基于OpenFlow的流量监控架构实践方案

为了解决基于OpenFlow的软件定义网络( software defined network, SDN)架构存在的潜在安全性问题,缓解特定的网络攻击对OpenFlow网络基础设施的威胁,保障OpenFlow网络在存在异常流量状态下的网络性能,在分析OpenFlow协议的安全缺陷的基础上,提出了一种流量监控方案.该方案使用 sFlow 流量采样技术,结合FloodLight开源控制器,通过上层应用更改控制器操作模式并对交换机执行端口限速.实验结果证明：提出的方案在网络受到特定攻击时可以降低控制器负载,过滤攻击产生的Packet In包达99.88%,有效地减小了异常流量对网络中主机及网络本身的影响；能及时监测网络攻击造成的网络异常,并缓解网络攻击对网络整体性能的影响.

Practice Scheme of a Traffic Monitor Architecture Based on OpenFlow

To address potential security issues in OpenFlow-based software defined network, which threat OpenFlow network infrastructures when they are under certain attacks and significantly affect network performance when abnormal traffic exists, this paper investigated security issues in the OpenFlow network and then proposed a traffic monitor architecture. Combining sFlow sampling technology with Floodlight controller, method which mitigated network attacks by changing the controller’ s operational mode and performing rate-limiting in the upper layer application was proposed. Based on the test results, it is proven that the proposed solution reduces controller load dramatically under certain attacks, as it filters 99. 88% Packet In packets originated from attacks, thus effectively reduces effects of abnormal traffic on hosts and network itself. The proposed solution provides real-time attack detection and mitigates attack effects on overall network performance.