
Design And Implement Of The NFV-Based Detection And Defense System Against Routing Spoofing Attack On The OSPF Protocol

Posted on: 2020-11-19
Degree: Master
Type: Thesis
Country: China
Candidate: P F Li
Full Text: PDF
GTID: 2428330590994027
Subject: Engineering
Abstract/Summary:
With the deep integration of the Internet into politics, the economy, culture, the military and other fields, people increasingly rely on the Internet. At the same time, the Internet is subject to more and more security threats and attacks, which seriously endanger national security and social stability. Open Shortest Path First (OSPF) is a widely used routing protocol in the Internet. There are many kinds of route spoofing attacks on OSPF, and there is no comprehensive and effective way to detect and defend against them. Research into methods for detecting and defending against OSPF route spoofing attacks is therefore critical to the security of the Internet. This thesis focuses on the detection and defense mechanisms for OSPF route spoofing attacks. By building an NFV-based security test platform, it designs and implements detection and defense technology for OSPF route spoofing attacks. The main work of this thesis is as follows:

1. The attack principle of OSPF disguised LSA attacks is analyzed, and three necessary conditions for determining attackers are proposed. An NFV-based method for detecting and defending against OSPF disguised LSA attacks is proposed. Based on NFV technology, a detection middle box and an analysis server are designed for detecting attacks and eliminating route pollution. The detection middle box is responsible for capturing the relevant OSPF packets from each link and sending OSPF packet trace records to the analysis server; the analysis server invokes the detection algorithm to analyze and process the received stream of OSPF packet trace records and, if an attack is detected, raises an alarm and sends an instruction to the detection middle box to restore the contaminated routes. The experimental results show the effectiveness of the proposed method.

2. The current major OSPF route spoofing attacks are analyzed and compared, and the attacks are divided into those with counterattacks and those without counterattacks; two types of OSPF route spoofing attack detection algorithms and defense mechanisms, ARSAO (Against the Routing Spoofing Attacks on the OSPF protocol), are then proposed. A general system architecture is designed to support both detection of and defense against OSPF route spoofing attacks. Finally, experimental verification is performed.

3. A system for automatically deploying the OSPF security network test platform is designed and implemented. The system is used to verify the detection of and defense against routing spoofing attacks on the OSPF protocol. It is divided into an application plane and a control plane. The application plane is responsible for defining network topology deployment files, Virtual Middle Box (VMB) deployment files, and control policy files. The control plane is responsible for parsing and executing the network topology and VMB deployment files to set up the network topology and deploy the VMBs, and for controlling the specific behavior of the virtual network functions (VNFs) in each VMB by parsing and scheduling the policy file. The experimental results show the feasibility of the proposed method.
Keywords/Search Tags:Network security, OSPF routing spoofing attack, Detection and defense methods, NFV, Automated deployment