Software-Defined Networking (SDN) makes networks more flexible to manage because of its logically centralized architecture and programmable capabilities. At the same time, that centralized architecture exposes SDN to denial of service (DoS) attacks. Research on DoS attack detection and defense in SDN, aimed at keeping the controller operating normally and strengthening network security, has therefore become an active topic. Addressing DoS attacks that target the controller in SDN, we propose detection and mitigation schemes for DoS attacks in single-controller and multi-controller environments, so that the controller can respond to the requests of normal users in time.

For DoS attacks in a single-controller environment, this thesis proposes an attack mitigation mechanism based on a non-cooperative repeated game. We propose a DoS attack detection mechanism based on information entropy, the packet_in message rate and the packet_in message response rate. By installing migration flow rules, the packet_in messages of a suspicious user are migrated to the data plane cache and forwarded to the controller by that cache, relieving the pressure on the controller. At the same time, user priorities and punishment times are set by a penalty-incentive mechanism to ensure that the requests of normal users are responded to in time.

For DoS attacks in a multi-controller environment, we propose an attack mitigation scheme based on a clustering algorithm and switch migration. We use the density peak clustering algorithm (DPCA) to cluster users into normal users, suspicious users and malicious users. The traffic of malicious users is discarded. If the packet_in requests sent by the switches under a controller exceed the capacity of that controller, switches under it are migrated. The flow rules of malicious users are analyzed statistically at regular intervals so that an attacker can return to the network after stopping the attack.

In this thesis, the Mininet network simulation platform and the Ryu controller are adopted to build the SDN simulation environment, and the performance of the proposed algorithm is tested under DoS attack. The proposed algorithm is compared with existing algorithms in terms of average response time, the number of packet_in messages received by the controller, packet loss rate and other metrics, which verifies the effectiveness of the proposed algorithm.
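The single-controller detection mechanism above combines three signals: information entropy, packet_in message rate and packet_in message response rate. The following Python block is an added example, not code from the thesis, that shows how a controller-side monitor could compute those three features over a time window of packet_in events and flag a window as suspicious. All thresholds, the choice of destination IP as the entropy field, the helper names (`window_features`, `classify_window`, `top_sources`) and the packet_in records are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed packet_in records: (timestamp_s, src_ip, dst_ip, answered)
# "answered" marks whether the controller installed a flow rule for the
# packet_in within its deadline; it feeds the response-rate feature.
NORMAL_WINDOW = [
    (0.1, "10.0.0.1", "10.0.0.2", True),
    (0.4, "10.0.0.3", "10.0.0.2", True),
    (0.8, "10.0.0.1", "10.0.0.4", True),
    (1.1, "10.0.0.5", "10.0.0.6", True),
    (1.5, "10.0.0.3", "10.0.0.7", True),
    (1.9, "10.0.0.5", "10.0.0.4", True),
]

WINDOW_SECONDS = 2.0       # assumed sampling window
RATE_THRESHOLD = 10.0      # assumed packet_in/s the controller can absorb
BASELINE_ENTROPY = 2.0     # assumed learned entropy of dst IPs in normal traffic
ENTROPY_MARGIN = 1.0       # assumed tolerated deviation from the baseline
RESPONSE_FLOOR = 0.8       # assumed minimum acceptable response rate


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    total = len(values)
    if total == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_features(events, window_seconds=WINDOW_SECONDS):
    """Return (packet_in rate, response rate, dst-IP entropy) for one window."""
    n = len(events)
    rate = n / window_seconds
    response_rate = (sum(1 for e in events if e[3]) / n) if n else 1.0
    dst_entropy = shannon_entropy([e[2] for e in events])
    return rate, response_rate, dst_entropy


def classify_window(events):
    """Label a window 'suspicious' if any of the three features is abnormal."""
    rate, response_rate, dst_entropy = window_features(events)
    reasons = []
    if rate > RATE_THRESHOLD:
        reasons.append("packet_in rate")
    # A flood toward one host lowers entropy; a flood of random, table-missing
    # destinations raises it, so deviation in either direction is flagged.
    if abs(dst_entropy - BASELINE_ENTROPY) > ENTROPY_MARGIN:
        reasons.append("entropy")
    if response_rate < RESPONSE_FLOOR:
        reasons.append("response rate")
    return ("suspicious" if reasons else "normal"), reasons


def top_sources(events, n=3):
    """Sources generating the most packet_ins; candidates for migration rules."""
    return Counter(e[1] for e in events).most_common(n)


def build_attack_window():
    """Constructed flood: one host sends 40 packet_ins to 40 distinct
    destinations in one window; the overloaded controller answers only 30."""
    flood = [
        (i * 0.05, "10.0.0.9", f"192.168.1.{i}", i < 30) for i in range(40)
    ]
    return NORMAL_WINDOW + flood


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW),
                         ("attack", build_attack_window())):
        label, reasons = classify_window(window)
        print(name, label, reasons, top_sources(window, 1))
```

In the thesis's scheme, a window labelled suspicious would lead to migration flow rules for the top-ranked sources, sending their packet_ins to the data plane cache instead of directly to the controller, while the baseline entropy and rate threshold would be learned from the deployment's own traffic rather than fixed as here.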