Software defined networking (SDN) is a network architecture in which the control function is separated from the forwarding function. The SDN is divided into a control plane and a data plane. The control plane is responsible for control and management of the entire network, and data is forwarded on the data plane according to rules specified by the control plane. A control device on the control plane is referred to as a central controller (controller for short), and a forwarding device on the data plane is a network switch (switch for short). As the core device of the entire SDN, the controller determines whether traffic on the data plane is forwarded correctly. The switch processes a data packet according to a flow table delivered by the controller, for example by forwarding or discarding the data packet.
In conventional network security, the attacked object is generally a host or a server. In the SDN, the controller, as the core device of the entire network, may also be attacked. A common form of attack on the controller is a packet_in message flooding attack, where packet_in is a message type.
In the SDN, when the switch receives a data packet, it first matches the data packet against the flow entries in its internal flow table, and if the matching succeeds, it performs the operation indicated by the matching flow entry. If no flow entry in the internal flow table matches the data packet, the switch constructs a packet_in message and sends it to the controller, to request that the controller deliver a rule for processing the data packet.
After receiving the packet_in message, the controller determines how the data packet should be processed and sends a flow entry to the switch. The flow entry includes the rule for processing the data packet. Therefore, an important function of the controller is to process packet_in messages effectively.
Therefore, to attack the controller, a malicious attacker in the network usually constructs a large number of meaningless, illegal, or random data packets. Because these packets match no flow entry in the switch's internal flow table, the switch constructs a large number of packet_in messages and sends them to the controller. These packet_in messages consume both the resources of the controller and the effective bandwidth of the secure channel between the controller and the switch. Consequently, the time the controller takes to process other, non-attack data is prolonged, and service requests from normal users may not be responded to at all.
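As an added illustration that is not part of the original text, the following Python models the switch behaviour described above (flow-table lookup, packet_in on a miss) together with a simple controller-side counter that tracks packet_in messages per switch and ingress port in a sliding window and flags a port that produces a burst. The Switch and PacketInGuard classes, the threshold, the window and the sample traffic are all constructed assumptions, not code from any real controller.

```python
from collections import defaultdict, deque

class Switch:
    """Assumed minimal switch: a flow table of (match_fields, action) pairs."""
    def __init__(self, dpid):
        self.dpid = dpid
        self.flow_table = []

    def install_flow(self, match, action):
        self.flow_table.append((match, action))

    def handle_packet(self, pkt):
        """Return the action of the first matching entry, or a packet_in on a miss."""
        for match, action in self.flow_table:
            if all(pkt.get(k) == v for k, v in match.items()):
                return action
        return {"type": "packet_in", "dpid": self.dpid,
                "in_port": pkt["in_port"], "pkt": pkt}

class PacketInGuard:
    """Controller-side detector: packet_in count per (dpid, in_port) in a window."""
    def __init__(self, window_s=1.0, threshold=5):
        self.window_s = window_s
        self.threshold = threshold
        self.events = defaultdict(deque)

    def observe(self, msg, now):
        """Record one packet_in at time `now`; True if the port exceeds the rate."""
        q = self.events[(msg["dpid"], msg["in_port"])]
        q.append(now)
        while q and now - q[0] > self.window_s:   # drop events outside the window
            q.popleft()
        return len(q) > self.threshold

def simulate():
    """Constructed scenario: legitimate traffic on port 1, a packet_in burst from port 2."""
    sw = Switch(dpid=1)
    sw.install_flow({"dst": "10.0.0.2"}, "output:2")
    guard = PacketInGuard(window_s=1.0, threshold=5)
    flagged, packet_ins = set(), 0
    traffic = [(0.05 * i, {"in_port": 1, "dst": "10.0.0.2"}) for i in range(10)]
    # Random-looking destinations that match no flow entry, so every one is a miss.
    traffic += [(0.5 + 0.01 * i, {"in_port": 2, "dst": f"198.51.100.{i}"}) for i in range(20)]
    for t, pkt in traffic:
        result = sw.handle_packet(pkt)
        if isinstance(result, dict) and result["type"] == "packet_in":
            packet_ins += 1
            if guard.observe(result, t):
                flagged.add((result["dpid"], result["in_port"]))
    return packet_ins, flagged   # returns (20, {(1, 2)})
```

In a real deployment the flagged (dpid, in_port) pair is what a controller would rate-limit or quarantine, so that packet_in messages from one port cannot exhaust controller resources or the secure channel.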