Research On Defense Mechanism For Distributed Denial Of Service Attack For OpenFlow Controller

Posted on: 2018-07-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Li
GTID: 2348330563952739
Subject: Engineering
Abstract/Summary:
With the rise of emerging technologies such as the mobile Internet, cloud computing, big data and software-defined networking (SDN), security issues are attracting more and more attention, and the rapid development of SDN has drawn increasing attention to the security of SDN itself. Because SDN separates the control plane from the forwarding plane and centralizes control in the controller, an attack on the controller creates a single point of failure that can lead to network congestion and business paralysis, and possibly to huge economic losses. Distributed denial of service (DDoS) attacks, the mainstream of today's network attacks, are able to cause such a single point of failure at the controller and the resulting denial of service, affecting the normal operation of the whole system.

Existing DDoS attack detection and defense schemes for the OpenFlow controller do not make good use of OpenFlow's advantages. Most research addresses DDoS attacks on network hosts; very little addresses the prevention of DDoS attacks against the controller. For this situation, this paper presents an OpenFlow-oriented, traceable DDoS attack detection and defense scheme. The proposed scheme and its innovations are as follows.

First, a preliminary detection mechanism is proposed that obtains global network topology information and port rate information by using OpenFlow's ability to collect switch information. Compared with approaches that obtain only the device link information in the network, the method proposed in this paper obtains both the device link information and the information of hosts connected to edge switches.

Second, a DDoS attack detection mechanism based on weighted average entropy and packet symmetry analysis is proposed. Weighted averaging is used to obtain the weighted entropy that best reflects the current state of the network, which solves the problem of threshold setting in complex network environments. Because attack packets have a "no return" characteristic, packet symmetry analysis can distinguish attack traffic from legitimate traffic well.

Finally, an attack blocking mechanism with attack trace-back is proposed: the corresponding blocking flow table is issued according to the obtained characteristics of the attack packets, and the attack is traced back using the obtained global network topology information. Issuing the blocking flow table discards the detected attack packets and reduces the pressure on the controller. Based on the global network topology information and port rate information, the trace-back locates the attack source host and takes it offline, which prevents the attacker from using the puppet host again for a new round of attacks on the controller and resists the DDoS attack at its source.

To verify the feasibility and effectiveness of the proposed DDoS attack defense scheme, the scheme was first implemented on the programmable API of the POX controller. Experiments were then carried out on the Mininet virtual experiment platform, which was used to create an OpenFlow virtual network based on the POX controller. The experimental results show that, compared with traditional network defenses against DDoS attacks, the defense scheme proposed for the OpenFlow controller detects and defends against DDoS attacks effectively and in a timely manner, completing the detection and cleaning of attack traffic within the time range that the controller can bear and minimizing, as far as possible, the loss to the whole system caused by the attack.
Keywords/Search Tags: SDN, OpenFlow, Distributed Denial of Service Attack, Anomaly Detection, POX
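
The two-stage detection idea in the abstract (an entropy check against a weighted average of earlier windows, then packet symmetry analysis) can be sketched as follows. This is an added example, not code from the thesis: the linear recency weights, the use of destination-address entropy, the tolerance of 0.5, the ratio of 0.2, all function names and the sample addresses are assumptions, since the abstract gives no formulas or parameters.

```python
import math
from collections import Counter

def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def weighted_average_entropy(history):
    """Weighted mean of earlier window entropies, newest weighted most.
    Assumption: linear weights 1..k; the abstract gives no weighting formula."""
    weights = range(1, len(history) + 1)
    return sum(w * h for w, h in zip(weights, history)) / sum(weights)

def no_return_sources(packets, min_ratio=0.2):
    """Sources whose received/sent packet ratio is below min_ratio (assumed value)."""
    sent = Counter(src for src, _ in packets)
    received = Counter(dst for _, dst in packets)
    return sorted(s for s in sent if received[s] / sent[s] < min_ratio)

def detect(history, packets, tolerance=0.5):
    """Stage 1: entropy deviation from the weighted baseline (tolerance assumed).
    Stage 2: only if stage 1 fires, list sources with asymmetric traffic."""
    current = entropy([dst for _, dst in packets])
    if abs(current - weighted_average_entropy(history)) <= tolerance:
        return []
    return no_return_sources(packets)

# Constructed sample traffic as (src, dst) pairs; all addresses are made up.
HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
NORMAL = [(a, b) for a in HOSTS for b in HOSTS if a != b] * 5
FLOOD = NORMAL + [("10.0.9.%d" % i, "10.0.0.1") for i in range(40)] * 3

if __name__ == "__main__":
    baseline = [entropy([d for _, d in NORMAL])] * 3
    print("normal window:", detect(baseline, NORMAL))
    print("flood window :", len(detect(baseline, FLOOD)), "sources flagged")
```

In the constructed flood window the destination entropy falls well below the baseline, and only the sources that receive no return traffic are reported; the legitimate host receiving the flood is not flagged because its own traffic remains answered.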