Journal of Frontiers of Computer Science and Technology, 2020, Vol. 14, Issue (4): 566-577. DOI: 10.3778/j.issn.1673-9418.1905043


Detection and Defense Mechanism of LDoS Attack in SDN Environment

YAN Tong, BAI Zhihua, GAO Zhen, YAN Lina, ZHOU Lei   

  1. School of Electrical and Information Engineering, Tianjin University, Tianjin 300072, China
  2. Beijing Smartchip Microelectronics Technology Co., Ltd., Beijing 102200, China
  • Online: 2020-04-01 Published: 2020-04-10


Abstract:

The low-rate denial of service (LDoS) attack is a new type of network attack, characterized by low attack cost and strong concealment. Software-defined networking (SDN), itself a new type of network architecture, is also threatened by LDoS attacks. However, the separation of control and forwarding in SDN and its programmable network behavior provide new ideas for detecting and defending against LDoS attacks. This paper proposes a new LDoS attack detection and defense method based on the OpenFlow protocol. The rate of each OpenFlow data stream is counted separately, and the double-sliding-window method from signal detection is used to detect the attack traffic. Once attack traffic is detected, the controller can defend against the attack in real time by sending a flow table. Experiments show that this method can effectively detect LDoS attacks and can defend against them in a short time.

Key words: low-rate denial of service (LDoS) attack, software-defined network (SDN), detection, defense, open network operating system (ONOS)
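
An added example of the detection idea in the abstract, not code from the paper: a double-sliding-window energy ratio is computed over each flow's rate samples, and a flow is flagged when its burst onsets recur at a near-constant period. The window length, threshold, periodicity test, flow names and rate series are all assumptions constructed for this illustration; the paper's own parameters are not given on this page.

```python
def double_window_ratio(rates, win):
    """Energy of the leading window divided by energy of the trailing window."""
    eps = 1e-9  # keeps the ratio defined when the trailing window is all zeros
    ratios = []
    for n in range(win, len(rates) - win + 1):
        trailing = sum(r * r for r in rates[n - win:n])
        leading = sum(r * r for r in rates[n:n + win])
        ratios.append((n, leading / (trailing + eps)))
    return ratios


def burst_onsets(rates, win=3, threshold=10.0):
    """Sample indices where the ratio rises through the threshold.

    The index marks where the leading window first captures the burst,
    so it can precede the burst itself by up to win - 1 samples.
    """
    onsets, above = [], False
    for n, m in double_window_ratio(rates, win):
        if m >= threshold and not above:
            onsets.append(n)
        above = m >= threshold
    return onsets


def flag_ldos_flows(flow_rates, win=3, threshold=10.0, min_bursts=3, jitter=1):
    """Flag flows whose burst onsets repeat with a near-constant gap.

    The periodicity test is an assumption of this example: a single ramp-up
    (a bulk transfer starting) yields one onset and is not flagged.
    """
    flagged = {}
    for flow, rates in flow_rates.items():
        onsets = burst_onsets(rates, win, threshold)
        gaps = [b - a for a, b in zip(onsets, onsets[1:])]
        if len(onsets) >= min_bursts and gaps and max(gaps) - min(gaps) <= jitter:
            flagged[flow] = onsets
    return flagged


# Constructed per-flow rate samples (arbitrary units, one value per polling interval).
SAMPLE_FLOWS = {
    "flow-steady": [50, 52, 49, 51, 48] * 8,             # normal, roughly constant
    "flow-bulk-start": [0] * 10 + [80] * 30,             # one legitimate ramp-up
    "flow-pulsed": ([1] * 5 + [100] * 2 + [1] * 3) * 4,  # short periodic bursts
}

if __name__ == "__main__":
    for flow, onsets in flag_ldos_flows(SAMPLE_FLOWS).items():
        print(flow, "periodic bursts at samples", onsets)
```

In the scheme the abstract describes, a flow flagged this way is what the controller would then act on through the flow table.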
