
Denial-of-Service Attack Defense In Software-Defined Networking

Posted on: 2019-04-12 | Degree: Master | Type: Thesis
Country: China | Candidate: P P Wu | Full Text: PDF
GTID: 2428330566984142 | Subject: Software engineering
Abstract/Summary:
As a new network architecture, software-defined networking (SDN) separates the control plane from the data plane and provides centralized, programmable network control. Denial-of-service attacks, the most common and effective attack method in traditional networks, remain a central topic in SDN security. Research on denial-of-service attacks in SDN falls into two areas: using the new features of SDN to address traditional denial-of-service attacks more effectively, and defending against denial-of-service attacks that target the software-defined network itself. This paper conducts security research on both. On the one hand, denial-of-service attacks against the SDN controller congest the channel between the data plane and the control plane and overload the controller, eventually causing the whole network to fail. This paper therefore proposes FMD (Flow Migration Defense), a protection strategy that uses multiple controllers and suspicious-flow migration. FMD migrates suspicious flows to an extended controller, which alleviates congestion on the main controller's channel. The extended controller uses request caching and request re-forwarding to alleviate overload of the main controller. On the other hand, feature collection can incur excessive network resource cost in large-scale networks. This paper therefore proposes ADSS (Adaptive DDoS Sense Scheme), an adaptive monitoring method that combines link-based coarse-grained monitoring with flow-based fine-grained monitoring. ADSS uses a self-organizing map neural network to detect potential denial-of-service attacks based on link characteristics and network flow characteristics respectively. Both schemes are simulated using the Ryu controller and the Mininet network simulator. The experimental results for FMD show that it maintains a low controller response time and a low network packet loss rate under high-traffic denial-of-service attacks, effectively protecting the control channel and controller resources. The experimental results for ADSS show that it can effectively locate DDoS attackers and victims in a complex network environment, counter source IP forgery attacks, and reduce the overhead on controller computing resources and switch cache resources.
Keywords/Search Tags: Software-Defined Networking, Denial of Service Attack, OpenFlow protocol