CN110247899B - System and method for detecting and relieving ARP attack based on SDN cloud environment - Google Patents


Info

Publication number: CN110247899B
Authority: CN (China)
Prior art keywords: arp, sdn switch, port, packet, host
Legal status: Active
Application number: CN201910448147.XA
Other languages: Chinese (zh)
Other versions: CN110247899A (en)
Inventors: 伏晓, 孙思娴, 骆斌
Current assignee: Nanjing University
Original assignee: Nanjing University

Events
Application filed by Nanjing University
Priority to CN201910448147.XA
Publication of CN110247899A
Application granted
Publication of CN110247899B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a system and a method for detecting and mitigating ARP attacks in an SDN cloud environment. The system comprises a network information maintenance module, a real-time detection and defense module, a timing monitoring and mitigation module and a flow entry control module. The method comprises the following stages: a start-up stage; a network information acquisition stage; a real-time ARP attack detection and defense stage; and a periodic ARP attack monitoring and mitigation stage. The invention uses SDN technology to inspect both ARP request packets and ARP reply packets. By analysing the ARP packets it detects ARP spoofing attacks in real time and discards the forged packets so that the spoofing cannot damage a host; by periodically collecting ARP traffic and inspecting the traffic statistics of the ports of the edge SDN switches it distinguishes ARP storm attacks, blocks the traffic of the offending port in time and mitigates the impact of the ARP storm on the cloud network, thereby comprehensively protecting the security of the cloud computing network.

Description

System and method for detecting and relieving ARP attack based on SDN cloud environment
Technical Field
The invention belongs to the technical field of network security, relates to cloud network security technology, and in particular to an Address Resolution Protocol (ARP) attack detection and mitigation system based on a Software Defined Network (SDN) and a method for implementing it.
Background
Cloud computing is a widely used form of service provision: users obtain servers, platforms, applications and other computing resources on demand from a resource pool operated by a cloud provider. Users can store data and use services on the cloud conveniently and safely, because the cloud provider maintains the cloud platform and applies a range of techniques to secure the services the users consume. Cloud computing has therefore become a foundational technology that companies worldwide depend on, and the security of cloud networks is at the same time a current hotspot problem.
Conventional networks are distributed networks without a centralized control node: each network device uses its own configuration and algorithms to process data and forward packets. SDN, by contrast, separates the control plane from the data plane. The controller executes all algorithms and installs flow entries on the SDN switches to direct their behaviour; the network device (typically an SDN switch) only has to process the packets it receives according to its own flow entries. With SDN, the manager of a cloud network can control and manage every device in the whole network more conveniently. Moreover, the SDN controller exposes an open-source Application Programming Interface (API) to software developers, who can build different applications on it to realise different network functions and meet user requirements. Cloud computing has a great need for SDN's ability to rapidly change the network architecture through programmable devices, which gives it network and computing elasticity. The administrator of the cloud network can also improve cloud computing performance by exercising finer-grained control over the whole network. Finally, SDN can be used to enhance network security in the cloud, since it can analyse network traffic and control network devices to detect attacks and take countermeasures.
ARP is a protocol of the TCP/IP protocol suite, at the network layer, that is responsible for finding the MAC address corresponding to an IP address. In a network, a host can communicate directly with another host only when it knows the MAC address of the target host. The most basic function of ARP is therefore: given the IP address of the target host, find the corresponding MAC address so that the hosts can communicate. Every host running TCP/IP keeps its own ARP cache table, which holds the mapping between the IP addresses and MAC addresses of other hosts. When a host receives an ARP request, it looks up its ARP cache table and updates it with the mapping carried in the ARP request packet. When a host receives an ARP reply, it updates its ARP cache table with the mapping carried in the ARP reply packet. In neither case can the host verify the authenticity of the ARP packet before updating its cache; that is, ARP has no security mechanism to ensure the security and integrity of the data. Because this underlying protocol is used by every host in the network, the negative impact of ARP abuse is large and may lead to other, more serious attacks such as denial of service (DoS) attacks and man-in-the-middle (MITM) attacks.
Existing methods of resisting ARP attacks in a network have drawbacks: they need to add to or modify the content of the ARP packet, alter the ARP mechanism, or add encryption and decryption steps to ensure data security, which breaks the original portability of ARP and also affects the performance of the whole network. SDN technology is also used in some existing solutions to ARP attacks. Some of these cannot satisfy the flexibility and variability of the cloud network because they are designed for a specific dynamic IP allocation scenario or a specific static IP allocation scenario. Others require a separate server to assist the controller in handling ARP security in the cloud network, which adds to the complexity of an already complex cloud environment. Still others detect ARP traffic security by extracting traffic characteristics from a large number of ARP attacks, but the accuracy of such solutions is not one hundred percent. Clearly the existing methods of preventing ARP attacks have defects and cannot meet the growing demands of network security.
Disclosure of Invention
To solve these problems, the invention discloses a system and a method for detecting and mitigating ARP attacks in an SDN cloud environment, which implement a controller cluster, inspect the ARP packets in the network, and prevent and mitigate ARP attacks.
To this end, the invention provides the following technical scheme:
A system for detecting and mitigating ARP attacks based on an SDN cloud environment comprises a network information maintenance module, a real-time detection and defense module, a timing monitoring and mitigation module and a flow entry control module;
the network information maintenance module extracts and stores the network device and host information carried in packets, updates the stored information as hosts change in the network, and supplies data to the real-time detection and defense module, the timing monitoring and mitigation module and the flow entry control module;
the real-time detection and defense module inspects each ARP packet received by the controller, determines whether it is a forged ARP packet, and sends a control message to the SDN switch;
the timing monitoring and mitigation module periodically monitors the traffic information of each host-facing port of each SDN switch, determines whether an ARP attack is present, and sends a control message to the SDN switch;
the flow entry control module installs flow entries on the SDN switch.
Further, the system is realised on an architecture composed of hosts, a controller cluster and SDN switches, where each SDN switch is connected to several controllers.
Further, the SDN switches comprise edge SDN switches and internal SDN switches; hosts in the network are directly connected to edge SDN switches; internal SDN switches are not connected to any host.
Further, the SDN switch forwards a packet to the controller in a 'Packet_in' message, and the controller controls the behaviour of the SDN switch by replying with a 'Packet_out' message and by installing flow entries on the SDN switch.
Further, the timing monitoring and mitigation module comprises a timer that fires periodically; the module executes each time the timer fires.
The invention also provides a method for detecting and mitigating ARP attacks based on the SDN cloud environment, comprising the following steps:
Step one, start-up stage
The system is initialised: the flow entry control module installs a flow entry on each SDN switch requiring the switch to forward network packets to the controller;
Step two, network information acquisition stage
The network information maintenance module extracts the host information and SDN switch port information from the network packet and checks whether this information is already stored in the database; if so, step three is executed; otherwise the extracted information is stored in the database first and then step three is entered;
Step three, real-time ARP attack detection and defense stage
When the controller receives an ARP request packet or an ARP reply packet, the real-time detection and defense module compares the address information in the ARP packet with the address information in the database. If they agree, the controller sends a reply message to the SDN switch and calls the flow entry control module to install a flow entry on the switch requiring it to forward the network packet as instructed; if they disagree, the controller sends a reply message to the SDN switch instructing it to discard the network packet, and raises the recorded suspicion that the source host that sent the ARP packet is an attacker;
Step four, periodic ARP attack monitoring and mitigation stage
The timing monitoring and mitigation module periodically sends a port traffic request to the edge SDN switches and obtains their reply data. Using the reply data together with the recorded suspicion that a host is an attacker, it decides whether an ARP attack is occurring. If no ARP attack is occurring, the suspicion that the host is an attacker is cleared; otherwise the flow entry control module is called to install a flow entry on the edge SDN switch requiring it to block the traffic of the port that launched the ARP attack for a specified period, after which the suspicion that the host is an attacker is cleared.
Further, the information stored in the database comprises:
an address mapping table: the MAC address of the host and the IP address of the host;
a switch forwarding table: the ID of the SDN switch, the MAC address of the host, and the port of the SDN switch through which packets are forwarded to that host;
a device suspicion table: the ID of the edge SDN switch, the port connecting the SDN switch to a host, the number of network packets on that port, and the number of erroneous ARP packets sent by the host.
Further, the third stage, real-time ARP attack detection and defense, comprises a real-time detection and defense step for ARP request packets and a real-time detection and defense step for ARP reply packets;
the real-time detection and defense step for ARP request attacks comprises the following substeps:
(1) look up the source host's MAC address and IP address pair from the ARP request packet in the address mapping table of the database, and look up the MAC address mapped to the target host's IP address; if both lookups succeed, go to substep (2); otherwise go to substep (3);
(2) the controller generates an ARP reply packet from the MAC address found for the target host and the address information in the ARP request packet, sends a message ordering the SDN switch to deliver this ARP reply packet to the source host, then obtains from the switch forwarding table in the database the port through which the SDN switch forwards packets to the target host, and calls the flow entry control module to install a flow entry on the SDN switch requiring it to forward network packets carrying the same source MAC/IP pair and the same target MAC/IP pair directly from that port in future;
(3) the controller sends a message instructing the SDN switch to discard the ARP request packet, and increments by one the count of erroneous ARP packets recorded in the device suspicion table of the database for the host on the port connecting the SDN switch to the source host;
the real-time detection and defense step for ARP reply attacks comprises the following substeps:
(1) look up the source host's MAC address and IP address pair from the ARP reply packet in the address mapping table of the database, and look up the target host's MAC address and IP address pair; if both pairs are found, go to substep (2); otherwise go to substep (3);
(2) the controller obtains from the switch forwarding table in the database the port through which the SDN switch forwards packets to the target host, sends a message ordering the SDN switch to forward the ARP reply packet from that port, and then calls the flow entry control module to install a flow entry on the SDN switch requiring it to forward network packets carrying the same source MAC/IP pair and the same target MAC/IP pair directly from that port in future;
(3) the controller sends a message instructing the SDN switch to discard the ARP packet, and increments by one the count of erroneous ARP packets recorded in the device suspicion table of the database for the host on the port connecting the SDN switch to the source host.
Further, the fourth step, the periodic ARP attack monitoring and mitigation stage, comprises the following substeps:
(1) the controller sends port traffic requests to all edge SDN switches, and each edge SDN switch replies with the traffic statistics of each of its ports;
(2) for each port of each edge SDN switch, the controller obtains the total number of network packets received on the port and reads from the device suspicion table in the database the number of packets recorded for that port at the previous monitoring round; the difference between the two is the packet traffic of the port over the elapsed period. The controller compares this traffic with a specific threshold; if it is below the threshold, go to substep (3); otherwise go to substep (4);
(3) the controller reads from the device suspicion table in the database the number of erroneous ARP packets sent by the host on that port and compares it with a specific threshold; if it is below the threshold, go to substep (5); otherwise go to substep (4);
(4) the port of the edge SDN switch is judged to be launching an ARP attack; the controller calls the flow entry control module to install a flow entry on the SDN switch requiring it to discard the network packets received from that port for a specific period in the future;
(5) the controller sets the packet count of that SDN switch port in the device suspicion table to the total number of packets observed in this round, and resets the count of erroneous ARP packets sent by the host on that port to 0.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) The method and system use SDN technology to inspect ARP reply packets as well as ARP request packets, thereby comprehensively protecting the security of the cloud computing network and preventing an attack from compromising the security of the whole cloud network. A controller cluster replaces a single controller, and the SDN switches are divided into edge SDN switches and internal SDN switches, which reduces the transmission and processing of redundant ARP packets in the network and enhances the fault tolerance and performance of the cloud network.
(2) The invention not only detects ARP spoofing attacks in real time by analysing ARP packets and discards the forged packets to keep the spoofing from damaging hosts, but also distinguishes ARP storm attacks by periodically collecting ARP traffic and inspecting the traffic statistics of the edge SDN switch ports, and blocks the traffic of the offending port in time to mitigate the impact of the ARP storm on the cloud network.
(3) The invention supports dynamic and static IP address allocation in the cloud network simultaneously, and uses SDN technology to monitor and manage the whole network, so that it both prevents ARP spoofing attacks in real time and periodically monitors and mitigates ARP storm attacks. The method extracts information from the first packet a host transmits on the network, stores it in the database, and performs attack detection on the data in the database. Moreover, the controller monitors the port events of the SDN switches, so that when a host leaves or joins the network the controller learns of it and updates the database, which keeps the information accurate on an elastic cloud.
(4) The invention requires no modification of the ARP mechanism or the ARP packet and no change to the SDN network architecture.
Drawings
Fig. 1 is a schematic diagram of a cloud network structure for implementing the scheme of the present invention.
Fig. 2 is a schematic diagram of a system architecture for detecting and mitigating ARP attacks provided by the present invention.
Fig. 3 is a flow chart of the real-time ARP attack detection and defense stage.
Fig. 4 is a flow chart of the periodic ARP attack monitoring and mitigation stage.
Detailed Description
The technical solutions of the present invention are described in detail below with reference to specific examples; it should be understood that these specific embodiments only illustrate the invention and do not limit its scope. In addition, the steps shown in the flow charts of the figures may be executed in a computer system as a set of computer-executable instructions, and although a logical order is shown in the flow charts, in some cases the steps shown or described may be performed in an order different from the one given here.
Fig. 1 shows the network topology formed when the invention is deployed on the cloud. The invention is based on SDN technology; in the cloud network the SDN switches are controlled and managed by a controller cluster. The provider offers its services to users in the form of virtual machines, and each user is independent of the others while using them, as if using their own hosts. The SDN switch is the most basic and the most important of the network devices, and is divided into edge SDN switches and internal SDN switches. An edge SDN switch is directly connected to hosts, each of its ports is connected to a different host, and it receives the packets transmitted by the hosts and forwards network packets to them. An internal SDN switch is not connected to any host in the network. The network architecture implementing the invention contains a controller cluster; each SDN switch is connected to several controllers, so the system continues to operate normally when one controller in the cluster fails. The controller used in this example is a Ryu controller. Ryu is implemented in Python and has a clear, easily understood architecture. The controller and the SDN switch communicate through the OpenFlow protocol: the SDN switch forwards a packet to the controller in a 'Packet_in' message, and the controller processes the message and controls the behaviour of the SDN switch by replying with a 'Packet_out' message and by installing flow entries on the switch.
Fig. 2 is a schematic diagram of the overall system architecture of the invention. Each host is connected to an SDN switch and handles network packets exactly as in a traditional network: the packets it sends are received by the SDN switch, and it updates its ARP cache table according to the ARP packets it receives. The SDN switch is mainly responsible for processing data: it receives the hosts' packets on each port, consults its flow entries for the operation to apply, processes the packet as the flow entry requires if a matching entry is found, and otherwise sends the packet to the controller in a 'Packet_in' message. The SDN switch then receives a 'Packet_out' message from the controller and performs the operation the message specifies. The controller provides control over the network and executes its internal logic to process each 'Packet_in' message sent by an SDN switch. The controller is loaded with the implementation logic of the system for detecting and mitigating ARP attacks based on the SDN cloud environment, comprising the network information maintenance module, the real-time detection and defense module, the timing monitoring and mitigation module and the flow entry control module. For an ARP packet, the network information maintenance module, the real-time detection and defense module and the timing monitoring and mitigation module in the controller cooperate to process it, after which the controller may use the flow entry control module to install a flow entry on the SDN switch, or reply to the switch with a 'Packet_out' message, to control its operation.
The network information maintenance module extracts and stores the information about network devices and hosts carried in packets, updates the stored information as hosts in the network change, and supplies data to the real-time detection and defense module, the timing monitoring and mitigation module and the flow entry control module; specifically, when the module receives a network packet the controller stores the device information in the database, which makes attack detection possible.
The real-time detection and defense module uses the database to determine whether an ARP packet received by the controller is forged, and sends a control message to the SDN switch to defend against ARP spoofing;
the timing monitoring and mitigation module has a timer, periodically monitors the traffic information of each host-facing port of each SDN switch, determines in combination with the database whether an ARP attack is present, and sends a control message to the SDN switch to mitigate ARP spoofing and storm attacks;
the flow entry control module provides an interface for the detection modules to install flow entries on the SDN switch and manage the switch's behaviour.
The invention also provides a method for detecting and mitigating ARP attacks based on the SDN cloud environment, comprising the following steps:
Step one, the system is initialised: the flow entry control module installs a flow entry on each SDN switch requiring the switch to forward network packets to the controller;
Step two, the network information acquisition stage: the network information maintenance module extracts the host information and SDN switch port information from the network packet and checks whether this information is already stored in the database; if so, step three is entered; otherwise the extracted information is stored in the database first and then step three is entered.
The information stored in the database consists of three tables, with the following contents:
an address mapping table: the MAC address of the host and the IP address of the host;
a switch forwarding table: the ID of the SDN switch, the MAC address of the host, and the port of the SDN switch through which packets are forwarded to that host;
a device suspicion table: the ID of the edge SDN switch, the port connecting the SDN switch to a host, the number of network packets on that port, and the number of erroneous ARP packets sent by the host.
Step three, detecting and defending ARP attack stage in real time
As shown in fig. 3, when the 'Packet_in' message received by the controller carries an ARP packet (an ARP request packet or an ARP reply packet), the controller extracts the addresses of the source host and the target host from the ARP packet, and also obtains the identity of the SDN switch that sent the message and the ingress port of the packet. The real-time detection and defense module compares the address information in the ARP packet with the address information in the database. When the two match, the controller sends a reply message to the SDN switch: for an ARP request it generates an ARP reply packet, sends it to the SDN switch and has the switch deliver it to the source host; for an ARP reply it instructs the SDN switch to forward the reply; in both cases it then calls the flow entry control module to install a flow entry on the SDN switch, requiring the switch to forward network packets from the source host to the target host as commanded. When the two do not match, the ARP packet is forged and an ARP spoofing attack is in progress: the controller sends a 'Packet_out' reply message instructing the switch to discard the packet, and the real-time detection and defense module raises the suspicion that the device of the source host which initiated the ARP spoofing (that is, sent the forged ARP packet) is an attacker and records the updated value in the database.
In this stage the detection and defense steps differ between ARP request packets and ARP reply packets.
The steps for real-time detection and defense against an ARP request attack are as follows:
(1) look up the source host's MAC address and IP address pair from the ARP request packet in the address mapping table of the database, and look up the MAC address mapped to the target host's IP address; if both lookups succeed, go to step (2); otherwise go to step (3);
(2) the controller generates an ARP reply packet from the target host's MAC address found in step (1) and the address information in the ARP request packet, sends a message to the SDN switch ordering it to deliver the ARP reply packet to the source host, then obtains from the switch forwarding table in the database the port through which the SDN switch forwards packets to the target host, and calls the flow entry control module to install a flow entry on the SDN switch, so that whenever the switch later encounters the same source MAC/IP address pair and the same target MAC/IP address pair it forwards the network packet directly out of that port;
(3) the controller sends a message to the SDN switch instructing it to discard the ARP request packet, and increments by one, in the device suspicion table of the database, the count of erroneous ARP packets sent by the host on the SDN switch port that connects to the source host;
The steps for real-time detection and defense against an ARP reply attack are as follows:
(1) look up the source host's MAC address and IP address pair and the target host's MAC address and IP address pair from the ARP reply packet in the address mapping table of the database; if both pairs are found, go to step (2); otherwise go to step (3);
(2) the controller obtains from the switch forwarding table in the database the port through which the SDN switch forwards packets to the target host, sends a message to the SDN switch ordering it to forward the ARP reply packet out of that port, and then calls the flow entry control module to install a flow entry on the SDN switch, so that whenever the switch later encounters the same source MAC/IP address pair and the same target MAC/IP address pair it forwards the network packet directly out of that port;
(3) the controller sends a message to the SDN switch instructing it to discard the ARP request packet, and increments by one, in the device suspicion table of the database, the count of erroneous ARP packets sent by the host on the SDN switch port that connects to the source host.
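The real-time detection logic of step three, as an added illustration that is not code from the patent: a framework-independent Python model of the controller's decision for a single ARP Packet_in. The `ArpPacket` and `ControllerDb` classes, the host addresses, the switch name "s1" and the port numbers are constructed for the example; a real controller would read the same fields from the OpenFlow Packet_in and emit Packet_out and FlowMod messages where this code returns a decision dictionary. One choice the page does not make explicitly: when the switch forwarding table has no port for the target host, the example treats the packet like an address mismatch.

```python
from dataclasses import dataclass, field

ARP_REQUEST = 1
ARP_REPLY = 2

# Constructed sample topology: two hosts on edge switch "s1" (not from the patent).
H1_MAC, H1_IP = "02:00:00:00:00:01", "10.0.0.1"
H2_MAC, H2_IP = "02:00:00:00:00:02", "10.0.0.2"


@dataclass
class ArpPacket:
    """The ARP fields the controller extracts from a Packet_in (hypothetical model)."""
    opcode: int
    src_mac: str
    src_ip: str
    dst_mac: str  # all-zero in a request, since the sender does not know it yet
    dst_ip: str


@dataclass
class ControllerDb:
    """In-memory stand-in for the database tables the patent names."""
    address_map: dict = field(default_factory=dict)   # host IP -> host MAC
    forwarding: dict = field(default_factory=dict)    # (switch id, host MAC) -> port reaching that host
    suspicion: dict = field(default_factory=dict)     # (switch id, port) -> {"packets": n, "bad_arp": n}

    def pair_known(self, mac, ip):
        """The (MAC, IP) pair is exactly what the network information stage recorded."""
        return self.address_map.get(ip) == mac

    def mark_suspicious(self, switch_id, port):
        """Sub-step (3): one more erroneous ARP packet from the host behind this port."""
        entry = self.suspicion.setdefault((switch_id, port), {"packets": 0, "bad_arp": 0})
        entry["bad_arp"] += 1


def build_demo_db():
    """Database state after the network information stage (constructed sample data)."""
    db = ControllerDb()
    db.address_map = {H1_IP: H1_MAC, H2_IP: H2_MAC}
    db.forwarding = {("s1", H1_MAC): 1, ("s1", H2_MAC): 2}
    return db


def flow_entry(src_mac, src_ip, dst_mac, dst_ip, out_port):
    """Flow entry that sends later packets of this source/target pair straight to out_port."""
    return {"match": {"src_mac": src_mac, "src_ip": src_ip, "dst_mac": dst_mac, "dst_ip": dst_ip},
            "out_port": out_port}


def handle_arp(db, switch_id, in_port, pkt):
    """Real-time detection for one ARP Packet_in; returns the controller's decision."""
    if pkt.opcode == ARP_REQUEST:
        target_mac = db.address_map.get(pkt.dst_ip)
        to_target = db.forwarding.get((switch_id, target_mac))
        if db.pair_known(pkt.src_mac, pkt.src_ip) and target_mac and to_target is not None:
            # Sub-step (2): the controller answers on the target's behalf (proxy reply)
            # and installs a flow entry for the resolved source/target pair.
            reply = ArpPacket(ARP_REPLY, target_mac, pkt.dst_ip, pkt.src_mac, pkt.src_ip)
            return {"action": "reply", "arp_reply": reply, "reply_port": in_port,
                    "flow": flow_entry(pkt.src_mac, pkt.src_ip, target_mac, pkt.dst_ip, to_target)}
    elif pkt.opcode == ARP_REPLY:
        to_target = db.forwarding.get((switch_id, pkt.dst_mac))
        if (db.pair_known(pkt.src_mac, pkt.src_ip) and db.pair_known(pkt.dst_mac, pkt.dst_ip)
                and to_target is not None):
            # Sub-step (2): forward the genuine reply toward the target host, install the flow entry.
            return {"action": "forward", "out_port": to_target,
                    "flow": flow_entry(pkt.src_mac, pkt.src_ip, pkt.dst_mac, pkt.dst_ip, to_target)}
    # Sub-step (3): the addresses do not match the database, so the packet is treated as forged:
    # drop it and raise the suspicion count of the port it arrived on.
    db.mark_suspicious(switch_id, in_port)
    return {"action": "drop"}


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_arp(db, "s1", 1, ArpPacket(ARP_REQUEST, H1_MAC, H1_IP, "00:00:00:00:00:00", H2_IP)))
    print(handle_arp(db, "s1", 1, ArpPacket(ARP_REQUEST, H1_MAC, H2_IP, "00:00:00:00:00:00", H1_IP)))
    print(db.suspicion)
```

Note that the flow entry installed for an ARP request carries the resolved target MAC, because the request's own target hardware field is zero; the match therefore already describes the source/target pair that later IP packets between the two hosts will carry.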
Step four, the stage of periodically monitoring and mitigating ARP attacks; the flow is shown in figure 4. The controller has a timer that fires at a fixed interval, and each time it fires the timing monitoring and mitigation module runs. The module sends port-traffic requests to all edge SDN switches, asking for the traffic data of every port, and then receives the per-port traffic statistics the SDN switches return. It decides whether an ARP storm attack is occurring by checking whether the traffic on an SDN switch port is larger than a threshold, and whether an ARP spoofing attack is occurring by checking whether the number of ARP spoofing attempts made by the host connected to that SDN switch port is larger than a threshold. If no attack is found, the record of the host's likelihood of being an attacker is cleared; if the module detects an attack, it calls the flow entry control module to install a new flow entry on the edge SDN switch that blocks the traffic of the port from which the ARP attack originates for a specified period of time, keeping the network safe, and then the host's likelihood of being an attacker is cleared.
The fourth step, the stage of periodically monitoring and mitigating ARP attacks, comprises the following sub-steps:
(1) the controller sends port-traffic requests to all edge SDN switches, and each edge SDN switch replies to the controller with the traffic statistics of each of its ports;
(2) for each port of each edge SDN switch, the controller obtains the total number of network packets received by the port and reads from the device suspicion table in the database the port's packet count as of the last monitoring run; the difference between the two is the port's packet traffic over the past period. The controller then compares this traffic with a specific threshold: if it is smaller than the threshold, go to step (3); otherwise go to step (4);
(3) the controller reads from the device suspicion table in the database the number of erroneous ARP packets sent by the host on this port and compares it with a specific threshold; if it is smaller than the threshold, go to step (5); otherwise go to step (4);
(4) the port of the edge SDN switch is judged to have initiated an ARP attack; the controller calls the flow entry control module to install a flow entry on the SDN switch requiring it to discard the network packets received from this port for a specific period of time in the future;
(5) the controller sets the port's packet count in the device suspicion table of the database to the total number of packets observed in this monitoring run, and resets to 0 the number of times the host on this port has sent an erroneous ARP packet.
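The timer task of step four, as an added example that is not the patent's code: one run of the periodic monitor over constructed port statistics, with the device suspicion table modelled as a plain dictionary. The switch name "s1", the port numbers, the packet counts and the thresholds are sample values chosen here; in a real controller `port_stats` would come from the OpenFlow port-statistics reply and each returned entry would become a FlowMod with a hard timeout. The example also goes slightly beyond the page in one respect, labelled in the code: a cumulative counter that went backwards (switch restart) is taken as this interval's traffic rather than a negative delta.

```python
def monitor_ports(suspicion, port_stats, flow_threshold, spoof_threshold, block_seconds):
    """One run of the timer task over the port statistics the edge switches returned.

    suspicion  : device suspicion table, (switch id, port) -> {"packets": n, "bad_arp": n}
    port_stats : (switch id, port) -> cumulative received-packet counter from the switch reply
    Returns the list of drop flow entries to install, one per port judged to be attacking.
    """
    flow_mods = []
    for key, rx_total in port_stats.items():
        switch_id, port = key
        entry = suspicion.setdefault(key, {"packets": 0, "bad_arp": 0})
        # Sub-step (2): traffic in the past interval is the counter delta since the last run.
        # A counter that went backwards means the switch (or its counters) restarted; treat the
        # current value as this interval's traffic instead of a negative number (assumption).
        flow = rx_total - entry["packets"]
        if flow < 0:
            flow = rx_total
        if flow >= flow_threshold:
            reason = "arp_storm"
        elif entry["bad_arp"] >= spoof_threshold:   # sub-step (3)
            reason = "arp_spoofing"
        else:
            reason = None
        if reason is not None:
            # Sub-step (4): block everything arriving on this port for a fixed period.
            flow_mods.append({"switch": switch_id, "match": {"in_port": port}, "action": "drop",
                              "hard_timeout": block_seconds, "reason": reason})
        # Sub-step (5): remember this run's counter and clear the host's suspicion;
        # the description applies this after a block as well.
        entry["packets"] = rx_total
        entry["bad_arp"] = 0
    return flow_mods


def demo_run():
    """Constructed sample data: three ports on edge switch s1 (not from the patent)."""
    suspicion = {("s1", 1): {"packets": 100, "bad_arp": 0},
                 ("s1", 2): {"packets": 100, "bad_arp": 0},
                 ("s1", 3): {"packets": 100, "bad_arp": 5}}
    port_stats = {("s1", 1): 150,    # 50 packets since the last run: normal
                  ("s1", 2): 5100,   # 5000 packets: above the storm threshold
                  ("s1", 3): 120}    # quiet, but five forged ARP packets were recorded
    mods = monitor_ports(suspicion, port_stats,
                         flow_threshold=1000, spoof_threshold=3, block_seconds=60)
    return mods, suspicion


if __name__ == "__main__":
    mods, table = demo_run()
    for m in mods:
        print(m)
    print(table)
```

Because the block is installed with a hard timeout rather than a permanent rule, a host whose forged packets were really a misconfiguration regains connectivity without operator action, while the cleared counters give it a fresh start at the next run; a persistent attacker simply trips the thresholds again.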
The technical means disclosed in the scheme of the invention are not limited to those disclosed in the above embodiments, but also include technical schemes formed by any combination of the above technical features. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principle of the present invention, and such improvements and modifications are also considered to fall within the scope of the present invention.

Claims (8)

1. A system for detecting and mitigating ARP attacks based on an SDN cloud environment, characterized in that: the system comprises a network information maintenance module, a real-time detection and defense module, a timing monitoring and mitigation module and a flow entry control module;
the network information maintenance module is used to extract and store the network device and host information carried in packets, to update the stored information as hosts in the network change, and to provide data to the real-time detection and defense module, the timing monitoring and mitigation module and the flow entry control module;
the real-time detection and defense module is used to inspect the ARP packets received by the controller, to detect whether an ARP packet is forged, and to send control messages to the SDN switch;
the timing monitoring and mitigation module is used to periodically monitor the traffic information of every host-facing port of every SDN switch, to detect whether an ARP attack is present, and to send control messages to the SDN switch;
the timing monitoring and mitigation module further performs the following functional steps:
(1) the controller sends port-traffic requests to all edge SDN switches, and each edge SDN switch replies to the controller with the traffic statistics of each of its ports;
(2) for each port of each edge SDN switch, the controller obtains the total number of network packets received by the port and reads from the device suspicion table in the database the port's packet count as of the last monitoring run; the difference between the two is the port's packet traffic over the past period. The controller then compares this traffic with a specific threshold: if it is smaller than the threshold, go to step (3); otherwise go to step (4);
(3) the controller reads from the device suspicion table in the database the number of erroneous ARP packets sent by the host on this port and compares it with a specific threshold; if it is smaller than the threshold, go to step (5); otherwise go to step (4);
(4) the port of the edge SDN switch is judged to have initiated an ARP attack; the controller calls the flow entry control module to install a flow entry on the SDN switch requiring it to discard the network packets received from this port for a specific period of time in the future;
(5) the controller sets the port's packet count in the device suspicion table of the database to the total number of packets observed in this monitoring run, and resets to 0 the number of times the host on this port has sent an erroneous ARP packet;
the flow entry control module is configured to install a flow entry on the SDN switch.
2. The system for detecting and mitigating ARP attacks based on an SDN cloud environment of claim 1, wherein: the system is implemented on an architecture consisting of hosts, a controller cluster and SDN switches, each SDN switch being connected to a plurality of controllers.
3. The system for detecting and mitigating ARP attacks based on an SDN cloud environment of claim 2, wherein: the SDN switches comprise edge SDN switches and internal SDN switches; an edge SDN switch is directly connected to hosts in the network; an internal SDN switch is not connected to any host in the network.
4. The system for detecting and mitigating ARP attacks based on an SDN cloud environment of claim 1, wherein: the SDN switch forwards packets to the controller through 'Packet_in' messages, and the controller controls the behavior of the SDN switch by replying with 'Packet_out' messages to the SDN switch and by installing flow entries on the SDN switch.
5. The system for detecting and mitigating ARP attacks based on an SDN cloud environment of claim 1, wherein: the timing monitoring and mitigation module comprises a timer that is triggered periodically, and the timing monitoring and mitigation module is executed when the timer is triggered.
6. A method for detecting and mitigating ARP attacks based on an SDN cloud environment, characterized by comprising the following steps:
step one, a starting stage
initializing the system, wherein the flow entry control module installs a flow entry on each SDN switch requiring the SDN switch to forward network packets to the controller;
step two, the stage of obtaining network information
the network information maintenance module extracts host information and SDN switch port information from the network packet and checks whether the extracted information is already stored in the database; if it is, step three is executed; otherwise the extracted information is stored in the database before entering step three;
step three, the stage of detecting and defending against ARP attacks in real time
when the controller receives an ARP request packet or an ARP reply packet, the real-time detection and defense module compares the address information in the ARP packet with the address information in the database; when the two match, the controller sends a reply message to the SDN switch and calls the flow entry control module to install a flow entry on the SDN switch, requiring the SDN switch to forward the network packet as commanded; when the two do not match, the controller sends a reply message to the SDN switch instructing the switch to discard the network packet, and raises the likelihood that the source host which sent the ARP packet is an attacker;
step four, the stage of periodically monitoring and mitigating ARP attacks
the timing monitoring and mitigation module periodically sends port-traffic requests to the edge SDN switches, obtains the reply data of the edge SDN switches, and uses the reply data together with the likelihood that a host is an attacker to decide whether an ARP attack is occurring; if no ARP attack is occurring, the likelihood that the host is an attacker is cleared; otherwise, the flow entry control module is called to install a flow entry on the edge SDN switch requiring it to block the traffic of the port from which the ARP attack is sent for a specified period of time, after which the likelihood that the host is an attacker is cleared;
the fourth step, the stage of periodically monitoring and mitigating ARP attacks, specifically comprises the following sub-steps:
(1) the controller sends port-traffic requests to all edge SDN switches, and each edge SDN switch replies to the controller with the traffic statistics of each of its ports;
(2) for each port of each edge SDN switch, the controller obtains the total number of network packets received by the port and reads from the device suspicion table in the database the port's packet count as of the last monitoring run; the difference between the two is the port's packet traffic over the past period. The controller then compares this traffic with a specific threshold: if it is smaller than the threshold, go to step (3); otherwise go to step (4);
(3) the controller reads from the device suspicion table in the database the number of erroneous ARP packets sent by the host on this port and compares it with a specific threshold; if it is smaller than the threshold, go to step (5); otherwise go to step (4);
(4) the port of the edge SDN switch is judged to have initiated an ARP attack; the controller calls the flow entry control module to install a flow entry on the SDN switch requiring it to discard the network packets received from this port for a specific period of time in the future;
(5) the controller sets the port's packet count in the device suspicion table of the database to the total number of packets observed in this monitoring run, and resets to 0 the number of times the host on this port has sent an erroneous ARP packet.
7. The method for detecting and mitigating ARP attacks based on an SDN cloud environment of claim 6, wherein the information stored in the database comprises:
an address mapping table: the MAC address of a host and the IP address of the host;
a switch forwarding table: the ID of an SDN switch, the MAC address of a host, and the port of the SDN switch through which packets are forwarded to the host;
a device suspicion table: the ID of an edge SDN switch, the port connecting the SDN switch to a host, the number of network packets on that port, and the number of times the host has sent erroneous ARP packets.
8. The method for detecting and mitigating ARP attacks based on an SDN cloud environment of claim 6, wherein step three, the stage of detecting and defending against ARP attacks in real time, comprises a step of real-time detection and defense against ARP request attacks for ARP request packets and a step of real-time detection and defense against ARP reply attacks for ARP reply packets;
the step of real-time detection and defense against ARP request attacks specifically comprises the following sub-steps:
(1) look up the source host's MAC address and IP address pair from the ARP request packet in the address mapping table of the database, and look up the MAC address mapped to the target host's IP address; if both lookups succeed, go to step (2); otherwise go to step (3);
(2) the controller generates an ARP reply packet from the target host's MAC address found in step (1) and the address information in the ARP request packet, sends a message to the SDN switch ordering it to deliver the ARP reply packet to the source host, then obtains from the switch forwarding table in the database the port through which the SDN switch forwards packets to the target host, and calls the flow entry control module to install a flow entry on the SDN switch requiring it to forward the network packet directly out of that port whenever it encounters the same source MAC/IP address pair and the same target MAC/IP address pair;
(3) the controller sends a message to the SDN switch instructing it to discard the ARP request packet, and increments by one, in the device suspicion table of the database, the count of erroneous ARP packets sent by the host on the SDN switch port that connects to the source host;
the step of real-time detection and defense against ARP reply attacks specifically comprises the following sub-steps:
(1) look up the source host's MAC address and IP address pair and the target host's MAC address and IP address pair from the ARP reply packet in the address mapping table of the database; if both pairs are found, go to step (2); otherwise go to step (3);
(2) the controller obtains from the switch forwarding table in the database the port through which the SDN switch forwards packets to the target host, sends a message to the SDN switch ordering it to forward the ARP reply packet out of that port, and then calls the flow entry control module to install a flow entry on the SDN switch, so that whenever the switch later encounters the same source MAC/IP address pair and the same target MAC/IP address pair it forwards the network packet directly out of that port;
(3) the controller sends a message to the SDN switch instructing it to discard the ARP request packet, and increments by one, in the device suspicion table of the database, the count of erroneous ARP packets sent by the host on the SDN switch port that connects to the source host.
CN201910448147.XA 2019-05-27 2019-05-27 System and method for detecting and relieving ARP attack based on SDN cloud environment Active CN110247899B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910448147.XA CN110247899B (en) 2019-05-27 2019-05-27 System and method for detecting and relieving ARP attack based on SDN cloud environment

Publications (2)

Publication Number Publication Date
CN110247899A CN110247899A (en) 2019-09-17
CN110247899B true CN110247899B (en) 2022-02-25

Family

ID=67885230

Country Status (1)

Country Link
CN (1) CN110247899B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant