
Research On Tracing Strategies For SDN Networks Based On OpenFlow

Posted on: 2019-02-03
Degree: Master
Type: Thesis
Country: China
Candidate: F Zhang
GTID: 2348330569987684
Subject: Communication and Information System
Abstract/Summary:
Software-Defined Networking (SDN) is currently the most popular network architecture. It separates the control plane of the network from the forwarding plane, centralizes control of the whole network, and brings innovation to network development. However a network is formed, network security is a problem that can never be ignored. With the popularity of SDN, network security has become an important factor restricting its development, and security issues have become a hot research area of SDN.

Network protection schemes can be divided into two kinds: one finds the attack and deals with it at the place where the attack is found; the other finds the source of the attack and handles it at the source. The former can respond quickly to an attack but cannot address its root cause. In the case of network attacks, only by finding the source can the attack be effectively restrained. In SDN networks, special attention needs to be paid to a class of DoS attacks that Seungwon Shin calls the data-plane-to-control-plane saturation attack, shortened to saturation attack. This type of attack generates a large number of new data flows in the SDN network, and many of the attack flows originate from the same source.

This thesis studies the SDN network architecture and the working principle of the OpenFlow protocol. Against the saturation attack, it designs an SDN attack traceability scheme and a traceability scheme applicable to large SDN networks. The main work and results are as follows:

(1) This thesis analyzes the characteristics of the saturation attack. By changing information such as the source IP and source MAC address, the attacker can produce a large number of attack packets in the SDN network; each attack packet that passes through an OpenFlow switch causes the switch to create a Packet-In message and send it to the controller. This thesis designs ID information, consisting of the packet's source IP, destination IP, source MAC and destination MAC, to identify a data flow in the network. The controller collects Packet-In messages from the network and extracts the ID information in each message. An attack source generates multiple attacks with different IDs, but for each attack packet the ID information is constant; using the traceability algorithm, the physical location of the attack source can be found.

(2) This thesis designs an attack traceability scheme for SDN networks based on Packet-In messages. Unlike in traditional networks, attack traceability in SDN can be done in the controller. The SDN controller collects ID information from Packet-In messages and, at the same time, obtains the forwarding rules of the network's OpenFlow switches and extracts ID information from those rules. With the ID, the controller can judge whether the packet flowed through a specific switch and find the switch whose rules match the ID. By jumping back hop by hop according to the forwarding rules, the controller can trace back the messages and find suspicious attack sources.

(3) This thesis designs an SDN attack traceability scheme based on a monitoring node. As the network size increases, the scheme in work (1) needs to parse and match the forwarding rules of a large number of switching devices, resulting in huge overhead. This scheme selects temporary monitoring nodes in the vicinity of the suspected attack source, choosing in each round the node with the smallest monitoring cost, and monitors the suspicious nodes by the change in Packet-In message rate. When the change in message rate is abnormal, the suspicious attack source can be traced back from the temporary monitoring node, which achieves rapid traceability.

(4) This thesis uses Mininet and the Floodlight controller for simulation. Mininet simulates the SDN network and connects to an external Floodlight controller. The iPerf tool generates network background flows, and an attack script simulates DoS attack flows. Packet-In message parsing and statistics modules are added to the Floodlight controller to collect and analyze the data. Simulation results show that the SDN attack traceability scheme is feasible and that, by choosing proper temporary monitoring nodes, traceability efficiency can be improved.
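The ID construction, hop-by-hop trace-back over switch forwarding rules, and monitoring-node rate check described in (1) to (3), as an added Python example that is not part of the thesis or its Floodlight modules. The topology, rules and Packet-In records are constructed sample data, and the abnormal-rate threshold (factor x baseline) is an assumption.

```python
from collections import Counter

ID_FIELDS = ("src_ip", "dst_ip", "src_mac", "dst_mac")

def flow_id(pkt):
    """The thesis's ID for a data flow: the four header fields carried in a Packet-In's packet."""
    return tuple(pkt[f] for f in ID_FIELDS)

def rule_matches(match, fid):
    """A rule matches when every field it specifies equals the ID's value; unspecified fields are wildcards."""
    return all(fid[ID_FIELDS.index(k)] == v for k, v in match.items())

def trace_back(fid, switch, in_port, rules, links):
    """Start at the port the Packet-In arrived on and jump upstream along rules that forward fid.
    rules: switch -> [(match, in_port, out_port)]; links: (switch, port) -> (upstream switch, its port).
    Returns the edge (switch, port) the flow entered on, or None if no rule on the path matches."""
    seen = set()
    while (switch, in_port) in links:            # a switch sits behind this port: keep jumping back
        if switch in seen:                        # forwarding loop: give up rather than spin
            return None
        seen.add(switch)
        switch = links[(switch, in_port)][0]
        rule = next((r for r in rules.get(switch, []) if rule_matches(r[0], fid)), None)
        if rule is None:
            return None
        in_port = rule[1]
    return (switch, in_port)                      # no switch behind this port: physical location of the source

def suspected_sources(packet_ins, rules, links):
    """Trace every Packet-In; many distinct IDs resolving to one edge port is the saturation-attack signature."""
    per_port = Counter()
    for sw, port, pkt in packet_ins:
        loc = trace_back(flow_id(pkt), sw, port, rules, links)
        if loc is not None:
            per_port[loc] += 1
    return per_port

def abnormal_rate(window_counts, baseline, factor=5.0):
    """Monitoring-node check (assumed threshold): switches whose Packet-In count in a window exceeds factor x baseline."""
    return sorted(sw for sw, c in window_counts.items() if c > factor * baseline.get(sw, 0))

# Constructed sample data (not from the thesis): hosts hang off s1 port 1, link s1:2 <-> s2:1,
# link s2:2 <-> s3:1. s1 and s2 forward traffic for 10.0.0.9 towards s3; s3 has no rule and punts it.
LINKS = {("s2", 1): ("s1", 2), ("s3", 1): ("s2", 2)}
RULES = {sw: [({"dst_ip": "10.0.0.9"}, 1, 2)] for sw in ("s1", "s2")}
# Constructed Packet-Ins from s3 port 1: spoofed source IP/MAC per packet, same destination.
PACKET_INS = [("s3", 1, {"src_ip": f"10.0.0.{i}", "dst_ip": "10.0.0.9",
                         "src_mac": f"00:00:00:00:00:{i:02x}", "dst_mac": "00:00:00:00:00:09"})
              for i in range(1, 6)]
```

All five spoofed flows resolve to the same edge port (s1, port 1), which is the "many IDs, one source" pattern the trace-back is meant to expose.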
Keywords/Search Tags: Software-Defined Networking (SDN), OpenFlow, DoS, Network traceability, Attack detection