
Research And Implementation Of SDN Controller Security Technology Based On NFV

Posted on:2020-04-18
Degree:Master
Type:Thesis
Country:China
Candidate:H Xue
Full Text:PDF
GTID:2428330590494027
Subject:Engineering
Abstract/Summary:
With the rapid development of the Internet worldwide, network security has become a focus of attention. Software-defined networking (SDN) is favored for its unique advantages, but its centralized control makes it vulnerable to network attacks. In particular, the threat that DDoS and other attacks pose to the core SDN component, the SDN controller, has not been well solved. Network function virtualization (NFV), on the other hand, offers flexible sharing of resources, rapid development and deployment of new services, and easy management, and has been highly valued by the industry. The combination of NFV and SDN has become a hot research topic. This thesis studies two kinds of security problems in the current SDN controller, proposes solutions based on NFV/SDN, and implements automatic deployment and control of the detection and defense system. The main work and contributions of this thesis include:

(1) A mechanism is proposed to protect the SDN controller against attacks that use a large number of redundant UDP packets. A detection middlebox (intermediate box) is placed in front of the OpenFlow switch port to detect and filter redundant UDP packet flows. A middlebox detection algorithm is proposed: before the SDN controller issues the flow table, only the first packet of a UDP flow is allowed to pass through the middlebox, which ensures that the relevant flow table entries already exist when the subsequent packets of the UDP flow arrive at the OpenFlow switch. A prototype system is designed and implemented based on NFV technology, and the test results show that the system can effectively remove the threat that a large number of redundant UDP packets poses to the SDN controller.

(2) A UDM is proposed to prevent DDoS attacks on the SDN controller. It is deployed between the SDN switch port and the user host to detect and reject DDoS attack messages. A middlebox-based DDoS attack detection algorithm is proposed, which can eliminate the effect of a DDoS attack by adjusting the buffer space of the middlebox. A prototype system is designed and implemented based on NFV technology, and the test results show that the system can effectively detect and prevent DDoS attacks on the controller in real time.

(3) An NFV-based network security experimental platform is implemented. A method for the automatic deployment and control of the network security experimental environment by means of software definition is studied and designed. Experiments were carried out on the platform, and the experimental results show that the method is feasible.
Keywords/Search Tags:network security, software defined network controller, network functions virtualization, UDP redundancy, DDoS
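
The first-packet rule from contribution (1), sketched as an added Python example; it is not code from the thesis. The names `FirstPacketGate` and `simulate_burst`, the rule-installed signal, the re-admission timeout, and dropping (rather than buffering) held packets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

PENDING_TIMEOUT = 1.0  # assumed: seconds to wait for the flow rule before re-admitting one packet
# A flow is keyed by a (src_ip, src_port, dst_ip, dst_port) tuple.

@dataclass
class FirstPacketGate:
    """Intermediate box (middlebox) state: one entry per UDP flow seen on the switch port."""
    pending: dict = field(default_factory=dict)   # flow -> time its first packet was forwarded
    installed: set = field(default_factory=set)   # flows that already have a rule in the switch
    forwarded: int = 0
    filtered: int = 0

    def on_packet(self, flow: tuple, now: float) -> bool:
        """Return True to forward the packet to the switch, False to filter it."""
        if flow in self.installed:
            self.forwarded += 1
            return True
        started = self.pending.get(flow)
        if started is None or now - started >= PENDING_TIMEOUT:
            # First packet of the flow, or the rule never arrived: let exactly one through.
            self.pending[flow] = now
            self.forwarded += 1
            return True
        self.filtered += 1      # redundant packet: it would only cause another packet-in
        return False

    def on_rule_installed(self, flow: tuple) -> None:
        """Assumed signal that the controller has pushed the flow entry to the switch."""
        self.pending.pop(flow, None)
        self.installed.add(flow)

def simulate_burst(n_packets: int, rule_after: int) -> tuple:
    """Constructed scenario: one flow sends packets 1 ms apart; the rule lands after
    `rule_after` packets. Returns (packet-ins ungated, packet-ins gated, packets filtered)."""
    gate = FirstPacketGate()
    flow = ("10.0.0.1", 40000, "10.0.0.2", 53)   # constructed sample flow
    ungated = gated = 0
    for i in range(n_packets):
        if i == rule_after:
            gate.on_rule_installed(flow)
        rule_present = i >= rule_after
        if not rule_present:
            ungated += 1        # without the gate, every table miss becomes a packet-in
        if gate.on_packet(flow, now=i * 0.001) and not rule_present:
            gated += 1          # with the gate, only admitted packets can miss the table
    return ungated, gated, gate.filtered

if __name__ == "__main__":
    print(simulate_burst(1000, 200))
```

The timeout keeps a flow from being blackholed if its single admitted packet or the resulting rule is lost; per-flow state in `pending` would itself need a bound in a real deployment.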