Analysis and a Defense Method for Overflow Vulnerability of Flow Tables in Software Defined Networks

Cited by: 0
Authors
Zhou Y. [1]
Chen K. [1]
Leng J. [1]
Hu C. [1]
Affiliations
[1] MOE Key Laboratory for Intelligent Networks and Network Security, Xi'an Jiaotong University, Xi'an
Source
Hsi-An Chiao Tung Ta Hsueh/Journal of Xi'an Jiaotong University | 2017 / Vol. 51 / No. 10
Keywords
Defense method; Flow table overflow; Packing optimization; Software defined networks;
DOI
10.7652/xjtuxb201710009
Abstract
The flow-table capacity of software-defined network (SDN) switches is very limited, which gives rise to a serious flow table overflow vulnerability. To address it, a routing algorithm based on packing optimization is proposed that exploits new characteristics of software-defined networks, and a method for defending against flow table overflow attacks is presented on top of the proposed route aggregation algorithm. First, the traditional radix-tree route aggregation algorithm is used to generate the initial aggregated nodes of the flow table. Then the nodes are divided into several groups according to their flow table rules, and a new forwarding address is obtained for each group by solving a packing optimization problem. Finally, the flow table rules are aggregated again after the forwarding addresses have been modified, so that the number of flow entries in the switch's flow table is effectively reduced and the overflow attack is defended against. Experimental results show that the proposed method achieves a flow table aggregation rate of 54.9%, better than that of the classical radix-tree algorithm, and that the number of attack packets required to cause a flow table overflow increases by 125.8%. The results show that the proposed method significantly raises the difficulty of mounting a flow table overflow attack, so that the flow table overflow vulnerability is effectively alleviated and the ability to defend against related attacks is enhanced. © 2017, Editorial Office of Journal of Xi'an Jiaotong University. All rights reserved.
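The radix-tree aggregation step described in the abstract, as an added example (not the paper's code): a binary radix tree over destination prefixes that merges sibling prefixes carrying the same output port and drops rules shadowed by an identical covering rule, followed by a check that forwarding is unchanged and a simple model of how the freed entries raise the number of attack packets needed to exhaust the table. The sample table, the 64-entry capacity, the port names and the reactive per-flow installation model are constructed assumptions; the paper's grouping of nodes and packing optimization of forwarding addresses is not implemented here.

```python
"""Radix-tree aggregation of destination-prefix flow rules and the resulting
overflow headroom. Added example: only the classic radix-tree step (sibling
merge plus redundant-rule removal) is implemented; the paper's packing
optimisation of forwarding addresses is not reproduced."""
import ipaddress
import random
from typing import List, Optional, Tuple

Rule = Tuple[str, str]  # (destination prefix, forwarding action / output port)

# Constructed sample flow table (hypothetical, not taken from the paper).
SAMPLE_TABLE: List[Rule] = [
    ("10.0.0.0/8", "port1"), ("10.1.0.0/16", "port1"),        # /16 is shadowed by /8
    ("10.2.0.0/16", "port2"), ("10.3.0.0/16", "port2"),       # siblings -> 10.2.0.0/15
    ("10.2.128.0/17", "port2"),                               # then shadowed by the /15
    ("192.168.0.0/24", "port3"), ("192.168.1.0/24", "port3"),
    ("192.168.2.0/24", "port3"), ("192.168.3.0/24", "port3"), # four /24 -> one /22
    ("172.16.0.0/12", "port1"), ("172.16.5.0/24", "port2"),   # different action: kept
]
CAPACITY = 64  # hypothetical flow-table capacity used by the overflow model


class Node:
    __slots__ = ("children", "action")

    def __init__(self) -> None:
        self.children: List[Optional["Node"]] = [None, None]
        self.action: Optional[str] = None


def build_trie(rules: List[Rule]) -> Node:
    """Binary radix tree keyed by the destination-prefix bits."""
    root = Node()
    for prefix, action in rules:
        net = ipaddress.IPv4Network(prefix)
        node, base = root, int(net.network_address)
        for i in range(net.prefixlen):
            b = (base >> (31 - i)) & 1
            if node.children[b] is None:
                node.children[b] = Node()
            node = node.children[b]
        node.action = action
    return root


def lookup(root: Node, addr: str) -> Optional[str]:
    """Longest-prefix match; None means no flow entry matches (table miss)."""
    a, node, best = int(ipaddress.IPv4Address(addr)), root, root.action
    for i in range(32):
        node = node.children[(a >> (31 - i)) & 1]
        if node is None:
            break
        if node.action is not None:
            best = node.action
    return best


def _merge_siblings(node: Node) -> None:
    """Post-order: two siblings with equal actions collapse into their parent.
    Safe even if the parent had an action: the siblings cover it exactly."""
    for child in node.children:
        if child is not None:
            _merge_siblings(child)
    left, right = node.children
    if left is not None and right is not None and left.action is not None \
            and left.action == right.action:
        node.action, left.action, right.action = left.action, None, None


def _drop_redundant(node: Node, inherited: Optional[str]) -> bool:
    """Pre-order: a rule equal to its nearest covering rule is redundant.
    Returns whether the subtree still holds a rule; empty subtrees are pruned."""
    if node.action == inherited:
        node.action = None
    inherited = node.action if node.action is not None else inherited
    keep = node.action is not None
    for i, child in enumerate(node.children):
        if child is not None:
            if _drop_redundant(child, inherited):
                keep = True
            else:
                node.children[i] = None
    return keep


def aggregate(rules: List[Rule]) -> List[Rule]:
    """Forwarding-equivalent rule set with fewer entries (pre-order of the tree)."""
    root = build_trie(rules)
    _merge_siblings(root)
    _drop_redundant(root, None)
    out: List[Rule] = []

    def walk(node: Node, value: int, depth: int) -> None:
        if node.action is not None:
            out.append((f"{ipaddress.IPv4Address(value << (32 - depth))}/{depth}", node.action))
        for b, child in enumerate(node.children):
            if child is not None:
                walk(child, (value << 1) | b, depth + 1)

    walk(root, 0, 0)
    return out


def equivalent(before: List[Rule], after: List[Rule], seed: int = 1) -> bool:
    """Both tables must forward identically on prefix edges and random probes."""
    rng, t1, t2 = random.Random(seed), build_trie(before), build_trie(after)
    probes = [ipaddress.IPv4Address(rng.getrandbits(32)) for _ in range(2000)]
    for prefix, _ in before:
        net = ipaddress.IPv4Network(prefix)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        probes += [net.network_address, net.broadcast_address]
        probes += [ipaddress.IPv4Address(rng.randint(lo, hi)) for _ in range(8)]
    return all(lookup(t1, str(p)) == lookup(t2, str(p)) for p in probes)


def packets_to_exhaust(table_size: int, capacity: int) -> int:
    """Attack packets needed to fill the table when each new destination installs
    one exact-match entry (reactive installation; a constructed model)."""
    return max(0, capacity - table_size)


def attack_cost_increase(size_before: int, size_after: int, capacity: int) -> float:
    """Relative increase in attack packets needed after aggregation."""
    return packets_to_exhaust(size_after, capacity) / packets_to_exhaust(size_before, capacity) - 1.0


if __name__ == "__main__":
    agg = aggregate(SAMPLE_TABLE)
    assert equivalent(SAMPLE_TABLE, agg)
    print(f"{len(SAMPLE_TABLE)} rules -> {len(agg)} rules: {agg}")
    print(f"attack packets to exhaust: {packets_to_exhaust(len(SAMPLE_TABLE), CAPACITY)} -> "
          f"{packets_to_exhaust(len(agg), CAPACITY)} "
          f"(+{100 * attack_cost_increase(len(SAMPLE_TABLE), len(agg), CAPACITY):.1f}%)")
```

The equivalence check is the part a practitioner should not skip: aggregation changes the table the switch holds, so any bug in the merge or shadowing logic silently misroutes traffic. The overflow model is deliberately coarse; it only shows that every entry the aggregation frees is one more entry an attacker must force the controller to install.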
Pages: 53-58
Page count: 5