臺灣博碩士論文加值系統

近年來因虛擬化的技術成熟，傳統網路硬體架構無法有彈性地管理虛擬機器的網路。催生出軟體定義網路(Software Define Network, SDN) 將網路分為Control Plane 及 Data Plane，可以有效的管理網路，並在虛擬機器數量需要擴展的時候，軟體定義網路亦可以彈性地增加軟體交換器，並管理其交換器。而Controller 控制封包如何轉送(Forward)以及通行與否。在SDN架構下，Controller好比人類大腦一樣主宰一切，而Data Plane像人類的四肢，在失去Controller的指揮，則Data Plane殊不知如何轉送封包。
本論文試著在SDN架構網路中，實作Attacker模組嘗試對Controller 進行攻擊，Attacker有著傳統網路的攻擊模組以及SDN網路架構中才有的攻擊模組。本篇論文探討軟體定義網路中的網路攻擊手法，以及遭受攻擊後對於SDN網路架構中的影響。最後，我們在此篇論文中嘗試建立防禦架構，並實作一個防禦策略Defender，防禦來自Attacker的攻擊 。本篇實驗顯示，Defender 可以正確的防禦來自Attacker的網路攻擊。

Due to the maturity of virtualization technology in recent years, the traditional network hardware architecture cannot flexibly manage the network of virtual machines. The emergence of the Software Define Network (SDN) will be divided into the Network Control Plane and Data Plane, can effectively manage the Network, and the number of virtual machines need to expand, the Software Define Network can also be flexible to increase the number of Software switches, and manage the switches. The Controller controls how packets are forwarded and whether they are processed. In SDN architecture, Controller is like a human brain dominate everything, and Data Plane is like human limbs, in the loss of Controller command, Data Plane does not know how to transfer packets. This we try to attack the Controller in the the SDN network by making the modules which has the traditional network attack module and the soft define network only in the SDN network architecture.
This paper discusses the software define network attack techniques, and the impact of the attack on the SDN network architecture. Finally, in this paper we try to establish a defense structure and implement a defence strategy Defender against attack. The experiment shows that Defender can correctly defend against the cyber attack.

Content I
List of Tables II
List of Figures III
Abstact 2
Chapter 1 Introduction 3
1.1 Backgroud 4
1.2 Motivation 4
1.3 Organization of Thesis 5
Chapter 2 Related Work 6
2.1 Software Define Network 6
2.2 OpenFlow Protocol 7
2.2.1 Floodlight Controller 7
2.2.2 Opendaylight Controller 7
2.2.3 Flow Table 8
2.3 Open vSwitch 9
2.4 Link Layer Discovery Protocol (LLDP) Packet 9
2.5 The attack surface of software defined network 9
Chapter 3 System Architecture 11
3.1 Software defined network attack strategies 11
3.1.1 ARP flooding attack 11
3.1.2 HTS(Host Tracking Service) attack 12
3.1.3 LLDP(Link Layer Discovery Protocol) forge attack 14
3.2 The design principle of Defender 16
3.3 The defense strategy for ARP Flooding 16
3.3.1 The monitor process for ARP Flooding 17
3.4 The defence stratrgy for HTS attack. 18
3.4.1 The monitor process for HTS attack 19
3.5 The defence strategy for LLDP forge attack 20
Chapter 4 Experimental Results and Analysis 21
4.1 Lab Environment 21
4.1.1 Mininet Emulator 21
4.1.2 The modules to enabled in OpenDayLight 21
4.2 Using Attacker to launch an attack 22
4.2.1 Launch an ArpFlooding attack using Attacker 23
4.2.2 Use Attacker to launch HTS attack 23
4.2.3 Using the Attacker to Launch an LLDP forge attack in the OpenDayLight Controller 24
4.2.4 Using the Attacker to Launch an LLDP forge attack in the Floodlight Controller 25
4.3 Floodlight Controller and OpenDaylight Controller Attack Results 26
4.4 Use Defender and verify defense results 26
4.4.1 Using Defender to defend ArpFlooding attack 27
4.4.2 Using Defender to defend HTS attack 30
4.4.3 Using Defender to defend LLDP forge attack 33
Chapter 5 Conclusion 35
Reference 36

[1] Hong, Sungmin, et al., “Poisoning Network Visibility in Software-Defined
Networks: New Attacks and Countermeasures,” NDSS, 2015.
[2] Tri-Hai Nguyen, Myungsik Yoo, Attacks on Host Tracker in SDN Controller:
Investigation and Prevention, IEEE ICTC, 2016
[3] http://sdnsecurity.org/project_SDN-Security-Vulnerbility-attack-list.html
[4] OpenFlow Specification v1.5.1. https://www.opennetworking.org/wpcontent/
uploads/.../openflow-switch-v1.5.1.pdf
[5] Nicira, Open vSwitch project https://www.openvswitch.org/
[6] Floodlight controller. Open Source Software for Building SoftwareDefined
Networks. Available: http://www.projectfloodlight.org/
[7] T.L. Foundation, “Opendaylight Project” https://www.opendaylight.org/
[8] Performance evaluation of sdn controllers: Floodlight and OpenDaylight
Engineering Journal, 17(2), 47-57. https://doi.org/10.31436/iiumej.v17i2.615
[9] Mininet. Rapid prototyping for software defined networks.
[10] Scapy: Packet manipulation program. http://www.secdev.org/projects/scapy/.
[11] Dhawan, Mohan, et al., “SPHINX: Detecting Security Attacks in
Software-Defined Networks,” NDSS, 2015.
[12] Ahmad, Ijaz, et al., “Security in software defined networks: A survey,”
IEEE Communications Surveys & Tutorials 17.4, 2015, pp. 2317-2346.
[13] K. Benton, L. J. Camp, and C. Small. Openflow vulnerability assessment.
In Proceedings of ACM SIGCOMM Workshop on Hot Topics in
Software Defined Networking (HotSDN’13), August 2013.
[14] Openflow wireshark dissector.
http://archive.openflow.org/wk/index.php/OpenFlow Wireshark Dissector.
[15] Y. Qian, W. You, and K. Qian, “OpenFlow flow table overflow attacks and
countermeasures,” in Proc. Eur. Conf. Netw. Commun., Jun. 2016,pp. 205–209.
[16] D. Kreutz, F. M. Ramos, and P. Verissimo, “Towards secure and dependable
software-defined networks,” in Proceedings of the second ACM SIGCOMM
workshop on Hot topics in software defined networking(HotSDN), 2013.
[17] H. Wang, L. Xu, and G. Gu, “FloodGuard: A DoS Attack Prevention
Extension in Software-Defined Networks,” in 45th Annual IEEE/IFIP International
Conference on Dependable Systems and Networks (DSN),2015.
[18] Shin S, Porras P, Yegneswaran V, Fong M, Gu G, Tyson M. FRESCO: Modular
composable security services for software-defined networks,Network and Distributed
Security Symposium 2013.
[19] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. Porras, “Delta: A security
assessment framework for software-defined networks,” in NDSS, vol. 17, 2017.
[20] L. Xu, J. Huang, S. Hong, J. Zhang, and G. Gu, “Attacking the brain: Races in the sdn
control plane,” in USENIX Security Symposium. USENIX, 2017, pp. 451–468.
[21] S. K. Fayaz, Y. Tobioka, V. Sekar, and M. Bailey, “Bohatei: Flexible and elastic ddos
defense.” in USENIX Security Symposium, 2015, pp.817–832.
[22] Anat Bremler-Barr, Yotam Harchol, David Hay, and Yaron Koral,“Deep Packet
Inspection as a Service,” In Proceedings of the 10th ACM International on Conference
on emerging Networking Experiments and Technologies (CoNEXT), NY, USA, 271-
282, 2014.
[23] Joao Martins, Mohamed Ahmed, Costin Raiciu, Vladimir Olteanu, Michio Honda,
Roberto Bifulco, and Felipe Huici, “ClickOS and the art of network function
virtualization.” In Proceedings of the 11th USENIX Conference on Networked
Systems Design and Implementation (NSDI). USENIX Association, Berkeley, CA,
USA, 459-473, 2014.
[24] S. Jero, W. Koch, R. Skowyra, H. Okhravi, C. Nita-Rotaru, and D. Bigelow,“Identifier
binding attacks and defenses in software-defined networks,” in USENIX Security
Symposium. USENIX Association, 2017, pp. 415–432.
[25] Menghao Zhang, Jun Bi, Jiasong Bai, Guanyu Li, “FloodShield: Securing the SDN Infrastructure Against Denial-of-Service Attacks” IEEE BigDataSE.2018