
Research And Implementation Of Key Technology For SDN Flow Table Overloading Defense

Posted on: 2022-07-04
Degree: Master
Type: Thesis
Country: China
Candidate: J An
Full Text: PDF
GTID: 2518306338966959
Subject: Cyberspace security
Abstract/Summary:
Software-Defined Networking (SDN) separates network control from forwarding and provides global visibility and programmability. As networks keep growing, the volume of data to be forwarded requires a large number of flow entries to be installed in each switch. However, the Ternary Content Addressable Memory (TCAM) used in switches is expensive and can only hold a few thousand flow rules, which makes the switch a target for flow table overload attacks. When such an attack occurs, network latency rises sharply and throughput drops sharply; without an appropriate defense mechanism, the entire SDN network may be paralyzed. A defense against flow table overload attacks needs to increase the network's resistance to the attack while minimizing the additional cost imposed on controllers and switches, and the existing defense solutions still leave room for improvement in both resistance and computational efficiency.

Based on the OpenFlow protocol, this paper designs a flow table overflow defense system that addresses the different stages of a flow table overflow attack. First, it proposes a dynamic routing scheme to reduce the probability of flow table overflow; second, it proposes a proactive detection scheme that predicts the number of flow entries, deletes suspicious flow entries, traces attackers, and discards malicious traffic. The two sub-solutions work together to ensure the availability of the data plane and enhance the security of the network. The main work and innovations of this paper are as follows:

(1) A dynamic routing scheme based on flow table usage. First, flow table usage, bandwidth and delay are measured and collected on the controller side. Then a comprehensive weighting method combining the entropy method and the fuzzy analytic hierarchy process is used to calculate the weights of the three attributes. Finally, the real-time attribute values and weights are used to select an optimal path for packet forwarding from the K paths produced by Yen's algorithm.

(2) A proactive detection scheme based on flow entry attributes, consisting of suspicious flow entry deletion and malicious traffic disposal. First, the quadratic exponential smoothing prediction algorithm is used to predict the number of flow entries in use in each switch; when the predicted value exceeds a threshold, the flow entries of that switch are retrieved for analysis. Then, a designed scoring standard evaluates how suspicious each flow entry is with respect to a low-rate flow table overflow attack, and abnormal flow entries are proactively deleted. At the same time, the suspicious flow entries are used to trace back to the source with a reverse strategy: the suspicious frequency of each host and of each backtracked switch are combined to identify the attacker. Finally, the controller installs designed flow entries to discard subsequent malicious traffic from the attacker.

(3) The flow table overflow defense system, including the above two sub-schemes, is implemented by secondary development on the Ryu controller. The functional test shows that the overall survival time of the system is increased by about 20% compared to the rerouting scheme proposed by Yuan Bin et al., and the performance test shows that the performance loss increases by less than 8% compared with the peer-support scheme. Therefore, the system can prolong the lifetime of the network and ensure the security of the data plane with a small performance loss.
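The prediction step of sub-scheme (2) relies on quadratic (Brown's double) exponential smoothing of the per-switch flow-entry count, with a threshold that decides when the controller pulls a switch's flow table for analysis. The following is an added worked example of that step, written for this page and not taken from the thesis or the Ryu code it describes. It assumes a smoothing factor of 0.5, an inspection threshold of 80% of the switch's TCAM capacity, and a constructed series of polled counts; the function names, the one-step horizon, the capacities and the sample values are all assumptions.

```python
"""Added example: forecast flow-table occupancy with Brown's double
exponential smoothing and flag switches whose predicted count crosses a
threshold.  Not the thesis's own code; parameters and samples are assumed."""
from dataclasses import dataclass, field


def double_exp_smoothing(series, alpha):
    """Return the first- and second-order smoothed values (S1, S2) after
    running over the whole series.  Both are seeded with the first sample,
    the usual choice when no history exists yet."""
    if not series:
        raise ValueError("need at least one sample")
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must lie strictly between 0 and 1")
    s1 = s2 = float(series[0])
    for x in series[1:]:
        s1 = alpha * x + (1.0 - alpha) * s1      # smooth the raw count
        s2 = alpha * s1 + (1.0 - alpha) * s2     # smooth the smoothed count
    return s1, s2


def forecast(series, alpha=0.5, horizon=1):
    """Brown's linear forecast: x(t+T) = a_t + b_t * T, where
    a_t = 2*S1 - S2 and b_t = alpha/(1-alpha) * (S1 - S2)."""
    s1, s2 = double_exp_smoothing(series, alpha)
    level = 2.0 * s1 - s2
    trend = alpha / (1.0 - alpha) * (s1 - s2)
    return level + trend * horizon


@dataclass
class SwitchState:
    dpid: str                      # datapath id (assumed label)
    capacity: int                  # TCAM flow-entry capacity (assumed)
    history: list = field(default_factory=list)   # polled entry counts


def should_inspect(state, alpha=0.5, horizon=1, ratio=0.8):
    """Return (flag, predicted_count).  The flag is set when the forecast
    reaches `ratio` of capacity, which is the point at which the thesis's
    detector fetches the switch's flow entries for suspiciousness scoring."""
    predicted = forecast(state.history, alpha, horizon)
    return predicted >= ratio * state.capacity, predicted


# Constructed sample: counts polled from two switches at a fixed interval.
# s1 is filling at a steady 20 entries per poll; s2 is flat and far from full.
SAMPLES = {
    "s1": SwitchState("s1", capacity=200, history=[100, 120, 140, 160, 180]),
    "s2": SwitchState("s2", capacity=2000, history=[300, 310, 305, 315, 310]),
}


def scan(samples=SAMPLES):
    """Return {dpid: predicted_count} for every switch that should be
    inspected on the next poll."""
    flagged = {}
    for dpid, state in samples.items():
        hit, predicted = should_inspect(state)
        if hit:
            flagged[dpid] = predicted
    return flagged


if __name__ == "__main__":
    for dpid, state in SAMPLES.items():
        print(dpid, "forecast:", forecast(state.history))
    print("inspect:", scan())
```

With the constructed series, s1 is forecast at 193.75 entries on the next poll, above 80% of its 200-entry capacity, so it is flagged while s2 is not. Seeding S1 and S2 with the first sample means the first few forecasts lag a real trend; a deployment would want a warm-up of several polls before acting on the flag, and a smaller alpha if the polled counts are noisy.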
Keywords/Search Tags:dynamic routing, weight calculation, flow table overload attack, OpenFlow protocol