[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN104539595A - SDN framework integrating threat processing and route optimizing and operating method - Google Patents

SDN framework integrating threat processing and route optimizing and operating method Download PDF

Info

Publication number
CN104539595A
CN104539595A CN201410788069.5A CN201410788069A CN104539595A CN 104539595 A CN104539595 A CN 104539595A CN 201410788069 A CN201410788069 A CN 201410788069A CN 104539595 A CN104539595 A CN 104539595A
Authority
CN
China
Prior art keywords
message
attack
controller
ids
ddos
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201410788069.5A
Other languages
Chinese (zh)
Other versions
CN104539595B (en
Inventor
史毓凯
张家华
杨种学
王江平
李滢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Xiaozhuang University
Original Assignee
Nanjing Xiaozhuang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Xiaozhuang University filed Critical Nanjing Xiaozhuang University
Priority to CN201711302098.6A priority Critical patent/CN107888618A/en
Priority to CN201410788069.5A priority patent/CN104539595B/en
Priority to CN201711302100.XA priority patent/CN107888619A/en
Priority to CN201711302091.4A priority patent/CN107786578A/en
Publication of CN104539595A publication Critical patent/CN104539595A/en
Application granted granted Critical
Publication of CN104539595B publication Critical patent/CN104539595B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/12Shortest path evaluation
    • H04L45/123Evaluation of link metrics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/12Shortest path evaluation
    • H04L45/125Shortest path evaluation based on throughput or bandwidth
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00Packet switching elements
    • H04L49/20Support for services
    • H04L49/208Port mirroring
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an SDN framework integrating threat processing and route optimizing, a system and an operating method. The SDN framework comprises an application plane, a data plane and a control plane; when any IDS device located in the data plane detects a message with DDoS attack characteristics in an attack threat, the message is immediately reported to the application plane through an SSL communication channel; the application plane is used for analyzing the attack type and making a corresponding attack threat processing strategy according to the attack type; the control plane provides an attack threat processing interface for the application plane and provides an optimal path calculation interface and/or an attack threat identification interface for the data plane. By means of the SDN framework, a network can achieve traffic forwarding for route optimizing according to real-time conditions of links when subjected to a large-scale DDoS threat and can also identify the DDoS threat and make a processing response quickly and accurately, so that the network communication quality is guaranteed comprehensively.

Description

A kind of SDN framework and method of work integrating threat process and routing optimality
Technical field
The present invention relates to network safety filed, particularly relate to a kind of integrate DDoS threaten filter, the SDN framework of routing optimality and method of work.
Background technology
Current, the network extensively connected at a high speed has become the important infrastructure of modern society.But along with the expansion of internet scale, the defect of traditional specifications system also presents day by day.
The report of country's computer network emergence technology process Consultation Center (CNCERT/CC) up-to-date issue shows: activities of hacker is increased, back door, website, phishing, Web malice hang the attacks such as horse in the trend of increasing substantially, and the internet security of country, enterprise is faced with severe challenge.
Wherein, distributed denial of service attack (Distributed Denial of Service, DDoS) remains and affects one of topmost threat of the Internet security of operation.In the past few years, the number of ddos attack, size, type all sharp rise.
Software defined network (Software Defined Network, SDN) have can real-time update routing policy with rule, supports the characteristics such as profound data packet analysis, thus can threaten for the DDoS in complex network ring environment provide rapider network monitoring accurately and defense function.
Summary of the invention
The object of this invention is to provide a kind of the SDN framework and the method for work that integrate threat process and routing optimality, to solve the network security problem that in existing network, a large amount of ddos attack causes, to realize fast, efficiently, all sidedly identify and defending DDoS (Distributed Denial of Service) attacks.
In order to solve the problems of the technologies described above, the invention provides a kind of SDN framework, comprising: using planar, datum plane and control plane; Wherein
Datum plane, when being arranged in the arbitrary IDS equipment Inspection of datum plane to the message of ddos attack feature, namely reports to using planar by SSL traffic channel;
Using planar, for analyzing attack type, and threatens processing policy according to corresponding attack of attack type customization;
Control plane, threatens Processing Interface for using planar provides to attack, and provides optimal path computation for datum plane and/or attack threat identification interface.
Preferably, detecting to realize DDoS in IDS equipment, comprising in described IDS equipment: deception packet check module, the deceptive practices of link layer and internetwork layer address are detected; Destroy packet check module, the abnormal behaviour that internetwork layer and transport layer flag bit are arranged is detected; Exception message detection module, detects the formula attack that floods of application layer and transport layer; Successively message is detected by described deception packet check module, destruction packet check module, exception message detection module; And if when arbitrary detection module detects that message exists above-mentioned respective behavior, then this message is proceeded to using planar.
Preferably, described using planar is suitable for having deceptive practices when message, and attacks threat in OpenFlow territory, then by the controller shielding main frame in control plane; Maybe when attack threatens not in OpenFlow territory, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center;
Described using planar is also suitable for having abnormal behaviour when message, then shielded by the flow of controller to attacker or attack main frame; And
When message has the formula attack that floods, then described using planar is suitable for being filtered to flow cleaning center by the switch access interface traffic redirect corresponding to this message by controller.
Beneficial effect of the present invention: DDoS is threatened monitoring, threatens the business function module such as protection, routing optimality to be deployed in datum plane, control plane and using planar respectively by the present invention.Network can being made when threatened by extensive DDoS, the traffic forwarding of routing optimality can be realized according to the real time status of link, carry out DDoS threat identification and processing response accurately, full-scope safeguards network communication quality rapidly simultaneously.
Another aspect, present invention also offers a kind of DDoS and threatens the method for work of filtering SDN system, to solve the technical problem of defending DDoS (Distributed Denial of Service) attacks.
In order to solve the problems of the technologies described above, described DDoS threatens the method for work of filtering SDN system to comprise: when arbitrary IDS equipment Inspection is to when having the message of ddos attack feature, namely report to IDS policy server by SSL traffic channel; Described IDS policy server is according to reporting information, make the processing policy corresponding with the message with ddos attack feature, then this message is shielded by controller or the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center.
Preferably, detecting to realize DDoS in IDS equipment, comprising in described IDS equipment: deception packet check module, the deceptive practices of link layer and internetwork layer address are detected; Destroy packet check module, the abnormal behaviour that internetwork layer and transport layer flag bit are arranged is detected; Exception message detection module, detects the formula attack that floods of application layer and transport layer; Successively message is detected by described deception packet check module, destruction packet check module, exception message detection module; And if when arbitrary detection module detects that message exists above-mentioned respective behavior, then this message is proceeded to IDS policy server.
Preferably, described IDS policy server is suitable for having deceptive practices when message, and attacks threat in OpenFlow territory, then shield main frame by controller; Maybe when attack threatens not in OpenFlow territory, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center; Described IDS policy server is also suitable for having abnormal behaviour when message, then shielded by the flow of controller to attacker or attack main frame; And when message has the formula attack that floods, then described IDS policy server is suitable for being filtered to flow cleaning center by the switch access interface traffic redirect corresponding to this message by controller.
The third aspect, present invention also offers a kind of method of work integrating the SDN system threatening process and routing optimality, to solve the distributed monitoring to ddos attack, is formulating the technical problem of corresponding threat processing policy.
In order to solve the problems of the technologies described above, present invention also offers a kind of method of work integrating the SDN system threatening process and routing optimality, comprising the steps:
Step S100, netinit; Step S200, distributed DDoS threatens monitoring; And step S300, threaten process and/or routing optimality.
Preferably, in order to better realize network configuration, the device in described step S100 involved by netinit comprises: controller, IDS policy server and distributed IDS equipment;
The step of netinit is as follows:
Described controller builds network equipment information binding table, and by network equipment information binding table real-time update in each IDS equipment;
Described controller issues the stream table of mirror policy, is transmitted to IDS equipment corresponding in net territory by all port flow mirror images being loaded with main frame that drags of OF switch; And
Described controller issues DDoS threat identification rule to each IDS equipment corresponding in each net territory;
In described step S200, distributed DDoS threatens the method for monitoring to comprise:
Successively to the deceptive practices of link layer and internetwork layer address, internetwork layer and transport layer flag bit arrange abnormal behaviour, and the formula that the floods attack of application layer and transport layer detects;
If when arbitrary detection judges that message exists respective behavior in said process, then this message is proceeded to step S300.
Preferably, the method that the deceptive practices of link layer and internetwork layer address detect is comprised:
By deception packet check module, deceptive practices are detected, namely first, call network equipment information binding table by deception packet check module; Secondly, by deception packet check module, the type being encapsulated in message in Packet-In message is resolved, to obtain corresponding source, object IP address, MAC Address and to upload No. DPID, switch and the port numbers of this Packet-In message, and above-mentioned each information is compared with the corresponding information in network equipment information binding table respectively; If the above-mentioned information matches in message, then message is carried out next and detect; If the above-mentioned information in message is not mated, then message is proceeded to step S300; Described internetwork layer and transport layer flag bit arrange the method that abnormal behaviour carries out detecting and comprise: arrange abnormal behaviour to flag bit detect by destroying packet check module, namely each flag bit of message is detected, to judge whether each flag bit meets ICP/IP protocol specification; If each flag bit of message meets, then message is proceeded to and carry out next detection; If each flag bit of message does not meet, then message is proceeded to step S300; The method that the formula that the floods attack of described application layer and transport layer is carried out detecting comprises: detected the formula attack of flooding by exception message detection module, namely the Hash table for identifying the formula attack message that floods is built at exception message detection module, and judge whether message has the formula attack that floods according to the threshold values set in this Hash table, and judged result is proceeded to step S300.
Preferably, threaten the method for process and/or routing optimality to comprise in described step S300: if message has deceptive practices, and attack threat in OpenFlow territory, then described IDS policy server is suitable for shielding main frame by controller; And threaten not in OpenFlow territory when attacking, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center; If message has abnormal behaviour, then described IDS policy server is shielded by the flow of controller to attacker or attack main frame; If message has the formula attack that floods, then the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center by controller by described IDS policy server; And/or go out path optimizing according to link load coefficient calculations, namely the link remaining bandwidth of two adjacent nodes is detected, obtain the load factor of this link, obtaining the optimal path of any two points according to this load factor and initialized network topological diagram, described controller draws corresponding forwarding flow table according to this optimal path and issues each switch.
Preferably, described IDS policy server shielding sends the program of message and/or the method for main frame comprises: first, build corresponding Hash table and the setting respective threshold of counting, namely in the unit interval, the first Hash table that deceptive practices are counted is built in described IDS policy server, flag bit arranges the second Hash table that abnormal behaviour carries out counting, and to the 3rd Hash table that the formula attack of flooding counts; Set first, second, third threshold values in first, second, third Hash table simultaneously; Secondly, shielding sends program and/or the main frame of this message, and namely for the behavior of message proceeding to IDS policy server, utilize corresponding Hash table to count, when count value exceedes respective thresholds, shielding sends program and/or the main frame of this message.
Beneficial effect of the present invention: DDoS threatens filtering technique and route-optimization technique to merge by (1) the present invention, when carrying out monitoring, shielding DDOS attack, blocking up of data can't be caused, and by monitoring and threaten process separately, effectively alleviate the burden of control plane, ensure that network is safer, the operation of colleges and universities; (2) ddos attack cannot be forged to address under the invention enables legacy network architectural framework to carry out identifying that the difficult problem with tracing to the source fundamentally is resolved.When there is ddos attack or normal large discharge business in a network, controller based on the real-time perception to network parameters such as link remaining bandwidths, can realize the routing optimality of normal stream amount, significantly promotes the experience of user; (3) process framework of the present invention adopts open-ended modularity design, achieves the efficient detection to DDoS threat and sweetly disposition; (4) each module obtains packet information and adopts independently Interface design, reduces the coupling relevance of intermodule; (5) each module uses the program data structure optimized, and each process sub-process of careful segmentation, improves the high cohesion characteristic of module.
Accompanying drawing explanation
In order to make content of the present invention be more likely to be clearly understood, below basis specific embodiment and by reference to the accompanying drawings, the present invention is further detailed explanation, wherein
Fig. 1 shows the theory diagram of data Layer in software defined network;
Fig. 2 shows SDN block architecture diagram of the present invention;
Fig. 3 shows the structured flowchart of SDN system of the present invention;
Fig. 4 shows the theory diagram of ddos attack identification based on SDN framework and guard system;
Fig. 5 shows the workflow diagram of deception packet check module;
Fig. 6 shows the workflow diagram destroying packet check module;
Fig. 7 shows the overhaul flow chart of UDP Floodling;
Fig. 8 shows the overhaul flow chart of ICMP Floodling.
Embodiment
For making the object, technical solutions and advantages of the present invention clearly understand, below in conjunction with embodiment also with reference to accompanying drawing, the present invention is described in more detail.Should be appreciated that, these describe just exemplary, and do not really want to limit the scope of the invention.In addition, in the following description, the description to known features and technology is eliminated, to avoid unnecessarily obscuring concept of the present invention.
Fig. 1 shows the theory diagram of data Layer in software defined network.
As shown in Figure 1, in software defined network (Software Defined Network, SDN) framework, when a message (Packet) arrives switch time, first in switch with stream table mate.If the match is successful, the action executing of just specifying according to stream table forwards rule.If it fails to match, then this message is encapsulated in Packet In message by switch, sends to controller, and this message exists in local cache by switch.Wait controller makes decisions, and how to process this message.
A lot of main frame is had in network, then needing to set up one for All hosts in network is the Hash table of key, be referred to as " in violation of rules and regulations number of times Hash table group ", it comprises: be suitable for the first Hash table counted deception message, be suitable for the second Hash table that destruction message is counted, be suitable for attacking to the formula that floods the 3rd Hash table counted.The violation number of times of record respective hosts, the namely credibility of main frame.
Packet in network is real-time, so need the Hash table of the threat packet counting set up in a kind of unit interval, and a key in the corresponding Hash table of each main frame, corresponding key assignments be record unit interval in the number of threat data bag that sends of the main frame of corresponding keys.Key assignments corresponding for keys all in Hash table must set to 0 in the unit interval " timeslice " by this type of Hash table at first; And often kind of message detected all needs a such table, with regard to such as have detected 100 kinds of messages, just need 100 this type of Hash tables.
And each Hash table must have a corresponding threshold value.As long as one has main frame accumulated counts in analog value in Hash table.Check after counting whether this value exceedes the threshold value of setting.If exceed corresponding threshold value, then the key assignments counting in violation number of times Hash table corresponding record.
Further, the threshold value of each Hash table, the parameters such as Hash table timeslice length all can be regulated by interface.
Such as: the Hash table of main frame is:
Unit interval deception packet counting Hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1 2 2 1 100 2 0 0 …… 0
Unit interval destroys packet counting Hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1 2 2 1 100 2 0 0 …… 0
Unit interval SYN counts Hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1 1 0 1 100 2 0 0 …… 0
Unit interval UDP Flood counts Hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1 1 0 1 10 2 0 0 …… 0
Unit interval ICMP Flood counts Hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1 1 0 1 100 2 0 0 …… 0
……
Hash tables all is above all unit interval count table, and timeslice counting starts all corresponding key assignments to be set to 0;
Number of times Hash table in violation of rules and regulations
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1 1 0 1 0 2 0 0 …… 0
On the basis of foregoing invention principle, the specific implementation process of the present embodiment is as follows.
Embodiment 1
Fig. 2 shows SDN block architecture diagram of the present invention.
As shown in Figure 2, a kind of SDN framework, comprising: using planar, datum plane and control plane; Wherein datum plane, when being arranged in the arbitrary IDS of datum plane (i.e. intrusion detection device) equipment Inspection to the message of ddos attack feature, namely reports to using planar by SSL traffic channel; Using planar, for analyzing attack type, and threatens processing policy according to corresponding attack of attack type customization; Control plane, threatens Processing Interface for using planar provides to attack, and provides optimal path computation for datum plane and/or attack threat identification interface.
Wherein, ddos attack characterizing definition is: to the deceptive practices of link layer and internetwork layer address, the abnormal behaviour that arranges internetwork layer and transport layer flag bit, and to flood formula attack to application layer and transport layer.
Comprise in described IDS equipment:
Deception packet check module, detects the deceptive practices of link layer and internetwork layer address; Destroy packet check module, the abnormal behaviour that internetwork layer and transport layer flag bit are arranged is detected; Exception message detection module, detects the formula attack that floods of application layer and transport layer; Successively message is detected by described deception packet check module, destruction packet check module, exception message detection module; And if when arbitrary detection module detects that message exists above-mentioned respective behavior, then this message is proceeded to using planar.
Described using planar is suitable for having deceptive practices when message, and attacks threat in OpenFlow territory, then by the controller shielding main frame in control plane; Maybe when attack threatens not in OpenFlow territory, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center; Described using planar is also suitable for having abnormal behaviour when message, then shielded by the flow of controller to attacker or attack main frame; And when message has the formula attack that floods, then described using planar is suitable for being filtered to flow cleaning center by the switch access interface traffic redirect corresponding to this message by controller.
In Fig. 2, using planar threatens processing policy about attack type analysis, attack, the attack monitoring of datum plane, attack threaten shielding and routing optimality, and the attack of control plane threatens process, attack threat identification and optimal path computation to launch in the following embodiments.
Wherein, using planar can be realized by IDS policy server, and control plane can be realized by controller.Specifically following examples can be referred to.
Embodiment 2
Fig. 3 shows the structured flowchart of SDN system of the present invention.
As shown in Figure 3, threaten a kind of method of work of filtering in SDN system-based at described DDoS, it comprises: when arbitrary IDS equipment Inspection is to when having the message of ddos attack feature, namely report to IDS policy server by SSL traffic channel; Described IDS policy server is according to reporting information, make the processing policy corresponding with the message with ddos attack feature, then this message is shielded by controller or the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center.
Fig. 4 shows the theory diagram of SDN system.
As shown in Figure 4, further, comprise in described IDS equipment:
Deception packet check module, detects the deceptive practices of link layer and internetwork layer address;
Destroy packet check module, the abnormal behaviour that internetwork layer and transport layer flag bit are arranged is detected;
Exception message detection module, detects the formula attack that floods of application layer and transport layer;
Successively message is detected by described deception packet check module, destruction packet check module, exception message detection module;
And if when arbitrary detection module detects that message exists above-mentioned respective behavior, then this message is proceeded to IDS policy server.
Further, described IDS policy server is suitable for having deceptive practices when message, and attacks threat in OpenFlow territory, then shield main frame by controller; Maybe when attack threatens not in OpenFlow territory, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center; Described IDS policy server is also suitable for having abnormal behaviour when message, then shielded by the flow of controller to attacker or attack main frame; And when message has the formula attack that floods, then described IDS policy server is suitable for being filtered to flow cleaning center by the switch access interface traffic redirect corresponding to this message by controller.
The present invention adopts from deception packet check module to destruction packet check module, then to the order that exception message detection module detects successively, wherein, each module obtains packet information and adopts independently Interface design, reduces the coupling relevance of intermodule; And each module uses the program data structure optimized, and each process sub-process of careful segmentation, improves the high cohesion characteristic of module.This detection ordering improves the detection efficiency to message data, and reduces loss.
Fig. 5 shows the workflow diagram of deception packet check module.
As shown in Figure 5, network equipment information binding table is called by described deception packet check module, and the first Hash table being suitable for that packet cheating behavior is counted built in described IDS policy server in the unit interval, and set the first threshold values in this first Hash table; Described deception packet check module, the type of the message be encapsulated in Packet-In message is resolved, to obtain corresponding source, object IP address, MAC Address and to upload No. DPID, switch and the port number information of Packet-In message, and each information is compared with the corresponding information in network equipment information binding table respectively; If the above-mentioned information matches in message, then message is proceeded to and destroy packet check module; If the above-mentioned information in message is not mated, then proceed to described IDS policy server, abandon, and count deceptive practices simultaneously message, when this count value is more than the first threshold values, shielding sends program and/or the main frame of this message.
Concrete, described deception packet check module is used for carrying out first time judgement to message, namely judges whether message is IP spoofing attack message, port spoofing attack message or MAC spoofing attack message.
Concrete steps comprise: parse source, target MAC (Media Access Control) address and switch entrance first in ethernet frames, then parse different messages according to different type of messages.When type of message is IP, ARP, RARP, then parse corresponding source, object IP address then these information to be tabled look-up coupling to the information in network equipment information binding table, if match corresponding information, then give and destroy packet check resume module.If do not mate, then this message is proceeded to the process of IDS policy server; And accumulated counts is carried out to deceptive practices simultaneously, when this count value is more than the first threshold values, shielding sends program and/or the main frame of this message.
Have a device manager module DeviceManagerImpl in Floodlight, when an equipment in a network mobile device time tracking equipment, and according to newly flowing define equipment.
Equipment manager learns equipment from PacketIn request, and from PacketIn message, obtain device network parameter information (information such as source, object IP, MAC, VLAN), is carried out dividing into switch or main frame by equipment by entity classification device.Under default situations, entity classification device uses MAC Address and/or vlan table to show an equipment, mark equipment that these two attributes can be unique.The important information of another one be equipment mounting points (No. DPID of switch and port numbers) (, in an openflow region, an equipment can only have a mounting points, and here openflow region refers to the set of the multiple switches be connected with same Floodlight example.Equipment manager is also provided with expired time for IP address, mounting points, equipment, and last timestamp is as judging the foundation whether they are expired.)
Therefore only need call the IDeviceService that DeviceManagerImpl module provides inside network equipment information binding table module, simultaneously to the monitoring interface of this service interpolation IDeviceListener.
The monitoring interface that wherein IDeviceListener provides has:
ISP: IFloodlightProviderService, IDeviceService
Rely on interface: IFloodlightModule, IDeviceListener
Record in table can refresh the record in binding table in real time according to the low and high level trigger mechanism (low level triggering Port Down extracted by netting twine, and netting twine pulls out the high level of triggering Port Up) of switch.
Traditional ddos attack cannot touch, revise the information of Switch DPID and Switch Port, utilizes this advantage, can detect spoofing attack more flexibly.
Fig. 6 shows the workflow diagram destroying packet check module.
As shown in Figure 6, in described IDS policy server, build being suitable in the unit interval the second Hash table that abnormal behaviour counts is arranged to the flag bit of message, and set the second threshold values in this second Hash table; The each flag bit of described destruction packet check module to message detects, to judge whether each flag bit meets ICP/IP protocol specification; If each flag bit of message meets, then message is proceeded to exception message detection module; If each flag bit of message does not meet, then proceed to described IDS policy server, abandon message, and arrange abnormal behaviour to flag bit simultaneously and count, when this count value is more than the second threshold values, shielding sends program and/or the main frame of this message.
Concrete, described destruction packet check module, judges for carrying out second time to message, namely judges whether message is the attack message with malice flag bit feature.Wherein, the attack message with malice flag bit feature includes but not limited to IP attack message, TCP attack message.Implementation step comprises: detection IP attack message and TCP/UDP attack message wherein being realized to the flag bit of each message, namely identifies whether each flag bit meets ICP/IP protocol specification.If met, just directly transfer to abnormal number packet check resume module.If do not meet, be then judged as attack message, proceed to the process of IDS policy server.
With typical attack such as Tear Drop for row, an offset field and a burst mark (MF) is had in IP packet header, if assailant is arranged to incorrect value offset field, IP fragmentation message just there will be the situation overlapping or disconnect, and target machine system will be collapsed.
In IP heading, have a protocol fields, this field specifies this IP message and carries which kind of agreement.The value of this field is less than 100, if assailant sends to target machine the IP message that a large amount of bands is greater than the protocol fields of 100, the protocol stack in target machine system will be damaged, and is formed and attacks.
Therefore in destruction packet check module, first extract each flag bit of message, then check whether normal.
If normal, then give subsequent module for processing.
If abnormal, then abandon this packet, and to corresponding Hash table rolling counters forward.If when unit interval inside counting device exceedes described second threshold values of setting, then call IDS policy server and corresponding program is shielded and/or directly shields corresponding main frame.
After packet filtering by deception packet check module, the address in the follow-up packet handled by destruction packet check module is all real.Like this, effectively avoid target machine and have received destruction message, may directly cause the protocol stack of target machine to collapse, even target machine directly collapses.
The processing capacity destroying packet check module is roughly similar with deception packet check handling process, and whether normal the flag bit of what difference was that destruction packet check module parses is each message, then detect each flag bit.
If talked about normally, just directly to follow-up exception message detection module process.
If abnormal, then abandon this packet, and to the corresponding Hash table inside counting device counting of host application reference mechanism.If exceed the threshold values of setting, then shield corresponding attacker or directly shield and attack main frame.
The Hash table for identifying the formula attack message that floods is built at described exception message detection module, in described IDS policy server, build the 3rd Hash table being suitable for that the formula attack of flooding is counted in the unit interval, and set the 3rd threshold values in the 3rd Hash table; Described exception message detection module, is suitable for judging whether described message has attack according to the threshold values set in described Hash table; If without attack, then by data distributing; If have attack, then proceed to described IDS policy server, abandon, and count attack simultaneously message, when count value is more than the 3rd threshold values, shielding sends program and/or the main frame of this message.
Concrete, described exception message detection module, judges for carrying out third time to message, namely judges whether message is the formula attack message that floods.
Concrete steps comprise: utilize the identification to building to flood adding up to the respective record in Hash table of formula attack message, and detect whether exceed threshold value, to judge whether the being formula attack message that floods.
Through above-mentioned deception packet check module, the filtering destroying packet check module two modules, the packet of subsequent module for processing belongs to packet under normal circumstances substantially.But, under normal circumstances, also have ddos attack and produce, in the prior art, generally only carry out deception packet check module, destroy packet check module, and in the technical program, in order to avoid ddos attack as much as possible.
Following examples to after carrying out deception packet check module, destroying packet check modular filtration, then shield the embodiment of ddos attack by exception message detection module.This execution mode is for UDP Flooding and ICMP Flooding.
Fig. 7 shows the overhaul flow chart of UDP Floodling.
About UDP Floodling, as shown in Figure 7, utilizing the mechanism of udp protocol without the need to connecting, sending a large amount of UDP message to target machine.Target machine can spend a large amount of time-triggered protocol UDP messages, and these UDP attack messages not only can make the cache overflow depositing UDP message, and can take a large amount of network bandwidths, and target machine (or little) cannot receive legal UDP message.
Because different main frames sends a large amount of UDP message bag to single main frame, so certainly have the situation that udp port takies, so the technical program can receive the unreachable bag of port of an ICMP.
So the technical program can set up a Hash table to All hosts, be used for specially depositing in the unit interval number of times receiving the unreachable bag of ICMP port.If exceed the threshold values of setting, then directly shield corresponding attacker.
Fig. 8 shows the overhaul flow chart of ICMP Floodling.
About ICMP Floodling, as shown in Figure 8, directly unit interval inside counting is carried out for ICMP Flooding.If exceed corresponding threshold values, then direct corresponding shielding is carried out to respective host, although the method is simple, directly effective.
Therefore, exception message detection module, if the type of message detected is exception message type of detection, then carries out corresponding counter detection and whether exceedes threshold value, if do not exceed threshold value, also can be issued by optimum routing policy this packet.If exceeded threshold value, then shield corresponding attacker, or directly corresponding shielding has been carried out to respective host.
When in described deception packet check module, destruction packet check module and exception message detection module, arbitrary module judges that described message is above-mentioned attack message, then this attack message is proceeded to IDS policy server, that is, abandon described message, and shielding sends program and/or the main frame of this message.
When " deception packet check module ", " destroying packet check module " and " exception message detection module " need packet discard or needs to shield threat main frame time.Directly call IDS policy server and carry out corresponding threat process operation.
The concrete implementation step of described IDS policy server comprises:
Abandon described message, namely the step of packet discard comprises as follows:
OpenFlow switch is not matching under corresponding stream expression condition, can this data envelope be contained in Packet In message, this packet exists in local buffer memory by exchange opportunity simultaneously, packet is deposited in the buffer, there is No. ID, a buffer area, this No. ID also can be encapsulated in the buffer_id of Packet In message, by the form of Packet out, the buffer_id simultaneously in Packet out message fills in the buffer area ID (buffer_id in corresponding Packet In message) of the packet that will abandon.
The step of shielding main frame comprises as follows:
OpenFlow protocol streams list structure is as follows:
Territory, packet header Counter Action
The structure in its middle wrapping head territory is:
IDS policy server comprises the step that application programs carries out shielding and comprises as follows:
Step 1: fill in corresponding matching field in the territory, packet header of stream table, and by arranging Wildcards mask field, obtain shielding attacker or host information.Wherein, as attacker need be shielded, then in territory, stream table packet header, fill in following matching field: IP, MAC, VLAN, Swtich DPID, Swtich Port, protocol type and port numbers thereof etc.As need main frame be shielded, then fill in territory, stream table packet header: the matching fields such as IP, MAC, VLAN, Swtich DPID, Swtich Port.
Step 2: stream is shown action lists and puts sky, realizes the data packet discarding of attacker/main frame.
Step 3: call the record value in each Hash table, calculates stream table time-out erasing time automatically.
Step 4: issue stream table mask program or main frame.
Therefore, the network of the technical program can effectively identify and filtering attack packets.
Optionally, after above-mentioned each module, by issuing of the real-time optimum routing policy of normal message.
Concrete steps are as follows:
First enter step S1 to submit to the topological interface (API) of controller the request of acquisition to, then obtain full mesh topology by step S2.
Then, by carrying out the acquisition of total network links state.First enter step S3, then obtain total network links state by step S10, then calculate total network links remaining bandwidth.
Then be exactly the calculating of real-time optimal path, algorithm adopts classical dijkstra's algorithm, and the weights of algorithm change the inverse of the total network links remaining bandwidth that previous step obtains into, so just can ensure that the path calculated is the most unobstructed, the path that propagation delay time is minimum.(specific algorithm of optimal path is see related content in embodiment 3)
Finally, the optimal path calculated is converted to the real-time optimal path strategy be made up of stream table, issued by step S11.
Step S1 uses topological interface, the api interface that a kind of controller carries, and use LLDP (Link Layer Discovery Protocol) and broadcast packet to find link, then controller calculates network topology automatically.
The topological interface of step S2 controller obtains feedback of request to " full mesh topology acquisition module " topology of " real-time optimal path computation module ".
In step S3, " total network links state acquisition module " files a request to " switch query interface module ", obtains total network links state.Wherein, " switch query interface module " carries on " switch characteristic enquiry module " and " switch status enquiry module " basis at controller and expands, and achieves calculating and the query function of link remaining bandwidth.
Then, " switch query module " sends the broadcast packet of switch property request by step S4 all switches in network.Receive the message of switch characteristic feedback in automatic network again by step S5, parse the curr field inside message, obtain each switch ports themselves current bandwidth B.
Next, this module sends the broadcast packet of switch status request by step S6 all switches in network, comprises port and sends the message status such as bag number, port transmission byte number, port accepts byte number, port accepts bag number.Then, this module receives the message of switch status feedback in automatic network by step S7, parses tx_bytes field, obtains sending byte number N 1, obtain current time t 1.
Next, this module sends the broadcast packet of switch status request by step S8 all switches in network, and then, this module receives the message of switch status feedback in automatic network by S9, and timing stops, and obtains current time t 2.Parse tx_bytes field, obtain sending byte number N 2.
Then can calculate present port remaining bandwidth is: B-(N 2-N 1)/(t 2-t 1).
Then, the remaining bandwidth that the network topology that recycling obtains carries out every bar link calculates:
If the connection between switch and switch, then obtain the remaining bandwidth of the switch ports themselves of this both link ends, the remaining bandwidth of this link is the smaller in two port remaining bandwidths.
If the connection between main frame and switch, then obtain the remaining bandwidth of the switch ports themselves connecting main frame, this link remaining bandwidth is the switch ports themselves remaining bandwidth connecting this main frame.
Step S4 controller sends Feature Request message with the form of broadcast to all switches of the whole network.
Step S5 controller receives switch in automatic network and feeds back to the Feature Reply message of controller.
Step S6 controller sends Stats Request message with the form of broadcast to all switches of the whole network.
Step S7 controller receives switch in automatic network and feeds back to the Stats Reply message of controller.
Step S8 controller sends Stats Request message with the form of broadcast to all switches of the whole network.
Step S9 controller receives switch in automatic network and feeds back to the Stats Reply message of controller.
The link remaining bandwidth information feed back that calculates is given " total network links state acquisition module " by step S10 switch query interface.
Step S11 routing policy issues the real-time optimum routing policy that module calculates, and the stream table calculated is handed down to relevant switch by step S12.
This interface of step S12 is the api interface that controller carries, for issuing the optimum routing policy calculated.
Be defending DDOS attack while by described optimal path strategy, the average transmission time delay of network does not increase sharply.
Embodiment 3
A kind of method of work integrating the SDN system threatening process and routing optimality in embodiment 1 and embodiment 2 basis, with by distributed detection and centralized process, effectively alleviate the work load of controller, improve detection efficiency and data transmission rate.
The method of work integrating the SDN system threatening process and routing optimality of the present invention, comprises the steps:
Step S100, netinit; Step S200, distributed DDoS threatens monitoring; And step S300, threaten process and/or routing optimality.
Further, the device in described step S100 involved by netinit comprises: controller, IDS policy server and distributed IDS equipment;
The step of netinit is as follows:
Step S101, described IDS policy server and each IDS equipment set up special SSL traffic channel (this step S101 is optional embodiment); Step S102, described controller builds network equipment information binding table, and by network equipment information binding table real-time update in each IDS equipment; Step S104, described controller issues the stream table of mirror policy, is transmitted to IDS equipment corresponding in net territory by all port flow mirror images being loaded with main frame that drags of OF switch; And step S105, described controller issues DDoS threat identification rule to each IDS equipment corresponding in each net territory.
In described step S200, distributed DDoS threatens the method for monitoring to comprise: successively to the deceptive practices of link layer and internetwork layer address, internetwork layer and transport layer flag bit arrange abnormal behaviour, and the formula that the floods attack of application layer and transport layer detects; If when arbitrary detection judges that message exists respective behavior in said process, then this message is proceeded to step S300.
Concrete implementation step comprises:
Step S210, detects the deceptive practices of link layer and internetwork layer address.
Step S220, detects the abnormal behaviour that internetwork layer and transport layer flag bit are arranged.
Step S230, detects the formula that the floods attack of application layer and transport layer.
Step S240, if by message successively by after described step S210, step S220, step S230, when arbitrary step judges that message exists deception, exception, attack, then proceeds to step S300 by described message.
In described step S210, step S211 is comprised the steps: to the method that the deceptive practices of link layer and internetwork layer address detect, call network equipment information binding table by deception packet check module; Step S212, by deception packet check module, the type being encapsulated in message in Packet-In message is resolved, to obtain corresponding source, object IP address, MAC Address and to upload No. DPID, switch and the port numbers of this Packet-In message, and above-mentioned each information is compared with the corresponding information in network equipment information binding table respectively; If the above-mentioned information matches in message, then proceed to step S220 by message; If the above-mentioned information in message is not mated, then message is proceeded to step S300.
Arrange to internetwork layer and transport layer flag bit the method that abnormal behaviour detects in described step S220 to comprise: detect each flag bit of message, to judge whether each flag bit meets ICP/IP protocol specification; If each flag bit of message meets, then message is proceeded to S230; If each flag bit of message does not meet, then message is proceeded to step S300.
In described step S230, step S231 being comprised the steps: to the method that the formula that the floods attack of application layer and transport layer detects, building the Hash table for identifying the formula attack message that floods at exception message detection module; Step S232, judge whether described message is the formula attack message that floods by exception message detection module according to the threshold values set in described Hash table, and judged result is proceeded to step S300, even without attack, then data normally to be issued or by above-mentioned optimal path policy distribution; If have attack, then take corresponding shielding measure.
The method of process and/or routing optimality is threatened to comprise in described step S300:
If message has deceptive practices, and attack threat in OpenFlow territory, then described IDS policy server is suitable for shielding main frame by controller; And threaten not in OpenFlow territory when attacking, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center;
If message has abnormal behaviour, then described IDS policy server is shielded by the flow of controller to attacker or attack main frame; Concrete implementation step comprises: for destruction message aggression, because IDS equipment have passed deception packet check, so this message address is real when the message of pre-treatment.It is that the stream table of Drop is by attacker or the flow shielding of attacking main frame that IDS policy server only need issue action by the northbound interface of controller.But this is all the decision-making of coarseness, be only applicable to the destruction message aggression that attack packets is a small amount of.
If message has the formula attack that floods, then the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center by controller by described IDS policy server; Optionally, the safety means of flow cleaning center also can by the result feedback of protection to controller, adjustment network strategy, the Multidimensional protection under realizing SDN and being mixed with legacy network situation.
Further, path optimizing is gone out according to link load coefficient calculations, namely the link remaining bandwidth of two adjacent nodes is detected, obtain the load factor of this link, obtaining the optimal path of any two points according to this load factor and initialized network topological diagram, described controller draws corresponding forwarding flow table according to this optimal path and issues each switch.
The specific algorithm flow process of path optimizing is as follows:
If r n, (n+1)be the link remaining bandwidth of two adjacent nodes, then its link load coefficient is:
/ * by controller calculate link load coefficient */
U (a, b) for the load factor between any two points and:
U ( a , b ) = Σ n = a b cos t n , ( n + 1 )
If initial network topology figure is G*, calculate the optimal path between any two points,
Described IDS policy server shielding sends the program of message and/or the method for main frame comprises:
First, corresponding Hash table and the setting respective threshold of counting is built, namely
In unit interval, build the first Hash table counted deceptive practices in described IDS policy server, flag bit arranges the second Hash table that abnormal behaviour carries out counting, and to the 3rd Hash table that the formula attack of flooding counts;
Set first, second, third threshold values in first, second, third Hash table simultaneously;
Secondly, shielding sends program and/or the main frame of this message, namely
For the behavior of message proceeding to IDS policy server, utilize corresponding Hash table to count, when count value exceedes respective thresholds, shielding sends program and/or the main frame of this message.
Embodiment 4
SDN framework of the present invention and system can define SDNQA (SDN Communication Quality Assurance Strategy) i.e. SDN communication quality guarantee strategies.
Target design and scene dispose dependence test.
Present invention has been dispose and test, prevailing test environment and content measurement as follows:
(1) based on OpenFlow 1.3 agreement, test is equipped with DDoS and is threatened and to filter and communication quality ensures communication between the Floodlight controller of assembly, OF switch, IDS equipment and IDS policy server.
(2) whether test I DS equipment can abnormal aggression flow in real time monitoring network, and reports IDS policy server by SSL traffic channel.
(3) the test I DS policy server information that whether can report according to IDS equipment, makes that process is corresponding attacks the strategy threatened, and is issued by the northbound interface of controller.
(4) whether test controller can according to network real time status, generates and issues the forward-path of real-time optimization, promoting Consumer's Experience.
The concrete deployment of experiment scene., there are two empty nets network area based on centre.Wherein empty net A deploys this SDNQA system, and empty net B not yet disposes, and all there is some ddos attack puppet machines in each void net.Right side is experiment effect contrast district, comprises a Web server and two subscriber's main stations, wherein Web server runs Tomcat and externally provide Web service, and subscriber's main station A, B are the main frame of access empty net A, B respectively.Left side is attack simulating region, has a ddos attack machine, and the puppet's machine controlled as main control computer in empty net A and empty net B is initiated hybrid-type ddos attack to Web server by attack plane.
Based on above-mentioned experimental situation, verify from the performance of two aspects to SDNQA framework: (1) contrasts the attack frequency that Web server end hybrid-type ddos attack bears; (2) contrast the formula that floods and attack the network average transfer delay caused.
First, flow into situation to Web server end flow to analyze.Puppet's machine that attack plane controls in each void net initiates hybrid-type ddos attack to Web server simultaneously, and its highest frequency is 55Hz, and attacking duration is 100 seconds.Intercept all sequence of data packet of Web server, and isolate the request sequence of each void net, show that empty net A and empty net B institute flow into the request sequence of server respectively, the attack frequency that Web server bears contrasts.
Can find out, SDNQA system identifies typical ddos attack fast within 0s ~ 5s time period, and takes filter protection measure within the time period of 0s ~ 40s.After 40s, network traffics are tending towards normal, and test subscriber's host A normally can obtain web-page requests response always.And do not dispose in the void net B of SDNQA system and have a large amount of attack traffic to flow into always, test subscriber's host B cannot obtain web-page requests response.
Secondly, we extract the request sequence of test subscriber's host A and test subscriber's host B from the sequence of data packet intercepted before, the time of delay of the average transmission of statistical data packet from each request sequence, draw the average transmission time delay contrast of two empty nets.
Can find out, through routing optimality, the average transfer delay of empty net A is not increased sharply along with the increase of data volume.As can be seen here, SDNQA framework can based on the perception to network real time status, and convection current forward-path is optimized, thus ensures that optimal user is experienced when there is ddos attack or normal large discharge business in a network.
Should be understood that, above-mentioned embodiment of the present invention only for exemplary illustration or explain principle of the present invention, and is not construed as limiting the invention.Therefore, any amendment made when without departing from the spirit and scope of the present invention, equivalent replacement, improvement etc., all should be included within protection scope of the present invention.In addition, claims of the present invention be intended to contain fall into claims scope and border or this scope and border equivalents in whole change and modification.

Claims (10)

1. a SDN framework, is characterized in that, comprising: datum plane, using planar and control plane; Wherein
Datum plane, when being arranged in the arbitrary IDS equipment Inspection of datum plane to the message of ddos attack feature, namely reports to using planar by SSL traffic channel;
Using planar, for analyzing attack type, and threatens processing policy according to corresponding attack of attack type customization;
Control plane, threatens Processing Interface for using planar provides to attack, and provides optimal path computation for datum plane and/or attack threat identification interface.
2. SDN framework according to claim 1, is characterized in that, comprises in described IDS equipment:
Deception packet check module, detects the deceptive practices of link layer and internetwork layer address;
Destroy packet check module, the abnormal behaviour that internetwork layer and transport layer flag bit are arranged is detected;
Exception message detection module, detects the formula attack that floods of application layer and transport layer;
Successively message is detected by described deception packet check module, destruction packet check module, exception message detection module; And if when arbitrary detection module detects that message exists above-mentioned respective behavior, then this message is proceeded to using planar.
3. SDN framework according to claim 2, is characterized in that, described using planar is suitable for having deceptive practices when message, and attacks threat in OpenFlow territory, then by the controller shielding main frame in control plane; Maybe when attack threatens not in OpenFlow territory, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center;
Described using planar is also suitable for having abnormal behaviour when message, then shielded by the flow of controller to attacker or attack main frame; And
When message has the formula attack that floods, then described using planar is suitable for being filtered to flow cleaning center by the switch access interface traffic redirect corresponding to this message by controller.
4. DDoS threatens a method of work of filtering SDN system, comprising:
When arbitrary IDS equipment Inspection is to when having the message of ddos attack feature, namely report to IDS policy server by SSL traffic channel;
Described IDS policy server is according to reporting information, make the processing policy corresponding with the message with ddos attack feature, then this message is shielded by controller or the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center.
5. DDoS threatens the method for work of filtering SDN system according to claim 4, comprises in described IDS equipment:
Deception packet check module, detects the deceptive practices of link layer and internetwork layer address;
Destroy packet check module, the abnormal behaviour that internetwork layer and transport layer flag bit are arranged is detected;
Exception message detection module, detects the formula attack that floods of application layer and transport layer;
Successively message is detected by described deception packet check module, destruction packet check module, exception message detection module; And if when arbitrary detection module detects that message exists above-mentioned respective behavior, then this message is proceeded to IDS policy server.
6. DDoS threatens the method for work of filtering SDN system according to claim 5, it is characterized in that,
Described IDS policy server is suitable for having deceptive practices when message, and attacks threat in OpenFlow territory, then shield main frame by controller; Maybe when attack threatens not in OpenFlow territory, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center;
Described IDS policy server is also suitable for having abnormal behaviour when message, then shielded by the flow of controller to attacker or attack main frame; And
When message has the formula attack that floods, then described IDS policy server is suitable for being filtered to flow cleaning center by the switch access interface traffic redirect corresponding to this message by controller.
7. integrate a method of work for the SDN system threatening process and routing optimality, comprise the steps:
Step S100, netinit;
Step S200, distributed DDoS threatens monitoring; And
Step S300, threatens process and/or routing optimality.
8. integrate the method for work of the SDN system threatening process and routing optimality according to claim 7, it is characterized in that,
Device in described step S100 involved by netinit comprises: controller, IDS policy server and distributed IDS equipment;
The step of netinit is as follows:
Described controller builds network equipment information binding table, and by network equipment information binding table real-time update in each IDS equipment;
Described controller issues the stream table of mirror policy, is transmitted to IDS equipment corresponding in net territory by all port flow mirror images being loaded with main frame that drags of OF switch; And
Described controller issues DDoS threat identification rule to each IDS equipment corresponding in each net territory;
In described step S200, distributed DDoS threatens the method for monitoring to comprise:
Successively to the deceptive practices of link layer and internetwork layer address, internetwork layer and transport layer flag bit arrange abnormal behaviour, and
The formula that the floods attack of application layer and transport layer detects;
If when arbitrary detection judges that message exists respective behavior in said process, then this message is proceeded to step S300.
9. integrate the method for work of the SDN system threatening process and routing optimality according to claim 8, it is characterized in that,
The method that the deceptive practices of link layer and internetwork layer address detect is comprised:
By deception packet check module, deceptive practices are detected, namely
First, network equipment information binding table is called by deception packet check module;
Secondly, by deception packet check module, the type being encapsulated in message in Packet-In message is resolved, to obtain corresponding source, object IP address, MAC Address and to upload No. DPID, switch and the port numbers of this Packet-In message, and above-mentioned each information is compared with the corresponding information in network equipment information binding table respectively;
If the above-mentioned information matches in message, then message is carried out next and detect;
If the above-mentioned information in message is not mated, then message is proceeded to step S300;
Described internetwork layer and transport layer flag bit arrange the method that abnormal behaviour carries out detecting and comprise:
Arrange abnormal behaviour by destruction packet check module to flag bit to detect, namely
Each flag bit of message is detected, to judge whether each flag bit meets ICP/IP protocol specification;
If each flag bit of message meets, then message is proceeded to and carry out next detection;
If each flag bit of message does not meet, then message is proceeded to step S300;
The method that the formula that the floods attack of described application layer and transport layer is carried out detecting comprises:
By exception message detection module, the formula attack of flooding is detected, namely
Build the Hash table for identifying the formula attack message that floods at exception message detection module, and judge whether message has the formula attack that floods according to the threshold values set in this Hash table, and judged result is proceeded to step S300;
The method of process and/or routing optimality is threatened to comprise in described step S300:
If message has deceptive practices, and attack threat in OpenFlow territory, then described IDS policy server is suitable for shielding main frame by controller; And threaten not in OpenFlow territory when attacking, then by controller, the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center;
If message has abnormal behaviour, then described IDS policy server is shielded by the flow of controller to attacker or attack main frame;
If message has the formula attack that floods, then the switch access interface traffic redirect corresponding to this message is filtered to flow cleaning center by controller by described IDS policy server; And/or
Path optimizing is gone out according to link load coefficient calculations, namely the link remaining bandwidth of two adjacent nodes is detected, obtain the load factor of this link, obtaining the optimal path of any two points according to this load factor and initialized network topological diagram, described controller draws corresponding forwarding flow table according to this optimal path and issues each switch.
10. integrate the method for work of the SDN system threatening process and routing optimality according to claim 9, it is characterized in that, described IDS policy server shielding sends the program of message and/or the method for main frame comprises:
First, corresponding Hash table and the setting respective threshold of counting is built, namely
In unit interval, build the first Hash table counted deceptive practices in described IDS policy server, flag bit arranges the second Hash table that abnormal behaviour carries out counting, and to the 3rd Hash table that the formula attack of flooding counts;
Set first, second, third threshold values in first, second, third Hash table simultaneously;
Secondly, shielding sends program and/or the main frame of this message, namely
For the behavior of message proceeding to IDS policy server, utilize corresponding Hash table to count, when count value exceedes respective thresholds, shielding sends program and/or the main frame of this message.
CN201410788069.5A 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality Expired - Fee Related CN104539595B (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201711302098.6A CN107888618A (en) 2014-12-17 2014-12-17 The DDoS for solving network security threatens the method for work of filtering SDN systems
CN201410788069.5A CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN201711302100.XA CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality
CN201711302091.4A CN107786578A (en) 2014-12-17 2014-12-17 Suitable for solving the SDN frameworks and method of work of network security problem

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410788069.5A CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality

Related Child Applications (3)

Application Number Title Priority Date Filing Date
CN201711302100.XA Division CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality
CN201711302091.4A Division CN107786578A (en) 2014-12-17 2014-12-17 Suitable for solving the SDN frameworks and method of work of network security problem
CN201711302098.6A Division CN107888618A (en) 2014-12-17 2014-12-17 The DDoS for solving network security threatens the method for work of filtering SDN systems

Publications (2)

Publication Number Publication Date
CN104539595A true CN104539595A (en) 2015-04-22
CN104539595B CN104539595B (en) 2018-04-10

Family

ID=52855064

Family Applications (4)

Application Number Title Priority Date Filing Date
CN201410788069.5A Expired - Fee Related CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN201711302100.XA Withdrawn CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality
CN201711302091.4A Withdrawn CN107786578A (en) 2014-12-17 2014-12-17 Suitable for solving the SDN frameworks and method of work of network security problem
CN201711302098.6A Withdrawn CN107888618A (en) 2014-12-17 2014-12-17 The DDoS for solving network security threatens the method for work of filtering SDN systems

Family Applications After (3)

Application Number Title Priority Date Filing Date
CN201711302100.XA Withdrawn CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality
CN201711302091.4A Withdrawn CN107786578A (en) 2014-12-17 2014-12-17 Suitable for solving the SDN frameworks and method of work of network security problem
CN201711302098.6A Withdrawn CN107888618A (en) 2014-12-17 2014-12-17 The DDoS for solving network security threatens the method for work of filtering SDN systems

Country Status (1)

Country Link
CN (4) CN104539595B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105610854A (en) * 2016-01-18 2016-05-25 上海交通大学 Network-based collaborative defense system
CN105897750A (en) * 2016-06-03 2016-08-24 中国电子科技集团公司第三十研究所 Method and system for defending Dos attacks of SDN controller
WO2017035717A1 (en) * 2015-08-29 2017-03-09 华为技术有限公司 Distributed denial of service attack detection method and associated device
CN108289104A (en) * 2018-02-05 2018-07-17 重庆邮电大学 A kind of industry SDN network ddos attack detection with alleviate method
CN109508435A (en) * 2018-10-26 2019-03-22 张派瑞 A kind of anti-network bullying and humiliation method
CN109922048A (en) * 2019-01-31 2019-06-21 国网山西省电力公司长治供电公司 One kind serially dispersing concealed threat Network Intrusion detection method and system
US10659484B2 (en) 2018-02-19 2020-05-19 Cisco Technology, Inc. Hierarchical activation of behavioral modules on a data plane for behavioral analytics
CN111181910A (en) * 2019-08-12 2020-05-19 腾讯科技(深圳)有限公司 Protection method and related device for distributed denial of service attack
US11552965B2 (en) * 2017-12-28 2023-01-10 Hitachi, Ltd Abnormality cause specification support system and abnormality cause specification support method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111885092A (en) * 2020-09-10 2020-11-03 中国联合网络通信集团有限公司 DDoS attack detection method and processing method for edge nodes and SDN
CN114726602A (en) * 2022-03-29 2022-07-08 中国工程物理研究院计算机应用研究所 Self-adaptive threat blocking method for enterprise intranet under network zero change condition

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102487339A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Attack preventing method for network equipment and device
US20130117847A1 (en) * 2011-11-07 2013-05-09 William G. Friedman Streaming Method and System for Processing Network Metadata
CN103561011A (en) * 2013-10-28 2014-02-05 中国科学院信息工程研究所 Method and system for preventing blind DDoS attacks on SDN controllers
CN104023034A (en) * 2014-06-25 2014-09-03 武汉大学 Security defensive system and defensive method based on software-defined network

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102487339A (en) * 2010-12-01 2012-06-06 中兴通讯股份有限公司 Attack preventing method for network equipment and device
US20130117847A1 (en) * 2011-11-07 2013-05-09 William G. Friedman Streaming Method and System for Processing Network Metadata
CN103561011A (en) * 2013-10-28 2014-02-05 中国科学院信息工程研究所 Method and system for preventing blind DDoS attacks on SDN controllers
CN104023034A (en) * 2014-06-25 2014-09-03 武汉大学 Security defensive system and defensive method based on software-defined network

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017035717A1 (en) * 2015-08-29 2017-03-09 华为技术有限公司 Distributed denial of service attack detection method and associated device
CN105610854B (en) * 2016-01-18 2019-08-06 上海交通大学 A kind of network cooperating system of defense
CN105610854A (en) * 2016-01-18 2016-05-25 上海交通大学 Network-based collaborative defense system
CN105897750A (en) * 2016-06-03 2016-08-24 中国电子科技集团公司第三十研究所 Method and system for defending Dos attacks of SDN controller
US11552965B2 (en) * 2017-12-28 2023-01-10 Hitachi, Ltd Abnormality cause specification support system and abnormality cause specification support method
CN108289104A (en) * 2018-02-05 2018-07-17 重庆邮电大学 A kind of industry SDN network ddos attack detection with alleviate method
CN108289104B (en) * 2018-02-05 2020-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
US10659484B2 (en) 2018-02-19 2020-05-19 Cisco Technology, Inc. Hierarchical activation of behavioral modules on a data plane for behavioral analytics
CN109508435A (en) * 2018-10-26 2019-03-22 张派瑞 A kind of anti-network bullying and humiliation method
CN109922048A (en) * 2019-01-31 2019-06-21 国网山西省电力公司长治供电公司 One kind serially dispersing concealed threat Network Intrusion detection method and system
CN109922048B (en) * 2019-01-31 2022-04-19 国网山西省电力公司长治供电公司 Method and system for detecting serial scattered hidden threat intrusion attacks
CN111181910A (en) * 2019-08-12 2020-05-19 腾讯科技(深圳)有限公司 Protection method and related device for distributed denial of service attack
CN111181910B (en) * 2019-08-12 2021-10-08 腾讯科技(深圳)有限公司 Protection method and related device for distributed denial of service attack

Also Published As

Publication number Publication date
CN107888618A (en) 2018-04-06
CN107786578A (en) 2018-03-09
CN104539595B (en) 2018-04-10
CN107888619A (en) 2018-04-06

Similar Documents

Publication Publication Date Title
CN104539594A (en) SDN (software defined network) framework, system and working method combining DDoS (distributed denial of service) threat filtering and routing optimization
CN104660582A (en) Network architecture of software definition of DDoS identification, protection and path optimization
CN104539625B (en) Network security defense system based on software definition and working method thereof
CN104539595A (en) SDN framework integrating threat processing and route optimizing and operating method
CN104468636A (en) SDN structure for DDoS threatening filtering and link reallocating and working method
CN104378380A (en) System and method for identifying and preventing DDoS attacks on basis of SDN framework
Xing et al. Ripple: A programmable, decentralized {Link-Flooding} defense against adaptive adversaries
US7623466B2 (en) Symmetric connection detection
US8468590B2 (en) Rate limiting data traffic in a network
US7743415B2 (en) Denial of service attacks characterization
US7124440B2 (en) Monitoring network traffic denial of service attacks
US9166990B2 (en) Distributed denial-of-service signature transmission
US20190132360A1 (en) Honeynet method, system and computer program for mitigating link flooding attacks of software defined network
WO2002021278A1 (en) Coordinated thwarting of denial of service attacks
CN109327426A (en) A kind of firewall attack defense method
CN105871773A (en) DDoS filtering method based on SDN network architecture
CN102263788A (en) Method and equipment for defending against denial of service (DDoS) attack to multi-service system
CN105871771A (en) SDN network architecture aimed at DDoS network attack
CN105871772A (en) Working method of SDN network architecture aimed at network attack
CN107864110A (en) Botnet main control end detection method and device
CN108833430A (en) A kind of topological guard method of software defined network
Beitollahi et al. A cooperative mechanism to defense against distributed denial of service attacks
US8281400B1 (en) Systems and methods for identifying sources of network attacks
Himanshu et al. A Network Segmentation Architecture for Flow Aggregation and DDoS Mitigation in SDN Using RAPID Flow Rules
RU2791869C1 (en) Volume ddos attacks protection system and method

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
CB03 Change of inventor or designer information

Inventor after: Shi Yukai

Inventor after: Yang Zhongxue

Inventor after: Chen Fei

Inventor after: Zhang Jiahua

Inventor after: Wang Jiangping

Inventor after: Li Ying

Inventor after: Ou Jiahao

Inventor before: Shi Yukai

Inventor before: Zhang Jiahua

Inventor before: Yang Zhongxue

Inventor before: Wang Jiangping

Inventor before: Li Ying

GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20180410

Termination date: 20201217