With the continuous development of network technology, network attacks are becoming more diverse and complex. In recent years, researchers have identified a new form of Distributed Denial of Service attack launched against network links: the Link Flooding Attack (LFA). By flooding specific links with low-rate "legitimate" traffic, attackers can destroy the availability of target servers while easily bypassing the firewalls and Intrusion Detection Systems (IDS) deployed at the network edge, which makes the attack both highly damaging and hard to detect. How to effectively detect and mitigate LFA has therefore received growing attention from industry and academia. In recent years, the flexibility and programmability of Software-Defined Networking (SDN) have offered a new way to defend against LFA. However, existing SDN-based LFA defense schemes still have defects. First, the defender's choice of which links to protect still depends on prior knowledge, so it is difficult to provide timely protection in multi-round LFA scenarios where the target links change constantly. In addition, the feasibility of deploying SDN-based schemes on the public network is not discussed.

To solve these problems, this thesis proposes a high-performance defense scheme for complex LFA scenarios that achieves timely detection and rapid mitigation of LFA. At the same time, the thesis fully considers the practical deployment of SDN and optimizes the deployment and control overhead of existing LFA defense schemes. The main research content of this thesis is as follows:

1. Research on a high-performance defense scheme against complex LFA. For the detection of LFA, this thesis proposes an LFA detection mechanism based on attack intent discovery, which dynamically analyzes the target links before the attack is established and improves the timeliness and accuracy of target link prediction. For the mitigation of LFA, the thesis deploys defense measures in advance according to the predicted target links, reducing the time required to mitigate the attack. The thesis also abstracts the rerouting of traffic away from the target links as an optimization problem with complex constraints and proposes a greedy algorithm that solves it in polynomial time; the algorithm mitigates the attack effectively while avoiding conflicts between rerouted paths. Finally, experiments on a simulation platform demonstrate that these schemes have better overall defense performance.

2. Optimization of deployment and control overhead for LFA defense. In view of the high deployment overhead of existing schemes, this thesis introduces a hybrid SDN scenario and proposes an SDN deployment node selection algorithm based on the idea of K-Means. It achieves LFA detection with a small number of SDN nodes, which greatly reduces the cost of SDN devices without affecting defense performance. To address the limited flow table capacity of SDN switches, the thesis proposes an SDN flow table management algorithm based on real-time load feedback, which dynamically assigns timeouts to flow entries according to the current load of each switch, improving flow table utilization and reducing control overhead. Finally, the feasibility of the scheme is verified on real network topologies and traffic datasets.
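The greedy rerouting step in item 1, as an added Python illustration rather than the thesis's own algorithm: the abstract does not state the constraints, so the toy topology, per-link capacities, flow demands, the largest-demand-first order and the conflict rule (a detour may only use a link whose residual capacity, after earlier detours are reserved, still fits the flow) are all assumptions made here.

```python
import heapq

def links(path):
    """Unordered node pairs along a path, so A-B and B-A share one capacity entry."""
    return [frozenset(path[i:i + 2]) for i in range(len(path) - 1)]

def shortest_path(graph, src, dst, banned, residual, demand):
    """Dijkstra over links that are not banned and still have room for `demand`."""
    best, heap = {src: 0}, [(0, src, [src])]
    while heap:
        d, u, path = heapq.heappop(heap)
        if u == dst:
            return path
        for v, w in graph[u].items():
            e = frozenset((u, v))
            if e in banned or residual[e] < demand or d + w >= best.get(v, float("inf")):
                continue
            best[v] = d + w
            heapq.heappush(heap, (d + w, v, path + [v]))
    return None                                     # no feasible detour

def greedy_reroute(graph, capacity, flows, target_links):
    """Move flows off predicted target links, largest demand first; each accepted detour
    reserves capacity, so later detours cannot overload a link (no path conflicts)."""
    banned, residual = {frozenset(l) for l in target_links}, dict(capacity)
    def charge(path, amount):
        for e in links(path):
            residual[e] -= amount
    for _, _, demand, path in flows.values():      # account for current placements
        charge(path, demand)
    new_paths, unplaced = {}, []
    for fid, (src, dst, demand, path) in sorted(flows.items(), key=lambda kv: -kv[1][2]):
        if not any(e in banned for e in links(path)):
            continue                                # not on a target link: leave it
        charge(path, -demand)                       # release the old path
        detour = shortest_path(graph, src, dst, banned, residual, demand)
        if detour is None:
            unplaced.append(fid)
            charge(path, demand)                    # no room anywhere: keep old path
        else:
            new_paths[fid] = detour
            charge(detour, demand)
    return new_paths, unplaced

# Constructed toy topology (hop cost per link, single-letter nodes); B-D is the predicted
# target link and C-D is deliberately narrow, so the two flows on B-D need different detours.
GRAPH = {"A": {"B": 1, "C": 1, "E": 2}, "B": {"A": 1, "D": 1}, "C": {"A": 1, "D": 1},
         "D": {"B": 1, "C": 1, "E": 2}, "E": {"A": 2, "D": 2}}
CAP = {frozenset(e): c for e, c in [("AB", 10), ("BD", 10), ("AC", 10), ("CD", 5), ("AE", 10), ("ED", 10)]}
FLOWS = {"f1": ("A", "D", 4, ["A", "B", "D"]), "f2": ("A", "D", 3, ["A", "B", "D"]),
         "f3": ("C", "D", 2, ["C", "D"])}   # id: (src, dst, demand, current path)
```

Running `greedy_reroute(GRAPH, CAP, FLOWS, [("B", "D")])` moves f1 onto A-E-D and f2 onto A-C-D: the narrow C-D link cannot hold both, and reserving capacity as each detour is accepted is what keeps the two rerouted paths from conflicting.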