[1] ZHANG Zhao-jun, HAN Li. Moving Target Defense Mechanism Based on OpenFlow Switch Port Obfuscation [J]. Computer Technology and Development, 2020, 30(12): 106-111. [doi:10.3969/j.issn.1673-629X.2020.12.019]
Moving Target Defense Mechanism Based on OpenFlow Switch Port Obfuscation

Computer Technology and Development [ISSN:1006-6977/CN:61-1281/TN]

Volume: 30
Issue: 2020, No. 12
Pages: 106-111
Column: Security and Prevention
Publication date: 2020-12-10

Article Info

Title:
Moving Target Defense Mechanism Based on OpenFlow Switch Port Obfuscation
Article number:
1673-629X(2020)12-0106-06
Authors (Chinese):
张昭俊, 韩俐
Author(s):
ZHANG Zhao-jun, HAN Li
School of Computer Science and Engineering, Tianjin University of Technology, Tianjin 300384, China
Keywords:
software defined network; data plane; moving target defense; OpenFlow; port obfuscation
CLC number:
TP393
DOI:
10.3969/j.issn.1673-629X.2020.12.019
Abstract:
Illegal access by data plane nodes in a software defined network can lead to denial-of-service attacks or man-in-the-middle attacks that steal and tamper with information. To prevent unauthorized OpenFlow switches from accessing the network and harming network services, we propose a moving target defense mechanism that uses the header information of packets in the network to dynamically obfuscate the ports of OpenFlow switches. The switch obfuscates port numbers dynamically according to the number of times the controller delivers flow rules and, based on the port lifetime, uses information such as the port and IP address in the header of the packet currently being processed as the seed for the next round of port obfuscation, which ensures sufficient randomness of the obfuscated port numbers and effectively improves the dynamism of the network. We also propose synchronizing port obfuscation between the controller and the switch through the flow_mod message already exchanged between them, which not only keeps the data forwarding ports of both parties consistent but also removes the overhead of a separate synchronization step. Simulation results show that an unauthorized switch cannot correctly parse flow entries containing obfuscated port numbers, which effectively prevents it from launching network attacks.
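The following is an added illustration of the idea in the abstract, not the paper's own algorithm or code: a controller and a legitimate switch keep a shared secret and count flow_mod messages in lockstep, re-deriving a keyed port mapping every few flow_mods from the match fields of the flow_mod just handled, so a rogue switch without the secret cannot resolve the obfuscated out_port in a flow entry. The rotation interval, port set, keys and match fields are constructed for the example.

```python
import hashlib
import hmac
import json

ROTATE_EVERY = 3               # flow_mods per obfuscation round (constructed)
PHYSICAL_PORTS = [1, 2, 3, 4]  # switch ports to hide (constructed)


class PortObfuscator:
    # Lockstep state kept by the controller and a legitimate switch: both count
    # flow_mods, and every ROTATE_EVERY messages the match fields (header info of
    # the triggering packet) seed the next round, so no extra sync message is needed.
    def __init__(self, key: bytes, seed: bytes = b"round-0"):
        self.key, self.seed, self.flow_mods = key, seed, 0
        self.port_map = self._derive()

    def _derive(self) -> dict:
        # physical port -> 16-bit obfuscated port, keyed by secret and round seed
        return {p: int.from_bytes(hmac.new(self.key, self.seed + bytes([p]),
                                           hashlib.sha256).digest()[:2], "big")
                for p in PHYSICAL_PORTS}

    def on_flow_mod(self, match: dict) -> None:
        self.flow_mods += 1
        if self.flow_mods % ROTATE_EVERY == 0:
            header = json.dumps(match, sort_keys=True).encode()
            self.seed = hmac.new(self.key, self.seed + header, hashlib.sha256).digest()
            self.port_map = self._derive()

    def obfuscate(self, port: int) -> int:
        return self.port_map[port]

    def resolve(self, obf_port: int):
        # obfuscated out_port -> physical port, or None if not in this round's map
        return next((p for p, o in self.port_map.items() if o == obf_port), None)


def simulate(rounds: int = 6) -> dict:
    key = b"constructed-shared-secret"
    controller, switch = PortObfuscator(key), PortObfuscator(key)
    rogue = PortObfuscator(b"rogue-without-secret")  # unauthorized switch
    legit = rogue_hits = 0
    for i in range(rounds):
        match = {"ipv4_src": f"10.0.0.{i + 1}", "ipv4_dst": "10.0.0.100",
                 "tcp_src": 40000 + i, "tcp_dst": 80}
        out_port = PHYSICAL_PORTS[i % len(PHYSICAL_PORTS)]
        obf = controller.obfuscate(out_port)        # flow_mod carries only obf
        legit += switch.resolve(obf) == out_port    # resolve with the current map
        rogue_hits += rogue.resolve(obf) == out_port
        for node in (controller, switch, rogue):    # then every node counts the flow_mod
            node.on_flow_mod(match)
    return {"legit_correct": legit, "rogue_correct": rogue_hits, "rounds": rounds}
```

Running `simulate()` shows the legitimate switch resolving every entry while the rogue switch resolves none, and the mapping changes after each rotation without any message beyond the flow_mod itself.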


Last Update: 2020-12-10