| Graduate student: | 吳偵平 Wu, Jhen-Ping |
|---|---|
| Thesis title: | 在 SDN 資料平面上藉由 SYN/ACK 封包偵測並以黑白名單防禦 SYN Flooding 攻擊 / SYN Flooding Detection Through SYN/ACK Packets and Mitigation by Black and White Lists in SDN Data Plane |
| Advisor: | 蔡孟勳 Tsai, Meng-Hsun |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering |
| Year of publication: | 2022 |
| Academic year of graduation: | 110 (ROC calendar) |
| Language: | English |
| Pages: | 38 |
| Keywords (Chinese): | 軟體定義網路, 可程式化資料平面, 網路安全, SYN 洪水 |
| Keywords (English): | Software-Defined Networks, Programmable Data Plane, Network Security, SYN Flooding |
Software-Defined Networking (SDN) is a network architecture that, compared with traditional networking, offers programmability, more efficient network management and centralized control. That centralization, however, makes the SDN controller an attractive target for attacks such as SYN flooding: a SYN packet that matches no flow entry is a table miss, which the switch forwards to the controller, so an attacker who sends a large volume of SYN packets forces the switch to send all of them to the controller. This overloads the switch-controller channel and degrades the controller's performance.

We therefore propose a method for mitigating SYN flooding whose detection runs in the data plane, so that the switch does not have to forward packets to the controller frequently. Compared with related work, our method reduces the traffic passing through the switch and improves detection accuracy. Furthermore, at a comparable accuracy, the register space our method needs is approximately 9 KB, roughly one two-hundredth of that required by related work.
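The abstract gives the shape of the approach (detection driven by the server's SYN/ACK packets, a blacklist and a whitelist, all held in bounded data-plane registers) but not its details. The following is an added, software-only model of that general idea, written for this page; it is not the thesis's P4 program, and the register width (4096 slots), the half-open threshold (8), the CRC32 slot indexing and the list semantics are all assumptions. The switch counts, per hashed client slot, SYN/ACKs the server has sent that the client has not yet completed with an ACK; a slot that completes a handshake is whitelisted and its later SYNs pass without counting, a slot whose outstanding SYN/ACKs exceed the threshold is blacklisted and its SYNs are dropped. The packet trace is constructed inline.

```python
"""Toy, software-only model of SYN-flood handling driven by the server's SYN/ACKs.

Added illustration; it is NOT the thesis's P4 program. The register sizes,
threshold, list semantics and CRC32 slot indexing below are assumptions.
"""
import zlib
from dataclasses import dataclass

REG_SLOTS = 4096        # assumption: bounded register arrays, as in a P4 data plane
HALF_OPEN_LIMIT = 8     # assumption: outstanding SYN/ACKs per slot before blacklisting


@dataclass(frozen=True)
class Pkt:
    """The only TCP fields the model looks at: addresses and the SYN/ACK flags."""
    src: str
    dst: str
    syn: bool
    ack: bool


def slot(ip: str) -> int:
    """Index a client address into the fixed-size registers (a hash, so collisions exist)."""
    return zlib.crc32(ip.encode()) % REG_SLOTS


class SynFloodGuard:
    """Switch-side state: three register arrays indexed by slot(client)."""

    def __init__(self, server: str) -> None:
        self.server = server
        self.half_open = [0] * REG_SLOTS        # SYN/ACKs sent but not yet ACKed, per slot
        self.whitelist = [False] * REG_SLOTS    # slot completed a handshake at least once
        self.blacklist = [False] * REG_SLOTS    # slot exceeded HALF_OPEN_LIMIT

    def process(self, p: Pkt) -> str:
        """Return the switch's verdict for one packet: 'forward' or 'drop'."""
        if p.syn and not p.ack and p.dst == self.server:      # client SYN
            s = slot(p.src)
            if self.whitelist[s]:
                return "forward"
            return "drop" if self.blacklist[s] else "forward"
        if p.syn and p.ack and p.src == self.server:          # server SYN/ACK
            s = slot(p.dst)
            if not self.whitelist[s]:
                self.half_open[s] += 1
                if self.half_open[s] > HALF_OPEN_LIMIT:
                    self.blacklist[s] = True
            return "forward"
        if p.ack and not p.syn and p.dst == self.server:      # client ACK completes a handshake
            s = slot(p.src)
            if self.half_open[s] > 0:
                self.half_open[s] -= 1
                self.whitelist[s] = True
            return "forward"
        return "forward"                                      # anything else: untouched


def simulate(guard: SynFloodGuard, client: str, n_syn: int, completes: bool) -> tuple:
    """Drive n_syn connection attempts from client through guard, modelling the server.

    The server answers every SYN the switch forwards with a SYN/ACK; a well-behaved
    client then sends the final ACK, a flooding client never does.
    Returns (syns_forwarded, syns_dropped).
    """
    forwarded = dropped = 0
    for _ in range(n_syn):
        if guard.process(Pkt(client, guard.server, syn=True, ack=False)) == "drop":
            dropped += 1
            continue                      # a dropped SYN never reaches the server
        forwarded += 1
        guard.process(Pkt(guard.server, client, syn=True, ack=True))
        if completes:
            guard.process(Pkt(client, guard.server, syn=False, ack=True))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed scenario: one legitimate client, one flooding source, one server.
    guard = SynFloodGuard("10.0.0.1")
    print("legit client:", simulate(guard, "10.0.0.5", 5, completes=True))
    print("flood source:", simulate(guard, "10.0.0.66", 20, completes=False))
    print("legit client after the flood:", simulate(guard, "10.0.0.5", 3, completes=True))
```

Two caveats a practitioner should carry over to any real implementation. First, the model trusts a bare ACK as proof that a handshake completed, so a non-spoofing attacker could send one ACK to get its slot whitelisted; a switch that cannot keep per-connection state has to tie the ACK to the SYN/ACK it answers, for example by validating the acknowledgement number against a SYN cookie as RFC 4987 describes. Second, hashing addresses into a few thousand register slots is exactly what keeps the state small, but every slot is shared: a whitelisted slot shields any other source that hashes into it, and a blacklisted slot drops a colliding legitimate client, which is the memory-versus-accuracy trade-off the abstract's 9 KB figure is about. Per-source lists also do nothing against a flood whose source addresses are randomized (hping3 --rand-source), where an aggregate half-open count is the signal to watch.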