
Research On DoS Based Topology Amnesia Attack And Its Defense In Software-defined Networking

Posted on: 2023-10-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Zhang
Full Text: PDF
GTID: 2568307103485064
Subject: Information and Communication Engineering
Abstract/Summary:
In the rapidly developing world of networks, the existing IP network architecture struggles to satisfy the demands of the times because of its closed nature. In this context, a novel and open architecture, Software-Defined Networking (SDN), has emerged. By separating the control logic from the forwarding function of the traditional network, SDN makes it easier to maintain a global network view, since the control logic resides in the controller. Although SDN presents many opportunities for accelerating network development, it also poses new security concerns. On the one hand, due to the inherent performance bottleneck of SDN, attackers can easily launch denial-of-service (DoS) attacks on SDN components so that victims can no longer access network resources; on the other hand, attackers can abuse the core services of the SDN controller to fabricate network links, disrupt the controller's global network view, hijack legitimate traffic and damage normal network services. Although there have been many studies on DoS attacks and network topology attacks in SDN, no comprehensive study has combined the characteristics of the two types of attack. Accordingly, this paper provides the following work and innovations:

(1) From the perspective of attack, in order to better use the unique traffic forwarding mechanism of SDN to launch a DoS attack, this paper first systematically measures the performance bottlenecks of each SDN component to select the best attack target. Once the DoS attack succeeds, the real links between OpenFlow switches time out and are disconnected, splitting the network topology. To further expand the impact of the attack on the controller's global topology view, this paper constructs a special link in the split topology that triggers an implementation vulnerability in a core application inside the controller, causing large-area paralysis of the whole network topology. This paper names this attack the DoS-based switch cluster amnesia attack.

(2) From the perspective of defense, this paper analyzes the characteristics of the new attack in detail. Based on this analysis, a defense system, RobustTopo, is designed to detect and defend against both stages of the new attack. For the DoS stage, a detection algorithm based on the change of source addresses on each switch port is designed, which locates the attack accurately and in real time and sends wildcard flow rules to forward the attack flows; for the link fabrication stage, false links are quickly detected from multiple perspectives, preventing the generation of false links and effectively protecting the controller's global topology view.

(3) By extending the Floodlight controller, this paper integrates RobustTopo as an application module, deploys it in a real environment, and tests and evaluates it in detail. The experimental results show that RobustTopo not only effectively mitigates DoS attacks but also prevents attackers from fabricating malicious links, while the overhead on the controller is negligible.
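As an added illustration of the DoS-stage detector described in (2) (example code written for this page, not the thesis's RobustTopo implementation), the following sketch counts previously unseen source MACs per switch port over a sliding window and emits an in_port-only wildcard flow entry for a flagged port. The window length, threshold, the packet-in record layout and the drop action in the rule are assumptions; the packet-in stream at the bottom is constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class PacketIn:
    t: float        # arrival time at the controller, seconds (assumed layout)
    dpid: str       # datapath id of the switch that raised the packet-in
    port: int       # ingress port on that switch
    src_mac: str    # source MAC of the encapsulated frame

class SourceChurnDetector:
    """Flags a (switch, port) when more than `threshold` previously unseen
    source MACs appear on it within a sliding window of `window` seconds."""
    def __init__(self, window=1.0, threshold=20):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(set)      # (dpid, port) -> MACs already learned
        self.new_ts = defaultdict(deque)  # (dpid, port) -> times of new MACs

    def observe(self, pkt):
        key = (pkt.dpid, pkt.port)
        if pkt.src_mac in self.seen[key]:
            return None                   # known host, not a new address
        self.seen[key].add(pkt.src_mac)
        q = self.new_ts[key]
        q.append(pkt.t)
        while q and pkt.t - q[0] > self.window:
            q.popleft()                   # expire events outside the window
        return key if len(q) > self.threshold else None

def wildcard_rule(dpid, port, priority=1000, idle_timeout=30):
    """Flow entry matching only the ingress port (every other field wildcarded),
    so traffic from the flagged port is handled in the data plane instead of
    reaching the controller. The empty action list (drop) is an assumption."""
    return {"dpid": dpid, "priority": priority, "idle_timeout": idle_timeout,
            "match": {"in_port": port}, "actions": []}

def detect(packets, window=1.0, threshold=20):
    """Run the detector over a packet-in stream in time order and return one
    wildcard rule per flagged (dpid, port)."""
    det = SourceChurnDetector(window, threshold)
    rules = {}
    for p in sorted(packets, key=lambda x: x.t):
        key = det.observe(p)
        if key and key not in rules:
            rules[key] = wildcard_rule(*key)
    return rules

# Constructed sample: port 1 carries three legitimate hosts talking repeatedly;
# port 2 sees 50 distinct spoofed source MACs within half a second.
SW = "00:00:00:00:00:00:00:01"
SAMPLE = [PacketIn(i * 0.1, SW, 1, f"aa:bb:cc:00:00:0{i % 3}") for i in range(30)]
SAMPLE += [PacketIn(i * 0.01, SW, 2, f"de:ad:be:ef:00:{i:02x}") for i in range(50)]
```

A real deployment would key the rule on the switch that reported the packet-in and would keep the learned-MAC sets bounded; the thesis's own algorithm also locates the attack port before pushing rules, which is what the returned key represents here.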
Keywords/Search Tags: Software-Defined Networking, Fabricate Link, Floodlight Controller, Denial of service