Journal: Information-measuring and Control Systems, No. 3, 2015
Article in issue:
Architecting the cluster software-defined networking with centralized control, resistant to DDoS
Authors:
E.S. Sokolova - Dr.Sc. (Eng.), Head of Department, Professor, Nizhny Novgorod State Technical University n.a. R.E. Alekseev. E-mail: essokolowa@gmail.com
V.V. Krylov - Dr.Sc. (Eng.), Professor, Nizhny Novgorod State Technical University n.a. R.E. Alekseev. E-mail: vkrylov@heterarchica.com
D.A. Lyakhmanov - Ph.D. (Eng.), Nizhny Novgorod State Technical University n.a. R.E. Alekseev. E-mail: dm.virger@gmail.com
S.N. Kapranov - Ph.D. (Eng.), Associate Professor, Nizhny Novgorod State Technical University n.a. R.E. Alekseev. E-mail: serg.kapranov@gmail.com
T.I. Balashova - Senior Lecturer, Nizhny Novgorod State Technical University n.a. R.E. Alekseev. E-mail: tibalashova@mail.ru
Abstract:
Openness and integration of information and telecommunication systems require new solutions for countering threats in the information domain, and these solutions lie in the area of resilience of information networks. The paper offers an approach to defending against DDoS attacks in next-generation networks, Software-Defined Networking (SDN), where the control process and data forwarding are separated. The main advantage of SDN is the ability to rebuild the network architecture in a «hot» mode, transparently to the participants of the data exchange and without affecting the exchange in progress. This makes it possible to render the participants of the data exchange insensitive to DDoS attacks, which are the attacker's main tool for blocking the operation of a single network service or computing node. The method for protecting SDN segments presented in the paper is based on dynamically changing the IP address of the protected server according to a schedule known only to authorized users. The idea of the method is that unauthorized clients have no information about the IP-address change schedule and are therefore unable to send the server requests that create a heavy load on its resources. The IP-address change schedule, which is followed during the data exchange between the client and the server, is unique for each session. As the schedule-generation algorithm, the paper proposes an irreversible pseudo-random sequence generator that is a modification of the Feigenbaum algorithm. The destination IP address of each transmitted packet is computed from the initial parameters and depends on the timestamp of the current packet, the session start time, the pseudo-random sequence generation algorithm and a function mapping the set of numbers onto the IP-address pool. Access to the secure server begins with client authorization. On success the client receives an access certificate containing the dynamic IP-address change schedule.
The client then starts transmitting data to the secure server. On receipt of a network packet from the client, the recipient's IP address is computed. If the computed IP address equals the destination address of the received packet, the packet is redirected to the real address of the secure server; otherwise the packet is rejected. To an external observer, the IP address of the secure server thus changes every millisecond. The developed solution is realized as a secure cluster that forms a segment of the Software-Defined Networking architecture, containing managed switches, controllers, verifiers and unmanaged switches. Each element of the network performs strictly defined functions and is responsible for implementing a separate part of the dynamic IP-address change algorithm. The presented defense method is as distributed as the attacks it prevents. The developed method of defense against DDoS attacks differs from existing analogs, which are based on structural or semantic traffic analysis. The concept of redirecting the data stream that underlies it has proven itself in cellular networks and is widely used today.
Pages: 43-48
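As an added illustration (not code from the paper or its authors), the following Python sketches the verification step the abstract describes: a per-session schedule derived from the access certificate, a logistic-map generator standing in for the unspecified modified Feigenbaum algorithm, a mapping of the generated value onto a constructed address pool, and a verifier that redirects only packets whose destination equals the address computed for their timestamp. The pool, seed, slot length, field names and the choice of generator are assumptions.

```python
import ipaddress

# Constructed pool of decoy addresses (the paper's "IP-address pool"); /28 gives 14 hosts.
POOL = list(ipaddress.ip_network("10.0.0.0/28").hosts())


def feigenbaum_step(x, r=3.99):
    """One iteration of the logistic map x -> r*x*(1-x) (the map behind Feigenbaum's
    constant). Assumption: stands in for the paper's modified generator, not given here."""
    return r * x * (1.0 - x)


class HoppingSchedule:
    """Per-session schedule carried in the access certificate.
    Assumed fields: seed in (0,1), session start in ms, slot length in ms."""

    def __init__(self, seed, session_start_ms, pool, slot_ms=1, r=3.99):
        if not 0.0 < seed < 1.0:
            raise ValueError("seed must lie strictly in (0, 1)")
        self.seed, self.session_start_ms = seed, session_start_ms
        self.pool, self.slot_ms, self.r = list(pool), slot_ms, r

    def address_at(self, timestamp_ms):
        """Destination address for a packet stamped timestamp_ms: iterate the generator
        once per elapsed slot since session start, then map the value onto the pool."""
        if timestamp_ms < self.session_start_ms:
            raise ValueError("packet timestamp precedes session start")
        k = (timestamp_ms - self.session_start_ms) // self.slot_ms
        x = self.seed
        for _ in range(k + 1):
            x = feigenbaum_step(x, self.r)
        return self.pool[int(x * len(self.pool)) % len(self.pool)]


class Verifier:
    """Cluster verifier: a packet reaches the real server only if its destination
    matches the schedule for its timestamp; everything else is dropped."""

    def __init__(self, schedule, real_server):
        self.schedule = schedule
        self.real_server = ipaddress.ip_address(real_server)

    def verify(self, dst_ip, timestamp_ms):
        """Return the real server address to redirect to, or None to reject."""
        try:
            expected = self.schedule.address_at(timestamp_ms)
        except ValueError:  # packet predates the session: cannot be on schedule
            return None
        return self.real_server if ipaddress.ip_address(dst_ip) == expected else None
```

With a 1 ms slot the expected address changes every millisecond, so a client whose clock drifts by more than a slot is rejected like any unauthorized sender; a deployment would need a tolerance window or clock synchronization, which the abstract does not address.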