Port-hopping-based SDN network defense technology
Details
  • English title: Port hopping based SDN network defense technology
  • Authors: Tang Xiucun; Zhang Liancheng; Shi Xiaomin; Xu Lianghua
  • English author listing: Tang Xiucun; Zhang Liancheng; Shi Xiaomin; Xu Lianghua; Jiangnan Institute of Computing Technology; State Key Laboratory of Mathematical Engineering & Advanced Computing
  • Keywords: software-defined network; denial of service attack; port hopping; moving target defense; controller; timestamp feedback
  • English keywords: software defined network; denial of service attack; port hopping; moving target defense; controller; timestamp feedback
  • Chinese journal code: JSYJ
  • English journal title: Application Research of Computers
  • Institutions: Jiangnan Institute of Computing Technology; State Key Laboratory of Mathematical Engineering & Advanced Computing
  • Publication date: 2015-11-25 10:23
  • Publisher: 计算机应用研究 (Application Research of Computers)
  • Year: 2016
  • Issue: v.33; No.300
  • Funding: National Natural Science Foundation of China Youth Fund projects (61402525, 61402526); National "863" Program project (2012AA012902)
  • Language: Chinese
  • Page: JSYJ201610048
  • Page count: 5
  • CN: 10
  • ISSN: 51-1196/TP
  • Classification number: 209-213
Abstract
Port hopping is a typical moving target defense technique: it continuously changes the service port to hide the service's identifying characteristics and confuse attackers. Exploiting the logically centralized control and network programmability of SDN, this paper proposes a port-hopping-based SDN network defense technique. Having the SDN controller take over the server's port-hopping function not only reduces the server's load, but also allows malicious packets to be detected and filtered early, and resists internal attackers. Theoretical analysis and experimental results show that the proposed technique adds little load to the SDN controller and can effectively resist DoS attacks.
Port hopping is a typical moving target defense technique that constantly changes the service port number to hide service identification and confuse potential attackers. Using the logically centralized control and network programmability of SDN, this paper proposes a port-hopping-based SDN network defense technique in which the SDN controller implements the port-hopping function. The proposed technique not only relieves the protected server of the load caused by port hopping, but also detects and filters malicious packets early, and it can defend against internal attackers. Theoretical analysis and experimental results show that the proposed technique can effectively resist DoS attacks without adding much load on the SDN controller.