Like traditional networks, the security protection system in SDN networks typically includes attack detection, attack tracing, and attack mitigation, as represented in the theoretical model shown in Fig. 2.
The detection of network attack behaviors typically involves the use of various detection algorithms to identify existing attacks on the network as early as possible. Attack tracing is the process of retracing the transmission path of attack traffic using effective means, until the source host of the attack is discovered. Attack mitigation involves formulating corresponding strategies to counter the attack behaviors of the source host, preventing the continuous entry of attack traffic into the network, and ensuring that the quality of network services does not significantly deteriorate due to attack activities. Given SDN's excellent centralized control capabilities, once the attack source host is identified, immediate countermeasures can usually be taken, such as blocking the access switch port of the attack source or diverting the attack traffic to a default port for discarding. Therefore, in SDN, tracing and mitigation are often studied as an integrated process.
Attackers typically use forged header information, such as fake IP or MAC addresses, to evade tracking. Consequently, even after the system detects an attack in the network, it is difficult to trace back the attack path and track down the attack source using the IP addresses, MAC addresses, or other information obtained from a single detection result. Therefore, tracing the correct attack origin is a prerequisite for effectively mitigating the impact of network attacks.
3.1 Attack Tracing Based on Packet-In Messages
To reduce the computational overhead on forwarding devices during tracing, this paper uses only the source IP address (\(IP_{Src}\)), destination IP address (\(IP_{Dst}\)) and forwarding time (\(T_{Tra}\)) of a data packet as the parameters for tracking the target packet. The tracing process has two main steps: first, the controller extracts the triple \(IP_{Src}, IP_{Dst}, T_{Tra}\) from the Packet-In message as the matching parameters; then it extracts \(IP'_{Src}, IP'_{Dst}\) and the forwarding statistics from the flow rules of each switch and matches them against the triple of the target packet to determine whether the target packet has passed through that switch. The procedure is implemented as follows.
(1) Build a map of the SDN network topology and number all switches in sequence so that each switch has a unique identifier.
(2) Parse the Packet-In messages received by the controller and extract the triple \(IP_{Src}, IP_{Dst}, T_{Tra}\) of the target packet as the matching criteria.
(3) Traverse the flow table entries of all switches, match them against the triple, and record the identifiers of the switches that forwarded the target packet together with the port numbers involved. Combining this with the global SDN topology map known to the controller, trace the transmission path of the target packet within the SDN network, which can be represented as follows:
$$E_{i,j}=\sum (s_i,p_i) \to (s_j,p_j) \tag{1}$$
Here, \(E_{i,j}\) represents the transmission path of the target packet, \(s_i, s_j\) denote switches along the path, and \(p_i, p_j\) are the corresponding port numbers on those switches. When the target packet passes through two switches \(s_i\) and \(s_j\), the edge connecting \(s_i\) and \(s_j\) is taken as a segment of the attack path, with \(p_i\) the egress port on \(s_i\) and \(p_j\) the ingress port on \(s_j\).
(4) Collect all transmission paths obtained by tracing the Packet-In messages. When many packets with different destinations are found to originate from the same edge switch, that switch is identified as the access switch of the attack source, and the host connected to the port on which those packets were received is the source host of the IP spoofing attack.
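The four tracing steps above, worked through on a constructed three-switch topology. This is an added example written for this page, not the paper's own code: the `FlowEntry`/`PacketIn` classes, the `LINKS` map, the sample flow rules and the threshold `min_distinct_dst` are all assumptions made for illustration. The matching rule of step (3) is applied literally, so a rule counts as having forwarded the packet only when its \(IP'_{Src}, IP'_{Dst}\) equal the packet's \(IP_{Src}, IP_{Dst}\) and the rule existed at time \(T_{Tra}\); the path of equation (1) is then ordered by walking the link map from the host-facing port.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEntry:
    """One rule read back from a switch, with the fields the tracer needs (constructed model)."""
    switch: int          # unique switch number assigned in step (1)
    ip_src: str          # IP'_Src of the rule
    ip_dst: str          # IP'_Dst of the rule
    in_port: int
    out_port: int
    installed_at: float  # controller time at which the rule was installed
    expires_at: float    # installed_at plus the rule's timeout


@dataclass(frozen=True)
class PacketIn:
    """The (IP_Src, IP_Dst, T_Tra) triple extracted from a Packet-In message in step (2)."""
    ip_src: str
    ip_dst: str
    t_tra: float


# Constructed linear topology s1 - s2 - s3.  Each inter-switch link is listed in both
# directions as (switch, port) -> (switch, port); ports absent from this map face hosts.
LINKS = {(1, 2): (2, 1), (2, 1): (1, 2), (2, 2): (3, 2), (3, 2): (2, 2)}


def forwarded_here(entry: FlowEntry, pkt: PacketIn) -> bool:
    """Step (3): did this rule forward the target packet?  The rule's (IP'_Src, IP'_Dst) must
    equal the packet's (IP_Src, IP_Dst) and the rule must have existed at forwarding time T_Tra."""
    return (entry.ip_src == pkt.ip_src and entry.ip_dst == pkt.ip_dst
            and entry.installed_at <= pkt.t_tra <= entry.expires_at)


def trace_hops(pkt: PacketIn, flows: list) -> list:
    """Order the matching switches into a path by walking the topology from the access switch.
    Returns [] when no unique access switch is found or the rules contradict the link map."""
    hops = {e.switch: e for e in flows if forwarded_here(e, pkt)}
    # The access switch received the packet on a host-facing port, i.e. one that is not the
    # far end of any inter-switch link.
    start = [e for e in hops.values() if (e.switch, e.in_port) not in LINKS.values()]
    if len(start) != 1:
        return []
    path, cur = [start[0]], start[0]
    while (cur.switch, cur.out_port) in LINKS:
        next_sw, next_port = LINKS[(cur.switch, cur.out_port)]
        nxt = hops.get(next_sw)
        if nxt is None or nxt.in_port != next_port:
            return []   # rule set inconsistent with the link map: refuse to guess a path
        path.append(nxt)
        cur = nxt
    return path


def path_edges(hops: list) -> list:
    """The edges (s_i, p_i) -> (s_j, p_j) of equation (1) for an ordered hop list."""
    return [((a.switch, a.out_port), (b.switch, b.in_port)) for a, b in zip(hops, hops[1:])]


def locate_attack_source(packet_ins: list, flows: list, min_distinct_dst: int = 3) -> list:
    """Step (4): (switch, in_port) pairs from which packets to at least min_distinct_dst
    different destinations entered the network; the host behind such a port is the spoofer."""
    dsts = defaultdict(set)
    for pkt in packet_ins:
        hops = trace_hops(pkt, flows)
        if hops:
            dsts[(hops[0].switch, hops[0].in_port)].add(pkt.ip_dst)
    return sorted(port for port, seen in dsts.items() if len(seen) >= min_distinct_dst)


def _rules(src, dst, t, route):
    """Constructed helper: rules along route [(switch, in_port, out_port), ...] installed at t."""
    return [FlowEntry(s, src, dst, i, o, t, t + 10.0) for s, i, o in route]


H1_SIDE_TO_H2_SIDE = [(1, 1, 2), (2, 1, 2), (3, 2, 1)]   # host on (s1, port 1) -> host on (s3, port 1)
H2_SIDE_TO_H1_SIDE = [(3, 1, 2), (2, 2, 1), (1, 2, 1)]

# Constructed data: one legitimate flow, plus four flows entering at (s1, port 1) that carry
# forged source addresses 10.9.i.1 towards four different destinations behind s3.
FLOWS = _rules("10.0.0.2", "10.0.0.1", 0.0, H2_SIDE_TO_H1_SIDE)
PACKET_INS = [PacketIn("10.0.0.2", "10.0.0.1", 0.5)]
for i in range(4):
    FLOWS += _rules(f"10.9.{i}.1", f"10.0.0.{i + 2}", float(i), H1_SIDE_TO_H2_SIDE)
    PACKET_INS.append(PacketIn(f"10.9.{i}.1", f"10.0.0.{i + 2}", i + 0.5))

if __name__ == "__main__":
    for pkt in PACKET_INS:
        print(pkt.ip_src, "->", pkt.ip_dst, path_edges(trace_hops(pkt, FLOWS)))
    print("attack source access port(s):", locate_attack_source(PACKET_INS, FLOWS))
```

Because the forged source addresses differ from packet to packet, nothing in the triple itself identifies the attacker; only the aggregation in step (4), many distinct destinations entering through one host-facing port, does. The time check in `forwarded_here` matters when a switch holds several generations of rules for the same address pair.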
3.2 Mitigation Strategy Based on Dynamic Restriction
Once the source host of the IP spoofing attack has been traced to the switch and port through which it connects to the SDN network, a restriction policy is executed on that port: for a certain period, packets arriving on the port that match no flow entry are discarded on the switch, and no Packet-In messages are sent to the controller for them, as described in Algorithm 1.
Algorithm 1 IP Spoofing Attack Mitigation Algorithm
Purpose: To mitigate IP spoofing attacks in SDN by dynamically restricting the access of suspected attackers.
Inputs:
• source_ip: the source IP address carried by the suspicious traffic (recorded for logging; because the attacker forges source addresses, it is not used as the match field of the restriction rule).
• switch_id: the identifier of the switch where the suspicious traffic is detected.
• port_no: the port number on the switch where the suspicious traffic is detected.
• T: the dynamic restriction time (in seconds) for which the restriction policy is enforced.
• controller: reference to the SDN controller object.
Outputs:
• Enforcement of a restriction policy on the identified switch port.
Steps:
1. Detection and tracing:
   ◦ Detect suspicious IP traffic.
   ◦ Trace the source of the suspicious traffic to switch_id and port_no (Section 3.1).
2. Policy enforcement:
   ◦ For switch_id and port_no, install a flow entry on the switch with the following properties:
     - match: in_port = port_no.
     - instructions: drop the packet.
     - priority: above the table-miss entry, so that packets from port_no that match no other entry are dropped on the switch and generate no Packet-In message, but below the flow entries already installed, so that flows already admitted from port_no keep being forwarded.
     - timeout: T.
   ◦ No separate switch configuration change is needed to suppress Packet-In messages from port_no for T: the drop entry covers every packet from that port that would otherwise miss the flow table.
3. Monitoring:
   ◦ Continuously monitor the traffic on port_no during the period T.
   ◦ If additional suspicious activity is detected, extend the duration or take further action.
4. Review and adjustment:
   ◦ After T expires, review the traffic behaviour.
   ◦ If the suspicious activity has ceased, remove the restriction policy.
   ◦ If the suspicious activity continues, reapply the restriction policy or escalate the response.
5. Reporting:
   ◦ Log the details of the attack (including source_ip, switch_id, port_no and T) and the actions taken to the controller's log file.
6. Reset:
   ◦ Restore normal forwarding through port_no when the restriction period ends and no further suspicious activity has been detected.
Once the elapsed prohibition time exceeds the set restriction time, forwarding on the port is restored. The initial restriction time \(T_{\text{set}}\) is set manually and defaults to 20 seconds; each subsequent time the same port is identified as an attack source, the restriction time doubles:
$$T_{\lim}=T_{\text{set}}\cdot 2^{\,n-1}$$
where \(n\) is the number of times the port has been identified as an attack source (\(n = 1\) on first detection).
This mitigation strategy is independent of the SDN topology: it promptly isolates new flow requests from the spoofing source host at whichever switch it is attached to, preventing new attack traffic from entering the network and keeping switch and controller performance from degrading under sustained attack, so it is broadly applicable. In addition, the affected switch continues to forward legitimate flows for which entries already exist, so legitimate services keep running during the restriction period, which suits SDN networks with high stability requirements. Note that new flows from any other host sharing the restricted port are also held back until the restriction expires, so the restriction should be applied to the individual host-facing access port rather than to an aggregation or inter-switch port.
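Algorithm 1 together with the doubling restriction time \(T_{\lim}=T_{\text{set}}\cdot 2^{n-1}\), as an added example that is not the paper's own code. The `Rule`, `Mitigator` and `fresh_tables` names, the priority values (0 for table-miss, 1 for the restriction entry, 100 for admitted flows) and the three sample packets are assumptions chosen for illustration; the model follows OpenFlow's highest-priority-match semantics so that the claim of the preceding paragraph, that already-admitted flows keep forwarding while new packets from the restricted port are dropped without a Packet-In, can be checked directly.

```python
from dataclasses import dataclass, field

T_SET = 20.0   # initial restriction time T_set in seconds (the page's default)


@dataclass
class Rule:
    """OpenFlow-style flow entry (constructed model): an empty action list means drop."""
    priority: int
    match: dict          # e.g. {"in_port": 1} or {"in_port": 1, "ipv4_dst": "10.0.0.2"}
    actions: list        # [] = drop, ["controller"] = Packet-In, ["output:N"] = forward
    hard_timeout: float = 0.0


def lookup(table: list, pkt: dict):
    """Highest-priority rule whose match fields all agree with the packet (None on table miss)."""
    hits = [r for r in table if all(pkt.get(k) == v for k, v in r.match.items())]
    return max(hits, key=lambda r: r.priority) if hits else None


def decide(tables: dict, switch: int, pkt: dict) -> str:
    """What the switch does with pkt: 'forward', 'drop', or 'packet_in' to the controller."""
    rule = lookup(tables[switch], pkt)
    if rule is None or "controller" in rule.actions:
        return "packet_in"
    return "drop" if not rule.actions else "forward"


def restriction_time(n: int, t_set: float = T_SET) -> float:
    """T_lim = T_set * 2^(n-1) for the n-th time a port is identified as the attack source."""
    if n < 1:
        raise ValueError("n counts detections starting at 1")
    return t_set * 2 ** (n - 1)


@dataclass
class Mitigator:
    tables: dict                                    # switch id -> list of Rule
    t_set: float = T_SET
    detections: dict = field(default_factory=dict)  # (switch, port) -> n
    active: dict = field(default_factory=dict)      # (switch, port) -> (Rule, expires_at)
    log: list = field(default_factory=list)         # Algorithm 1, step 5

    def restrict(self, switch: int, port: int, now: float) -> float:
        """Algorithm 1, step 2: install the port restriction and return its duration."""
        key = (switch, port)
        if key in self.active:                       # re-detected while restricted: replace
            self.tables[switch].remove(self.active[key][0])
        n = self.detections[key] = self.detections.get(key, 0) + 1
        t_lim = restriction_time(n, self.t_set)
        # Priority 1 sits above the table-miss entry (0), so new, unmatched packets from the
        # port are dropped on the switch and generate no Packet-In, but below the installed
        # flow entries (100), so flows already admitted keep forwarding during the restriction.
        rule = Rule(priority=1, match={"in_port": port}, actions=[], hard_timeout=t_lim)
        self.tables[switch].append(rule)
        self.active[key] = (rule, now + t_lim)
        self.log.append({"t": now, "switch": switch, "port": port, "n": n, "t_lim": t_lim})
        return t_lim

    def tick(self, now: float) -> list:
        """Step 6: lift restrictions whose time has elapsed (hard_timeout does this on a switch)."""
        restored = []
        for key, (rule, expires_at) in list(self.active.items()):
            if now >= expires_at:
                self.tables[key[0]].remove(rule)
                del self.active[key]
                restored.append(key)
        return restored


def fresh_tables() -> dict:
    """Constructed access switch s1: table-miss plus one legitimate flow already admitted on port 1."""
    return {1: [Rule(0, {}, ["controller"]),
                Rule(100, {"in_port": 1, "ipv4_dst": "10.0.0.2"}, ["output:2"])]}


def run_demo() -> dict:
    m = Mitigator(fresh_tables())
    legit = {"in_port": 1, "ipv4_dst": "10.0.0.2"}     # existing flow from the restricted port
    spoofed = {"in_port": 1, "ipv4_dst": "10.0.0.7"}   # new flow from the attacker's port
    other = {"in_port": 2, "ipv4_dst": "10.0.0.7"}     # new flow from an unrelated port
    out = {"t1": m.restrict(1, 1, now=0.0)}
    out["during"] = tuple(decide(m.tables, 1, p) for p in (legit, spoofed, other))
    m.tick(now=out["t1"])
    out["after"] = decide(m.tables, 1, spoofed)
    out["t2"] = m.restrict(1, 1, now=25.0)            # second detection: time doubles
    out["t3"] = m.restrict(1, 1, now=70.0)            # third detection: doubles again
    return out


if __name__ == "__main__":
    print(run_demo())
```

During the first 20-second restriction the admitted flow is still forwarded, the attacker's new flow is dropped on the switch, and a new flow from port 2 still reaches the controller; after `tick(20.0)` the port is restored, and the second and third detections produce 40 s and 80 s restrictions.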
Additionally, while the mitigation algorithm intercepts new attack flows, the flow table entries generated by the earlier attack traffic remain in the switch's flow table. These entries are not deleted immediately; they are only removed when their timeout expires. Until then they continue to occupy the switch's flow table space, degrading forwarding performance and increasing the risk of flow table overflow. Such entries are characterised by a very small packet count in their counters, mostly one and in some cases zero. We therefore use a dynamic deletion strategy that periodically removes flow table entries that have not been matched for a long time, as described in Algorithm 2.
Algorithm 2 Malicious Flow Table Entry Dynamic Deletion Algorithm
Purpose: To periodically clear flow table entries in the switch that have not been matched for a long time, particularly those created by earlier attack traffic.
Inputs:
• switch_id: identifier of the switch to clean up.
• controller: reference to the SDN controller object.
• cleanup_interval: the interval (in seconds) at which the cleanup process runs.
• min_packet_count: the maximum number of packets a flow entry's counter may show for the entry to be considered inactive.
Outputs:
• Cleanup of inactive flow table entries in the specified switch.
Steps:
1. Initialization:
   ◦ Set the cleanup_interval and min_packet_count parameters.
2. Periodic cleanup:
   ◦ Every cleanup_interval, request the flow statistics of switch_id and, for each flow table entry:
     - Read the packet count and the duration (age) of the entry from its counters.
     - If the packet count is less than or equal to min_packet_count and the entry is at least cleanup_interval old (it was already present at the previous run and has still not been matched), delete the flow table entry. The age condition prevents an entry installed moments ago for a legitimate new flow, whose counter is also 0 or 1, from being removed.
     - Never delete the table-miss entry.
3. Verification:
   ◦ Verify that only flow table entries with a low packet count (often 1 or 0) were removed.
4. Logging:
   ◦ Log the details of the deleted flow table entries to the controller's log file.
5. Repeat:
   ◦ Repeat the process at the regular interval defined by cleanup_interval.
Through the dynamic deletion strategy, the switch's flow table can be periodically "slimmed down," freeing up more available space for the switch, which helps the switch maintain a more reliable forwarding function and ensures that the SDN network can provide higher-quality network services.
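Two rounds of Algorithm 2 over a constructed flow-statistics table, as an added example that is not the paper's own code. The `FlowStat` class mirrors the `packet_count` and `duration_sec` fields of an OpenFlow flow-stats reply; the cookies, match fields, the 10-second `cleanup_interval` and `min_packet_count = 1` are assumptions for illustration. The example shows the edge case the age condition exists for: a legitimate entry installed 1.5 s ago with a single packet survives the first round, and by the second round its counter has grown past the threshold.

```python
from dataclasses import dataclass


@dataclass
class FlowStat:
    """Per-entry counters as returned by an OpenFlow flow-stats reply (constructed model)."""
    cookie: int
    match: dict
    priority: int
    packet_count: int
    duration_sec: float   # seconds since the entry was installed


def is_stale(st: FlowStat, cleanup_interval: float, min_packet_count: int) -> bool:
    """Deletion criterion of Algorithm 2: at most min_packet_count packets forwarded AND the
    entry has already sat in the table for a full cleanup interval, i.e. it was present at
    the previous run and still has not been matched.  The age check keeps a rule installed
    seconds ago for a legitimate new flow (also at count 0 or 1) from being removed; the
    priority check never touches the table-miss entry (priority 0)."""
    return (st.priority > 0 and st.packet_count <= min_packet_count
            and st.duration_sec >= cleanup_interval)


def cleanup(stats: list, cleanup_interval: float, min_packet_count: int, log: list) -> list:
    """One periodic run: returns the surviving entries; deleted entries are appended to log."""
    keep = []
    for st in stats:
        if is_stale(st, cleanup_interval, min_packet_count):
            log.append({"cookie": st.cookie, "match": st.match,
                        "packets": st.packet_count, "age": st.duration_sec})
        else:
            keep.append(st)
    return keep


def advance(stats: list, seconds: float, matched: dict) -> list:
    """Constructed clock: age every entry and add the packets matched per cookie meanwhile."""
    for st in stats:
        st.duration_sec += seconds
        st.packet_count += matched.get(st.cookie, 0)
    return stats


def sample_table() -> list:
    """Constructed flow-stats snapshot of the access switch after a spoofing burst."""
    return [FlowStat(0, {}, 0, 9000, 3600.0),                                                 # table-miss
            FlowStat(1, {"ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.1"}, 100, 4200, 900.0),  # busy legit flow
            FlowStat(2, {"ipv4_src": "10.9.0.1", "ipv4_dst": "10.0.0.2"}, 100, 1, 35.0),      # spoofed: 1 packet
            FlowStat(3, {"ipv4_src": "10.9.1.1", "ipv4_dst": "10.0.0.3"}, 100, 0, 35.0),      # spoofed: never matched
            FlowStat(4, {"ipv4_src": "10.0.0.5", "ipv4_dst": "10.0.0.1"}, 100, 1, 1.5)]       # legit, just installed


def run_demo(cleanup_interval: float = 10.0, min_packet_count: int = 1) -> dict:
    log, stats = [], sample_table()
    stats = cleanup(stats, cleanup_interval, min_packet_count, log)       # round 1
    first = [e["cookie"] for e in log]
    # One interval later the new legitimate flow has carried 40 packets; nothing else changed.
    advance(stats, cleanup_interval, {1: 500, 4: 40})
    stats = cleanup(stats, cleanup_interval, min_packet_count, log)       # round 2
    return {"round1": first, "round2": [e["cookie"] for e in log[len(first):]],
            "remaining": [s.cookie for s in stats]}


if __name__ == "__main__":
    print(run_demo())
```

Round 1 removes the two spoofed entries (cookies 2 and 3) and keeps the freshly installed legitimate entry; round 2 removes nothing. On a real switch the deletion is issued as a flow-mod delete keyed on the entry's match (or cookie) rather than by rebuilding the list.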