استفاده از معماری SAHAR جهت مقاوم کردن سطح کنترلی شبکه نرمافزار محور در برابر حملات منع سرویس
محورهای موضوعی : مهندسی برق و کامپیوترمهران شتابی 1 , احمد اکبری 2 *
1 - دانشگاه علم و صنعت ایران
2 - دانشگاه علم و صنعت ایران
کلید واژه: پروتکل OpenFlow حمله منع سرویسشبکه نرمافزار محور,
چکیده مقاله :
شبکه نرمافزار محور (SDN) نسل بعدی معماری شبکه است که با جداکردن سطح داده و سطح کنترلی، کنترل متمرکزی را با هدف بهبود قابلیت مدیریت و سازگاری شبکه امکانپذیر میسازد. با این حال به دلیل سیاست کنترل متمرکز، این نوع شبکه مستعد از دسترس خارج شدن سطح کنترلی در مقابل حمله منع سرویس است. در حالت واکنشی، افزایش قابل توجه رخدادهای ناشی از ورود جریانهای جدید به شبکه فشار زیادی به سطح کنترلی اعمال میکند. همچنين، وجود رخدادهای مكرر مانند جمعآوری اطلاعات آماری از سراسر شبكه كه باعث تداخل شدید با عملکرد پایه سطح کنترلی میشود، ميتواند به شدت بر کارایی سطح كنترلی اثر بگذارد. برای مقاومت در برابر حمله و جلوگیری از فلجشدن شبکه، در این مقاله معماری جدیدی به نام SAHAR معرفی شده که از یک جعبه کنترلی متشکل از یک کنترلکننده هماهنگکننده، یک کنترلکننده اصلی نصاب قوانین جریان و یک یا چند کنترلکننده فرعی نصاب قوانین جریان (بر حسب نیاز) استفاده میکند. اختصاص وظایف نظارتی و مدیریتی به کنترلکننده هماهنگکننده باعث کاهش بار کنترلکنندههای نصاب قوانین جریان میشود. علاوه بر آن، تقسیم ترافیک ورودی بین کنترلکنندههای نصاب قوانین جریان توسط کنترلکننده هماهنگکننده بار را در سطح کنترلی توزیع میکند. بدین ترتیب، با تخصیص بار ترافیکی ناشی از حمله منع سرویس به یک یا چند کنترلکننده فرعی نصاب قوانین جریان، معماری SAHAR میتواند از مختلشدن عملکرد کنترلکننده اصلی نصاب قوانین جریان جلوگیری کرده و در برابر حملات منع سرویس مقاومت کند. آزمایشهای انجامشده نشان میدهند که SAHAR در مقایسه با راهکارهای موجود، کارایی بهتری در مواجهه با حمله منع سرویس از خود نشان میدهد.
Software-defined network (SDN) is the next generation of network architecture thatby separating the data plane and the control plane enables centralized control with the aim of improving network management and compatibility. However, due to the centralized control policy, this type of network is prone to Inaccessibility of control plane against a denial of service (DoS) attack. In the reactive mode, a significant increase in events due to the entry of new flows into the network puts a lot of pressure on the control plane. Also, the presence of recurring events such as the collection of statistical information from the network, which severely interferes with the basic functionality of the control plane, can greatly affect the efficiency of the control plane. To resist attack and prevent network paralysis, this paper introduces a new architecture called SAHAR, which consists of a control box consisting of a coordinator controller, a primary flow setup controller, and one or more (as needed) secondary flow setup controller(s). Assigning monitoring and managing tasks to the coordinator controller reduces the load of flow setup controllers. In addition, dividing the incoming traffic between the flow setup controllers by the coordinator controller distributes the load at the control plane. Thus, by assigning the traffic load resulting from a denial-of-service attack to one or more secondary flow setup controller(s), the SAHAR architecture can prevent the primary flow setup controller from impairment and resist DoS attacks. Tests show that SAHAR performs better in the face of a DoS attack than existing solutions.
[1] N. McKeown, et al., "OpenFlow: enabling innovation in campus networks," SIGCOMM Comput Commun Rev., vol. 38, no. 2, pp. 69-74, Apr. 2008.
[2] H. Farhady, H. Lee, and N. Akihiro, "Software-defined networking: a survey," Computer Networks, vol. 81, pp. 79-95, 2015.
[3] I. Ahmad, S. Namal, M. Ylianttila, and A. Gurtov, "Security in software defined networks: a survey," IEEE Commun Surveys Tutorials, vol. 17, no. 4, pp. 2317-2346, 4th Quarter 2015.
[4] W. Li, W. Meng, and L. F. Kwok, "A survey on OpenFlow-based software defined networks: security challenges and countermeasures," J. Network Comput Appl., vol. 68, pp. 126-139, 2016.
[5] J. Benabbou, K. Elbaamrani, and N. Idboufker, "Security in OpenFlow-based SDN, opportunities and challenges," Photon Netw Commun, vol. 37, no. 1, pp. 1-23, 2019.
[6] S. Shin and G. Gu, "Attacking software-defined networks: a first feasibility study," in Proc. of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN '13, pp. 165-166, New York, NY, USA, Aug. 2013.
[7] S. Dong, K. Abbas, and R. Jain, "A survey on distributed denial of service (DDoS) attacks in SDN and cloud computing environments," IEEE Access, vol. 7, pp. 80813-80828, 2019.
[8] R. Swami, M. Dave, and V. Ranga, "Software defined networking based DDoS defense mechanisms," ACM Computing Surveys, vol. 52, no. 2, Article No.: 28, May 2019.
[9] Open Networking Foundation, OpenFlow Switch Specification, version 1.2, Dec. 2011.
[10] H. Wang, L. Xu, and G. Gu, OF-GUARD: a DoS attack prevention extension in software-defined networks. Poster presented at: The Open Networking Summit 2014; 2014; Santa Clara, CA.
[11] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, "AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks," in Proc. ACM SIGSAC Conf. on Computer & Communications Security, CCS'13, pp. 413-424, New York, NY, USA, Nov. 2013.
[12] M. Ambrosin, M. Conti, F. De Gaspari, and R. Poovendran, "LineSwitch: tackling control plane saturation attacks in software-defined networking," IEEE/ACM Trans. Networking, vol. 25, no. 2, pp. 1206-1219, Apr. 2017.
[13] K. Y. Chen, A. R. Junuthula, I. K. Siddhrau, Y. Xu, and H. J. Chao, "SDNShield: towards more comprehensive defense against DDoS attacks on SDN control plane," in Proc. IEEE Conf. on Communications and Network Security, CNS'16, pp. 28-36, Philadelphia, PA, USA, 17-19 Oct. 2016.
[14] H. Wang, L. Xu, and G. Gu, "FloodGuard: a DoS attack prevention extension in software-defined networks," in Proc. 45th Annual IEEE/IFIP Int. Conf. on Dependable Systems and Networks, pp. 239-250, Rio de Janeiro, Brazil, 22-25 Jun. 2015.
[15] L. Wei and C. Fung, "FlowRanger: a request prioritizing algorithm for controller DoS attacks in software defined networks," in Proc. IEEE Int. Conf. on Communications, ICC'15, pp. 5254-5259, London, UK, 8-12 Jun. 2015.
[16] T. Wang and H. Chen, "SGuard: a lightweight SDN safe-guard architecture for DoS attacks," China Commun., vol. 14, no. 6, pp. 113-125, 2017.
[17] S. Lim, S. Yang, Y. Kim, S. Yang, and H. Kim, "Controller scheduling for continued SDN operation under DDoS attacks," Electron Lett., vol. 51, no. 16, pp. 1259-1261, Aug. 2015.
[18] P. Zhang, H. Wang, C. Hu, and C. Lin, "On denial of service attacks in software defined networks," IEEE Network, vol. 30, no. 6, pp. 28-33, Nov./Dec. 2016.
[19] S. Gao, Z. Peng, B. Xiao, A. Hu, and K. Ren, "FloodDefender: protecting data and control plane resources under SDN-aimed DoS attacks," in Proc. INFOCOM IEEE Conf. on Computer Communications, 9 pp., Atlanta, GA, USA, 1-4 May 2017.
[20] P. Wu, L. Yao, C. Lin, G. Wu, and M. S. Obaidat, "FMD: a DoS mitigation scheme based on flow migration in software-defined-networking," Int. J. Commun. Syst., vol. 31, no. 9, Article No.: e3543, Jun. 2018.
[21] Y. Wang, T. Hu, G. Tang, J. Xie, and J. Lu, "SGS: safe-guard scheme for protecting control plane against DDoS attacks in software-defined networking," IEEE Access, vol. 7, pp. 34699-34710, 2019.
[22] Open Networking Foundation, OpenFlow Switch Specification, Version 1.3.5, Mar. 2015.
[23] https://se.mathworks.com/products/new_products/release2018b.html (Accessed Apr. 2019)
[24] Y. Han, J. H. Yoo, and J. Won-Ki Hong, "Poisson shot-noise process based flow-level traffic matrix generation for data center networks," in Proc. IFIP/IEEE Int. Symp. on Integrated Network Management, IM'15, pp. 450-457, Ottawa, Canada, 11-15 May 2015.
[25] B. Y. Yu, G. Yang, and C. Yoo, "Comprehensive prediction models of control traffic for SDN controllers," in Proc. IEEE Int. Conf. on Network Softwarization (NetSoft)-Technical Sessions, pp. 62-266, Montreal, Canada, 25-29 Jun. 2018.
[26] K. Kuroki, et al., "Redundancy method for highly available openflow controller," International J. on Advances in Internet Technology, vol. 7, no. 1-2, pp. 114-123, 2014.
[27] http://ryu.readthedocs.io/en/latest/nicira_ext_ref.html, (Accessed Apr. 2019).
[28] M. Faizul Bari, et al., "Dynamic controller provisioning in software defined networks," in Proc. of the 9th Int.l Conf. on Network and Service Management, CNSM'13, pp. 18-25, Zurich, Switzerland, 14-18 Oct. 2013.
[29] L. Peng, B. Yang, Y. Chen, and Z. Chen, "Effectiveness of statistical features for early stage internet traffic identification," Int. J. Parallel Program., vol. 44, no. 1, pp. 181-197, 2016.
[30] A. S. da Silva, C. C. Machado, R. V. Bisol, L. Z. Granville, and A. Schaeffer-Filho, "Identification and selection of flow features for accurate traffic classification in SDN," in Proc. IEEE 14th Int. Symp. Netw. Comput. Appl., pp. 134-141, Cambridge, MA, USA, 28-30 Sept. 2015.
[31] M. Hayes, B. Ng, A. Pekar, and W. K. G. Seah, "Scalable architecture for SDN traffic classification," IEEE Systems J., vol. 12, no. 4, pp. 3203-3214, Dec. 2017.
[32] M. Al-Maolegi and B. Arkok, "An improved apriori algorithm for association rules," International J. on Natural Language Computing, vol. 3, no. 1, pp. 22-29, Feb. 2014.
[33] Y. Zhao and Y. Zhang, "Comparison of decision tree methods for finding active objects," Advances in Space Research, vol. 41, no. 12, pp. 1955-1959, 2008.
[34] R. Quinlan, C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers, 1993.
[35] N. Shelly, E. J. Jackson, T. Koponen, N. McKeown, and J. Rajahalme, "Flow caching for high entropy packet fields," ACM SIGCOMM Computer Communication Review., vol. 44, no. 4, pp. 151-156, Oct. 2014.
[36] S. Luo, H. Yu, and L. M. Li, "Fast incremental flow table aggregation in SDN," in Proc. 23rd Int. Conf. Computer Communication and Networks, ICCCN'14, 8 pp., Shanhai, China, 4-7 Aug. 2014.
[37] M. Rifai, et al., "Too many SDN rules? Compress them with MINNIE," in Proc. IEEE Global Communications Conference, GLOBECOM'15, 7 pp., San Diego, CA, USA, 6-10 Dec. 2015.
[38] Mininet Team 2018, "Mininet: an Instant Virtual Network on your Laptop (or other PC)," Available: http://mininet.org/
[39] B. Lantz, B. Heller, and N. McKeown, "A network in a laptop: rapid prototyping for software-defined networks," in Proc. 9th ACM SIGCOMM Workshop on Hot Topics in NetworksArticle No.: 19, 6 pp., Oct. 2010.
[40] RYU SDN Framework, Ryubook 1.0 Documentation, Available: http://osrg.github.io/ryu/ (Accessed Apr. 2019).
[41] B. Pfaff, et al., "Extending networking into the virtualization layer," in Proc. of the ACM SIGCOMM HotNets Workshop, 6 pp., 2009.
[42] J. Dugan, et al., "Iperf-The TCP, UDP and SCTP network bandwidth measurement tool," [Online]. Available: https://iperf.fr/
[43] Robin Richter, Hyenae, Available: https:// sourceforge.net/projects/hyenae/ (Dec. 2010)
[44] bwm-ng v0.6.2 Copyright (C) 2004-2019 Volker Gropp (bwmng@gropp.org) http://www.gropp.org/?id=projects&sub=bwm-ng, Available: https://github.com/vgropp/bwm-ng