近年來隨著科技的進步,使用者對於網路服務的需求與功能也越趨多元,但是現今的網路架構下已經難以負荷如此龐大的要求。在如此的環境下,造就了軟體定義網路(Software-Defined Networking, SDN)的發展。SDN是一開放式的網路架構,將控制功能(Control plane)從傳送層(Forwarding plane / Data plane)中獨立出來,並利用OpenFlow此協定作為控制層與傳輸層之傳輸協定,採集中式的網路管理,藉此提升網管人員對於網路的控制能力、降低網路的複雜度,並自行定義所需的網路。但在此新穎的網路架構中存在著隱憂,這些隱憂會在遭受到惡意的阻斷式服務攻擊時造成SDN網路所提供之服務中斷並崩潰。因此本論文將以負載平衡為服務,提出SDN網路下的阻斷式服務攻擊減緩系統,藉此來提升SDN網路的可用性,確保在遭受到攻擊情況時,網路所提供之服務可以維持正常之運作。 本論文中透過主動式攻擊減緩(Active Mitigation)以及被動式攻擊減緩(Passive Mitigation)來進行SDN網路的保護,並且在負載平衡服務中,提供了SYN Flooding Attack檢測機制,以及透過設置reverse netmask的UDP pre-configured flow來降低Control and Data Plane Interface(CDPI)之負擔。透過Active Mitigation可降低60.2%的OpenFlow Switch資源消耗,而SYN Flooding Attack也可以阻擋在TCP SYN Flooding下95.77%的OpenFlow Switch資源消耗,另外在本論文提出透過單一類別支援向量機之Passive Mitigation攻擊減緩機制下平均可以偵測出98.8%的惡意流量,顯示本機制可以有效防止在遭受到攻擊的情況下SDN網路服務中斷的情況發生。 ;With the technology growth, user requirements for network services are becoming more and more diverse. Software-Defined Networking (SDN), an open network architecture, decouples the control functions from traditional network devices and uses OpenFlow as the communication protocol between control plane and forwarding plane. It also centralizes the network control to decrease the complexity of network topology. However, security issues remain in this emerging network architecture. These problems will cause SDN services interrupted and even collapsed when subjected to malicious DoS attacks. Therefore, this paper will provide a load balancing service with the proposed DoS attack mitigation mechanism in SDN network. This mitigated can increase the availability of SDN network, and ensure the service is normal when under attack. This thesis contains Active and Passive Mitigation mechanism for SDN network protection. In addition, two types of load balancing, TCP and UDP, are also included. TCP load balancing provides SYN Flooding Attack detection to lower hardware resource consumption. UDP load balancing uses reverse netmask method to reduce Control and Data Plane Interface (CDPI) loading. The experimental results show the proposed Active Mitigation can reduce 60.2% consumption of OpenFlow Switch computing power, SYN Flooding attack detection can reduce 95.77% consumption when TCP SYN Flooding occurs, and Passive mitigation by One-class Support Vector Machine can detect 98.8% abnormal traffic. All of these show the proposed mechanisms can effectively prevent SDN network service interruptions from DoS attacks.
