
Control Plane Reflection Attacks and Defenses in Software-Defined Networks


Abstract

Software-Defined Networking (SDN) continues to be deployed in settings ranging from enterprise data centers to cloud computing, driven by the proliferation of SDN-enabled hardware switches and dynamic control plane applications. However, state-of-the-art SDN-enabled hardware switches have rather limited downlink message processing capability, especially for Flow-Mod and Statistic Query messages, which may not meet the heavy demand of dynamic control plane applications. In this paper, we systematically study the interactions between control plane applications and data plane switches, and present two new attacks, namely Control Plane Reflection Attacks, which exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks use direct and indirect data plane events to force the control plane to issue massive numbers of expensive downlink messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy, which makes the reflection attacks much more efficient and powerful. Experiments on a testbed with 3 different physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results such as impairing the establishment of new flows and even disrupting the connection between the SDN controller and its switches. To mitigate such attacks, we present several countermeasures from different perspectives. In particular, we propose a novel, systematic defense framework, SwitchGuard, to detect anomalies in downlink messages and prioritize these messages based on a novel monitoring granularity, i.e., the host-application pair (HAP). Implementations and evaluations demonstrate that SwitchGuard can effectively reduce the latency for legitimate hosts and applications under control plane reflection attacks with only minor overhead.

Bibliographic details

  • Source
    IEEE/ACM Transactions on Networking | 2021, Issue 2 | pp. 623-636 | 14 pages
  • Author affiliations

    Tsinghua Univ Inst Network Sci & Cyberspace Beijing 100084 Peoples R China|Tsinghua Univ Dept Comp Sci & Technol Beijing 100084 Peoples R China|Beijing Natl Res Ctr Informat Sci & Technol BNRis Beijing 100084 Peoples R China;

    Tsinghua Univ Inst Network Sci & Cyberspace Beijing 100084 Peoples R China|Tsinghua Univ Dept Comp Sci & Technol Beijing 100084 Peoples R China|Beijing Natl Res Ctr Informat Sci & Technol BNRis Beijing 100084 Peoples R China;

    Texas A&M Univ Dept Comp Sci & Engn College Stn TX 77843 USA;

    Tsinghua Univ Inst Network Sci & Cyberspace Beijing 100084 Peoples R China|Tsinghua Univ Dept Comp Sci & Technol Beijing 100084 Peoples R China|Beijing Natl Res Ctr Informat Sci & Technol BNRis Beijing 100084 Peoples R China;

    Tsinghua Univ Inst Network Sci & Cyberspace Beijing 100084 Peoples R China|Tsinghua Univ Dept Comp Sci & Technol Beijing 100084 Peoples R China|Beijing Natl Res Ctr Informat Sci & Technol BNRis Beijing 100084 Peoples R China;

    Texas A&M Univ Dept Comp Sci & Engn College Stn TX 77843 USA;

    Tsinghua Univ Inst Network Sci & Cyberspace Beijing 100084 Peoples R China|Tsinghua Univ Dept Comp Sci & Technol Beijing 100084 Peoples R China|Beijing Natl Res Ctr Informat Sci & Technol BNRis Beijing 100084 Peoples R China;

  • Indexing information
  • Format: PDF
  • Language: eng
  • CLC classification
  • Keywords

    Control systems; Hardware; Process control; Downlink; Switches; Monitoring; Protocols; Software-Defined Networking (SDN); side-channel attacks; denial-of-service attacks
