Research On The Solution To ARP Attack In Software Defined Network

Posted on: 2018-10-30 | Degree: Master | Type: Thesis
Country: China | Candidate: M R Yan
GTID: 2348330521450985 | Subject: Computer system architecture
Abstract/Summary:
As production and daily life depend more and more on network services, the types of network business are becoming more abundant, and data traffic and network scale are growing rapidly. The traditional distributed network architecture appears complicated and bloated, and is difficult to manage and expand. To solve these problems, Nick McKeown et al. proposed SDN as a new network architecture. With centralized control, programmability and other advantages, SDN has received great affirmation from the academic and business communities, and research and applications based on SDN are endless. However, while SDN promotes the development of the network, it also brings many security issues. Since SDN changes only the upper network architecture, attached hosts still communicate using the TCP/IP protocol, so the traditional ARP attack can still affect SDN. An ARP attack in SDN can deceive the controller into establishing a wrong network topology, which results in a more serious effect. Solutions to ARP attack in traditional networks require the destination host to check the information in received ARP packets. In SDN, however, the controller receives ARP packets before the destination host, so solutions to ARP attack in traditional networks do not apply to SDN. Additionally, the existing attack detection methods in SDN were not designed for ARP attack, and hence they could not identify each ARP attack accurately. To solve the above problems, this paper proposes a solution to ARP attack for SDN. The solution requires each host to share a hash chain with the controller before accessing the network, and the controller to establish a configuration information entry for the host, which records the host's MAC address, IP address and initial access location. When processing ARP packets, the controller can check the authenticity of the source host's MAC-IP mapping and MAC address, based on the information in the configuration information table, the hash chain information shared with the host, and even the DHCP server. The controller can then accurately identify and drop each spoofed ARP packet, and accordingly protect the SDN network from ARP attack. The main work of this paper includes:

1. This paper proposes a solution to ARP attack for SDN networks. The solution can be used as a network application on the controller, by which the controller can check the authenticity of the source host's MAC-IP mapping and MAC address, and finally identify and discard spoofed ARP packets when processing ARP packets.
2. To verify the solution's effectiveness and time performance, this paper established SDN networks on the Mininet simulation platform. In a small-scale SDN network, the network state before and after running the solution under the same attack conditions was compared, and the results showed that the solution could accurately detect each ARP attack. In several large-scale SDN networks, 10 rounds of ARP interaction time before and after running the solution were tested. Experimental data showed that the operations of the solution do not affect normal communication between hosts, and that, because a large amount of ARP broadcast communication is avoided, the ARP interaction time between hosts was reduced.
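The controller-side check described in the abstract can be sketched as follows; this is an added example, not code from the thesis. It assumes that each ARP packet carries the next unrevealed hash chain value, that the access location is a (switch, port) pair, and that SHA-256 is the hash; the names `ArpGuard`, `HostEntry` and `make_chain` are hypothetical, and the DHCP server lookup is not modeled.

```python
import hashlib
import hmac
from dataclasses import dataclass

def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()

def make_chain(seed: bytes, length: int) -> list:
    """Host side: chain[i] = h(chain[i-1]); chain[-1] is shared with the controller."""
    chain = [seed]
    for _ in range(length):
        chain.append(h(chain[-1]))
    return chain

@dataclass
class HostEntry:          # one row of the configuration information table
    ip: str
    location: tuple       # (switch id, port) of initial access; format assumed
    last_value: bytes     # most recent chain value the controller has verified

class ArpGuard:
    def __init__(self):
        self.table = {}   # MAC -> HostEntry

    def register(self, mac, ip, location, chain_anchor):
        self.table[mac] = HostEntry(ip, location, chain_anchor)

    def check(self, src_mac, src_ip, location, chain_value) -> str:
        entry = self.table.get(src_mac)
        if entry is None:
            return "drop: unknown MAC"
        if entry.ip != src_ip:
            return "drop: MAC-IP mismatch"
        if entry.location != location:
            return "drop: unexpected location"
        # Only the real host can reveal the preimage of the stored value.
        if not hmac.compare_digest(h(chain_value), entry.last_value):
            return "drop: bad chain value"
        entry.last_value = chain_value   # advance, so a replayed value fails
        return "accept"

if __name__ == "__main__":
    chain = make_chain(b"constructed-seed-host-a", 3)   # constructed sample data
    guard = ArpGuard()
    guard.register("00:00:00:00:00:0a", "10.0.0.1", (1, 1), chain[3])
    print(guard.check("00:00:00:00:00:0a", "10.0.0.1", (1, 1), chain[2]))
    print(guard.check("00:00:00:00:00:0a", "10.0.0.9", (1, 1), chain[1]))
    print(guard.check("00:00:00:00:00:0a", "10.0.0.1", (1, 1), chain[2]))
```

Because the stored value advances on every accepted packet, an attacker who captures one ARP packet cannot reuse its chain value, and cannot compute the next one without inverting the hash.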
Keywords/Search Tags:SDN, ARP attack, Mininet