Paper notes: SDN-aimed DoS Attacks

FloodDefender

Posted by chochi on June 5, 2018

1 Abstract

FloodDefender:Protecting data and control plane resources under SDN-aimed DoS attacks
The paper proposes the FloodDefender framework to withstand TCP- and UDP-based DoS attacks in SDN. It is protocol-independent and sits as an architectural layer between the data plane and the control plane.
Four northbound modules are added inside the controller, and the flow-table storage of the switch is split into two regions; the cache region, which holds the flow entries for malicious traffic, is flushed continually.
I don't know whether Brother Dong will ask me to present this; I'd rather not, since I've read too much, learned too scattered a mix of things, and have no formed idea of my own yet.
Papers I read earlier were never summarized, so I forgot their details; I took one I'm still reading and forced a summary out of it.
Honestly I still haven't figured it out; many details I didn't understand. I don't have the big-picture framework in my head.

2 INTRODUCTION

2.1 Problem

  • The limited communication bandwidth between the control and data planes could be a bottleneck of the whole network, and lead to security problems.
  • the attacker can first generate table-miss packets by randomly forging some or all fields, making them hard to match any existing flow rules on a victim switch.

  The OpenFlow channel between the switch and the controller has limited bandwidth. An attacker generates large numbers of table-miss packets so that the switch produces a flood of packet_in messages reported to the controller, causing congestion.

  A plain drop action cannot be used, since it could discard benign traffic along with the attack.

2.2 Challenges

  • How to efficiently handle table-miss packets while maintaining short packet delay, low packet loss rate and normal packet forwarding operation?
  • How to precisely distinguish attack traffic from benign traffic without straining computational resources?

  Handle malicious traffic quickly while keeping latency low, and classify malicious and benign traffic precisely.

2.3 Proposal

  • FloodDefender stands between the controller platform and other controller apps, and is protocol-independent against different types of attack traffic (e.g. TCP-based attacks or UDP-based attacks).
  • FloodDefender detours table-miss packets to neighbor switches with wildcard flow rules to protect the communication link from being jammed.

  The attacked switch spreads its traffic over nearby switches to relieve the congestion.

2 SYSTEM DESIGN

2.1 System architecture

[figure]

  When the attack detection module detects an attack, it activates the other modules and forwards packet_in messages to the packet filter module.

  • The flow rule management module logically divides the switch memory that stores flow tables into two parts: the flow table region and the cache region. The former is mainly used to detect network state and keep benign traffic forwarding normally at high speed; the latter is used to install flow rules for malicious traffic and is flushed every 5 s.
  • Table-miss engineering installs protecting rules that offload malicious traffic to neighboring switches that also have a direct connection to the controller. (A single OpenFlow channel has limited bandwidth, so the OpenFlow channels of several switches are used to share the load brought by packet-in messages.)
  • When the controller receives a packet-in message, the packet filter module stores the current message, picks out the malicious traffic, and passes the messages on to the other apps.

2.2 Attack Detection Module

  The paper does not explain in detail how an attack on the network is detected. Roughly: 1. thresholds, 2. traffic asymmetry.

  The module performs three actions:

  1. Detect the attack
  2. Activate the other modules
  3. Detect the end of the attack and stop the other modules

2.3 Table-miss Engineering Module

  • Problem

    massive table-miss packets will be triggered to exhaust the available bandwidth between the controller and a victim switch.

  • Solution

    the table-miss engineering module offloads some table-miss packets to neighbor switches to save the bandwidth of the victim switch.

Protecting rules are wildcard flow entries with the lowest priority to split the table-miss traffic into several parts to different neighbor switches.

  When a switch becomes a victim, as many surrounding switches as possible are brought in to share its traffic. The paper only considers the case where the sets of neighbor switches belonging to different victims are disjoint, i.e., a neighbor carries traffic for only one victim. This design can cause two problems: the INPORT loss problem and the packet bouncing problem.

2.3.1 INPORT loss problem

[figure]

INPORT information indicates the controller’s input port, and is contained in a packet in message.

  • When the victim switch offloads traffic to other switches, the packet-in message is sent to the controller by the other switch, so the in_port recorded in the message the controller receives is no longer that of the victim switch.
  • The ToS field is used to record the victim switch: the victim edits the ToS field before detouring the packet.

2.3.2 Packet bouncing problem

Since the neighbor switch may have some flow rules to process the detoured table-miss traffic, some table-miss packet could bounce between the neighbor and victim switches.

Specifically, the table-miss engineering adds “ToS is not encoded” into the match field of the protecting rule.

  • To stop detoured traffic from bouncing back and forth between the neighbor switch and the victim switch, the protecting rule adds a match field requiring that the ToS has not been edited.

2.4 Packet Filter Module

It contains two components, packet in buffer to store packet in messages, and two-phase filter to identify attack traffic.

  • packet in buffer

  Classified by protocol, one B+ tree per protocol stores the packet-in messages and records how often each message occurs; the leaf nodes are the highest-frequency entries, and each tree is flushed every 5 s. Malicious traffic is filtered by frequency: most of it comes from source addresses forged by the attacker's program, so each such flow appears only once.

2.4.1 Two-phase filter

  • Problem

    attackers are smart enough to resend these packets to increase the frequency of each flow

  • Solution

    we use traffic rate asymmetry features in the classification.

  When malicious traffic does not show the frequency-1 characteristic, the traffic asymmetry feature is used to identify it: a large volume of traffic pours in from the malicious source, but because that source is a forged address, the traffic sent back to it is far smaller than the incoming traffic.

  But the paper says nothing about other situations where this occurs, e.g. downloading a movie file from a remote server, which also satisfies incoming traffic >> outgoing traffic.

  The paper suggests the traffic asymmetry may arise because the connections are never established, and uses packet and byte counts with an SVM classifier, but does not explain this clearly.
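As an added illustration of the packet_in buffer (2.4) and the two-phase filter (2.4.1), the following Python is not code from the paper or from the FloodDefender authors. It replaces the per-protocol B+ trees with plain per-protocol dictionaries keyed by the 4-tuple (same counts, simpler code), keeps the 5 s flush, and stands in for the SVM classifier with a fixed reply-ratio threshold (REPLY_RATIO_MIN, an assumed value). All packet_in records and byte counters are constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW_S = 5.0          # the paper flushes each per-protocol tree every 5 s
REPLY_RATIO_MIN = 0.1   # assumed threshold standing in for the paper's SVM classifier


@dataclass(frozen=True)
class PacketIn:
    ts: float      # arrival time at the controller, seconds
    proto: str     # "tcp" or "udp"; the paper keeps one buffer tree per protocol
    src: str
    dst: str
    sport: int
    dport: int
    nbytes: int


FlowKey = Tuple[str, str, int, int]


class PacketInBuffer:
    """Per-protocol frequency counters, flushed every WINDOW_S seconds.
    The paper stores these in one B+ tree per protocol; a dict keyed by the
    4-tuple gives the same counts for this illustration."""

    def __init__(self) -> None:
        self.counts: Dict[str, Dict[FlowKey, int]] = defaultdict(lambda: defaultdict(int))
        self.window_start = 0.0

    @staticmethod
    def key(p: PacketIn) -> FlowKey:
        return (p.src, p.dst, p.sport, p.dport)

    def add(self, p: PacketIn) -> None:
        if p.ts - self.window_start >= WINDOW_S:   # window expired: flush every tree
            self.counts.clear()
            self.window_start = p.ts
        self.counts[p.proto][self.key(p)] += 1

    def frequency(self, p: PacketIn) -> int:
        return self.counts[p.proto].get(self.key(p), 0)


def phase1_frequency(buf: PacketInBuffer, pkts: List[PacketIn]) -> Tuple[List[PacketIn], List[PacketIn]]:
    """Phase 1: a flow seen exactly once in the window is treated as a
    forged-source attack packet; everything else goes on to phase 2."""
    survivors: List[PacketIn] = []
    attack: List[PacketIn] = []
    for p in pkts:
        (attack if buf.frequency(p) == 1 else survivors).append(p)
    return survivors, attack


def phase2_asymmetry(pkts: List[PacketIn], bytes_to_src: Dict[str, int]) -> Tuple[List[PacketIn], List[PacketIn]]:
    """Phase 2: rate asymmetry. Compare the bytes a source sent in with the bytes
    the network sent back to it; a spoofed source gets (almost) nothing back."""
    bytes_from_src: Dict[str, int] = defaultdict(int)
    for p in pkts:
        bytes_from_src[p.src] += p.nbytes
    benign: List[PacketIn] = []
    attack: List[PacketIn] = []
    for p in pkts:
        ratio = bytes_to_src.get(p.src, 0) / bytes_from_src[p.src]
        (benign if ratio >= REPLY_RATIO_MIN else attack).append(p)
    return benign, attack


def two_phase_filter(pkts: List[PacketIn], bytes_to_src: Dict[str, int]) -> Tuple[List[PacketIn], List[PacketIn]]:
    """Returns (benign, attack) for one batch of packet_in messages."""
    buf = PacketInBuffer()
    for p in pkts:
        buf.add(p)
    survivors, attack1 = phase1_frequency(buf, pkts)
    benign, attack2 = phase2_asymmetry(survivors, bytes_to_src)
    return benign, attack1 + attack2


def build_sample() -> Tuple[List[PacketIn], Dict[str, int]]:
    """Constructed input (not captured data). All timestamps fall inside one 5 s window."""
    pkts: List[PacketIn] = []
    # benign client: one TCP flow whose SYN retransmits appear three times
    pkts += [PacketIn(0.1 * i, "tcp", "10.0.0.5", "10.0.0.9", 40000, 80, 60) for i in range(3)]
    # attacker A: 20 UDP packets, each with a different forged source, so each flow is seen once
    pkts += [PacketIn(1.0 + 0.01 * i, "udp", f"198.51.100.{i}", "10.0.0.9", 5000 + i, 53, 80)
             for i in range(20)]
    # attacker B: resends from a single forged source to push its frequency above 1
    pkts += [PacketIn(2.0 + 0.1 * i, "tcp", "203.0.113.7", "10.0.0.9", 4444, 80, 500) for i in range(4)]
    # constructed switch counters: bytes forwarded back *to* each source in the window
    bytes_to_src = {"10.0.0.5": 1200}   # only the benign client ever receives replies
    return pkts, bytes_to_src


if __name__ == "__main__":
    sample_pkts, sample_to_src = build_sample()
    good, bad = two_phase_filter(sample_pkts, sample_to_src)
    print(f"benign={len(good)} attack={len(bad)}")
```

Attacker A is caught by phase 1 alone (every flow has frequency 1), attacker B survives phase 1 by resending but is caught by the asymmetry check, and the benign client passes both. The asymmetry ratio is where the movie-download objection above bites: a threshold on reply bytes alone would need extra features (the paper's packet and byte counts fed to an SVM) to avoid misclassifying legitimate one-directional transfers.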

2.5 Flow Table Management Module

[figure]

  I think this is the most ingenious part of all the modules the paper proposes.

  The switch memory is divided into two parts, the flow table region and the cache region; the cache region tracks malicious traffic and is flushed continually.

Specifically, the flow table management uses the first k tables (table 0 to k−1) and the last table (table n) as “flow table region”, and other tables (table k to n − 1) as “cache region”.

Processing flow rules in the cache region and all monitoring flow rules will be flushed after traffic-based filtering to save the space of the flow table.

To activate protecting rules in the last flow table, the default table-miss instructions of all but the last flow table should be set to “Goto Table n”.
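To make the data-plane side of the design concrete, here is an added toy simulation of the multi-table pipeline covering the table-miss engineering module (2.3, including the INPORT loss and packet bouncing fixes of 2.3.1 and 2.3.2) and the flow table management module (2.5). It is not code from the paper or the FloodDefender authors. Assumptions: the ToS layout (victim switch id in the high bits, original in-port in the low 3 bits, 0 meaning "not encoded"), the four-way split of table-miss traffic on the two low bits of the source address, and the derived match fields `tos_encoded` and `src_low2`, which a real switch would express as masked matches. Monitoring rules are modelled as flow-table-region entries flagged `monitoring=True` that jump into the cache region. All packets and rules are constructed inline.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

OUTPUT, GOTO, PACKET_IN, DETOUR, DROP = "output", "goto", "packet_in", "detour", "drop"

@dataclass
class Packet:
    src: str
    dst: str
    tos: int = 0   # 0 means "ToS not encoded"

@dataclass
class FlowEntry:
    priority: int
    match: Dict[str, object]   # field -> required value; unlisted fields are wildcarded
    action: str
    arg: object = None
    monitoring: bool = False   # monitoring rules sit in the flow table region but are flushed too

def packet_fields(pkt: Packet) -> Dict[str, object]:
    # 'tos_encoded' and 'src_low2' (two low bits of the last source octet, used to split
    # traffic over neighbours) are derived here; real rules would use masked matches.
    return {"src": pkt.src, "dst": pkt.dst, "tos_encoded": pkt.tos != 0,
            "src_low2": int(pkt.src.rsplit(".", 1)[1]) & 0b11}

def encode_tos(switch_id: int, in_port: int) -> int:
    """Assumed ToS layout: victim switch id in the high bits, original in-port in the low 3 bits."""
    assert 1 <= switch_id < 32 and 0 <= in_port < 8
    return (switch_id << 3) | in_port

def decode_tos(tos: int) -> Tuple[int, int]:
    return tos >> 3, tos & 0b111

class Switch:
    """n+1 flow tables: 0..k-1 and n are the flow table region, k..n-1 the cache region."""
    def __init__(self, sid: int, k: int, n: int) -> None:
        self.sid, self.k, self.n = sid, k, n
        self.tables: List[List[FlowEntry]] = [[] for _ in range(n + 1)]

    def table_miss(self, t: int) -> FlowEntry:
        # every table but the last jumps to table n; table n reports to the controller
        return FlowEntry(-1, {}, GOTO, self.n) if t < self.n else FlowEntry(-1, {}, PACKET_IN)

    def add(self, table: int, entry: FlowEntry) -> None:
        self.tables[table].append(entry)
        self.tables[table].sort(key=lambda e: -e.priority)

    def install_protecting_rules(self, neighbour_ports: List[int]) -> None:
        # lowest-priority wildcard rules in table n, one quarter of the source space each,
        # matching only packets whose ToS has not been encoded yet (prevents bouncing)
        for bucket in range(4):
            port = neighbour_ports[bucket % len(neighbour_ports)]
            self.add(self.n, FlowEntry(0, {"tos_encoded": False, "src_low2": bucket}, DETOUR, port))

    def flush_cache_region(self) -> None:
        for t in range(self.k, self.n):
            self.tables[t].clear()
        for t in list(range(self.k)) + [self.n]:
            self.tables[t] = [e for e in self.tables[t] if not e.monitoring]

    def process(self, pkt: Packet, in_port: int) -> Tuple[str, object]:
        """Walk the pipeline from table 0 and return the final (action, argument)."""
        fields, t = packet_fields(pkt), 0
        while True:
            hit = next((e for e in self.tables[t]
                        if all(fields.get(f) == v for f, v in e.match.items())), self.table_miss(t))
            if hit.action == GOTO:
                t = hit.arg
            elif hit.action == DETOUR:
                pkt.tos = encode_tos(self.sid, in_port)   # record the victim and its in-port
                return DETOUR, hit.arg
            elif hit.action == PACKET_IN:
                return PACKET_IN, (self.sid, in_port)
            else:
                return hit.action, hit.arg

def controller_in_port(pkt: Packet, reporting: Tuple[int, int]) -> Tuple[int, int]:
    """INPORT recovery at the controller: prefer the ToS encoding when present."""
    return decode_tos(pkt.tos) if pkt.tos else reporting

def run_scenario() -> Dict[str, object]:
    k, n = 2, 5                                   # tables 0,1,5: flow table region; 2,3,4: cache region
    victim, neighbour = Switch(1, k, n), Switch(2, k, n)
    victim.install_protecting_rules([10, 11])
    neighbour.install_protecting_rules([20])
    victim.add(0, FlowEntry(100, {"src": "10.0.0.5", "dst": "10.0.0.9"}, OUTPUT, 3))
    r: Dict[str, object] = {}
    r["benign"] = victim.process(Packet("10.0.0.5", "10.0.0.9"), 1)      # normal forwarding
    p = Packet("198.51.100.7", "10.0.0.9")                                 # constructed table-miss packet
    r["victim"] = victim.process(p, 1)                                     # detoured, ToS encoded
    r["neighbour"] = neighbour.process(p, 4)                               # not detoured again: packet_in
    r["inport"] = controller_in_port(p, r["neighbour"][1])                 # original switch and port
    victim.add(0, FlowEntry(60, {"src": "198.51.100.7"}, GOTO, k, monitoring=True))
    victim.add(k, FlowEntry(50, {"src": "198.51.100.7"}, DROP))             # processing rule in cache region
    r["cached"] = victim.process(Packet("198.51.100.7", "10.0.0.9"), 1)[0]
    victim.flush_cache_region()
    r["after_flush"] = victim.process(Packet("198.51.100.7", "10.0.0.9"), 1)[0]
    return r

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running the scenario shows the three properties the text describes: the benign flow never leaves table 0; the table-miss packet falls through to table n, is detoured to a neighbour port with its ToS encoded, and at the neighbour it no longer matches the protecting rules, so it is reported to the controller once rather than bouncing; and the controller decodes the ToS to recover the victim switch and in-port. Installing a monitoring rule plus a processing rule in the cache region drops the flow on the victim, and flushing the cache region removes both while leaving the benign rule and the protecting rules in place.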