Control Plane Saturation Attack Defense Method Based on Switch Migration
Software-defined networking (SDN), with its flexibility, is widely applied in a variety of network scenarios. However, because the control plane is centralized and has limited resources, control plane saturation attacks have become the most serious security threat to such networks. A control plane saturation attack is a special form of DDoS attack: it aims to exhaust the computing resources of the controller, disrupt the flow rules the controller issues, and ultimately paralyze the network. In a traditional network a DDoS attack mainly affects a single network node; in an SDN, once a controller is attacked, every switch in its subdomain loses its ability to function, and the outage can trigger larger cascading failures. In recent years scholars have proposed many innovations to improve the security of distributed SDN. Most of this work, however, relies on elastic expansion and dynamic mapping, continually adding and deleting devices or changing the network's mapping configuration, which raises the cost of defense and reduces network reliability. Moreover, such complex configurations run counter to the original intention of SDN and make the network harder to manage. This article proposes a defense method against control plane saturation attacks based on switch migration. First, we analyze the sources of controller load in SDN and build a computational load model that covers northbound, southbound, and horizontal (inter-controller) overheads, giving a complete view of controller load. A threshold detection mechanism continuously monitors this load, enabling real-time detection of saturation in the control plane. Next, we combine flow table statistics with spatial feature maps to construct a migration coefficient; this coefficient depends on factors such as the average packet count, the ratio of upstream to downstream traffic, and the criticality of individual switches, and it allows us to pinpoint the switches that lie on potential attack paths. Finally, a switch migration policy quickly relocates the identified switches to subdomains governed by controllers with lower load. The migration both relieves the single-point-of-failure risk at the compromised controller and improves the network's overall resilience and defensive capability. Our experimental validation shows that the offense and defense in a control plane saturation attack fundamentally constitute a resource competition game: by allocating resources strategically, the impact of the attack can be effectively mitigated. The proposed method is also flexible and adaptive, selecting migration targets and executing migrations dynamically according to real-time resource and network conditions. Across multiple sets of experiments the method effectively alleviates control plane saturation attacks on different topologies: the average number of controller saturation events decreases by 90% and 65%, respectively, and both the preferred-target migration rate and the single-migration rate exceed 70%, which avoids cascading failures. Compared with other methods, it has the lowest load standard deviation about 64% of the time, reduces the total number of migrations by at least 11%, and lowers the migration time cost by at least 60%.
Keywords: software defined network; control plane; control plane saturation attacks; proactive defense; switch migration
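To make the detection-and-migration loop described in the abstract concrete, the following Python simulation is an added illustration and is not the authors' implementation. The abstract gives only the structure of the load model (northbound, southbound and horizontal overheads), of the threshold detector, and of the migration coefficient (average packet count, up/down traffic ratio, switch criticality); the weights, the coefficient formula, the direction in which criticality is applied, the `Controller` and `SwitchStats` classes, the topology and every traffic figure below are assumptions constructed for this example.

```python
"""Added illustration of threshold-based saturation detection and switch
migration in a distributed SDN control plane. Not the authors' code: the load
weights, the coefficient formula and the sample topology are assumptions."""
from dataclasses import dataclass, field

@dataclass
class SwitchStats:
    name: str
    packet_in_rate: float    # Packet-In messages/s sent to its controller
    avg_packet_count: float  # mean packets per flow entry (from flow-table stats)
    up_down_ratio: float     # upstream/downstream traffic ratio (1.0 = balanced)
    criticality: float       # 0..1 topological importance (assumed scale)

@dataclass
class Controller:
    name: str
    capacity: float            # load units the controller can sustain
    app_requests: float = 0.0  # northbound API requests/s
    peers: int = 0             # peer controllers it synchronises with (horizontal)
    switches: list[SwitchStats] = field(default_factory=list)

# Assumed weights of the three load sources; the paper does not publish these.
W_NORTH, W_SOUTH, W_HORIZ = 1.0, 1.0, 0.5

def controller_load(c: Controller) -> float:
    """Northbound + southbound + horizontal overhead (assumed linear model)."""
    north = W_NORTH * c.app_requests
    south = W_SOUTH * sum(s.packet_in_rate for s in c.switches)
    horiz = W_HORIZ * c.peers * len(c.switches)  # state synced per switch per peer
    return north + south + horiz

def is_saturated(c: Controller, threshold: float = 0.8) -> bool:
    """Threshold detector: load above a fraction of capacity means saturation."""
    return controller_load(c) > threshold * c.capacity

def migration_coefficient(s: SwitchStats) -> float:
    """Assumed coefficient: a saturation flood shows up as a high Packet-In rate
    made of flows carrying very few packets plus a skewed up/down ratio; more
    critical switches rank higher so they leave the endangered controller first
    (the sign of the criticality term is an assumption, not the paper's)."""
    flow_anomaly = s.packet_in_rate / (1.0 + s.avg_packet_count)
    ratio_skew = abs(s.up_down_ratio - 1.0)
    return flow_anomaly * (1.0 + ratio_skew) * (1.0 + s.criticality)

def rank_candidates(c: Controller) -> list[str]:
    """Switch names ordered by descending migration coefficient."""
    return [s.name for s in sorted(c.switches, key=migration_coefficient, reverse=True)]

def can_absorb(dst: Controller, s: SwitchStats, threshold: float) -> bool:
    """Would dst stay under the saturation threshold after taking s?"""
    projected = controller_load(dst) + W_SOUTH * s.packet_in_rate + W_HORIZ * dst.peers
    return projected <= threshold * dst.capacity

def defend(controllers: list[Controller], threshold: float = 0.8) -> list[tuple[str, str, str]]:
    """Migration policy: for each saturated controller, move its highest-ranked
    switch to the least-loaded controller that can absorb it without saturating;
    repeat until nothing is saturated or nothing fits. Returns (switch, src, dst)."""
    log = []
    while True:
        moved = False
        for src in [c for c in controllers if is_saturated(c, threshold)]:
            targets = sorted((c for c in controllers if c is not src), key=controller_load)
            for s in sorted(src.switches, key=migration_coefficient, reverse=True):
                dst = next((t for t in targets if can_absorb(t, s, threshold)), None)
                if dst is not None:
                    src.switches.remove(s)
                    dst.switches.append(s)
                    log.append((s.name, src.name, dst.name))
                    moved = True
                    break
        if not moved:
            return log

def build_scenario() -> list[Controller]:
    """Constructed sample topology, not measured data: s1 on c1 is receiving a
    Packet-In flood (many one-packet flows, heavily upstream-skewed)."""
    c1 = Controller("c1", capacity=1000, app_requests=100, peers=2, switches=[
        SwitchStats("s1", packet_in_rate=600, avg_packet_count=1.2, up_down_ratio=8.0, criticality=0.6),
        SwitchStats("s2", packet_in_rate=100, avg_packet_count=40, up_down_ratio=1.1, criticality=0.3),
        SwitchStats("s3", packet_in_rate=150, avg_packet_count=35, up_down_ratio=0.9, criticality=0.9),
    ])
    c2 = Controller("c2", capacity=1000, app_requests=50, peers=2, switches=[
        SwitchStats("s4", packet_in_rate=120, avg_packet_count=30, up_down_ratio=1.0, criticality=0.4),
    ])
    c3 = Controller("c3", capacity=1000, app_requests=80, peers=2, switches=[
        SwitchStats("s5", packet_in_rate=200, avg_packet_count=25, up_down_ratio=1.2, criticality=0.5),
        SwitchStats("s6", packet_in_rate=150, avg_packet_count=30, up_down_ratio=0.8, criticality=0.2),
    ])
    return [c1, c2, c3]

def run_demo(threshold: float = 0.8):
    """Detect saturation, migrate, and report rounded loads before and after."""
    ctrls = build_scenario()
    before = {c.name: round(controller_load(c)) for c in ctrls}
    log = defend(ctrls, threshold)
    after = {c.name: round(controller_load(c)) for c in ctrls}
    return before, log, after
```

In the constructed scenario `c1` starts at 953 load units against an 800-unit threshold; the flooded switch `s1` has by far the highest coefficient and is moved to `c2`, the least-loaded controller, which lands at 772 and therefore stays below the threshold, so a single migration clears the saturation without pushing the problem onto another controller. A target that would itself cross the threshold is skipped, which is the check that keeps the migration from turning one saturated controller into two.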