Abstract
Denial-of-service (DoS) attacks against software-defined networks (SDN) can overflow the limited flow-table space of a switch, so that normal packets can no longer have flow rules installed and suffer forwarding delay and loss. To counter this, a flow-table-overflow protection technique called FloodMitigation was proposed. It manages rate-limited flow-rule installation according to the available flow-table space, capping both the maximum rule-installation rate and the amount of flow-table space that a switch port under DoS attack may occupy, which prevents table overflow. In addition, it selects forwarding paths according to the available flow-table space, balancing flow-table utilization across the switches on multiple candidate paths so that the convergence of new flows during forwarding does not cause a further denial of service on the switch with the least remaining table space. Experimental results show that FloodMitigation effectively mitigates the harm of DoS attacks in terms of preventing switch flow-table overflow, avoiding packet loss, reducing controller resource consumption and keeping packet forwarding delay bounded.
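The two mechanisms described in the abstract (rate-limited rule installation driven by free table space, and path selection driven by the free space of the most loaded switch on each path) are easier to reason about with a concrete controller-side model. The block below is an added illustration, not the paper's FloodMitigation implementation: the token-bucket shape, the choice to scale the refill rate by the fraction of free table space, the 30% per-port quota, the max-min path score, and the flood scenario (port 1 sends 1000 packet-ins per second for 10 s, then port 2 sends one legitimate new flow per second) are all assumptions made to show the behaviour.

```python
# Illustrative model of the two FloodMitigation ideas. Added example; this is
# NOT the paper's implementation. The scaling rules (token-bucket refill rate
# proportional to free table space, fixed per-port quota, max-min path scoring)
# are assumptions chosen to make the behaviour visible.
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    capacity: int                                  # total flow-table slots
    entries: int = 0                               # rules currently installed
    per_port: dict = field(default_factory=dict)   # rules attributed to each ingress port

    def free(self) -> int:
        return self.capacity - self.entries


class PortLimiter:
    """Per-(switch, port) token bucket. The refill rate shrinks in proportion to
    the free flow-table space, and a port may hold at most quota_share of the
    table, so a flooded port is throttled harder as the table fills."""

    def __init__(self, base_rate: float, burst: float, quota_share: float):
        self.base_rate = base_rate      # installs/s allowed when the table is empty
        self.burst = burst              # bucket depth (initial credit for a new port)
        self.quota_share = quota_share  # max fraction of the table one port may occupy
        self.buckets = {}               # (switch name, port) -> (tokens, last seen time)

    def allow(self, sw: Switch, port: int, now: float) -> str:
        key = (sw.name, port)
        tokens, last = self.buckets.get(key, (self.burst, now))
        free_frac = sw.free() / sw.capacity
        tokens = min(self.burst, tokens + (now - last) * self.base_rate * free_frac)
        if sw.free() == 0:
            verdict = "table_full"
        elif sw.per_port.get(port, 0) >= self.quota_share * sw.capacity:
            verdict = "port_quota"
        elif tokens < 1.0:
            verdict = "rate_limited"
        else:
            tokens -= 1.0
            verdict = "install"
        self.buckets[key] = (tokens, now)
        return verdict


def handle_packet_in(sw: Switch, port: int, limiter: PortLimiter, now: float) -> str:
    """Controller decision for one packet-in: install a rule or refuse it."""
    verdict = limiter.allow(sw, port, now)
    if verdict == "install":
        sw.entries += 1
        sw.per_port[port] = sw.per_port.get(port, 0) + 1
    return verdict


def choose_path(paths, switches):
    """Pick the path whose most-loaded switch has the most free slots (max-min),
    so new flows are not funnelled onto a switch that is about to overflow.
    Ties go to the shorter path."""
    return max(paths, key=lambda p: (min(switches[n].free() for n in p), -len(p)))


def simulate_flood(attack_pkts=10_000, normal_pkts=20, capacity=1000):
    """Constructed scenario: port 1 floods 1000 packet-ins/s for 10 s, then
    port 2 sends one legitimate new flow per second. Returns the switch and a
    per-verdict count so the outcome can be checked."""
    sw = Switch("s1", capacity)
    lim = PortLimiter(base_rate=100.0, burst=50.0, quota_share=0.3)
    stats = {}
    for i in range(attack_pkts):
        v = handle_packet_in(sw, 1, lim, now=i / 1000.0)
        stats[v] = stats.get(v, 0) + 1
    for i in range(normal_pkts):
        v = handle_packet_in(sw, 2, lim, now=attack_pkts / 1000.0 + i)
        stats[v] = stats.get(v, 0) + 1
    return {"switch": sw, "stats": stats}


def demo_path_selection():
    """Constructed topology: two candidate paths from s_in to s_out; s_a is
    nearly full (as a switch under attack would be), s_b is lightly loaded."""
    switches = {
        "s_in": Switch("s_in", 1000, entries=100),
        "s_a": Switch("s_a", 1000, entries=950),
        "s_b": Switch("s_b", 1000, entries=300),
        "s_out": Switch("s_out", 1000, entries=400),
    }
    paths = [["s_in", "s_a", "s_out"], ["s_in", "s_b", "s_out"]]
    return choose_path(paths, switches)


if __name__ == "__main__":
    r = simulate_flood()
    print(r["stats"], "entries:", r["switch"].entries, "/", r["switch"].capacity)
    print("chosen path:", demo_path_selection())
```

In the flood scenario the attacking port gets its initial burst installed, is then held to the space-scaled refill rate, and stops at the 300-entry quota, leaving 700 slots free for the legitimate port, whose 20 flows are all installed. The path demo picks the route through s_b because its bottleneck switch has 600 free slots versus 50 on the route through s_a; that is the max-min rule standing in for the paper's available-space path selection.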
Authors
王东滨
吴东哲
智慧
郭昆
张勖
时金桥
张宇
陆月明
WANG Dongbin; WU Dongzhe; ZHI Hui; GUO Kun; ZHANG Xu; SHI Jinqiao; ZHANG Yu; LU Yueming (School of Cyberspace Engineering, Beijing University of Posts and Telecommunications, Beijing 100876, China; Engineering Research Center of Blockchain and Network Convergence Technology, Ministry of Education, Beijing 100876, China; TravelSky Technology Limited, Beijing 100190, China; National Engineering Research Center for Mobile Network, Beijing 100876, China; Zhongguancun Laboratory, Beijing 100094, China; School of Cyberspace Science, Harbin Institute of Technology, Harbin 150001, China; Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518055, China)
Source
《通信学报》 (Journal on Communications)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
2023, No. 2, pp. 1-11 (11 pages)
Funding
National Key Research and Development Program of China (No. 2020YFB1808100)
China University Industry-University-Research Innovation Fund (No. 2021FNA02004)
Keywords
software defined network
denial of service attack
flow table overflow
path selection