Detection and Defense of Cross-Layer Loop Attacks in SDN
Cite this article: 张云, 江勇, 郑靖, 庞春辉, 李琦. Detection and Defense of Cross-Layer Loop Attacks in SDN [J]. 电子学报 (Acta Electronica Sinica), 2019, 47(5): 1146-1151.
Authors: 张云  江勇  郑靖  庞春辉  李琦
Affiliations: Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084; Department of Computer Science and Technology, Tsinghua University, Beijing 100084; Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055; Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084; Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055
Funding: National Key R&D Program of China; National Natural Science Foundation of China; National Natural Science Foundation of China; Shenzhen Basic Research Project
Abstract: Software-Defined Networking (SDN) separates the control plane from the data plane, bringing flexibility, openness and programmability to the network. However, the separation introduces new security problems. We find that, by constructing specific rules, an attacker can construct a cross-layer loop attack in which packets are forwarded round and round between the controller and the switch. A cross-layer loop congests the controller and stops it from working normally. Existing policy consistency checking schemes cannot detect cross-layer loop attacks. To address this, this paper proposes a method for detecting and defending against cross-layer loops in real time. By constructing a Packet-out-based forwarding graph and analysing rule paths, loops can be detected and defended against quickly. We implemented the proposed loop detection and defense scheme on the open-source Floodlight controller and evaluated its performance on the Mininet emulator; the results show that the scheme can detect cross-layer loop attacks in real time and defend against them effectively.

Keywords: software-defined networking  control plane  data plane  cross-layer loop detection  policy consistency checking
Received: 2017-04-17

Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN
ZHANG Yun,JIANG Yong,ZHENG Jing,PANG Chun-hui,LI Qi.Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN[J].Acta Electronica Sinica,2019,47(5):1146-1151.
Authors:ZHANG Yun  JIANG Yong  ZHENG Jing  PANG Chun-hui  LI Qi
Affiliation:1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China; 2. Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055, China; 3. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Abstract: Software-Defined Networking (SDN) separates the data plane from the control plane, which makes it more flexible, open and programmable compared with traditional IP networks. However, the separation incurs many security problems. In this paper, we find that we can construct controller-to-switch loop (CSL) attacks by leveraging dedicated rules and well-constructed packets. The attacks can effectively exhaust controller resources, which leads to denial of service (DoS). The existing OpenFlow policy verification schemes only focus on detecting data plane loops, and cannot detect such controller-to-switch loops. In order to detect CSL attacks, we propose a novel policy verification scheme. The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages, and efficiently identifies the forwarding loops by traversing the graph. In order to evaluate our defense, we implement it in the Floodlight controller, and perform experiments with Mininet. The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.
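The abstract describes the core of the detection scheme: a packet forwarding graph whose edges come from both switch flow rules and the controller's packet-out behaviour, traversed to find loops that pass through the controller. The following is an added illustration of that idea, not the paper's code or Floodlight's; it assumes a simplified model in which each rule matches a single header-class label, the controller is a single graph node, and a packet-out is modelled by the port it is emitted on. The topology, rules and packet-out handlers are constructed sample data. It also shows the distinction the abstract draws: a loop confined to the data plane versus one that crosses into the controller, which a data-plane-only verifier would miss.

```python
"""Cross-layer (controller-to-switch) loop detection on a forwarding graph.

Added example; models the abstract's idea with constructed data:
nodes are switches plus one 'controller' node, edges come from flow
rules (output port or send-to-controller) and packet-out handlers.
"""
from dataclasses import dataclass

CONTROLLER = "controller"


@dataclass(frozen=True)
class FlowRule:
    switch: str
    match: str   # constructed single header-class label, e.g. "tcp:80"
    action: str  # "output:<port>" or "controller" (raise a packet-in)


@dataclass(frozen=True)
class PacketOutHandler:
    """Constructed model: for packet-ins of `match`, the controller
    emits a packet-out on out_switch/out_port."""
    match: str
    out_switch: str
    out_port: int


# Constructed topology: (switch, port) -> neighbouring switch.
LINKS = {("s1", 1): "s2", ("s2", 1): "s1", ("s2", 2): "s3", ("s3", 1): "s2"}

# Constructed rules: tcp:80 bounces via the controller, udp:53 loops
# purely in the data plane, icmp forwards cleanly to s3.
RULES = [
    FlowRule("s1", "tcp:80", "output:1"),
    FlowRule("s2", "tcp:80", "controller"),
    FlowRule("s2", "udp:53", "output:2"),
    FlowRule("s3", "udp:53", "output:1"),
    FlowRule("s1", "icmp", "output:1"),
    FlowRule("s2", "icmp", "output:2"),
]
HANDLERS = [PacketOutHandler("tcp:80", "s2", 1)]  # packet-out back toward s1


def build_forwarding_graph(links, rules, handlers, match):
    """Adjacency sets for packets of one header class."""
    graph = {}
    for r in rules:
        if r.match != match:
            continue
        if r.action == "controller":
            graph.setdefault(r.switch, set()).add(CONTROLLER)
        elif r.action.startswith("output:"):
            nxt = links.get((r.switch, int(r.action.split(":", 1)[1])))
            if nxt is not None:
                graph.setdefault(r.switch, set()).add(nxt)
    for h in handlers:
        if h.match != match:
            continue
        # The packet-out leaves out_switch on out_port and reaches its neighbour.
        nxt = links.get((h.out_switch, h.out_port))
        if nxt is not None:
            graph.setdefault(CONTROLLER, set()).add(nxt)
    return graph


def find_loop(graph):
    """Three-colour DFS; returns the first cycle as a node list, else None."""
    colour, stack = {}, []

    def dfs(u):
        colour[u] = "grey"
        stack.append(u)
        for v in graph.get(u, ()):
            if colour.get(v) == "grey":
                return stack[stack.index(v):] + [v]
            if v not in colour:
                cyc = dfs(v)
                if cyc:
                    return cyc
        stack.pop()
        colour[u] = "black"
        return None

    for node in list(graph):
        if node not in colour:
            cyc = dfs(node)
            if cyc:
                return cyc
    return None


def classify_loop(cycle):
    """'cross-layer' if the loop passes through the controller,
    'data-plane' if it stays on switches, 'none' if there is no loop."""
    if cycle is None:
        return "none"
    return "cross-layer" if CONTROLLER in cycle else "data-plane"


def check_all(links=LINKS, rules=RULES, handlers=HANDLERS):
    """Run the check for every header class present in rules or handlers."""
    matches = sorted({r.match for r in rules} | {h.match for h in handlers})
    result = {}
    for m in matches:
        cyc = find_loop(build_forwarding_graph(links, rules, handlers, m))
        result[m] = (classify_loop(cyc), cyc)
    return result


if __name__ == "__main__":
    for m, (kind, cyc) in check_all().items():
        print(f"{m:8s} {kind:12s} {' -> '.join(cyc) if cyc else ''}")
```

In a live deployment the graph would be rebuilt incrementally as rule updates and packet-out messages arrive, and a cross-layer classification would be the trigger for throttling or rejecting the offending rule; this block only shows the offline graph construction and traversal.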
Keywords:software-defined networking  control plane  data plane  controller-to-switch loop detection  policy consistency check  
This article is indexed in databases including Wanfang Data.
