软件定义网络DDoS攻击问题研究

doi:10.12267/j.issn.2096-5931.2025.01.009

摘要/Abstract

摘要：

作为一种新的网络体系架构,SDN已经得到业界广泛认可并被大规模应用和部署,但其本身却因集中控制等体系架构方面的原因成为DDoS攻击的主要目标,对SDN及有关应用造成较大危害。以SDN中的DDoS攻击问题为研究对象,首先总结了SDN体系架构存在的DDoS攻击潜在风险,分析了现阶段SDN所主要面临的DDoS攻击形式;其次,介绍了目前业界检测和防御DDoS攻击的主要解决方案,探讨了当前DDoS攻击检测和防御研究中主要存在的问题;最后,对下一步有关研究工作进行了展望。

关键词: 软件定义网络, 分布式拒绝服务, OpenFlow, 统计分析, 机器学习

Abstract:

As a new network architecture, SDN has been widely recognized in the industry and widely applied and deployed on a large scale. However, SDN has become the main target of DDoS attacks due to its centralized control mode, causing significant harm to SDN networks and related applications. This paper takes DDoS attacks in SDN as the research object. Firstly, the potential risks of DDoS attacks in SDN network architecture are summarized and the main forms of DDoS attacks faced by SDN at present are analyzed. Then, the main solutions for detecting and defending against DDoS attacks in the industry are introduced and the main problems in current research on DDoS attacks are discussed. Finally, the future research work of DDoS attack in SDN is discussed.

Key words: SDN, DDoS, OpenFlow, statistical analysis, machine learning

中图分类号:

TN929.11

张健, 朱丹. 软件定义网络DDoS攻击问题研究[J]. 信息通信技术与政策, 2025, 51(1): 56-63.

ZHANG Jian, ZHU Dan. Research on DDoS attack in SDN[J]. Information and Communications Technology and Policy, 2025, 51(1): 56-63.

导出引用管理器 EndNote|Ris|BibTeX

链接本文:

http://ictp.caict.ac.cn/CN/10.12267/j.issn.2096-5931.2025.01.009

http://ictp.caict.ac.cn/CN/Y2025/V51/I1/56

图/表 4

参考文献 28

[1]	KUMAR A, SOMANI G. DDoS at a glance: attack launch to solutions[J]. IT Professional, 2023, 25(3): 36-42.
[2]	SHARMA A K, KUMAR R. A comprehensive survey of DDoS attacks: evolution, mitigation and emerging trend[C]// 2024 3rd International Conference on Power Electronics and IoT Applications in Renewable Energy and its Control. Mathura:IEEE, 2024(3):185-188.
[3]	ZAYO. Protecting your business from cyber attacks: the state of DDoS attacks[R], 2024.
[4]	Stanford University. Clean slate program[EB/OL]. 2006[2024-05-10]. http://cleanslate.stanford.edu/.
[5]	JIMÉNEZ M B, FERNÁNDEZ D, JORGE E, et al. A survey of the main security issues and solutions for the SDN architecture[J]. IEEE Access, 2021, 9:122016-122038.
[6]	张健, 曹珩, 王哲. 软件定义网络体系架构安全问题研究[J]. 信息通信技术与政策, 2023, 49(2):35-42.
[7]	RASOOL R, WANG H, ASHRAF U. A survey of link flooding attacks in software defined network ecosystems[J]. Journal of Network and Computer Applications, 2020, 172: 102803.
[8]	VAUGHAN-NICHOLS S J. OpenFlow: the next generation of the network[J]. Computer, 2022, 44(8):13-15.
[9]	Open Networking Foundation. OpenFlow switch specification (Version 1.5.1)[R], 2015.
[10]	王丽君, 刘永强, 张健. 基于OpenFlow的未来互联网试验技术研究[J]. 电信网技术, 2011, 37(6):1-4.
[11]	TUSSHAR U, ANKIT K J. Survey on DDoS attack techniques and solutions in software-defined network[M]//GUPTA B B, PEREZ G M, AGRAWAL D P. Handbook of computer networks and cyber security. Berlin: Springer International Publishing, 2020:389-419.
[12]	KLYMASH M, SHPUR O, PELEH N, et al. Concept of intelligent detection of DDoS attacks in SDN networks using machine learning[C]// 2020 IEEE International Conference on Problems of Infocommunications, Science and Technology. Kharkiv:IEEE, 2020:609-612.
[13]	KAUR S, KUMAR K, AGGARWAL N, et al. A comprehensive survey of DDoS defense solutions in SDN: taxonomy, research challenges, and future directions[J]. Computers & Security, 2021, 110:102423.
[14]	SINGH J, BEHAL S. Detection and mitigation of DDoS attacks in SDN: a comprehensive review, research challenges and future directions[J]. Computer Science Review, 2020, 37:1-24.
[15]	陈豪杰, 贾创辉, 邵维专. SDN环境下DDoS攻击检测研究进展[J]. 现代计算机, 2019(2):47-51.
[16]	李传煌, 吴艳, 钱正哲, 等. SDN下基于深度学习混合模型的DDoS攻击检测与防御[J]. 通信学报, 2018, 39(7):1-12.
[17]	李春江, 尹少平, 池浩田, 等. SDN中基于统计与集成自编码器的DDoS攻击检测模型[J]. 计算机科学, 2024(3):1-13.
[18]	贾锟, 王君楠, 刘峰. SDN环境下的DDoS检测与缓解机制[J]. 信息安全学报, 2021, 6(1):18-29.
[19]	WANG H, LI Y. Overview of DDoS attack detection in software-defined networks[J]. IEEE Access, 2024, 12:38351-38381.
[20]	MISHRA A, GUPTA N, GUPTA B. Defense mechanisms against DDoS attack based on entropy in SDN-cloud using POX controller[J]. Telecommunication Systems, 2021, 77(1):47-62.
[21]	赵普, 赵文涛, 付章杰. 基于Renyi熵的SDN自主防护系统[J]. 网络与信息安全学报, 2021, 7(3): 85-94.
[22]	傅友, 邹东升. SDN中基于条件熵和决策树的DDoS攻击检测方法[J]. 重庆大学学报, 2023, 46(7):1-8.
[23]	REVATHI M, RAMALINGAM V, AMUTHA B. A machine learning based detection and mitigation of the DDoS attack by using SDN controller framework[J]. Wireless Personal Communications, 2022, 127(3):2417-2441.
[24]	ZHU L, TANG X, SHEN M, et al. Privacy-preserving DDoS attack detection using cross-domain traffic in software defined networks[J]. IEEE Journal on Selected Areas in Communications, 2018, 36(3):628-643.
[25]	XU Y, LIU Y. DDoS attack detection under SDN context[C]// The 35th Annual IEEE International Conference on Computer Communications. San Francisco: IEEE, 2016, 35:1-9.
[26]	ITAGI V, JAVALI M, MADHUKESHWAR H, et al. DDoS attack detection in SDN environment using bi-directional recurrent neural network[C]// 2021 IEEE International Conference on Distributed Computing, VLSI, Electrical Circuits and Robotics. Nitte:IEEE, 2021:123-128.
[27]	WANG J, LIU J. Deep learning for securing software-defined industrial internet of things: attacks and countermeasures[J]. IEEE Internet of Things Journal, 2022, 9(13):11179-11189.
[28]	白坚镜, 顾瑞春, 刘清河. SDN环境中基于Bi-LSTM的DDoS攻击检测方案[J]. 计算机工程与科学, 2023, 45(2):277-285.

攻击位置	主要攻击方式	主要危害
数据平面	缓冲区饱和	非法数据包转发至控制器,消耗控制器资源
	流表溢出	合法用户数据流规则无法被存储
	交换机欺骗	非法交换机取代合法交换机
控制平面	Packet_In数据包洪泛	向控制器发送大量Packet_In消息,导致控制器过载
	控制器饱和	消耗控制器资源,无法处理新请求,或导致网络宕机
	控制器劫持	伪造主机取代合法控制器调度和分配网络资源
应用平面	未授权应用程序	非法应用获得网络资源访问权限,致使网络性能下降
应用平面	应用程序级攻击	基于某种应用程序,通过资源密集型请求,造成攻击
接口	南向接口拥塞	向控制器转发数据,消耗带宽资源,造成接口堵塞
接口	北向接口带宽耗尽	非法应用发送大量资源请求消息,耗尽接口带宽资源

攻击位置	主要攻击方式	主要危害
数据平面	缓冲区饱和	非法数据包转发至控制器,消耗控制器资源
	流表溢出	合法用户数据流规则无法被存储
	交换机欺骗	非法交换机取代合法交换机
控制平面	Packet_In数据包洪泛	向控制器发送大量Packet_In消息,导致控制器过载
	控制器饱和	消耗控制器资源,无法处理新请求,或导致网络宕机
	控制器劫持	伪造主机取代合法控制器调度和分配网络资源
应用平面	未授权应用程序	非法应用获得网络资源访问权限,致使网络性能下降
应用平面	应用程序级攻击	基于某种应用程序,通过资源密集型请求,造成攻击
接口	南向接口拥塞	向控制器转发数据,消耗带宽资源,造成接口堵塞
接口	北向接口带宽耗尽	非法应用发送大量资源请求消息,耗尽接口带宽资源