
Graduate student: 吳冠陞 (KUAN-SHENG WU)
Thesis title: 實作軟體定義網路之網路攻擊以及防禦策略
Implementation of cyber attack and defense strategy in software defined network
Advisor: 沈上翔 (Shan-Hsiang Shen)
Committee members: 金台齡 (Tai-Lin Chin), 黃琴雅 (CHIN-YA HUANG)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2019
Academic year of graduation: 107 (ROC calendar)
Language: English
Pages: 36
Chinese keywords: 軟體定義網路, 網路安全, 網路攻擊
English keywords: Software Defined Network, Network Security, Cyber Attack
Abstract:
    With the maturity of virtualization technology in recent years, traditional network hardware architectures cannot flexibly manage the networks of virtual machines. This gave rise to Software Defined Networking (SDN), which separates the network into a Control Plane and a Data Plane. SDN makes it possible to manage the network effectively and, when the number of virtual machines has to grow, to add software switches flexibly and manage them. The Controller decides how packets are forwarded and whether they are allowed through at all. In the SDN architecture the Controller is like the human brain that governs everything, while the Data Plane is like the limbs: without the Controller's instructions, the Data Plane cannot learn how to forward packets that do not match an existing flow entry.
    This thesis implements an Attacker module that attempts to attack the Controller in an SDN network. The Attacker contains attack modules known from traditional networks as well as attack modules that exist only in the SDN architecture. The thesis examines attack techniques against software defined networks and the impact of such attacks on the SDN architecture. Finally, it proposes a defense architecture and implements a defense strategy, Defender, against the Attacker's attacks. The experiments show that Defender correctly defends against the Attacker's network attacks.

Table of contents:
    Content I
    List of Tables II
    List of Figures III
    Abstract 2
    Chapter 1 Introduction 3
        1.1 Background 4
        1.2 Motivation 4
        1.3 Organization of Thesis 5
    Chapter 2 Related Work 6
        2.1 Software Defined Network 6
        2.2 OpenFlow Protocol 7
            2.2.1 Floodlight Controller 7
            2.2.2 OpenDaylight Controller 7
            2.2.3 Flow Table 8
        2.3 Open vSwitch 9
        2.4 Link Layer Discovery Protocol (LLDP) Packet 9
        2.5 The attack surface of software defined network 9
    Chapter 3 System Architecture 11
        3.1 Software defined network attack strategies 11
            3.1.1 ARP flooding attack 11
            3.1.2 HTS (Host Tracking Service) attack 12
            3.1.3 LLDP (Link Layer Discovery Protocol) forge attack 14
        3.2 The design principle of Defender 16
        3.3 The defense strategy for ARP flooding 16
            3.3.1 The monitor process for ARP flooding 17
        3.4 The defense strategy for HTS attack 18
            3.4.1 The monitor process for HTS attack 19
        3.5 The defense strategy for LLDP forge attack 20
    Chapter 4 Experimental Results and Analysis 21
        4.1 Lab Environment 21
            4.1.1 Mininet Emulator 21
            4.1.2 The modules to enable in OpenDaylight 21
        4.2 Using Attacker to launch an attack 22
            4.2.1 Launch an ARP flooding attack using Attacker 23
            4.2.2 Use Attacker to launch HTS attack 23
            4.2.3 Using the Attacker to launch an LLDP forge attack in the OpenDaylight Controller 24
            4.2.4 Using the Attacker to launch an LLDP forge attack in the Floodlight Controller 25
        4.3 Floodlight Controller and OpenDaylight Controller attack results 26
        4.4 Use Defender and verify defense results 26
            4.4.1 Using Defender to defend against ARP flooding attack 27
            4.4.2 Using Defender to defend against HTS attack 30
            4.4.3 Using Defender to defend against LLDP forge attack 33
    Chapter 5 Conclusion 35
    References 36
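The table of contents names the three attacks the Attacker module implements (ARP flooding, HTS poisoning, LLDP forging) and the monitor processes Defender runs against the first two, but the page gives no detail on how those monitors work. The following is an added Python example, not code from the thesis, of the kind of controller-side monitor that could serve for the first two checks: it consumes packet_in events (represented here as plain dicts, an assumed format), rate-limits ARP packet_ins per source MAC over a sliding window, and flags a MAC whose (switch, port) binding keeps flapping between two locations, which is the pattern a host tracking poisoning attack produces. The thresholds, the event format and the sample stream are all constructed for the example.

```python
from collections import defaultdict, deque

ETH_ARP = 0x0806   # EtherType for ARP
ETH_IP4 = 0x0800   # EtherType for IPv4


class Monitor:
    """Controller-side monitor over packet_in events (assumed dict format:
    dpid, in_port, eth_src, eth_type, ts).  Not the thesis's Defender; an
    illustration of the two checks its table of contents names."""

    def __init__(self, arp_limit=10, arp_window=1.0,
                 move_limit=2, move_window=5.0):
        self.arp_limit = arp_limit        # ARP packet_ins per source per window (assumed)
        self.arp_window = arp_window
        self.move_limit = move_limit      # location changes per MAC per window (assumed)
        self.move_window = move_window
        self._arp = defaultdict(deque)    # eth_src -> timestamps of ARP packet_ins
        self._loc = {}                    # eth_src -> (dpid, in_port) the controller trusts
        self._moves = defaultdict(deque)  # eth_src -> timestamps of location changes
        self.blocked = set()              # sources whose traffic is now dropped
        self.dropped = 0

    @staticmethod
    def _prune(dq, now, window):
        # Forget timestamps that fell out of the sliding window.
        while dq and now - dq[0] > window:
            dq.popleft()

    def location(self, mac):
        return self._loc.get(mac)

    def observe(self, ev):
        """Process one packet_in; return the list of alerts it raised."""
        alerts = []
        src, now = ev["eth_src"], ev["ts"]
        if src in self.blocked:
            self.dropped += 1             # already quarantined: drop silently
            return alerts

        # Check 1: ARP flooding. Count ARP packet_ins per source in a window.
        if ev["eth_type"] == ETH_ARP:
            dq = self._arp[src]
            dq.append(now)
            self._prune(dq, now, self.arp_window)
            if len(dq) > self.arp_limit:
                self.blocked.add(src)
                alerts.append("arp_flood:%s" % src)

        # Check 2: host tracking poisoning. A MAC that keeps changing its
        # (switch, port) binding is not a normal migration; once the flap
        # rate exceeds the limit, keep the old binding instead of updating.
        here = (ev["dpid"], ev["in_port"])
        prev = self._loc.get(src)
        if prev is not None and prev != here:
            mv = self._moves[src]
            mv.append(now)
            self._prune(mv, now, self.move_window)
            if len(mv) > self.move_limit:
                alerts.append("host_flap:%s %s->%s" % (src, prev, here))
                return alerts             # refuse the relocation
        self._loc[src] = here
        return alerts


def sample_events():
    """Constructed packet_in stream (not captured data): a benign host h1 at
    s1 port 1, an ARP flooder at s1 port 2, and then h1's MAC bouncing between
    s2 port 3 and s1 port 1, as an attacker impersonating h1 would cause."""
    h1, flooder = "00:00:00:00:00:01", "00:00:00:00:00:02"
    evs = []
    for i in range(3):       # h1 resolves a few addresses: benign
        evs.append(dict(dpid=1, in_port=1, eth_src=h1, eth_type=ETH_ARP, ts=0.1 * i))
    for i in range(30):      # 30 ARP requests within 0.3 s from one port
        evs.append(dict(dpid=1, in_port=2, eth_src=flooder, eth_type=ETH_ARP, ts=0.3 + 0.01 * i))
    for i in range(6):       # h1's MAC alternately seen at s2/3 and s1/1
        dpid, port = (2, 3) if i % 2 == 0 else (1, 1)
        evs.append(dict(dpid=dpid, in_port=port, eth_src=h1, eth_type=ETH_IP4, ts=1.0 + 0.2 * i))
    return evs


def run(events, monitor=None):
    """Feed events through a Monitor; return (monitor, all alerts raised)."""
    monitor = monitor or Monitor()
    alerts = []
    for ev in events:
        alerts.extend(monitor.observe(ev))
    return monitor, alerts


if __name__ == "__main__":
    mon, alerts = run(sample_events())
    for a in alerts:
        print(a)
    print("dropped after quarantine:", mon.dropped)
```

With the constructed stream the flooder is quarantined at its 11th ARP packet_in and its remaining 19 are dropped, while h1's first two relocations are accepted and the third and fourth are refused, so the controller's binding for h1 stays at s1 port 1. A real deployment would read these events from the controller's packet_in handler and would need per-tenant thresholds; the point here is only that both checks need nothing beyond the source MAC, the ingress (dpid, port) and a timestamp.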

References:
    [1] S. Hong et al., "Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures," NDSS, 2015.
    [2] T.-H. Nguyen and M. Yoo, "Attacks on Host Tracker in SDN Controller: Investigation and Prevention," IEEE ICTC, 2016.
    [3] SDN security vulnerability and attack list, http://sdnsecurity.org/project_SDN-Security-Vulnerbility-attack-list.html
    [4] OpenFlow Switch Specification v1.5.1, https://www.opennetworking.org/wp-content/uploads/.../openflow-switch-v1.5.1.pdf
    [5] Nicira, Open vSwitch project, https://www.openvswitch.org/
    [6] Floodlight controller: Open Source Software for Building Software-Defined Networks, http://www.projectfloodlight.org/
    [7] The Linux Foundation, "OpenDaylight Project," https://www.opendaylight.org/
    [8] "Performance evaluation of SDN controllers: Floodlight and OpenDaylight," IIUM Engineering Journal, 17(2), pp. 47-57, https://doi.org/10.31436/iiumej.v17i2.615
    [9] Mininet: Rapid prototyping for software defined networks.
    [10] Scapy: Packet manipulation program, http://www.secdev.org/projects/scapy/
    [11] M. Dhawan et al., "SPHINX: Detecting Security Attacks in Software-Defined Networks," NDSS, 2015.
    [12] I. Ahmad et al., "Security in software defined networks: A survey," IEEE Communications Surveys & Tutorials, 17(4), 2015, pp. 2317-2346.
    [13] K. Benton, L. J. Camp, and C. Small, "OpenFlow vulnerability assessment," in Proc. ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), August 2013.
    [14] OpenFlow Wireshark Dissector, http://archive.openflow.org/wk/index.php/OpenFlow_Wireshark_Dissector
    [15] Y. Qian, W. You, and K. Qian, "OpenFlow flow table overflow attacks and countermeasures," in Proc. European Conference on Networks and Communications (EuCNC), June 2016, pp. 205-209.
    [16] D. Kreutz, F. M. V. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proc. 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), 2013.
    [17] H. Wang, L. Xu, and G. Gu, "FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks," in 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2015.
    [18] S. Shin, P. Porras, V. Yegneswaran, M. Fong, G. Gu, and M. Tyson, "FRESCO: Modular composable security services for software-defined networks," NDSS, 2013.
    [19] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. Porras, "DELTA: A security assessment framework for software-defined networks," NDSS, 2017.
    [20] L. Xu, J. Huang, S. Hong, J. Zhang, and G. Gu, "Attacking the brain: Races in the SDN control plane," in USENIX Security Symposium, 2017, pp. 451-468.
    [21] S. K. Fayaz, Y. Tobioka, V. Sekar, and M. Bailey, "Bohatei: Flexible and elastic DDoS defense," in USENIX Security Symposium, 2015, pp. 817-832.
    [22] A. Bremler-Barr, Y. Harchol, D. Hay, and Y. Koral, "Deep Packet Inspection as a Service," in Proc. 10th ACM International Conference on emerging Networking Experiments and Technologies (CoNEXT), 2014, pp. 271-282.
    [23] J. Martins, M. Ahmed, C. Raiciu, V. Olteanu, M. Honda, R. Bifulco, and F. Huici, "ClickOS and the art of network function virtualization," in Proc. 11th USENIX Conference on Networked Systems Design and Implementation (NSDI), 2014, pp. 459-473.
    [24] S. Jero, W. Koch, R. Skowyra, H. Okhravi, C. Nita-Rotaru, and D. Bigelow, "Identifier binding attacks and defenses in software-defined networks," in USENIX Security Symposium, 2017, pp. 415-432.
    [25] M. Zhang, J. Bi, J. Bai, and G. Li, "FloodShield: Securing the SDN Infrastructure Against Denial-of-Service Attacks," IEEE BigDataSE, 2018.

Full-text availability:
    Full text available from 2024/01/17 (campus network)
    Full text not authorized for public release (off-campus network)
    Full text not authorized for public release (National Central Library: Taiwan thesis and dissertation system)