OpenFlow Switch Timeout Sniffing Method Based on Detection Interval Changes

doi:10.3969/j.issn.1671-1122.2025.02.010

Abstract

Abstract:

Software-defined Networking achieves centralization, programmability, and flexibility by separating the control plane and data plane. However, the network architecture faces new attack threats. Timeout sniffing against SDN switches is one of the main security threats. The existing timeout sniffing methods ignore the impact of the maximum timeout value, the generation time of sniffing packets, and the relationship between timeouts on sniffing timeouts, resulting in problems such as sniffing failed, timeout type recognition error, and low timeout sniffing accuracy. In order to solve the above problems, this paper proposed a OpenFlow switch timeout flow entry timeout mechanism sniffing method based on the detection interval change-TIMIC. The method first obtained a timeout value by adjusting the sending interval of the sniffing packet and then determined the specific timeout mechanism and more accurate timeout value through the timeout value. The experimental results show that TIMIC can successfully detect timeout types and values under different timeout mechanisms, and the detected timeout values can maintain a small sniffing error. Under the universal timeout setting, TIMIC sends fewer timeout sniffing packets and has lower sniffing costs.

Key words: software-defined networking, timeout mechanism sniffing, sniffing interval

CLC Number:

TP309

YANG Zhiyuan, CUI Yunhe, CHEN Yi, GUO Chun. OpenFlow Switch Timeout Sniffing Method Based on Detection Interval Changes[J]. Netinfo Security, 2025, 25(2): 295-305.

Figures/Tables 16

References 17

[1]	CUI Yunhe, QIAN Qing, GUO Chun, et al. Towards DDoS Detection Mechanisms in Software-Defined Networking[EB/OL]. (2021-07-10)[2024-09-10]. https://www.sciencedirect.com/science/article/abs/pii/S1084804521001703?via%3Dihub.
[2]	YAO Xianxian, XIA Hongbin, LIU Yuan. Detection and Mitigation of DDoS Based on Attention Mechanism in SDN Environment[EB/OL]. (2024-05-31)[2024-09-10]. https://kns.cnki.net/kcms/detail/21.1106.TP.20240530.1039.008.html.
	姚纤纤, 夏鸿斌, 刘渊. SDN环境中基于注意力机制的DDoS检测和缓解[EB/OL]. (2024-05-31)[2024-09-10]. https://kns.cnki.net/kcms/detail/21.1106.TP.20240530.1039.008.html.
[3]	LEI Yuxia. Research on DDoS Anomaly Attack Detection Technology Based on SDN Architecture[J]. Shanxi Electronic Technology, 2024(3): 120-123.
	雷宇霞. 基于SDN架构的DDoS异常攻击检测技术研究[J]. 山西电子技术, 2024(3): 120-123.
[4]	ZHANG Junrong. Analysis of Software Defined Network (SDN) Technology[J]. Digital Communication World, 2024(6): 115-117.
	张俊茸. 软件定义网络(SDN)技术分析[J]. 数字通信世界, 2024(6): 115-117.
[5]	WANG Dongbin, WU Dongzhe, ZHI Hui, et al. Preventing Flow Table Overflow against Denial of Service Attack in Software Defined Network[J]. Journal on Communications, 2023, 44(2): 1-11 doi: 10.11959/j.issn.1000-436x.2023036
	王东滨, 吴东哲, 智慧, 等. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11. doi: 10.11959/j.issn.1000-436x.2023036
[6]	RAN Longyan, CUI Yunhe, GUO Chun, et al. Defending Saturation Attacks on SDN Controller: A Confusable Instance Analysis-Based Algorithm[EB/OL]. (2022-06-17)[2024-09-10]. https://www.sciencedirect.com/science/article/abs/pii/S1389128622002298?via%3Dihub.
[7]	LI Jishuai, TU Tengfei, LI Yongsheng, et al. DoSGuard: Mitigating Denial-of-Service Attacks in Software-Defined Networks[EB/OL]. (2021-01-29)[2024-09-10]. https://pubmed.ncbi.nlm.nih.gov/35161800/.
[8]	CONTI M, GANGWAL A, GAUR M S. A Comprehensive and Effective Mechanism for DDoS Detection in SDN[C]// IEEE. 2017 IEEE 13th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob). New York: IEEE, 2017: 1-8.
[9]	WANG Zhi, ZHANG Hao, GU Jianjun. A Hybrid Method of Joint Entropy and Multiple Clustering Based DDoS Detection in SDN[J]. Netinfo Security, 2023, 23(10): 1-7.
	王智, 张浩, 顾建军. SDN网络中基于联合熵与多重聚类的DDoS攻击检测[J]. 信息网络安全, 2023, 23(10): 1-7.
[10]	XU Jianfeng, ZHANG Fangtao, XU Zhen, et al. Field Manipulation Attacks Based on Sniffing Techniques[J]. Journal of Electronics & Information Technology, 2020, 42(10): 2342-2349.
	徐建峰, 张方韬, 徐震, 等. 基于嗅探技术的字段操纵攻击研究[J]. 电子与信息学报, 2020, 42(10): 2342-2349.
[11]	PATWARDHAN A, JAYARAMA D, LIMAYE N, et al. SDN Security: Information Disclosure and Flow Table Overflow Attacks[C]// IEEE. 2019 IEEE Global Communications Conference (GLOBECOM). New York: IEEE, 2019: 1-6.
[12]	YIĞIT B, GÜR G, ALAGÖZ F, et al. Network Fingerprinting via Timing Attacks and Defense in Software Defined Networks[EB/OL]. (2023-06-02)[2024-09-10]. https://www.sciencedirect.com/science/article/abs/pii/S1389128623002955?via%3Dihub.
[13]	CAO Jiahao, XU Mingwei, LI Qi, et al. The LOFT Attack: Overflowing SDN Flow Tables at a Low Rate[J]. IEEE/ACM Transactions on Networking, 2023, 31(3): 1416-1431.
[14]	CHEN Xingshu, HUA Qiang, WANG Yitong, et al. Research on Low-Rate DDoS Attack of SDN Network in Cloud Environment[J]. Journal on Communications, 2019, 40(6): 210-222. doi: 10.11959/j.issn.1000-436x.2019120
	陈兴蜀, 滑强, 王毅桐, 等. 云环境下SDN网络低速率DDoS攻击的研究[J]. 通信学报, 2019, 40(6): 210-222. doi: 10.11959/j.issn.1000-436x.2019120
[15]	AZZOUNI A, BRAHAM O, TRANG N T M, et al. Fingerprinting OpenFlow Controllers: The First Step to Attack an SDN Control Plane[C]// IEEE. 2016 IEEE Global Communications Conference (GLOBECOM). New York: IEEE, 2016: 1-6.
[16]	LENG Junyuan, ZHOU Yadong, ZHANG Junjie, et al. An Inference Attack Model for Flow Table Capacity and Usage: Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network[EB/OL]. (2015-04-13)[2024-09-10]. https://arxiv.org/abs/1504.03095v1.
[17]	BENSON T, AKELLA A, MALTZ D A, et al. Network Traffic Characteristics of Data Centers in the Wild[C]// ACM. Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement. New York: ACM, 2010: 267-280.

组别	空闲超时/s	硬超时/s
第一组	10	11
第二组	10	30
第三组	60	61
第四组	60	300

组别	空闲超时/s	硬超时/s
第一组	0	10
第二组	0	30
第三组	0	60
第四组	0	100

组别	空闲超时/s	硬超时/s
第一组	10	0
第二组	30	0
第三组	60	0
第四组	100	0

组别	超时类别	设置时长/s	TIMIC	LOFT	RAFA
第一组	空闲超时	10	9.00 s(10.00%)	8.63 s(13.70%)	3.05 s(69.50%)
第一组	硬超时	11	9.55 s(13.18%)	9.51 s(13.55%)	11.92 s(8.36%)
第二组	空闲超时	10	9.00 s(10.00%)	9.54 s(4.60%)	4.42 s(55.80%)
第二组	硬超时	30	29.36 s(2.13%)	28.52 s(4.93%)	30.95 s(3.17%)
第三组	空闲超时	60	59.00 s(1.67%)	0 s(100%)/ 探测错误	6.38 s(89.37%)
第三组	硬超时	61	59.61 s(2.28%)	59.13 s(3.07%)	62.69 s(2.77%)
第四组	空闲超时	60	59.00 s(1.67%)	58.78 s(2.03%)	13.62 s(77.30%)
第四组	硬超时	300	299.13 s(0.29%)	298.94 s(0.35%)	301.53 s(0.51%)

组别	超时类别	设置时长/s	TIMIC	LOFT	RAFA
第一组	空闲超时	10	10.00 s(0%)	9.42 s(5.80%)	2.90 s(71.00%)
第一组	硬超时	11	11.63 s(5.73%)	10.56 s(4.00%)	11.24 s(2.18%)
第二组	空闲超时	10	10.00 s(0%)	9.87 s(1.30%)	4.42 s(55.80%)
第二组	硬超时	30	29.21 s(2.63%)	29.60 s(1.33%)	31.25 s(4.17%)
第三组	空闲超时	60	60.00 s(0%)	0 s(100%)/ 探测错误	6.20 s(89.67%)
第三组	硬超时	61	61.68 s(1.11%)	60.20 s(1.31%)	61.90 s(1.48%)
第四组	空闲超时	60	60.00 s(0.00%)	58.97 s(1.72%)	13.39 s(77.68%)
第四组	硬超时	300	300.08 s(0.03%)	299.90 s(0.03%)	300.57 s(0.19%)