution Protocol (ARP) is used to clean the IP pool, and a time-segmented interception mechanism within each cycle is designed to throttle the attack source, relieving the congestion while minimising the impact of interception on normal users. Simulation results show that, relative to static-threshold detection, the DDM detection error is reduced by 18.75% on average. The DDM mitigation model intercepts traffic efficiently while shortening the waiting time for users to connect normally during the interception period by 81.45% on average.

Key words (Chinese version, translated): Dynamic Host Configuration Protocol, Software Defined Network, IP pool, Address Resolution Protocol, anomaly traffic

Abstract: In Software Defined Network (SDN), Dynamic Host Configuration Protocol (DHCP) flood attack packets can actively enter the controller in reactive mode, which causes a huge hazard to SDN. Aiming at the problem that the traditional defense method against DHCP flood attack cannot keep the SDN network from control link blocking caused by the attack, a Dynamic Defense Mechanism (DDM) against DHCP flood attacks was proposed. DDM is composed of a detection model and a mitigation model. In the detection model, different from the static threshold detection method, a dynamic peak estimation model was constructed by two key parameters - DHCP average traffic speed and IP pool surplus - to evaluate whether the ports were attacked. If the ports were attacked, the mitigation model would be informed. In the mitigation model, the IP pool cleaning was performed based on the response character of Address Resolution Protocol (ARP), and an interval interception mechanism was designed to intercept the attack source, mitigating the congestion and minimizing the impact on users during interception. Simulation experimental results show that the detection error of DDM is on average 18.75% lower than that of the static threshold detection. The DDM mitigation model can effectively intercept traffic and reduce the waiting time for users to access the network during the interception by an average of 81.45%.
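The abstract names the three building blocks of DDM (a dynamic peak estimate driven by the average DHCP rate and the IP pool surplus, ARP-based pool cleaning, and time-segmented interception) but gives no formulas. The following Python sketch is an added illustration written for this page, not the authors' code: the threshold formula, the cycle/slot lengths, the ARP-reply table and the per-second traffic samples are all constructed assumptions chosen only to show how the three parts fit together for one switch port.

```python
"""Toy DDM-style DHCP flood detector and mitigator for one switch port.

Added illustration, not the paper's implementation. Every constant and
formula below is an assumption made for this example.
"""
from collections import deque
from dataclasses import dataclass, field

POOL_SIZE = 32      # assumed size of the DHCP address pool
WINDOW = 5          # assumed number of samples in the moving average
FLOOR_RATE = 5.0    # assumed baseline DISCOVERs/sec always tolerated
GAIN = 3.0          # assumed burst multiplier over the moving average
PERIOD = 10.0       # assumed interception cycle length, seconds
OPEN_SLOT = 2.0     # assumed seconds per cycle in which the port is open


@dataclass
class PortMonitor:
    """Recent DHCP DISCOVER rates (per second) observed on one port."""
    rates: deque = field(default_factory=lambda: deque(maxlen=WINDOW))

    def avg_rate(self) -> float:
        return sum(self.rates) / len(self.rates) if self.rates else 0.0


def dynamic_threshold(avg_rate: float, pool_surplus: int) -> float:
    """Assumed peak estimate: grows with the moving-average rate and shrinks
    as the pool empties, so a nearly exhausted pool tolerates less burst."""
    surplus_ratio = pool_surplus / POOL_SIZE
    return FLOOR_RATE + avg_rate * GAIN * surplus_ratio


def is_attacked(monitor: PortMonitor, rate: float, pool_surplus: int) -> bool:
    """Flag a sample that exceeds the threshold built from earlier samples.
    Flagged samples are not fed back into the average, otherwise a sustained
    flood would raise its own threshold."""
    attacked = rate > dynamic_threshold(monitor.avg_rate(), pool_surplus)
    if not attacked:
        monitor.rates.append(rate)
    return attacked


def clean_pool(leases: dict, arp_responders: set) -> dict:
    """IP pool cleaning: keep only leases whose holder answered an ARP probe.
    `arp_responders` stands in for the real ARP reply results."""
    return {ip: mac for ip, mac in leases.items() if ip in arp_responders}


def blocked_now(t: float) -> bool:
    """Time-segmented interception: inside each cycle the port is blocked
    except for a short open slot, so legitimate hosts still get a chance."""
    return (t % PERIOD) >= OPEN_SLOT


def simulate(samples: list) -> list:
    """Run (rate, pool_surplus) samples through one monitor; return flags."""
    monitor = PortMonitor()
    return [is_attacked(monitor, rate, surplus) for rate, surplus in samples]


# Constructed traffic: five quiet seconds, a flood that drains the pool,
# one quiet second, then a modest burst while the pool is almost empty.
SAMPLES = [(4, 30), (5, 29), (6, 28), (5, 27), (5, 26),
           (60, 20), (70, 8), (5, 8), (12, 2)]

if __name__ == "__main__":
    print(simulate(SAMPLES))
    leases = {"10.0.0.2": "aa:aa", "10.0.0.3": "bb:bb", "10.0.0.4": "cc:cc"}
    print(clean_pool(leases, {"10.0.0.2"}))   # constructed ARP results
    print([blocked_now(t) for t in (1.0, 3.0, 11.5, 12.0)])
```

The last sample is the case the abstract's comparison turns on: 12 DISCOVERs/sec is unremarkable against a fixed threshold, but with only two addresses left in the pool the dynamic estimate drops to about 6/sec and the sample is flagged.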

Key words: Dynamic Host Configuration Protocol (DHCP), Software Defined Network (SDN), IP pool, Address Resolution Protocol (ARP), anomaly traffic

CLC number: