基於軟體定義網路架構並利用封包關係分析以偵測分散式阻斷服務攻擊

Abstract

軟體定義網路將傳統的網路功能切割成兩個部分:控制層和資料層，並利用OpenFlow做為之間溝通的協定。軟體定義網路可以集中化管理網路狀態以及網路拓樸，雖然它有種種的好處，但有帶來許多新的威脅。在分散式阻斷服務的攻擊下軟體定義網路的特性就會變成它的攻擊弱點，更甚至造成整個網路架構崩毀。因此，本研究提出一個針對分散式阻斷服務攻擊的完整防禦系統，本系統分為四個模組。首先，我們會先利用packet_in訊息來計算封包的速率以及亂度以偵測是否有異常發生。接下來，我們利用最近鄰居法來判斷flow是否為分散式阻斷服務攻擊。最後，我們可以根據這些以分類的flow來找出攻擊的來源，來進行更進一步的處理。經過實驗後，我們的演算法可以達到99%的準確率，以及我們的系統可以有效的減少CPU的負擔。

Software Defined Network (SDN) decouples control function from traditional data plane and use OpenFlow as the communication protocol between the control plane and data plane. It can centralize the network control to decrease the complexity of network topology. But, this SDN characteristic makes the controller become vulnerable since attackers may launch Distributed Denial of Service (DDoS) attacks against the controller. In this paper, we propose a complete protection system for DDoS attack with four major modules: anomaly detection module, attack detection module, traceback module and attack mitigation module. We use packet_in message query the controller for routing rule to implemented anomaly detection module. Then, we use K-nearest neighbors with correlation features selection (CKNN) to classify whether the flow is an attack flow in attack detection module. Because of the extracting feature from correlation information, the classification efficiency is increased. The accuracy of CKNN using our feature can achieve 99%. Finally, we find the attack path in traceback module and block the attack traffic by attack mitigation module. This system we proposed can effectively reduce the load (CPU) of the controller and switches by quickly find out attack source.