一种基于NFV的检测OSPF双LSA攻击的方法

NFV Based Detection Method Against Double LSAs Attack on OSPF Protocol

OSPF协议是因特网中使用最广泛和最成功的内部网关路由协议之一。尽管当前对OSPF协议的安全性已有许多研究,但仍缺乏有效的检测路由欺骗攻击的方法,难以保证网络中OSPF路由的安全性。通过研究OSPF双链路状态通告(LSA)攻击方法的原理,给出了用于确定攻击者的3个必要条件,提出了一种检测OSPF双LSA攻击的方法。基于网络功能虚拟化(NFV)技术,设计实现了检测中间盒与分析服务器用于检测攻击与消除路由污染。检测中间盒负责从各链路捕获相关OSPF分组,将trace记录发送给分析服务器;分析服务器调用检测算法分析处理接收到的trace记录流,若检测到攻击则告警,同时指令检测中间盒来恢复污染路由。原型系统的实验结果表明,所提方法能够在IP网络或NFV网络中准确高效地检测出OSPF双LSA攻击,并且实现的系统具有性价比高、易于部署等优良特点。

The OSPF protocol is one of the most widely used and successful interior gateway routing protocols in the Internet.Although there have been lots of investigations on the security of the OSPF protocol,there is still a lack of effective detection methods against the route spoofing attacks,so it is difficult to ensure the security of the OSPF routing in networks.By studying the principle of the double link state advertisements(LSAs)attack on the OSPF protocol,this paper presented three necessary conditions that are used to detect the attack,and proposed a detection method against the double LSAs attack on the OSPF protocol.Then,a corresponding detection middle box and analysis server used to detect attacks and clear up their routing pollution were designed and implemented based on the network function virtualization(NFV)technology.The detection middle box is responsible for capturing relevant OSPF packets from various links,sending the trace records to the analysis server,and receiving instructions from the analysis server to restore the polluted routes.The analysis server invokes the detection algorithm to analyze and process the trace record stream,and an alarm is given and an instruction is sent to the detection middle box to restore the contaminated routes if an attack is detected.The experimental results of the prototype show that the proposed method can detect the OSPF double LSAs attack in both IP networks or NFV networks accurately and efficiently,and the prototype has excellent characteristics such as high cost performance and easy to deploy.