Software Defined Networking (SDN) is a novel network architecture that decouples the data plane from the control plane in order to achieve centralized control of the whole network. It improves network scalability and programmability and offers great advantages in network flexibility, automation and resource utilization. However, as networks grow explosively, many network security issues arise, and SDN also faces many network security threats. For example, the SDN controller inevitably becomes a critical point of failure for the entire network when it comes under malicious attack, such as a distributed denial of service (DDoS) attack. To address this problem, this work investigates the detection of abnormal traffic in the programmable data plane and presents a DDoS attack detection prototype based on information entropy in the SDN data plane, implemented in the P4 (Programming Protocol-independent Packet Processors) language. This paper first surveys the research background and significance of the subject, analyzes the current state of research and the basic research methods at home and abroad, and designs a DDoS attack detection scheme based on the SDN programmable data plane. The main contributions of this work are as follows:

(1) Analyzed the basic architecture of software defined networking and the main functions and working modes of the data plane; introduced the P4 language and the basic concept of information entropy; proposed a prototype of information-entropy-based DDoS attack detection in the data plane using P4, and explored the detection of abnormal network traffic in the SDN data plane.

(2) Proposed an optimized DDoS attack detection mechanism based on information entropy in the SDN environment. A packet processing pipeline is designed for DDoS attack scenarios which estimates the entropy of source and destination host addresses and the entropy of the source IP addresses of packets arriving at a host, and further detects attacks based on the information entropy of port access. The entropy measurement not only characterizes the traffic rate but also serves to compute the anomaly detection threshold (as a function of a tunable sensitivity coefficient). Forwarding devices have strict time and memory limits, and existing entropy-based detection mechanisms compute and analyze the entropy of the source and destination IP addresses of every packet in each observation window; traversing such a large amount of data on a high-speed link reduces accuracy. In the experiment, the frequency of each distinct IP address is estimated with a set of counting hash tables, and only the entropy of all source IP addresses targeting the destination host is stored, which greatly reduces the overhead. Using data sets of legitimate traffic and DDoS attacks, this paper evaluates the entropy estimation error, and the detection performance is evaluated in terms of accuracy and resource consumption. Through this flexible hash-table-based entropy estimation method, DDoS attack detection in the data plane is achieved.

(3) Built a verification platform and validated the proposed method: a software-defined network security experiment platform was built with the open source virtual machine software VirtualBox, SDN switches and a controller, to test the detection rate and false alarm rate of the attack detection mechanism under attack scenarios. Experimental results show that the proposed attack detection mechanism is feasible, detects attacks promptly and effectively, and achieves a detection rate of over 99%. The experimental evaluation proves that the proposed security detection mechanism can be implemented in the data plane and obtains a performance advantage.

By performing DDoS attack detection entirely in the data plane, the proposed mechanism improves on previous work. Taking the TCP SYN flooding attack as an example, only the entropy of all source IP addresses with the host as destination address needs to be calculated: if the entropy of the source IP addresses of packets arriving at the host is high, the network can be judged to be under attack. There is no need to calculate the entropy of the source and destination IP address of each packet and then compare it with the host's source and destination entropy, which greatly reduces the computational overhead.
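As an added illustration (not code from the thesis or its P4 prototype), the following Python simulation shows the per-host source-IP entropy check described above: it counts the source addresses of packets destined to one host over an observation window, derives the anomaly threshold from benign windows using a sensitivity coefficient k, and flags a constructed SYN-flood window whose spoofed sources drive the entropy up. The threshold form mean + k standard deviations, the host addresses and the traffic mix are assumptions for the demo; the thesis does not give its exact threshold formula.

```python
"""Per-host source-IP entropy check over observation windows (added example)."""
import math
import random
from collections import Counter


def source_ip_entropy(packets, dst_host):
    """Shannon entropy (bits) of source IPs of packets whose destination is dst_host.

    packets: iterable of (src_ip, dst_ip) pairs seen in one observation window.
    A Python dict stands in for the hash-indexed counter registers a P4 data
    plane would use; with one or zero sources the entropy is 0.0.
    """
    counts = Counter(src for src, dst in packets if dst == dst_host)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def detection_threshold(baseline_entropies, k):
    """Threshold = mean + k * stddev of benign-window entropies (assumed form).

    k is the sensitivity coefficient: larger k means fewer false alarms but
    a less sensitive detector.
    """
    n = len(baseline_entropies)
    mean = sum(baseline_entropies) / n
    var = sum((h - mean) ** 2 for h in baseline_entropies) / n
    return mean + k * math.sqrt(var)


def is_under_attack(window, dst_host, threshold):
    """Flag the window when the per-host source-IP entropy exceeds the threshold."""
    return source_ip_entropy(window, dst_host) > threshold


# Constructed traffic: eight legitimate clients talking to host 10.0.1.1.
def benign_window(rng, n=200):
    clients = [f"10.0.0.{i}" for i in range(1, 9)]  # max entropy log2(8) = 3 bits
    return [(rng.choice(clients), "10.0.1.1") for _ in range(n)]


# Constructed SYN flood: spoofed, near-uniform sources -> entropy far above 3 bits.
def syn_flood_window(rng, n=200):
    return [(f"198.51.100.{rng.randrange(256)}", "10.0.1.1") for _ in range(n)]


def demo(seed=1, k=3.0):
    """Calibrate on 20 benign windows, then test one benign and one flood window."""
    rng = random.Random(seed)
    baseline = [source_ip_entropy(benign_window(rng), "10.0.1.1") for _ in range(20)]
    thr = detection_threshold(baseline, k)
    benign_flag = is_under_attack(benign_window(rng), "10.0.1.1", thr)
    flood_flag = is_under_attack(syn_flood_window(rng), "10.0.1.1", thr)
    return thr, benign_flag, flood_flag
```

A real P4 pipeline cannot use floating-point logarithms, so it would replace `math.log2` with a fixed-point lookup table and keep the counters in fixed-size register arrays, but the decision logic is the same.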