ARSAO:一种通用的检测与防御 OSPF 路由欺骗的机制-《计算机技术与发展》

文章信息/Info

Title:: ARSAO:A General Detection and Defense Mechanism Against Routing Spoofing Attacks on OSPF Protocol

Author(s):: LI Peng-fei; CHEN Ming; QIAN Hong-yan; School of Computer Science and Technology,Nanjing University of Aeronautics and Astronautics,Nanjing 211106,China

Keywords:: OSPF route spoofing attack; detection and defense method; system structure; network function virtualization

摘要:: OSPF 路由欺骗对 OSPF 路由协议构成严重的安全威胁,目前还没有全面有效的攻击检测和防御方法。文中首先分析比较了目前主要的 OSPF 路由欺骗攻击,将攻击分为引起反击和不引起反击两类,由此提出了两类 OSPF 路由欺骗攻击的检测算法和防御机制 ARSAO(against the routing spoofing attacks on the OSPF protocol);其次,提出了一种通用的系统结构,能够支持检测与防御这两类 OSPF 路由欺骗攻击;并且基于网络功能虚拟化(NFV)技术设计实现了具有上述系统架构的原型系统。实验结果表明,在网络时延和丢包非极端的情况下,该系统和相关技术不仅能够准确、高效地检测出多种OSPF 路由欺骗攻击,并且能够及时防御与恢复污染路由;基于 NFV 的 ARSAO 系统具有经济性、灵活性和易于部署等优点,能够用于 NFV 网络以保障该网络 OSPF 协议的安全性。

Abstract:: OSPF route spoofing poses a serious security threat to OSPF routing protocols. Currently,there is no comprehensive and effective attack detection and defense method yet. We first analyze and compare the current major OSPF route spoofing attacks,and separate the attacks into having counterattacks and having no counterattacks respectively,and then propose two types of OSPF route spoofing attack detection algorithms and defense mechanisms ARSAO (against the routing spoofing attacks on the OSPF protocol). Secondly,a general system structure is proposed to support both detection and defense OSPF route spoofing attacks. Third,a prototype system with the above system architecture is designed based on network function virtualization (NFV) technology. The experiment shows that in the case of network delay and packet loss are not extreme,the system and related technologies can not only detect multiple OSPF route spoofing attacks accurately and efficiently,but also defend and recover pollution routes in time. The NFV-based ARSAO system is economical,flexible and easy to deploy,which can be used in an NFV network to secure the OSPF protocol of the network.