
CN107835199A - Working method of an SDN system suitable for solving network security problems - Google Patents

Working method of an SDN system suitable for solving network security problems

Info

Publication number: CN107835199A
Authority: CN (China)
Prior art keywords: message, attack, packet, hash table, plane
Prior art date:
Legal status: Withdrawn (legal status, assignee and priority date on this page are Google's assumptions, not legal conclusions)
Application number: CN201711362500.XA
Other languages: Chinese (zh)
Inventor: not disclosed (不公告发明人)
Current assignee: Individual
Original assignee: Individual
Priority date:
Filing date:
Publication date:

Events:
Application filed by Individual
Priority to CN201711362500.XA
Publication of CN107835199A
Legal status: Withdrawn (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/302 Route determination based on requested QoS

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a working method of an SDN system suitable for solving network security problems. The SDN architecture comprises an application plane, a data plane and a control plane. The data plane: when any IDS device in the data plane detects an attack threat, it notifies the application plane to enter the attack-type analysis process. The application plane: analyses the attack type and formulates a corresponding attack-threat processing strategy according to the attack type. The control plane: provides an attack-threat processing interface to the application plane, and provides optimal path computation and/or attack-threat identification interfaces to the data plane. When the network is under a large-scale DDoS threat, the invention can forward traffic along optimised routes according to the real-time state of the links while identifying and responding to DDoS threats quickly and accurately, thereby safeguarding network communication quality in all respects.

Description

Working method of an SDN system suitable for solving network security problems
Technical field
The present invention relates to the field of network security, and more particularly to a working method of an SDN system suitable for solving network security problems.
Background technology
At present, high-speed, widely connected networks have become important infrastructure of modern society. However, as the scale of the Internet expands, the defects of the traditional network architecture are increasingly exposed.
The latest report issued by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) shows that hacker activity is on the rise; attacks such as website backdoors, phishing and malicious code planted on web pages (web Trojans) are increasing substantially, and the Internet security of nations and enterprises faces severe challenges.
Among these, distributed denial of service (DDoS) attacks remain one of the most important threats to the safe operation of the Internet. In the past few years the number, size and variety of DDoS attacks have all risen markedly.
Software defined networking (SDN) can update routing policies and rules in real time and supports deep packet analysis, so it can provide faster and more accurate network monitoring and defence against the DDoS threats found in complex network environments.
Summary of the invention
The object of the present invention is to provide an SDN architecture that solves the network security problems caused by large numbers of DDoS attacks in existing networks, so as to identify and defend against DDoS attacks quickly, efficiently and comprehensively.
To solve the above technical problem, the invention provides an SDN architecture comprising an application plane, a data plane and a control plane, wherein:
the data plane, when any IDS device in the data plane detects an attack threat, notifies the application plane to enter the attack-type analysis process;
the application plane analyses the attack type and formulates a corresponding attack-threat processing strategy according to the attack type;
the control plane provides an attack-threat processing interface to the application plane, and provides optimal path computation and/or attack-threat identification interfaces to the data plane.
Beneficial effects of the invention: the business function modules for DDoS threat monitoring, threat protection and route optimisation are deployed respectively in the data plane, the control plane and the application plane. When the network is under a large-scale DDoS threat it can forward traffic along optimised routes according to the real-time state of the links, while identifying and responding to DDoS threats quickly and accurately, safeguarding network communication quality in all respects.
In another aspect, the invention also provides an SDN system to solve the technical problem of defending against DDoS attacks.
To solve the above technical problem, the invention provides an SDN system comprising a controller, an IDS policy server, distributed IDS devices and a traffic cleaning centre. When any IDS device detects a message with DDoS attack characteristics, it reports the message to the IDS policy server over an SSL communication channel. The IDS policy server formulates, according to the reported information, a processing strategy corresponding to the message with DDoS attack characteristics, and then either shields the message through the controller or redirects the traffic of the switch access port corresponding to the message to the traffic cleaning centre for filtering.
Preferably, in order to detect DDoS within the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses; a malformed-packet detection module, which detects abnormal settings of Internet-layer and transport-layer flag bits; and an abnormal-packet detection module, which detects flooding attacks at the application layer and transport layer. A message is inspected in turn by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module; if any detection module finds that the message exhibits the corresponding behaviour, the message is handed to the IDS policy server.
Preferably, the IDS policy server is adapted, when a message exhibits spoofing and the attack threat lies within the OpenFlow domain, to shield the host through the controller; or, when the attack threat lies outside the OpenFlow domain, to redirect the traffic of the switch access port corresponding to the message to the traffic cleaning centre through the controller for filtering. The IDS policy server is further adapted, when a message exhibits abnormal behaviour, to shield the traffic of the attacking program or attacking host through the controller; and, when a message exhibits a flooding attack, to redirect the traffic of the switch access port corresponding to the message to the traffic cleaning centre through the controller for filtering.
In a third aspect, the invention also provides a working method of an SDN system that combines DDoS threat filtering with route optimisation, to solve the technical problem of monitoring DDoS attacks in a distributed manner and formulating the corresponding threat processing strategies.
To solve the above technical problem, the invention provides a working method of an SDN system combining DDoS threat filtering with route optimisation, comprising the following steps:
step S100, network initialisation; step S200, distributed DDoS threat monitoring; and step S300, threat processing and/or route optimisation.
Preferably, in order to realise the network configuration, the devices involved in the network initialisation of step S100 comprise: a controller, an IDS policy server and distributed IDS devices.
The steps of network initialisation are as follows:
step S101, the IDS policy server establishes a dedicated SSL communication channel with each IDS device;
step S102, the controller builds the network device information binding table and updates it in real time to each IDS device;
step S104, the controller issues the flow tables of the mirroring policy, i.e. the traffic of all OF switch ports that carry hosts is mirrored and forwarded to the corresponding IDS device in the domain; and
step S105, the controller issues DDoS threat identification rules to each corresponding IDS device in each domain.
Preferably, the method of distributed DDoS threat monitoring in step S200 comprises:
detecting, in turn, spoofing of link-layer and Internet-layer addresses, abnormal settings of Internet-layer and transport-layer flag bits, and
flooding attacks at the application layer and transport layer;
if any of the above detections finds that a message exhibits the corresponding behaviour, the message is passed to step S300.
Preferably, the method of detecting spoofing of link-layer and Internet-layer addresses comprises:
detecting spoofing with the spoofed-packet detection module, namely:
first, the spoofed-packet detection module retrieves the network device information binding table;
second, the spoofed-packet detection module parses the type of the message encapsulated in the Packet-In message, to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the switch that sent this Packet-In message, and compares each item of information with the corresponding entry in the network device information binding table;
if the above information in the message matches, the message proceeds to the next detection;
if the above information in the message does not match, the message is passed to step S300.
The method of detecting abnormal settings of Internet-layer and transport-layer flag bits comprises:
detecting abnormally set flag bits with the malformed-packet detection module, namely:
each flag bit of the message is inspected to judge whether it conforms to the TCP/IP protocol specification;
if every flag bit of the message conforms, the message proceeds to the next detection;
if any flag bit of the message does not conform, the message is passed to step S300.
The method of detecting flooding attacks at the application layer and transport layer comprises:
detecting flooding attacks with the abnormal-packet detection module, namely:
a hash table for identifying flooding attack messages is built in the abnormal-packet detection module, whether a message belongs to a flooding attack is judged according to the threshold set for that hash table, and the judgement result is passed to step S300.
Preferably, the method of threat processing and/or route optimisation in step S300 comprises:
if a message exhibits spoofing and the attack threat lies within the OpenFlow domain, the IDS policy server is adapted to shield the host through the controller; and when the attack threat lies outside the OpenFlow domain, the traffic of the switch access port corresponding to the message is redirected through the controller to the traffic cleaning centre for filtering;
if a message exhibits abnormal behaviour, the IDS policy server shields the traffic of the attacking program or attacking host through the controller;
if a message exhibits a flooding attack, the IDS policy server redirects the traffic of the switch access port corresponding to the message through the controller to the traffic cleaning centre for filtering; and/or
the optimised path is computed according to the link load coefficient: the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load coefficient of that link; the optimal path between any two points is obtained from the load coefficients and the network topology graph built at initialisation; and the controller derives the corresponding forwarding flow tables from the optimal path and issues them to each switch.
Preferably, the method by which the IDS policy server shields the program and/or host that sends a message comprises:
first, building the corresponding counting hash tables and setting the corresponding thresholds, namely:
within a unit time interval, building in the IDS policy server a first hash table that counts spoofing behaviour, a second hash table that counts abnormal flag-bit settings, and a third hash table that counts flooding attacks;
and at the same time setting a first, second and third threshold for the first, second and third hash tables respectively;
second, shielding the program and/or host that sends the message, namely:
for the behaviour of a message handed to the IDS policy server, counting with the corresponding hash table, and when the count exceeds the corresponding threshold, shielding the program and/or host that sends the message.
Beneficial effects of the invention: (1) the invention combines DDoS threat filtering with route optimisation, so that monitoring and shielding DDoS attacks does not cause data congestion; and by separating monitoring from threat processing, the burden on the control plane is effectively relieved and the network runs more safely and efficiently; (2) the invention fundamentally solves the problem that, under the traditional network architecture, DDoS attacks with forged addresses cannot be identified and traced to their source. Whether a DDoS attack or legitimate high-volume traffic is present in the network, the controller can optimise the routing of normal traffic based on real-time awareness of network parameters such as remaining link bandwidth, substantially improving the user experience; (3) the processing framework of the invention uses an extensible modular design, achieving efficient detection and flexible processing of DDoS threats; (4) each module obtains packet information through an independent interface design, reducing the coupling between modules; (5) each module uses optimised program data structures and finely splits each processing sub-flow, improving the high cohesion of the modules.
Brief description of the drawings
So that the content of the present disclosure can be understood more clearly, the invention is described in further detail below according to specific embodiments and with reference to the accompanying drawings, in which:
Fig. 1 shows a schematic block diagram of the data layer in a software defined network;
Fig. 2 shows a schematic block diagram of the DDoS attack identification and protection system based on the SDN architecture;
Fig. 3 shows the workflow of the spoofed-packet detection module;
Fig. 4 shows the workflow of the malformed-packet detection module;
Fig. 5 shows the UDP Flooding detection flowchart;
Fig. 6 shows the ICMP Flooding detection flowchart;
Fig. 7(a) shows the curve of the attack frequency borne by a web server that does not use this DDoS attack identification and protection system; Fig. 7(b) shows the curve of the attack frequency borne by a web server that uses this DDoS attack identification and protection system.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in more detail below with reference to specific embodiments and the accompanying drawings. It should be understood that these descriptions are merely illustrative and are not intended to limit the scope of the invention. In addition, descriptions of well-known structures and techniques are omitted from the following description to avoid unnecessarily obscuring the concepts of the invention.
Fig. 1 shows a schematic block diagram of the data layer in a software defined network.
As shown in Fig. 1, in the software defined network (SDN) architecture, when a packet arrives at a switch it is first matched against the flow tables held in the switch. If the match succeeds, the packet is forwarded according to the actions specified by the flow table rule. If the match fails, the switch encapsulates the packet in a Packet-In message, sends it to the controller, and keeps the packet in its local cache while waiting for the controller to decide how to handle it.
Since there are many hosts in the network, a hash table keyed by host is established for all hosts in the network, called the "violation-count hash table group", which includes: a first hash table for counting spoofed messages, a second hash table for counting malformed messages, and a third hash table for counting flooding attacks. It records the number of violations of each host, i.e. the host's credibility.
Packets in the network arrive in real time, so a hash table that counts threat packets within a unit time interval is needed: each host corresponds to one key in the hash table, and the corresponding value is the number of threat packets sent by that host during the recorded unit time. At the beginning of each unit time ("time slice"), the values of all keys in such a hash table are reset to 0. Every kind of detection needs such a table: if 100 kinds of message are detected, 100 such hash tables are required.
Moreover, each hash table must have a corresponding threshold. Whenever a host's value in a hash table is incremented, the value is checked after counting to see whether it exceeds the set threshold. If it exceeds the corresponding threshold, the value of the corresponding record in the violation-count hash table is incremented.
Also, parameters such as the threshold and time-slice length of each hash table can be adjusted through an interface.
For example, the hash tables for the hosts are:
Unit-interval spoofed-packet count hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1     2     2     1     100   2     0     0     …… 0
Unit-interval malformed-packet count hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1     2     2     1     100   2     0     0     …… 0
Unit-interval SYN count hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1     1     0     1     100   2     0     0     …… 0
Unit-interval UDP Flood count hash table
Unit-interval ICMP Flood count hash table
Host1 Host2 Host3 Host4 Host5 Host6 Host7 Host8 …… Host n
1     1     0     1     100   2     0     0     …… 0
……
All of the above hash tables are unit-interval count tables; at the start of each time slice all corresponding values are reset to 0.
Violation-count hash table
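The unit-interval count tables, their thresholds, the time-slice reset and the violation-count table described above (and the per-threshold handling of the third hash table in the abnormal-packet detection module later on) are all one data structure. The following is an added example, not code from the patent, that implements it in Python. The class and function names (ThreatCounter, FakeClock, run_demo), the detection-type labels, the rule that a host's violation count is incremented once per slice at the moment it first crosses the threshold, and the sample events are assumptions made for this illustration.

```python
from collections import defaultdict

# Added example, not the patent's code. Names, detection labels and the sample
# events are assumptions; the structure follows the unit-interval count tables
# and violation-count table described in the text.


class FakeClock:
    """Manually advanced clock so the time-slice reset can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ThreatCounter:
    """One unit-interval count table per detection type, plus the violation-count table.

    tables[detection][host] is the number of threat packets seen from host in the
    current time slice; thresholds[detection] is that table's threshold; and
    violations[host] is the host's violation count (its 'credibility' record),
    incremented once per slice when the host first exceeds a threshold.
    """

    def __init__(self, slice_seconds, thresholds, clock):
        self.slice_seconds = slice_seconds
        self.thresholds = dict(thresholds)
        self.tables = {d: defaultdict(int) for d in thresholds}
        self.violations = defaultdict(int)
        self.clock = clock
        self.slice_start = clock()

    def set_threshold(self, detection, value):
        """Thresholds (like the slice length) are tunable at run time, as the text says."""
        self.thresholds[detection] = value

    def _roll_slice_if_due(self):
        now = self.clock()
        if now - self.slice_start >= self.slice_seconds:
            # Start of a new time slice: every key's value in every table becomes 0.
            for table in self.tables.values():
                for host in table:
                    table[host] = 0
            self.slice_start = now

    def record(self, detection, host):
        """Count one detected packet; return True at the moment the threshold is exceeded.

        A True result is where the IDS policy server would shield the sending
        program and/or host.
        """
        self._roll_slice_if_due()
        table = self.tables[detection]
        table[host] += 1
        if table[host] == self.thresholds[detection] + 1:
            self.violations[host] += 1
            return True
        return False

    def count(self, detection, host):
        return self.tables[detection][host]


def run_demo():
    """Constructed scenario: Host5 sends five spoofed packets, Host1 sends two.

    Returns (hosts flagged, violation table, Host5's spoof count after the reset).
    """
    clock = FakeClock()
    counter = ThreatCounter(slice_seconds=1.0,
                            thresholds={"spoof": 3, "syn": 50, "udp_flood": 50},
                            clock=clock)
    flagged = []
    for host, packets in (("Host1", 2), ("Host5", 5)):
        for _ in range(packets):
            if counter.record("spoof", host):
                flagged.append(host)
    clock.advance(1.0)               # next time slice
    counter.record("syn", "Host1")   # first call in the new slice performs the reset
    after_reset = counter.count("spoof", "Host5")
    return flagged, dict(counter.violations), after_reset


if __name__ == "__main__":
    print(run_demo())
```

Host5 is flagged on its fourth spoofed packet (threshold 3), its violation count becomes 1, and after the slice rolls over its unit-interval count is back to 0 while the violation-count record persists; that persistence is what makes the violation table a credibility record rather than a rate counter.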
On the basis of the above principle of the invention, the specific implementation of the present embodiment is as follows.
Embodiment 1
Embodiment 1 provides an SDN architecture comprising an application plane, a data plane and a control plane, wherein: the data plane, when any IDS device (i.e. intrusion detection device) in the data plane detects an attack threat, notifies the application plane to enter the attack-type analysis process; the application plane analyses the attack type and formulates a corresponding attack-threat processing strategy according to the attack type; and the control plane provides an attack-threat processing interface to the application plane, and provides optimal path computation and/or attack-threat identification interfaces to the data plane.
The attack threats include, but are not limited to, DDoS attack threats.
The attack-type analysis and attack-threat processing strategy of the application plane, the attack monitoring, attack-threat shielding and route optimisation of the data plane, and the attack-threat processing, attack-threat identification and optimal path computation of the control plane are elaborated in the following embodiments.
The application plane may be implemented by the IDS policy server, and the control plane by the controller.
Embodiment 2
Embodiment 2 provides an SDN system comprising a controller, an IDS policy server, distributed IDS devices and a traffic cleaning centre. When any IDS device detects a message with DDoS attack characteristics, it reports the message to the IDS policy server over an SSL communication channel. The IDS policy server formulates, according to the reported information, a processing strategy corresponding to the message with DDoS attack characteristics, and then either shields the message through the controller or redirects the traffic of the switch access port corresponding to the message to the traffic cleaning centre for filtering.
The DDoS attack characteristics are defined as: spoofing of link-layer and Internet-layer addresses, abnormal settings of Internet-layer and transport-layer flag bits, and flooding attacks at the application layer and transport layer.
Fig. 2 shows a schematic block diagram of the DDoS attack identification and protection system based on the SDN architecture.
As shown in Fig. 2, the IDS device further comprises:
a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses;
a malformed-packet detection module, which detects abnormal settings of Internet-layer and transport-layer flag bits;
an abnormal-packet detection module, which detects flooding attacks at the application layer and transport layer;
a message is inspected in turn by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module; and if any detection module finds that the message exhibits the corresponding behaviour, the message is handed to the IDS policy server.
Further, the IDS policy server is adapted, when a message exhibits spoofing and the attack threat lies within the OpenFlow domain, to shield the host through the controller; or, when the attack threat lies outside the OpenFlow domain, to redirect the traffic of the switch access port corresponding to the message to the traffic cleaning centre through the controller for filtering. The IDS policy server is further adapted, when a message exhibits abnormal behaviour, to shield the traffic of the attacking program or attacking host through the controller; and, when a message exhibits a flooding attack, to redirect the traffic of the switch access port corresponding to the message to the traffic cleaning centre through the controller for filtering.
The invention inspects messages in the order spoofed-packet detection module, then malformed-packet detection module, then abnormal-packet detection module. Each module obtains packet information through an independent interface design, reducing the coupling between modules, and each module uses optimised program data structures that finely split each processing sub-flow, improving the high cohesion of the modules. This detection order improves the efficiency of inspecting message data and reduces loss.
Fig. 3 shows the workflow of the spoofed-packet detection module.
As shown in Fig. 3, the spoofed-packet detection module retrieves the network device information binding table, and a first hash table for counting packet-spoofing behaviour within a unit time interval is built in the IDS policy server, with a first threshold set for that first hash table. The spoofed-packet detection module parses the type of the message encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the switch that sent the Packet-In message, and compares each item with the corresponding entry in the network device information binding table. If the above information in the message matches, the message is passed to the malformed-packet detection module; if it does not match, the message is handed to the IDS policy server, which discards the message and at the same time counts the spoofing behaviour; when the count exceeds the first threshold, the program and/or host that sends the message is shielded.
Specifically, the spoofed-packet detection module performs the first judgement on a message, i.e. judges whether the message is an IP spoofing attack message, a port spoofing attack message or a MAC spoofing attack message.
The specific steps are: first parse the source and destination MAC addresses and the switch ingress port from the Ethernet frame, then parse the message according to its type. When the message type is IP, ARP or RARP, the corresponding source and destination IP addresses are parsed, and these items are looked up against the information in the network device information binding table. If the corresponding information matches, the message is handed to the malformed-packet detection module for processing. If it does not match, the message is handed to the IDS policy server for processing, and at the same time the spoofing behaviour is accumulated in the count; when the count exceeds the first threshold, the program and/or host that sends the message is shielded.
Floodlight has a device manager module, DeviceManagerImpl, which tracks devices as they move in the network and defines devices according to new flows.
The device manager learns devices from Packet-In requests, obtaining the device's network parameters (source and destination IP, MAC, VLAN and similar information) from the Packet-In message, and an entity classifier distinguishes whether a device is a switch or a host. By default the entity classifier identifies a device by its MAC address and/or VLAN, and these two attributes uniquely identify a device. Another important item of information is the device's attachment point (the DPID and port number of the switch). Within one OpenFlow domain a device can have only one attachment point; here an OpenFlow domain means the set of switches connected to the same Floodlight instance. The device manager also records the time at which the IP address and attachment point were set and the timestamp of their last observation, which serve as the basis for judging whether they have expired.
Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module, and at the same time register an IDeviceListener listener on that service.
The listener interface provided by IDeviceListener has the following methods:
Interface method                                     Function
public void deviceAdded(IDevice device)              host added
public void deviceRemoved(IDevice device)            host removed
public void deviceMoved(IDevice device)              host moved
public void deviceIPV4AddrChanged(IDevice device)    host IP address changed
public void deviceVlanChanged(IDevice device)        host VLAN changed
Service providers used: IFloodlightProviderService, IDeviceService
Interfaces relied on: IFloodlightModule, IDeviceListener
Records in the binding table are refreshed in real time according to the switch's port-level trigger mechanism (unplugging the network cable triggers Port Down, the low level; plugging it in triggers Port Up, the high level).
Traditional DDoS attacks cannot touch or modify the Switch DPID and Switch Port information; using this advantage, spoofing attacks can be detected more flexibly.
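The spoofed-packet check described above (parse the frame carried in the Packet-In, then compare source MAC, source IP, reporting switch DPID and ingress port against the network device information binding table) is shown below as an added Python example; it is not the patent's code and it stands in for the Floodlight module the text describes. The binding-table layout keyed by MAC, the helper names, the address-building helpers and the sample frames and hosts are assumptions constructed for this illustration.

```python
import struct

# Added example, not the patent's code. Binding-table layout, helper names and the
# sample hosts/frames are assumptions; the checks follow the text's description.

ETH_IPV4, ETH_ARP, ETH_RARP = 0x0800, 0x0806, 0x8035


def ip4(text):
    """Dotted-quad string to 4 packed bytes."""
    return bytes(int(octet) for octet in text.split("."))


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip) for IPv4, ARP and RARP frames; IPs may be None."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    body = frame[14:]
    src_ip = dst_ip = None
    if ethertype == ETH_IPV4 and len(body) >= 20:
        src_ip, dst_ip = struct.unpack("!12x4s4s", body[:20])   # IPv4 src/dst at offsets 12/16
    elif ethertype in (ETH_ARP, ETH_RARP) and len(body) >= 28:
        _sha, spa, _tha, tpa = struct.unpack("!8x6s4s6s4s", body[:28])  # ARP sender/target fields
        src_ip, dst_ip = spa, tpa
    return src_mac, src_ip, dst_ip


def check_spoofing(binding_table, frame, dpid, in_port):
    """Compare a Packet-In's fields with the binding table; return the list of mismatches.

    binding_table: {src_mac: {"ip": packed_ip, "dpid": int, "port": int}}.
    An empty list means the message passes on to the next detection module.
    """
    src_mac, src_ip, _dst_ip = parse_frame(frame)
    entry = binding_table.get(src_mac)
    if entry is None:
        return ["unknown source MAC"]
    mismatches = []
    if src_ip is not None and src_ip != entry["ip"]:
        mismatches.append("source IP does not match binding for this MAC")
    if dpid != entry["dpid"]:
        mismatches.append("reporting switch DPID differs from attachment point")
    if in_port != entry["port"]:
        mismatches.append("ingress port differs from attachment point")
    return mismatches


# Constructed frame builders (checksums left zero; the checks do not use them).
def build_ipv4_frame(src_mac, src_ip, dst_ip=ip4("10.0.0.4")):
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 17, 0, src_ip, dst_ip)
    return struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETH_IPV4) + ip_header


def build_arp_frame(src_mac, sender_ip, target_ip):
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1,
                       src_mac, sender_ip, b"\x00" * 6, target_ip)
    return struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETH_ARP) + body


# Constructed binding table: two hosts attached to switch DPID 1 on ports 1 and 2.
MAC1 = bytes.fromhex("000000000001")
MAC2 = bytes.fromhex("000000000002")
BINDING_TABLE = {
    MAC1: {"ip": ip4("10.0.0.1"), "dpid": 1, "port": 1},
    MAC2: {"ip": ip4("10.0.0.2"), "dpid": 1, "port": 2},
}

if __name__ == "__main__":
    print(check_spoofing(BINDING_TABLE, build_ipv4_frame(MAC1, ip4("10.0.0.1")), 1, 1))
    print(check_spoofing(BINDING_TABLE, build_ipv4_frame(MAC1, ip4("10.0.0.2")), 1, 3))
```

The DPID and port comparison is the part the text singles out: a sender can forge the addresses inside the frame, but not the switch and port the controller saw the Packet-In arrive on, so a mismatch there stands even when the MAC and IP pair looks consistent.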
Fig. 4 shows the workflow diagram for destroying packet check module.
It is suitable to set the flag bit of message as shown in figure 4, building in the IDS policy servers in the unit interval The second Hash table that abnormal behaviour is counted, and set the second threshold values in second Hash table;The destruction message inspection Survey module to detect each flag bit of message, to judge whether each flag bit meets ICP/IP protocol specification;If message Each flag bit meets, then message is transferred into exception message detection module;If each flag bit of message is not met, it is transferred to described IDS policy servers, are abandoned to message, and set abnormal behaviour to count flag bit simultaneously, when the count value surpasses When crossing the second threshold values, shielding sends the program and/or main frame of the message.
Specifically, the destruction packet check module, judges for carrying out second to message, that is, judge message whether be Attack message with malice flag bit feature.Wherein, the attack message with malice flag bit feature includes but is not limited to IP Attack message, TCP attack messages.Implementation steps include:IP attack message and TCP/UDP attack messages therein are realized each The detection of the flag bit of message, that is, identify whether each flag bit meets ICP/IP protocol specification.If meeting, just directly hand over By abnormal number packet check resume module.If not meeting, it is judged as attack message, is transferred to the processing of IDS policy servers.
Using typical attacks such as Tear Drop as row, there are an offset field and a burst mark (MF) in IP packet header, If offset field is arranged to incorrect value by attacker, the situation for overlapping or disconnecting, target machine just occurs in IP fragmentation message System will collapse.
In IP headings, there are a protocol fields, the field specifies which kind of agreement the IP messages carry.The field Value is less than 100, if attacker sends the IP messages of largely protocol fields of the band more than 100, target machine to target machine Protocol stack in system will be destroyed, and form attack.
Therefore, the destructive-packet detection module first extracts each flag bit of the packet and then checks whether it is normal.
If normal, the packet is passed to the subsequent module.
If abnormal, the packet is dropped and the corresponding hash-table counter is incremented. If the counter exceeds the set second threshold within the unit interval, the IDS policy server is invoked to block the corresponding program and/or directly block the corresponding host.
Because the spoofed-packet detection module has already filtered the traffic, the addresses in the packets handled by the destructive-packet detection module are genuine, so each count can be attributed to a real source. This effectively prevents the target from receiving destructive packets, which could otherwise crash its protocol stack or even the machine itself.
The processing function of the destructive-packet detection module is broadly the same as the flow of the spoofed-packet detection module; the difference is that the destructive-packet detection module parses the flag bits of each packet and checks whether each flag bit is normal.
If normal, the packet is handed directly to the subsequent anomalous-packet detection module.
If abnormal, the packet is dropped and the counter for that host or application in the corresponding hash table is incremented. If the set threshold is exceeded, the corresponding attacker program is blocked, or the attacking host is blocked directly.
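The following is an added example (not part of the patent, and not the applicant's implementation) of the flag-bit checks described above in Python: it parses IPv4 headers, flags unassigned protocol numbers, Teardrop-style overlapping fragments and oversized reassembly, and TCP flag combinations that no conforming stack emits, then keeps the "second hash table" as a per-source sliding window and blocks the source once the threshold is reached. The class and function names, the threshold of 5 per 1 s window, and the test packets built by build_ipv4 and build_tcp are all constructed for the example.

```python
"""Destructive-packet detection: IPv4/TCP flag-bit checks with a per-source
counter over a unit interval (the 'second hash table').  Added example."""
import socket
import struct
import time
from collections import defaultdict, deque

IP_MF = 0x2000
IP_OFFSET_MASK = 0x1FFF
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
TCP_ALL = TCP_FIN | TCP_SYN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG


def parse_ipv4(pkt):
    """Header fields the checks need; raises ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad version, IHL or total length")
    return {"id": ident, "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "mf": bool(flags_off & IP_MF), "offset": (flags_off & IP_OFFSET_MASK) * 8,
            "payload": pkt[ihl:total_len]}


def tcp_flag_violation(flags):
    """Flag combinations the RFC 793 state machine never produces (scanner/crash signatures)."""
    if flags == 0:
        return "null-flags"
    if flags == TCP_ALL:
        return "xmas"
    if flags & TCP_SYN and flags & TCP_FIN:
        return "syn+fin"
    if flags & TCP_SYN and flags & TCP_RST:
        return "syn+rst"
    if flags & TCP_FIN and not flags & TCP_ACK:   # bare FIN: never seen on a live connection
        return "fin-without-ack"
    return None


class DestructivePacketDetector:
    """Drop each abnormal packet; block its source once `threshold` abnormal packets
    from that source fall inside one `window` (the unit interval)."""

    def __init__(self, threshold=5, window=1.0, clock=time.monotonic):
        self.threshold, self.window, self.clock = threshold, window, clock
        self.frags = defaultdict(list)    # (src, dst, id, proto) -> [(start, end)] byte ranges seen
        self.counts = defaultdict(deque)  # second hash table: src -> timestamps of abnormal packets
        self.blocked = set()

    def inspect(self, pkt):
        """Return ('forward', None), ('drop', reason) or ('block', reason)."""
        try:
            ip = parse_ipv4(pkt)
        except ValueError as exc:
            return ("drop", "malformed: %s" % exc)
        if ip["src"] in self.blocked:
            return ("drop", "blocked")
        reason = self._check(ip)
        if reason is None:
            return ("forward", None)
        hits = self.counts[ip["src"]]
        now = self.clock()
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked.add(ip["src"])
            return ("block", reason)
        return ("drop", reason)

    def _check(self, ip):
        p, start, end = ip["proto"], ip["offset"], ip["offset"] + len(ip["payload"])
        if 144 <= p <= 252 or p == 255:            # unassigned or reserved per IANA protocol numbers
            return "unassigned-protocol:%d" % p
        if end > 65535:                            # fragment would reassemble past the max datagram
            return "oversized-reassembly"
        if ip["mf"] or start:                      # a fragment: remember its range, refuse overlaps
            key = (ip["src"], ip["dst"], ip["id"], p)   # (a real controller must age these entries)
            if any(start < e and s < end for s, e in self.frags[key]):
                return "overlapping-fragment"
            self.frags[key].append((start, end))
        if p == IPPROTO_TCP and start == 0 and len(ip["payload"]) >= 20:
            return tcp_flag_violation(ip["payload"][13] & TCP_ALL)
        return None


def build_ipv4(src, dst, proto, ident=1, mf=False, offset_units=0, payload=b""):
    """Constructed test datagram (checksum left zero; only the inspected fields matter)."""
    flags_off = (IP_MF if mf else 0) | (offset_units & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header carrying the given flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
```

In a controller the detector would be fed the packet bytes carried in each mirrored Packet-In; the verdict "block" is where the IDS policy server is invoked, and "drop" corresponds to releasing the buffered packet without forwarding it.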
A hash table for identifying flooding attack packets is built in the anomalous-packet detection module; a third hash table that counts flooding attacks per unit interval is built in the IDS policy server, and a third threshold is set for it. The anomalous-packet detection module judges, against the threshold set in the hash table, whether the packet is part of an attack. If not, the packet is forwarded; if so, it is handed to the IDS policy server, which drops it and increments the attack counter, and when the count exceeds the third threshold the program and/or host that sent the packet is blocked.
Specifically, the anomalous-packet detection module performs the third judgement on a packet: whether it is a flooding attack packet.
The steps are: the record corresponding to the packet in the hash table built for flooding identification is incremented, and the module checks whether the count exceeds the threshold, in order to decide whether the packet belongs to a flooding attack.
After the filtering performed by the spoofed-packet and destructive-packet detection modules, the packets reaching the subsequent module are essentially well-formed packets from genuine sources. DDoS attacks nevertheless occur within such traffic. In the prior art only spoofed-packet and destructive-packet detection are performed; this scheme adds a third stage to avoid DDoS attacks as far as possible.
The following embodiment shows how, after the spoofed-packet and destructive-packet detection modules have filtered the traffic, the anomalous-packet detection module blocks DDoS attacks, using UDP flooding and ICMP flooding as examples.
Fig. 5 shows the flow chart for UDP flooding detection.
As shown in Fig. 5, UDP flooding exploits the fact that UDP establishes no connection: the attacker sends the target a large volume of UDP packets. The target spends a great deal of time processing them; the attack packets not only overflow the buffers that hold UDP packets but also consume substantial network bandwidth, so that the target can receive no (or very few) legitimate UDP packets.
Because many hosts send large numbers of UDP packets to a single host, many of those packets inevitably arrive at ports with no listener, and the victim answers each of them with an ICMP port unreachable message (operating systems rate-limit ICMP error generation, so this count understates the flood but still tracks it).
The scheme therefore builds a hash table over all hosts that stores the number of ICMP port unreachable packets observed per unit interval. If the set threshold is exceeded, the corresponding attacker is blocked directly.
Fig. 6 shows the flow chart for ICMP flooding detection.
As shown in Fig. 6, ICMP flooding is handled by counting ICMP packets per unit interval directly. If the corresponding threshold is exceeded, the corresponding host is blocked. The method is simple, but direct and effective.
Hence, in the anomalous-packet detection module, if the packet is of a type this module handles, the corresponding counter is checked against its threshold. If the threshold is not exceeded, the packet is forwarded, optionally via the optimal routing policy. If it is exceeded, the corresponding attacker program is blocked, or the corresponding host is blocked directly.
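The following is an added example (not part of the patent) of the UDP-flooding and ICMP-flooding counters described above, written in Python over ICMP packets that the controller's packet library has already decoded. It adds the check a practitioner needs before trusting the UDP-flood signal: an ICMP port unreachable is only counted when the IP header it quotes agrees with its outer addresses, otherwise an attacker could forge unreachables and get an innocent host blocked. Keying the UDP-flood table by the UDP sender (the ICMP destination) and the ICMP-flood table by (sender, victim), the thresholds and the sample addresses are all choices made for this example.

```python
"""Flooding detection on decoded ICMP observations: UDP floods are inferred from
the ICMP port-unreachable replies they provoke, ICMP floods from echo requests;
both are counted per unit interval (the 'third hash table').  Added example."""
from collections import defaultdict, deque

ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3
ICMP_ECHO_REQUEST = 8


class WindowCounter:
    """key -> timestamps of events inside the last `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.table = defaultdict(deque)

    def hit(self, key, now):
        q = self.table[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)


class FloodDetector:
    def __init__(self, udp_threshold, icmp_threshold, window=1.0):
        self.unreach = WindowCounter(window)   # UDP-flood view, keyed by the UDP sender
        self.echo = WindowCounter(window)      # ICMP-flood view, keyed by (sender, victim)
        self.udp_threshold, self.icmp_threshold = udp_threshold, icmp_threshold
        self.blocked = set()

    def observe_icmp(self, outer_src, outer_dst, itype, icode, now, inner_src=None, inner_dst=None):
        """One decoded ICMP packet: outer IP addresses, type/code and, for ICMP errors,
        the addresses quoted in the embedded IP header.  Returns (verdict, detail)."""
        if outer_src in self.blocked:
            return ("drop", "blocked")
        if itype == ICMP_DEST_UNREACH and icode == ICMP_CODE_PORT_UNREACH:
            # The victim (outer_src) answers the UDP sender (outer_dst).  The quoted header
            # must agree, or a forged unreachable could get an innocent host blocked.
            if inner_src != outer_dst or inner_dst != outer_src:
                return ("drop", "inconsistent-icmp-quote")
            if self.unreach.hit(outer_dst, now) > self.udp_threshold:
                self.blocked.add(outer_dst)
                return ("block", outer_dst)
            return ("forward", None)
        if itype == ICMP_ECHO_REQUEST:
            if self.echo.hit((outer_src, outer_dst), now) > self.icmp_threshold:
                self.blocked.add(outer_src)
                return ("block", outer_src)
            return ("forward", None)
        return ("forward", None)
```

The attribution only holds because the spoofed-packet stage runs first: with a spoofed UDP source the unreachables would point at the spoofed host, which is exactly the host this table would block.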
When any of the spoofed-packet detection module, the destructive-packet detection module and the anomalous-packet detection module judges a packet to be one of the above attack packets, the packet is handed to the IDS policy server, i.e. it is dropped and the program and/or host that sent it is blocked.
Whenever the spoofed-packet, destructive-packet or anomalous-packet detection module needs to drop a packet or block a threatening host, it calls the IDS policy server directly to carry out the corresponding threat-handling operation.
The specific steps carried out by the IDS policy server are as follows.
Dropping the packet:
When no flow entry matches, the OpenFlow switch encapsulates the packet in a Packet-In message. The switch may also keep a copy of the packet in a local buffer; the buffer ID of that copy is carried in the buffer_id field of the Packet-In. To drop the packet, the controller sends a Packet-Out whose buffer_id is the buffer ID of the packet to be dropped (the buffer_id of the corresponding Packet-In) and whose action list is empty; with no output action the switch releases the buffered packet without forwarding it. If the switch did not buffer the packet (buffer_id is OFP_NO_BUFFER and the whole packet was carried in the Packet-In), nothing is pending on the switch and no Packet-Out is needed.
Blocking a host:
The OpenFlow flow entry has the following structure:
Header fields | Counters | Actions
The header-fields part has the following structure:
Blocking an application program with the IDS policy server comprises the following steps:
Step 1: Fill in the matching fields in the header-fields part of the flow entry and clear the corresponding Wildcards mask bits, so that those fields are actually matched and identify the attacker program or host. To block a program, fill in the IP address, MAC address, VLAN, switch DPID, switch port, protocol type and port number; to block a host, fill in the IP address, MAC address, VLAN, switch DPID and switch port. (The DPID is not itself a match field; it selects the switch that receives the flow entry.)
Step 2: Leave the action list of the flow entry empty, so that the packets of the attacker program or host are dropped.
Step 3: Use the record value in the corresponding hash table to compute the flow entry's timeout, i.e. the time after which the switch deletes it automatically.
Step 4: Install the flow entry to block the program or host.
Hence the network of this scheme can effectively identify and filter out attack packets.
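The following is an added example (not the applicant's code) that encodes the three IDS policy-server actions above as OpenFlow wire messages in Python: the Packet-Out that releases a buffered packet with an empty action list, and the Flow-Mod with an empty action list that blocks a host (IPv4 source only) or a program (source, protocol and source port), with the hard timeout derived from the hash-table count. It uses the OpenFlow 1.0 format because the header-fields/counters/actions layout and the Wildcards field named in the text exist only there (the Embodiment 4 test bed runs 1.3, where the equivalent is an OXM match with an empty instruction list). The timeout policy of 30 s per counted offence, the default priority and the sample addresses are assumptions of the example.

```python
"""IDS policy-server actions as OpenFlow 1.0 wire messages: drop one buffered
packet with a Packet-Out carrying an empty action list, and block a host or a
program with a flow entry whose action list is empty.  Added example."""
import socket
import struct

OFP_VERSION = 0x01
OFPT_PACKET_OUT, OFPT_FLOW_MOD = 13, 14
OFPFC_ADD = 0
OFPP_NONE = 0xFFFF
OFP_NO_BUFFER = 0xFFFFFFFF
ETH_TYPE_IPV4 = 0x0800

# ofp_match wildcard bits (OpenFlow 1.0 spec 5.2.3): a set bit means "do not match this field"
OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, OFPFW_DL_DST = 1 << 0, 1 << 1, 1 << 2, 1 << 3
OFPFW_DL_TYPE, OFPFW_NW_PROTO, OFPFW_TP_SRC, OFPFW_TP_DST = 1 << 4, 1 << 5, 1 << 6, 1 << 7
OFPFW_NW_SRC_MASK = 0x3F << 8        # 6-bit count of wildcarded nw_src bits (>= 32: all of them)
OFPFW_ALL = (1 << 22) - 1
MATCH_FMT = "!IH6s6sHBxHBBxx4s4sHH"  # 40-byte ofp_match
FLOW_MOD_TAIL_FMT = "!QHHHHIHH"      # cookie .. flags (24 bytes), then the (empty) action list


def _header(msg_type, body, xid):
    return struct.pack("!BBHI", OFP_VERSION, msg_type, 8 + len(body), xid) + body


def packet_out_drop(buffer_id, in_port, xid=1):
    """Release the packet the switch buffered for its Packet-In without forwarding it:
    same buffer_id, actions_len 0, no data.  Returns None when the switch kept no copy
    (OFP_NO_BUFFER): the whole packet came up in the Packet-In and nothing is pending."""
    if buffer_id == OFP_NO_BUFFER:
        return None
    return _header(OFPT_PACKET_OUT, struct.pack("!IHH", buffer_id, in_port, 0), xid)


def block_timeout(count, base_seconds=30, cap=65535):
    """Step 3 of the text with a policy chosen for this example (the patent fixes none):
    the entry lives base_seconds per counted offence, bounded by the 16-bit hard_timeout."""
    return min(base_seconds * count, cap)


def flow_mod_block(nw_src, nw_proto=None, tp_src=None, hard_timeout=60, priority=0x8000, xid=2):
    """ADD a flow entry that matches the attacker and carries no actions, i.e. drops.
    Host block: IPv4 source only.  Program block: source + protocol + source port.
    MAC, VLAN and in_port, which the text also lists, can be un-wildcarded the same way;
    the DPID is not a match field but selects the switch the message is sent to."""
    wildcards = OFPFW_ALL & ~(OFPFW_DL_TYPE | OFPFW_NW_SRC_MASK)
    proto, port = 0, 0
    if nw_proto is not None:
        wildcards &= ~OFPFW_NW_PROTO
        proto = nw_proto
    if tp_src is not None:
        wildcards &= ~OFPFW_TP_SRC
        port = tp_src
    match = struct.pack(MATCH_FMT, wildcards, 0, b"\0" * 6, b"\0" * 6, 0, 0, ETH_TYPE_IPV4,
                        0, proto, socket.inet_aton(nw_src), b"\0" * 4, port, 0)
    tail = struct.pack(FLOW_MOD_TAIL_FMT, 0, OFPFC_ADD, 0, hard_timeout, priority,
                       OFP_NO_BUFFER, OFPP_NONE, 0)
    return _header(OFPT_FLOW_MOD, match + tail, xid)


def decode_flow_mod(msg):
    """Read back the fields worth checking before trusting a generated entry."""
    version, msg_type, length, _xid = struct.unpack("!BBHI", msg[:8])
    if version != OFP_VERSION or msg_type != OFPT_FLOW_MOD or length != len(msg):
        raise ValueError("not a well-formed OpenFlow 1.0 Flow-Mod")
    m = struct.unpack(MATCH_FMT, msg[8:48])
    _cookie, command, _idle, hard, priority, _buf, _out, _flags = \
        struct.unpack(FLOW_MOD_TAIL_FMT, msg[48:72])
    return {"wildcards": m[0], "dl_type": m[6], "nw_proto": m[8], "nw_src": socket.inet_ntoa(m[9]),
            "tp_src": m[11], "command": command, "hard_timeout": hard, "priority": priority,
            "actions_len": len(msg) - 72}
```

The decoder is the check worth keeping in a controller: a Flow-Mod whose wildcards leave the address bits set, or whose dl_type is wildcarded while nw_src is not, silently matches far more than the attacker.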
Optionally, after a packet has passed all the above modules, a real-time optimal routing policy is installed for normal traffic.
The steps are as follows.
First, in step S1, a request is submitted to the controller's topology interface (API), and in step S2 the full network topology is obtained.
Next, the state of all links in the network is obtained: step S3 is entered, step S10 returns the link state of the whole network, and the remaining bandwidth of every link is calculated.
Then the real-time optimal path is calculated with the classic Dijkstra algorithm, modified so that the edge weight is the reciprocal of the link's remaining bandwidth obtained in the previous step. The path with the smallest weight sum is the path with the most spare capacity; the text equates this with the lowest-delay path, which holds to the extent that queueing, rather than propagation, dominates the delay. (The specific optimal-path algorithm is described in Embodiment 3.)
Finally, the computed optimal path is converted into a real-time optimal path policy consisting of flow entries, which are installed in step S11.
Step S1 uses the topology interface, an API provided by the controller; the controller discovers links with LLDP (Link Layer Discovery Protocol) and broadcast packets and then computes the network topology automatically.
In step S2 the controller's topology interface returns the topology to the full-topology acquisition module of the real-time optimal path computation module.
In step S3 the network-wide link state acquisition module sends a request to the switch query interface module and obtains the link state of the whole network. The switch query interface module extends the controller's built-in switch feature query module and switch state query module with the calculation and query of link remaining bandwidth.
In step S4 the switch query module sends a switch feature request to all switches in the network. In step S5 it receives the feature replies from the switches and parses the curr field of each port to obtain the current bandwidth B of each switch port. (In OpenFlow 1.0 curr is a bitmap of port features that encodes the negotiated speed; OpenFlow 1.3 additionally reports curr_speed in kbit/s.)
Next, in step S6, the module sends a switch statistics request to all switches, covering port statistics such as transmitted packets, transmitted bytes, received bytes and received packets. In step S7 it receives the statistics replies, parses the tx_bytes field to obtain the transmitted byte count N1 and records the current time t1.
In step S8 the module again sends a statistics request to all switches; in step S9 it receives the replies, stops timing, records the current time t2 and parses tx_bytes to obtain the transmitted byte count N2.
The current remaining bandwidth of the port is then B - (N2 - N1)/(t2 - t1), with the byte-counter difference converted to the unit of B (bits per second) before subtracting.
The remaining bandwidth of each link is then calculated from the acquired topology:
for a link between two switches, the remaining bandwidth of the switch ports at both ends is obtained and the link's remaining bandwidth is the smaller of the two;
for a link between a host and a switch, the remaining bandwidth of the switch port connected to the host is obtained and that is the link's remaining bandwidth.
In step S4 the controller broadcasts a Features Request message to all switches in the network.
In step S5 the controller receives the Features Reply messages returned by the switches.
In step S6 the controller broadcasts a Stats Request message to all switches in the network.
In step S7 the controller receives the Stats Reply messages returned by the switches.
In step S8 the controller broadcasts a Stats Request message to all switches in the network.
In step S9 the controller receives the Stats Reply messages returned by the switches.
In step S10 the switch query interface returns the computed link remaining bandwidth to the network-wide link state acquisition module.
In step S11 the routing policy installation module takes the computed real-time optimal routing policy and, through step S12, installs the computed flow entries on the relevant switches.
The step S12 interface is an API provided by the controller for installing the computed optimal routing policy.
Through the optimal path policy, the average transmission delay of the network does not increase sharply while the DDoS attack is being defended against.
Embodiment 3
Building on Embodiments 1 and 2, a working method of an SDN system that combines DDoS threat filtering with routing optimisation uses distributed detection and centralised handling to relieve the controller's workload and to improve detection efficiency and data transmission rate.
The working method of the SDN system combining DDoS threat filtering and routing optimisation comprises the following steps:
Step S100, network initialisation; step S200, distributed DDoS threat monitoring; and step S300, threat handling and/or routing optimisation.
Further, the devices involved in network initialisation in step S100 are the controller, the IDS policy server and the distributed IDS devices.
Network initialisation proceeds as follows:
Step S101, the IDS policy server establishes a dedicated SSL communication channel with each IDS device. Step S102, the controller builds the network device information binding table and pushes it to each IDS device in real time. Step S104, the controller installs the flow entries of a mirroring policy, i.e. the traffic of every OpenFlow switch port to which a host is attached is mirrored to the IDS device of the corresponding domain. Step S105, the controller pushes the DDoS threat identification rules to the IDS devices of each domain.
The distributed DDoS threat monitoring in step S200 comprises detecting, in order, address spoofing at the link layer and internet layer, abnormal flag-bit settings at the internet layer and transport layer, and flooding attacks at the transport layer and application layer. If any of these detections finds the corresponding behaviour in a packet, the packet is handed to step S300.
The specific steps are:
Step S210, detect address spoofing at the link layer and internet layer.
Step S220, detect abnormal flag-bit settings at the internet layer and transport layer.
Step S230, detect flooding attacks at the transport layer and application layer.
Step S240, when a packet passes through steps S210, S220 and S230 in turn and any of them finds spoofing, an anomaly or an attack, the packet is handed to step S300.
Detecting address spoofing at the link layer and internet layer in step S210 comprises: step S211, the spoofed-packet detection module retrieves the network device information binding table; step S212, the spoofed-packet detection module parses the packet encapsulated in the Packet-In message to obtain its source and destination IP addresses and MAC addresses, together with the DPID and port number of the switch that sent the Packet-In, and compares each of these with the corresponding entry in the binding table. If the information matches, the packet is passed to step S220; if it does not, the packet is handed to step S300.
Detecting abnormal flag-bit settings at the internet layer and transport layer in step S220 comprises checking each flag bit of the packet against the TCP/IP specifications. If all flag bits conform, the packet is passed to S230; if not, the packet is handed to step S300.
Detecting flooding attacks at the transport layer and application layer in step S230 comprises: step S231, building in the anomalous-packet detection module a hash table for identifying flooding attack packets; step S232, the anomalous-packet detection module judging, against the threshold set in that hash table, whether the packet is a flooding attack packet and passing the result to step S300: if there is no attack, the data is forwarded normally or according to the optimal path policy above; if there is an attack, the corresponding blocking measure is taken.
Threat handling and/or routing optimisation in step S300 comprises:
If the packet shows spoofing and the attack threat is inside the OpenFlow domain, the IDS policy server blocks the host through the controller; if the attack threat is outside the OpenFlow domain, the controller redirects the traffic of the access port of the switch corresponding to the packet to the traffic scrubbing centre for filtering.
If the packet shows abnormal flag bits, the IDS policy server blocks the traffic of the attacker program or attacking host through the controller. Specifically, for destructive-packet attacks, the packet currently processed by the IDS device has already passed spoofed-packet detection, so its address is genuine; the IDS policy server only needs to install, through the controller's northbound interface, a flow entry whose action is Drop for the attacker program or host. This is a coarse-grained decision, suitable only for attacks consisting of a small number of destructive packets.
If the packet is part of a flooding attack, the IDS policy server, through the controller, redirects the traffic of the access port of the switch corresponding to the packet to the traffic scrubbing centre for filtering. Optionally, the security equipment of the scrubbing centre also feeds the result of its protection back to the controller, which adjusts the network policy, achieving multi-dimensional protection where SDN coexists with a legacy network.
Further, the optimal path is calculated from link load coefficients: the remaining bandwidth of the link between two adjacent nodes is measured, the load coefficient of the link is derived from it, the optimal path between any two points is obtained from the load coefficients and the initial network topology, and the controller derives the corresponding forwarding flow entries from the optimal path and installs them on each switch.
The optimal path algorithm is as follows:
Let r_{n,(n+1)} be the remaining bandwidth of the link between two adjacent nodes; its link load coefficient is: /* link load coefficient computed by the controller */
U(a, b) is the sum of the load coefficients along the path between any two points a and b:
With G0 as the initial network topology graph, the optimal path between any two points is calculated.
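The following is an added example (not the applicant's implementation) of the optimal-path procedure of steps S1 to S12 and of the load-coefficient formulation restated just above, in Python: it derives a port's residual bandwidth from two Port-Stats samples with the unit conversion the text leaves implicit (tx_bytes is a byte counter, curr_speed in OpenFlow 1.3 is kbit/s), reduces ports to link residuals with the patent's two rules, runs Dijkstra with 1/residual as the edge weight, treating saturated links as unusable, and turns the path into the (in_port, out_port) pairs each switch needs. The topology in sample_topology, the port numbers, the speeds and the counter values are constructed for the example.

```python
"""Real-time optimal path: residual bandwidth from port stats, Dijkstra on 1/residual,
and the per-switch port pairs to install.  Added example."""
import heapq
from math import inf


def port_residual_kbps(curr_speed_kbps, tx_bytes_1, t1, tx_bytes_2, t2):
    """Residual capacity of one switch port from two Port-Stats samples.  curr_speed is
    kbit/s (OpenFlow 1.3 ofp_port.curr_speed); tx_bytes is a byte counter, so the used
    rate is converted to kbit/s before subtracting.  Clamped at zero."""
    if t2 <= t1:
        raise ValueError("samples must be increasing in time")
    used_kbps = (tx_bytes_2 - tx_bytes_1) * 8 / (t2 - t1) / 1000
    return max(curr_speed_kbps - used_kbps, 0.0)


def link_residuals(links, port_residual):
    """links: ((node_a, port_a), (node_b, port_b)) pairs; hosts carry port None.
    Switch-switch link = min of both port residuals, host-switch link = the switch port."""
    res = {}
    for (a, pa), (b, pb) in links:
        r = min(port_residual[(n, p)] for n, p in ((a, pa), (b, pb)) if p is not None)
        res[(a, b)] = res[(b, a)] = r
    return res


def widest_least_loaded_path(residual, src, dst):
    """Dijkstra with edge weight 1/residual_kbps; a saturated link (residual 0) is unusable.
    Returns (path, total_weight) or (None, inf)."""
    adj = {}
    for (a, b), r in residual.items():
        adj.setdefault(a, []).append((b, inf if r <= 0 else 1.0 / r))
    dist, prev, seen = {src: 0.0}, {}, set()
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in seen:
            continue
        seen.add(u)
        if u == dst:
            break
        for v, w in adj.get(u, []):
            if w == inf:
                continue
            if d + w < dist.get(v, inf):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None, inf
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def flow_entries(path, links):
    """{switch: (in_port, out_port)} along the path; hosts at either end are skipped."""
    port_of = {}
    for (a, pa), (b, pb) in links:
        port_of[(a, b)], port_of[(b, a)] = pa, pb      # port on a facing b, and vice versa
    return {path[i]: (port_of[(path[i], path[i - 1])], port_of[(path[i], path[i + 1])])
            for i in range(1, len(path) - 1)}


def sample_topology():
    """Constructed example: h1-s1-s2-s3-h2 plus a 1 Gbit/s s1-s3 shortcut that is 99% loaded."""
    links = [(("h1", None), ("s1", 1)), (("s1", 2), ("s2", 1)), (("s2", 2), ("s3", 1)),
             (("s1", 3), ("s3", 2)), (("s3", 3), ("h2", None))]
    light = (100_000, 0, 10.0, 125_000, 11.0)        # 100 Mbit/s port, 1 Mbit/s used in 1 s
    medium = (100_000, 0, 10.0, 1_250_000, 11.0)     # 100 Mbit/s port, 10 Mbit/s used
    heavy = (1_000_000, 0, 10.0, 123_750_000, 11.0)  # 1 Gbit/s port, 990 Mbit/s used
    samples = {("s1", 1): light, ("s1", 2): medium, ("s2", 1): medium, ("s2", 2): medium,
               ("s3", 1): medium, ("s1", 3): heavy, ("s3", 2): heavy, ("s3", 3): light}
    return links, {k: port_residual_kbps(*v) for k, v in samples.items()}
```

With these numbers the lightly used 100 Mbit/s detour via s2 wins over the nearly saturated 1 Gbit/s shortcut, which is the behaviour the text wants from the reciprocal weight; a plain hop-count metric would have chosen the shortcut.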
Blocking the program and/or host that sent the packet by the IDS policy server comprises:
first, building the hash tables for counting and setting the corresponding thresholds, i.e.
building in the IDS policy server, per unit interval, a first hash table counting spoofing behaviour, a second hash table counting flag-bit anomalies, and a third hash table counting flooding attacks;
and setting a first, second and third threshold in the first, second and third hash tables respectively;
secondly, blocking the program and/or host that sent the packet, i.e.
counting the behaviour of each packet handed to the IDS policy server in the corresponding hash table and, when the count exceeds the corresponding threshold, blocking the program and/or host that sent the packet.
Embodiment 4
The SDN architecture and system of the invention may be referred to as SDNQA (SDN Communication Quality Assurance Strategy).
Objectives, design and scenario deployment of the test.
The invention has been deployed and tested; the main test environment and test contents are as follows:
(1) Based on the OpenFlow 1.3 protocol, test the communication between the Floodlight controller equipped with the DDoS threat filtering and communication quality assurance component, the OpenFlow switches, the IDS devices and the IDS policy server.
(2) Test whether the IDS devices can monitor anomalous attack traffic in the network in real time and report it to the IDS policy server over the SSL communication channel.
(3) Test whether the IDS policy server can form a strategy for handling the corresponding attack threat from the information reported by the IDS devices and install it through the controller's northbound interface.
(4) Test whether the controller can generate and install a real-time optimised forwarding path from the real-time network state, improving the user experience.
The experimental scenario is deployed as follows. In the centre is the network area, which contains two virtual networks: virtual network A has the SDNQA system deployed, virtual network B does not, and each virtual network contains some DDoS bots. On the right is the comparison area, with one web server and two user hosts; the web server runs Tomcat to provide a web service externally, and user hosts A and B are the access hosts of virtual networks A and B respectively. On the left is the attack simulation area, with one DDoS attack machine acting as the master that controls the bots in virtual networks A and B to launch a hybrid DDoS attack against the web server.
In this environment the performance of the SDNQA architecture is verified in two respects: (1) comparing the attack rate borne by the web server under the hybrid DDoS attack; (2) comparing the average network transmission delay caused by the flooding attack.
First, the traffic arriving at the web server is analysed. The attack machine makes the bots in both virtual networks launch the hybrid DDoS attack against the web server simultaneously, at a peak rate of 55 Hz for 100 seconds. All packet sequences at the web server are captured and the request sequence from each virtual network is separated out, giving the request sequences flowing into the server from virtual network A and virtual network B; the comparison of the attack rate borne by the web server is shown in Fig. 7 (a) and (b).
It can be seen that the SDNQA system identifies the typical DDoS attack within the 0 s to 5 s period and applies the filtering protection within the 0 s to 40 s period. After 40 s the network traffic returns to normal, and test user host A obtains web page responses normally throughout. In virtual network B, where SDNQA is not deployed, a large volume of attack traffic keeps flowing in and test user host B cannot obtain web page responses.
Secondly, the request sequences of test user hosts A and B are extracted from the captured packet sequences, the average transmission delay of the packets in each sequence is calculated, and the average transmission delays of the two virtual networks are compared.
It can be seen that, thanks to routing optimisation, the average transmission delay of virtual network A does not rise sharply as the volume of data grows. The SDNQA architecture can therefore optimise forwarding paths based on its perception of the real-time network state, ensuring the best user experience when a DDoS attack or normal high-volume traffic is present in the network.
It should be understood that the above embodiments of the invention serve only to illustrate or explain the principles of the invention and are not to be construed as limiting it. Any modification, equivalent substitution or improvement made without departing from the spirit and scope of the invention falls within its scope of protection. Furthermore, the appended claims are intended to cover all changes and modifications that fall within the scope and boundaries of the claims, or their equivalents.

Claims (4)

1. A working method of an SDN system combining DDoS threat filtering and routing optimisation, characterised in that it comprises the following steps:
Step S100, network initialisation;
Step S200, distributed DDoS threat monitoring; and
Step S300, threat handling and/or routing optimisation;
wherein the distributed DDoS threat monitoring in step S200 comprises:
detecting, in order, address spoofing at the link layer and internet layer, abnormal flag-bit settings at the internet layer and transport layer, and
flooding attacks at the transport layer and application layer;
and if any of these detections finds the corresponding behaviour in a packet, handing the packet to step S300.
2. The working method of the SDN system according to claim 1, characterised in that
the detection of address spoofing at the link layer and internet layer comprises:
detecting spoofing with a spoofed-packet detection module, i.e.
first, the spoofed-packet detection module retrieves the network device information binding table;
secondly, the spoofed-packet detection module parses the packet encapsulated in the Packet-In message to obtain its source and destination IP addresses and MAC addresses, together with the DPID and port number of the switch that sent the Packet-In, and compares each of these with the corresponding entry in the network device information binding table;
if the information matches, the packet proceeds to the next detection;
if it does not match, the packet is handed to step S300;
the detection of abnormal flag-bit settings at the internet layer and transport layer comprises:
detecting abnormal flag bits with a destructive-packet detection module, i.e.
checking each flag bit of the packet against the TCP/IP specifications;
if all flag bits of the packet conform, the packet proceeds to the next detection;
if not, the packet is handed to step S300;
the detection of flooding attacks at the transport layer and application layer comprises:
detecting flooding attacks with an anomalous-packet detection module, i.e.
building in the anomalous-packet detection module a hash table for identifying flooding attack packets, judging against the threshold set in that hash table whether the packet is part of a flooding attack, and handing the result to step S300.
3. The working method of the SDN system according to claim 2, characterised in that the threat handling and/or routing optimisation in step S300 comprises:
if the packet shows spoofing and the attack threat is inside the OpenFlow domain, the IDS policy server blocks the host through the controller; and if the attack threat is outside the OpenFlow domain, the controller redirects the traffic of the access port of the switch corresponding to the packet to the traffic scrubbing centre for filtering;
if the packet shows abnormal flag bits, the IDS policy server blocks the traffic of the attacker program or attacking host through the controller;
if the packet is part of a flooding attack, the IDS policy server, through the controller, redirects the traffic of the access port of the switch corresponding to the packet to the traffic scrubbing centre for filtering; and/or
the optimal path is calculated from link load coefficients, i.e. the remaining bandwidth of the link between two adjacent nodes is measured, the load coefficient of the link is derived, the optimal path between any two points is obtained from the load coefficients and the initial network topology, and the controller derives the corresponding forwarding flow entries from the optimal path and installs them on each switch.
4. The working method of the SDN system according to claim 3, characterised in that the blocking, by the IDS policy server, of the program and/or host that sent the packet comprises:
first, building the hash tables for counting and setting the corresponding thresholds, i.e.
building in the IDS policy server, per unit interval, a first hash table counting spoofing behaviour, a second hash table counting flag-bit anomalies, and a third hash table counting flooding attacks;
and setting a first, second and third threshold in the first, second and third hash tables respectively;
secondly, blocking the program and/or host that sent the packet, i.e.
counting the behaviour of each packet handed to the IDS policy server in the corresponding hash table and, when the count exceeds the corresponding threshold, blocking the program and/or host that sent the packet.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711362500.XA CN107835199A (en) 2014-12-17 2014-12-17 Suitable for solving the method for work of the SDN systems of network security

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711362500.XA CN107835199A (en) 2014-12-17 2014-12-17 Suitable for solving the method for work of the SDN systems of network security
CN201410786993.XA CN104539594B (en) 2014-12-17 2014-12-17 Merge DDoS and threaten filtering and SDN frameworks, system and the method for work of routing optimality

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201410786993.XA Division CN104539594B (en) 2014-12-17 2014-12-17 Merge DDoS and threaten filtering and SDN frameworks, system and the method for work of routing optimality

Publications (1)

Publication Number Publication Date
CN107835199A true CN107835199A (en) 2018-03-23

Family

ID=52855063

Family Applications (4)

Application Number Title Priority Date Filing Date
CN201711362506.7A Active CN108040057B (en) 2014-12-17 2014-12-17 Working method of SDN system suitable for guaranteeing network security and network communication quality
CN201711362500.XA Withdrawn CN107835199A (en) 2014-12-17 2014-12-17 Suitable for solving the method for work of the SDN systems of network security
CN201410786993.XA Expired - Fee Related CN104539594B (en) 2014-12-17 2014-12-17 Merge DDoS and threaten filtering and SDN frameworks, system and the method for work of routing optimality
CN201711362482.5A Active CN108063765B (en) 2014-12-17 2014-12-17 SDN system suitable for solving network security

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201711362506.7A Active CN108040057B (en) 2014-12-17 2014-12-17 Working method of SDN system suitable for guaranteeing network security and network communication quality

Family Applications After (2)

Application Number Title Priority Date Filing Date
CN201410786993.XA Expired - Fee Related CN104539594B (en) 2014-12-17 2014-12-17 SDN architecture, system and working method integrating DDoS threat filtering and routing optimization
CN201711362482.5A Active CN108063765B (en) 2014-12-17 2014-12-17 SDN system suitable for solving network security

Country Status (1)

Country Link
CN (4) CN108040057B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539625B (en) * 2015-01-09 2017-11-14 Jiangsu University of Technology Network security defense system based on software definition and working method thereof
CN104468636A (en) * 2015-01-09 2015-03-25 Li Zhong SDN structure for DDoS threat filtering and link reallocation, and working method
CN106713220A (en) * 2015-07-24 2017-05-24 ZTE Corporation DDoS attack prevention method and device
CN105049441B (en) * 2015-08-07 2019-01-01 Hangzhou DtDream Technology Co., Ltd. Method and system for preventing link-type DDoS attacks
CN108028828B (en) * 2015-08-29 2020-10-27 Huawei Technologies Co., Ltd. Distributed denial of service (DDoS) attack detection method and related equipment
CN105282152B (en) * 2015-09-28 2018-08-28 Guangdong Ruijiang Cloud Computing Co., Ltd. Abnormal traffic detection method
CN105391690B (en) * 2015-10-19 2018-11-13 Institute of Information Engineering, Chinese Academy of Sciences Network interception defense method and system based on POF
CN105516129A (en) * 2015-12-04 2016-04-20 Chongqing University of Posts and Telecommunications Method and device for blocking botnet control channels based on SDN (Software Defined Network) technology
CN106936799B (en) 2015-12-31 2021-05-04 Alibaba Group Holding Ltd. Packet scrubbing method and device
CN106961414B (en) * 2016-01-12 2020-12-25 Alibaba Group Holding Ltd. Honeypot-based data processing method, device and system
CN106131031B (en) * 2016-07-19 2020-03-10 Beijing Lanyun Technology Co., Ltd. Method and device for scrubbing and processing DDoS (distributed denial of service) traffic
CN106534197A (en) * 2016-12-22 2017-03-22 State Grid Corporation of China Method and system for filtering malicious traffic in an autonomous domain
CN108289104B (en) * 2018-02-05 2020-07-17 Chongqing University of Posts and Telecommunications Industrial SDN network DDoS attack detection and mitigation method
CN110213214B (en) * 2018-06-06 2021-08-31 Tencent Technology (Shenzhen) Co., Ltd. Attack protection method, system, device and storage medium
EP3831034B1 (en) 2018-07-27 2024-05-01 Nokia Solutions and Networks Oy Method, device, and system for network traffic analysis
US10880329B1 (en) * 2019-08-26 2020-12-29 Nanning Fugui Precision Industrial Co., Ltd. Method for preventing distributed denial of service attack and related equipment
CN110912869A (en) * 2019-10-15 2020-03-24 Hefei Vocational College of Science and Technology Big-data-based monitoring and reminding method
WO2022000430A1 (en) * 2020-07-02 2022-01-06 Shenzhen Huantai Technology Co., Ltd. Server threat assessment method, and related product
CN112804242B (en) * 2021-01-25 2022-09-13 Cai Shiyong API security management system and method based on non-intrusive automatic discovery
CN113254989B (en) * 2021-04-27 2022-02-15 Alipay (Hangzhou) Information Technology Co., Ltd. Method and device for fusing target data, and server
CN113271318B (en) * 2021-07-19 2021-09-21 Institute of Information Engineering, Chinese Academy of Sciences Network threat perception system and method
CN114374622B (en) * 2021-12-31 2023-12-19 Eversec (Beijing) Technology Co., Ltd. Traffic splitting method based on converged splitting equipment, and converged splitting equipment
CN114726602A (en) * 2022-03-29 2022-07-08 Institute of Computer Application, China Academy of Engineering Physics Adaptive threat blocking method for an enterprise intranet under a zero-network-change condition
CN116319106B (en) * 2023-05-22 2023-08-08 Beijing Wangteng Technology Co., Ltd. Process-level micro-segmentation method and system for industrial control security

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100414868C (en) * 2003-06-24 2008-08-27 Beijing University of Posts and Telecommunications Data fusion mechanism for a large-scale distributed intrusion detection system
US8347073B2 (en) * 2008-09-05 2013-01-01 Cisco Technology, Inc. Inspection and rewriting of cryptographically protected data from group VPNs
CN101980506B (en) * 2010-10-29 2013-08-14 Beihang University Distributed intrusion detection method based on traffic characteristic analysis
CN102487339B (en) * 2010-12-01 2015-06-03 ZTE Corporation Attack prevention method and device for network equipment
US9392010B2 (en) * 2011-11-07 2016-07-12 Netflow Logic Corporation Streaming method and system for processing network metadata
CN102801738B (en) * 2012-08-30 2014-11-05 National University of Defense Technology Distributed DoS (denial of service) detection method and system based on summary matrices
CN103095521B (en) * 2012-12-18 2016-03-30 Huawei Technologies Co., Ltd. Traffic detection control method, system, device, controller and detection equipment
US9300483B2 (en) * 2013-03-15 2016-03-29 International Business Machines Corporation Self-routing multicast in a software defined network fabric
KR101460651B1 (en) * 2013-05-14 2014-11-14 Korea University Research and Business Foundation Device and method for distributing load of server based on cloud computing
CN103491095B (en) * 2013-09-25 2016-07-13 China United Network Communications Group Co., Ltd. Traffic scrubbing architecture and device, and traffic diversion and re-injection method
CN103561011B (en) * 2013-10-28 2016-09-07 Institute of Information Engineering, Chinese Academy of Sciences Method and system for preventing blind DDoS attacks on an SDN controller
CN104023034B (en) * 2014-06-25 2017-05-10 Wuhan University Security defense system and defense method based on software-defined networking
CN104660582B (en) * 2014-12-17 2018-01-19 Nanjing Xiaozhuang University Software-defined network architecture for DDoS identification, protection and path optimization

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111277609A (en) * 2020-02-24 2020-06-12 Shenzhen Power Supply Bureau Co., Ltd. SDN network monitoring method and system
CN111683162A (en) * 2020-06-09 2020-09-18 Fujian Jiankangzhilu Information Technology Co., Ltd. IP address management method and device based on traffic identification
CN111683162B (en) * 2020-06-09 2022-10-25 Fujian Jiankangzhilu Information Technology Co., Ltd. IP address management method based on traffic identification

Also Published As

Publication number Publication date
CN108063765A (en) 2018-05-22
CN108063765B (en) 2021-07-16
CN108040057A (en) 2018-05-15
CN104539594B (en) 2018-02-23
CN108040057B (en) 2021-08-06
CN104539594A (en) 2015-04-22

Similar Documents

Publication Publication Date Title
CN104539594B (en) SDN architecture, system and working method integrating DDoS threat filtering and routing optimization
CN104660582B (en) Software-defined network architecture for DDoS identification, protection and path optimization
CN104539595B (en) SDN architecture and working method integrating threat handling and routing optimization
CN104539625B (en) Network security defense system based on software definition and working method thereof
Xing et al. Ripple: A programmable, decentralized Link-Flooding defense against adaptive adversaries
CN104378380A (en) System and method for identifying and preventing DDoS attacks on basis of SDN framework
CN104468636A (en) SDN structure for DDoS threat filtering and link reallocation, and working method
CN104836702B (en) Host network anomaly detection and classification method in a high-traffic environment
CN102263788B (en) Method and equipment for defending against distributed denial of service (DDoS) attack to multi-service system
CN101589595B (en) A containment mechanism for potentially contaminated end systems
US20030145232A1 (en) Denial of service attacks characterization
US20070248084A1 (en) Symmetric connection detection
WO2002021278A1 (en) Coordinated thwarting of denial of service attacks
WO2002021296A1 (en) Statistics collection for network traffic
WO2002021302A1 (en) Monitoring network traffic denial of service attacks
CN105871773A (en) DDoS filtering method based on SDN network architecture
WO2002021279A1 (en) Thwarting source address spoofing-based denial of service attacks
CN106357685A (en) Method and device for defending distributed denial of service attack
Rengaraju et al. Detection and prevention of DoS attacks in Software-Defined Cloud networks
TW201124876A (en) System and method for guarding against dispersive blocking attacks
Jiang et al. BSD‐Guard: A Collaborative Blockchain‐Based Approach for Detection and Mitigation of SDN‐Targeted DDoS Attacks
CN107864110A (en) Botnet main control end detection method and device
CN105871771A (en) SDN network architecture aimed at DDoS network attack
CN105871772A (en) Working method of SDN network architecture aimed at network attack
CN108833430A (en) Topology protection method for a software-defined network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication Application publication date: 20180323