
Research On SDN Control Plane Security Defense

Posted on: 2019-04-28
Degree: Master
Type: Thesis
Country: China
Candidate: H J Zhao
Full Text: PDF
GTID: 2348330563454413
Subject: Engineering

Abstract/Summary:
Software Defined Networking (SDN) is a new technology which can effectively solve some problems in traditional networks. However, the new features of SDN also bring new security challenges. The control plane is the core of the SDN. Once the control plane has security issues, it will affect the entire network. Thus, the security of the control plane is the most important part of SDN. This thesis deeply analyzes the security issues existing in the control plane, and divides them into southbound and northbound security issues according to whether the attacker comes from the data plane or the application plane. This thesis focuses on DoS/DDoS attacks and third-party SDN application management problems in the control plane. The main work of this thesis is as follows:

(1) Research on DoS/DDoS attacks, which are among the most threatening attacks in southbound security issues. In order to study DoS/DDoS attacks more systematically, the attack method was first discussed, and a network scanning-based attack method was proposed. The attack is then defended against in three phases: attack filtering, attack detection, and attack defense. The attack filtering phase is mainly used to reduce the load on the controller; in this phase, attack packets with fake source IP/MAC addresses and redundant Packet-in messages can be filtered out. The attack detection phase adopts a lightweight detection algorithm based on Packet-in rate, entropy and switch statistical data, which can detect the attack and locate the attack source. In the attack defense phase, the number of flow entries in the switch is reduced by delivering flow entries with a smaller timeout value, so that the attack can be effectively prevented. Finally, the proposed defense mechanism was simulated on a Mininet+Ryu-based simulation platform. Compared with existing defense mechanisms, the defense mechanism proposed in this thesis performs better, since the number of Packet-in messages received by the controller and the number of flow entries in the switch are both reduced.

(2) Research on third-party SDN application management and DoS/DDoS attacks in northbound security issues. First, an SDN application management mechanism is proposed to monitor third-party SDN applications: a third-party SDN application must be authenticated and authorized before it can access the controller, and its behavior is monitored while it runs. Then DoS/DDoS attacks from the application plane are considered, especially those caused by a large number of REST requests and by malicious flow entry injection. Against floods of REST requests, a queue-based defense mechanism is proposed: the controller polls the REST request queues using a WRR (Weighted Round Robin) mechanism, so that the controller is not overloaded and normal SDN applications can share more of the controller's resources. Against attacks caused by malicious flow entry injection, a filtering mechanism is proposed to filter out the malicious flow entries. Finally, the proposed defense mechanism is verified on the simulation platform. The simulation results show that the mechanisms proposed in this thesis effectively defend against the northbound attacks.
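As an added illustration of the detection and defense phases described in (1), not code from the thesis: a controller-side routine that classifies one time window of Packet-in messages by their rate and by the normalized entropy of source and destination addresses, locates the (switch, in_port) that generated most of them, and shortens the flow idle timeout while the attack persists so that junk entries age out of the switch. The PacketIn fields, the thresholds and the two sample windows are constructed assumptions for this example.

```python
import math
from collections import Counter, namedtuple

# One Packet-in as seen by the controller (field set is an assumption for this example).
PacketIn = namedtuple("PacketIn", "ts switch in_port src_ip dst_ip")


def normalized_entropy(counts):
    """Shannon entropy of a frequency distribution, scaled to [0, 1]."""
    total = sum(counts.values())
    n = len(counts)
    if total == 0 or n <= 1:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(n)


def analyze_window(events, window_seconds, rate_threshold=20.0,
                   src_entropy_hi=0.9, dst_entropy_lo=0.2, port_share=0.6):
    """Classify one window of Packet-in messages.

    Thresholds are illustrative assumptions, not values from the thesis.
    Verdict: Packet-in rate above threshold AND an entropy anomaly (many
    distinct senders, as with spoofed sources, or traffic collapsing onto a
    single destination). The suspected source is the (switch, in_port) pair
    that produced most Packet-ins, reported only if it dominates the window.
    """
    rate = len(events) / window_seconds
    src_h = normalized_entropy(Counter(e.src_ip for e in events))
    dst_h = normalized_entropy(Counter(e.dst_ip for e in events))
    ports = Counter((e.switch, e.in_port) for e in events)
    top_port, top_count = ports.most_common(1)[0] if ports else (None, 0)
    share = top_count / len(events) if events else 0.0
    attack = rate > rate_threshold and (src_h > src_entropy_hi or dst_h < dst_entropy_lo)
    return {
        "rate": rate,
        "src_entropy": round(src_h, 3),
        "dst_entropy": round(dst_h, 3),
        "attack": attack,
        "source": top_port if attack and share >= port_share else None,
    }


def flow_idle_timeout(attack, normal=60, under_attack=5):
    """Idle timeout (seconds) for flow entries installed during this window;
    a short timeout under attack keeps the switch's flow table from filling up."""
    return under_attack if attack else normal


# Constructed sample windows, 4 seconds each: benign background traffic, and a
# flood arriving on one port from many never-seen sources towards one host.
NORMAL_WINDOW = [
    PacketIn(i * 0.25, "s1", 1 + i % 4, f"10.0.0.{1 + i % 8}", f"10.0.1.{1 + i % 3}")
    for i in range(16)
]
ATTACK_WINDOW = [
    PacketIn(i * 0.02, "s1", 3, f"192.0.2.{i}", "10.0.0.1")
    for i in range(200)
]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("attack", ATTACK_WINDOW)):
        verdict = analyze_window(window, window_seconds=4.0)
        print(name, verdict, "idle_timeout:", flow_idle_timeout(verdict["attack"]))
```

Run over the two sample windows, the benign one stays below the rate threshold and yields no source, while the flood is flagged with its source located at ("s1", 3) and the idle timeout drops from 60 to 5 seconds. In a real deployment the rate threshold would be calibrated per switch from the statistics the controller already collects.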
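An added example, not the thesis's implementation, of the queue-based REST defense described in (2): each authorized application is given its own bounded request queue, and the controller drains the queues by weighted round robin, so a single flooding application cannot delay the other applications' requests and can only exhaust its own slots. The application names, weights, request strings and queue capacity are constructed assumptions.

```python
from collections import deque


class WrrRestScheduler:
    """Per-application REST request queues served by weighted round robin.

    Assumptions for this example: an application is registered with a weight
    once it has been authenticated and authorized, and every queue is bounded
    so that one misbehaving application cannot consume unbounded memory.
    """

    def __init__(self, weights, max_queue=200):
        self.weights = dict(weights)          # app name -> slots per round
        self.max_queue = max_queue
        self.queues = {app: deque() for app in self.weights}

    def submit(self, app, request):
        """Enqueue a request; returns False if the app is unregistered or its queue is full."""
        q = self.queues.get(app)
        if q is None or len(q) >= self.max_queue:
            return False
        q.append(request)
        return True

    def schedule(self):
        """Yield (app, request) in service order: in each round, app i gets up to weight[i] slots."""
        while any(self.queues.values()):
            for app, weight in self.weights.items():
                q = self.queues[app]
                for _ in range(weight):
                    if not q:
                        break
                    yield app, q.popleft()


def run_demo():
    """Constructed scenario: one flooding application and two normal ones."""
    sched = WrrRestScheduler({"flooder": 1, "monitor": 2, "firewall": 2})
    rejected = sum(not sched.submit("flooder", f"GET /stats/{i}") for i in range(1000))
    for i in range(5):
        sched.submit("monitor", f"GET /topology/{i}")
        sched.submit("firewall", f"POST /flows/{i}")
    order = list(sched.schedule())
    # Position in the service order at which each app's last request is handled.
    last_served = {app: max(i for i, (a, _) in enumerate(order) if a == app)
                   for app in sched.weights}
    return {"rejected": rejected, "served": len(order), "last_served": last_served}


if __name__ == "__main__":
    print(run_demo())
```

With a plain FIFO the two normal applications would wait behind all of the flooder's requests; under WRR their five requests each are fully served within the first thirteen slots, 800 of the flooder's 1000 requests are rejected at the bounded queue, and the remaining 200 are served one per round afterwards.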
Keywords/Search Tags: SDN, Network Security, DoS/DDoS, Application Management, Defense