CN105429957A - IP address hopping secure communication method based on an SDN architecture - Google Patents

Info

Publication number
CN105429957A
CN105429957A
Authority
CN
China
Prior art keywords
address
host
virtual
controller
Prior art date
Legal status
Pending
Application number
CN201510730603.1A
Other languages
Chinese (zh)
Inventor
芦斌
赵正
巩道福
刘粉林
Current Assignee
Individual
Original Assignee
Individual

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/74 Address processing for routing
    • H04L 49/00 Packet switching elements
    • H04L 49/70 Virtual switches
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Name-to-address mapping using domain name system [DNS]
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H04L 61/5014 IP addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an IP address hopping secure communication method based on an SDN architecture. The method comprises the steps: A, Host1 requests the IP address of Host2; B, the controller replaces the real IP address r2 of Host2 with a virtual IP address h2; C, the controller forwards the DNS response to Host1; D, Host1 sends a data packet to Host2 with r1 as source address and h2 as destination address; E, the controller generates a flow rule that replaces r1 with a virtual IP address h1 and issues it; F, the source switch replaces r1 with h1 and forwards the packet; G, the destination switch replaces h2 with r2 and forwards the packet; H, Host2 sends a reply packet with r2 as source address and h1 as destination address; I, the destination switch replaces r2 with h2 and forwards the reply; J, the source switch replaces h1 with r1 and forwards the reply to Host1. With this method, hopping IPs can be dynamically assigned to hosts in the IPH (IP hopping) network, a host IP that changes on every access is realized transparently, and scanning-based attacks and DDoS attacks can be effectively resisted.

Description

IP address hopping secure communication method based on an SDN architecture
Technical field
The present invention relates to the field of network security, and in particular to an IP address hopping secure communication method based on an SDN (software-defined networking) architecture.
Background technology
With the development and spread of computer networks, network information security has gradually attracted attention, and network attack and defense has become a focus of current research. Traditional network services based on static IP addresses leave servers and critical hosts exposed to attackers, who can identify and attack targets quickly and accurately. IP hopping is a class of moving target defense (MTD) technique: by increasing the dynamism and randomness of host IP addresses it makes it hard for an attacker to lock onto a target during the reconnaissance stage, limits the attacker's ability to find vulnerabilities, and hides the assets inside the network.
In legacy networks the overhead of realizing IP hopping is very high: software or hardware usually has to be deployed at both communicating endpoints, and state has to be synchronized across a distributed environment. Efficient IP hopping needs a flexible and highly controllable network. The emerging software-defined network brings a new way to realize IP hopping. A software-defined network (SDN) decouples the control plane of the network from the forwarding plane (also called the data plane) and controls the network centrally. SDN is a flexible architecture that is directly programmable and abstracts the underlying devices, which gives it powerful network management and control capability and makes it a good choice for implementing IP hopping.
Under the legacy network architecture, Ehab Al-Shaer et al. proposed the random host mutation (RHM) scheme, which periodically assigns each host a virtual IP address that is used for routing, the hopping IP being translated automatically back to the real IP address at the edge of the network. Matthew Dunlop et al. proposed MT6D, which uses the huge IPv6 address space to achieve a robust IP hopping strategy: packets are encapsulated in a tunnel and the source and destination IP addresses of the tunnel sender and receiver are changed repeatedly, so that an attacker has difficulty determining the position and identity of the communicating hosts and cannot observe the complete communication traffic. Sifalakis et al. proposed a network communication data protection mechanism based on network address hopping, which splits one flow into several end-to-end connections and hides the communication between two nodes. Antonatos et al. proposed NASR, a network address space randomization scheme based on DHCP renewal; it modifies the end-host operating system and uses IP hopping to resist hit-list worms, but its IP hopping rate is limited. All of the above schemes need software installed on the terminal, a modified terminal operating system or deployed hardware devices, which makes them costly to deploy and hard to apply in practice. Under the SDN architecture, Jafarian et al. proposed OF-RHM, an IP hopping method that is transparent to the terminal. It uses SDN's centralized control of the data plane and its programmability: the controller maintains the mapping between real and virtual IPs, and OpenFlow switches translate between real and virtual IPs. However, because the method rewrites the IP addresses of packets in the network transparently, it does not support multi-channel protocols, and it only resists attacks without taking any further step against the attacker.
Summary of the invention
The object of the present invention is to provide an IP address hopping secure communication method based on an SDN architecture that dynamically assigns hopping IPs to hosts in the IPH network, transparently realizes a host IP that changes on every access, effectively resists scanning-based attacks and DDoS attacks, supports multi-channel protocols and increases the difficulty of attack.
The present invention adopts the following technical scheme:
An IP address hopping secure communication method based on an SDN architecture, characterized by comprising the following steps in order:
A: Host1 sends a DNS resolution request to the DNS server, requesting the IP address of Host2;
Here Host2 is a host inside the IPH network, and Host1 knows the domain name of Host2 and the IP address of the DNS server;
B: The DNS server answers the DNS request sent by Host1 and sends the DNS response to the controller; the controller randomly selects a virtual IP address h2, replaces the real IP address r2 of Host2 in the DNS response with the virtual IP address h2, and opens a window period for h2;
C: The controller forwards the DNS response containing the virtual IP address h2 of Host2 to Host1;
D: Host1 obtains the virtual IP address h2 of Host2 from the DNS response, and then sends a data packet to Host2 with its real IP address r1 as source address and h2 as destination address. Since the source switch Switch1 has no matching flow rule yet, it cannot route the packet and sends it to the controller. Switch1 is the first switch that a packet sent by Host1 passes when entering the IPH network;
E: The controller checks whether the destination address h2 of Host2 is within its window period. If it is, the controller randomly selects a virtual IP address h1, generates a flow rule that replaces the real IP address r1 of Host1 with h1, and issues the flow rule to all switches on the path; if it is not, the packet is dropped;
F: Using the received flow rule, Switch1 modifies the source address of the packet Host1 sent to Host2, replacing the real IP address r1 with the virtual IP address h1, and forwards it;
G: On receiving the packet, the destination switch Switch2 replaces the destination address h2 with the real IP address r2 of Host2 and forwards it. Switch2 is the last switch that a packet sent by Host1 passes when leaving the IPH network;
H: After receiving the packet, Host2 sends a reply packet with its real IP address r2 as source address and the virtual IP address h1 of Host1 as destination address;
I: Using the flow rule issued by the controller, Switch2 modifies the source address of the reply packet Host2 sent to Host1, replacing the real IP address r2 with the virtual IP address h2, and forwards it;
J: After receiving the reply packet, Switch1 replaces the destination address h1 with the real IP address r1 of Host1 and forwards it to Host1, which receives the reply packet normally.
In step B, the controller writes the minimum feasible TTL value into the DNS response, so that Host1 must resolve the name again the next time it accesses Host2.
In step B, when opening a window period for the virtual IP address h2, the controller first decides from the list of internal network IP addresses whether Host1 is a host outside the IPH network or a host inside it;
If Host1 is outside the IPH network, the controller opens an external window period Wout for h2 and then replaces the real IP address r2 of Host2 in the DNS response with h2;
If Host1 is inside the IPH network, the controller opens an internal window period Win for h2 and then replaces the real IP address r2 of Host2 in the DNS response with h2.
In step B, when Host1 is outside the IPH network, the DNS request packet does not contain the source host IP address, i.e. the real IP address r1 of Host1, so the controller binds the source host IP as a wildcard together with an expiry time to obtain the window triple Wout = {dst_hIP, *, expiration_time}, where dst_hIP is the hopping (virtual) IP address of the destination host, dst_hIP = h2, and expiration_time is the expiry time of the window. Wout accepts any packet whose destination IP is dst_hIP, i.e. the virtual IP address h2 of Host2, and whose source IP is an external network IP.
In step B, when Host1 is inside the IPH network, the controller binds the virtual IP address h2 randomly assigned to Host2, the source IP address of Host1 (its real IP address r1) and the window expiry time together to obtain the window triple Win = {dst_hIP, src_rIP, expiration_time}, where dst_hIP = h2, src_rIP = r1 and expiration_time is the expiry time of the window. Win accepts only packets whose source IP is r1 and whose destination IP is dst_hIP, i.e. the virtual IP address h2 of Host2. The source host IP address is included in Win in order to verify the position of the connection initiator.
The controller uses an ALG gateway to translate the IP addresses in the payload of protocol data packets and to correct the ACK and SEQ values.
The controller uses a honeypot to capture scanning traffic and DDoS traffic. The honeypot consists of a honeypot control part and a honeypot execution part; the execution part is divided into a secure channel module, an interaction module and an information collection module. The secure channel module communicates with the controller, the interaction module communicates with the attacker, and the information collection module collects information about the attacker;
If within a certain period the number of inactive IPs accessed by one source IP exceeds a threshold, the source host is judged to be scanning the network. The controller then sends a command to the honeypot through the honeypot control part, notifying it of the attacker's source address and of the countermeasure; the controller issues flow rules to the switches so that the scanning traffic is sent to the honeypot and the honeypot can communicate with the attacker. The honeypot then interacts with the attacker, collects information and reports it to the controller, which uses it for further decisions;
If, within the window period of the virtual IP address h2 of Host2, the number of source addresses accessing h2 exceeds a threshold, the traffic is judged to be DDoS traffic, and the traffic accessing h2 is routed to the honeypot.
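The two honeypot triggers above (one source touching too many inactive IPs within a period, and too many distinct sources reaching one hopping IP inside its window) can be written as a detection pass over the controller's packet-in records. The following Python is an added example, not code from the patent: the thresholds, the period, the honeypot address, the set of active hopping IPs and the packet-in records are constructed, and the redirect rules are dictionaries standing in for the OpenFlow entries the controller would issue.

```python
"""Added example (not the patent's code): scanning and DDoS triggers that steer
traffic to the honeypot.  Thresholds, addresses and records are constructed."""
from collections import defaultdict

ACTIVE_VIPS = {"172.16.0.7", "172.16.0.21"}   # assumed: hopping IPs with an open window
HONEYPOT_IP = "10.99.0.1"                     # assumed honeypot address
SCAN_PERIOD = 60                              # seconds
SCAN_THRESHOLD = 5                            # distinct inactive IPs per source per period
DDOS_THRESHOLD = 3                            # distinct sources per h2 inside its window

# Constructed packet-in records seen by the controller: (time, src_ip, dst_ip)
RECORDS = [
    (1, "198.51.100.4", "172.16.0.3"), (2, "198.51.100.4", "172.16.0.4"),
    (3, "198.51.100.4", "172.16.0.5"), (4, "198.51.100.4", "172.16.0.6"),
    (5, "198.51.100.4", "172.16.0.8"), (6, "198.51.100.4", "172.16.0.9"),
    (3, "10.0.0.1", "172.16.0.7"),                                         # legitimate access
    (7, "198.51.100.8", "172.16.0.10"), (8, "198.51.100.8", "172.16.0.11"),  # below threshold
    (10, "203.0.113.1", "172.16.0.21"), (11, "203.0.113.2", "172.16.0.21"),
    (12, "203.0.113.3", "172.16.0.21"), (13, "203.0.113.4", "172.16.0.21"),
    (40, "203.0.113.5", "172.16.0.21"),                                    # after the window closed
]
# Assumed open windows for the active hopping IPs: vip -> (opened, expiration_time)
WINDOWS = {"172.16.0.7": (0, 30), "172.16.0.21": (0, 30)}


def detect_scanners(records, active_vips, period=SCAN_PERIOD, threshold=SCAN_THRESHOLD):
    """Sources that touched more than `threshold` distinct inactive IPs within any
    `period`-second span (a sliding window anchored at each of the source's hits)."""
    by_src = defaultdict(list)
    for t, src, dst in records:
        if dst not in active_vips:               # inactive IP: nobody should be there
            by_src[src].append((t, dst))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        for t0, _ in hits:
            touched = {d for t, d in hits if t0 <= t < t0 + period}
            if len(touched) > threshold:
                scanners.add(src)
                break
    return scanners


def detect_ddos(records, windows, threshold=DDOS_THRESHOLD):
    """Hopping IPs whose window saw more than `threshold` distinct source addresses."""
    sources = defaultdict(set)
    for t, src, dst in records:
        w = windows.get(dst)
        if w and w[0] <= t <= w[1]:
            sources[dst].add(src)
    return {vip for vip, s in sources.items() if len(s) > threshold}


def honeypot_rules(scanners, ddos_vips, honeypot=HONEYPOT_IP):
    """Flow rules steering the flagged traffic to the honeypot.  A scanner's probes are
    rewritten to the honeypot and the honeypot's replies back to it are allowed, so the
    two can interact; all traffic to a flooded h2 is redirected wholesale."""
    rules = []
    for src in sorted(scanners):
        rules.append({"match": {"src": src}, "set_dst": honeypot})
        rules.append({"match": {"src": honeypot, "dst": src}, "action": "forward"})
    for vip in sorted(ddos_vips):
        rules.append({"match": {"dst": vip}, "set_dst": honeypot})
    return rules


def run(records=RECORDS, active=ACTIVE_VIPS, windows=WINDOWS):
    """One detection pass: returns (scanners, flooded hopping IPs, redirect rules)."""
    scanners = detect_scanners(records, active)
    ddos = detect_ddos(records, windows)
    return scanners, ddos, honeypot_rules(scanners, ddos)


if __name__ == "__main__":
    for rule in run()[2]:
        print(rule)
```

The scan check deliberately counts distinct inactive destinations rather than packets, so a retransmitting client is not flagged; restoring the probed address on the honeypot's replies needs per-flow state that the claim leaves to the honeypot's interaction module, which the example does not model.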
The present invention realizes IP hopping communication under an SDN architecture. IPH monitors the access state of hosts, randomly selects hopping IPs, assigns them to hosts and issues flow rules to the switches, and the switches translate the hosts' real IPs into hopping IPs, realizing IP hopping. The hopping is transparent to the end hosts, and a host's IP address changes on every access, so host access with an IP address that changes once per access is achieved; scanning-based attacks and DDoS attacks can be effectively resisted, and multi-channel protocols are supported, increasing the difficulty of attack from the external network.
Description of the drawings
Fig. 1 is a flow diagram of the present invention;
Fig. 2 is a flow diagram of the ALG gateway translating the IP addresses in the protocol payload and correcting ACK and SEQ;
Fig. 3 shows the external scanning result for the OF-RHM scheme;
Fig. 4 shows the external scanning result for the IPH scheme;
Fig. 5 shows the internal scanning results for the OF-RHM and IPH schemes;
Fig. 6 shows the repeated internal scanning results for the OF-RHM and IPH schemes;
Fig. 7 shows the scanning traffic received by the controller in IPH;
Fig. 8 shows the DDoS traffic received by the controller in IPH.
Detailed description
The present invention is described in detail below with reference to the drawings and the embodiment:
The IPH network, i.e. the hopping network, consists mainly of a hopping communication part, an application gateway part and a honeypot part. The hopping communication part is responsible for hopping of addresses and ports; the application gateway part is responsible for translating and correcting target traffic; the honeypot part is responsible for confusing attackers and collecting attacker information.
As shown in Fig. 1, the IP address hopping secure communication method based on an SDN architecture of the present invention comprises the following steps in order:
A: Host1 sends a DNS resolution request to the DNS server, requesting the IP address of Host2;
Here Host2 is a host inside the IPH network, and Host1 knows the domain name of Host2 and the IP address of the DNS server;
B: The DNS server answers the DNS request sent by Host1 and sends the DNS response to the controller; the controller randomly selects a virtual IP address h2, replaces the real IP address r2 of Host2 in the DNS response with the virtual IP address h2, and opens a window period for h2;
In the present invention, the controller writes the minimum feasible TTL value into the DNS response to ensure that Host1 must resolve the name again when it next accesses Host2. During the whole communication the real IP addresses of Host1 and Host2 need not change; Host1 and Host2 each know only the other's hopping (virtual) IP address, and the controller is responsible for translating between real and virtual IP addresses. In each access the controller randomly assigns a virtual IP address to Host2, so from Host1's point of view the destination IP is different every time it accesses Host2, i.e. it changes once per access.
In the present invention, when opening a window period for the virtual IP address h2, the controller first decides from the list of internal network IP addresses whether Host1 is a host outside the IPH network or a host inside it;
If Host1 is outside the IPH network, the controller opens an external window period Wout for h2 and then replaces the real IP address r2 of Host2 in the DNS response with h2;
When Host1 is outside the IPH network, the DNS request packet does not contain the source host IP address, i.e. the real IP address r1 of Host1, so the controller binds the source host IP as a wildcard together with an expiry time to obtain the window triple Wout = {dst_hIP, *, expiration_time}, where dst_hIP is the hopping (virtual) IP address of the destination host, dst_hIP = h2, and expiration_time is the expiry time of the window. Wout accepts any packet whose destination IP is dst_hIP, i.e. the virtual IP address h2 of Host2, and whose source IP is an external network IP.
If Host1 is inside the IPH network, the controller opens an internal window period Win for h2 and then replaces the real IP address r2 of Host2 in the DNS response with h2;
Since only one DNS server is deployed in the IPH network, when Host1 is inside the IPH network the controller binds the virtual IP address h2 randomly assigned to Host2, the source IP address of Host1 (its real IP address r1) and the window expiry time together to obtain the window triple Win = {dst_hIP, src_rIP, expiration_time}, where dst_hIP = h2, src_rIP = r1 and expiration_time is the expiry time of the window. Win accepts only packets whose source IP is r1 and whose destination IP is dst_hIP, i.e. the virtual IP address h2 of Host2. The source host IP address is included in Win in order to verify the position of the connection initiator. When the time exceeds expiration_time the window is closed and the hIP (virtual IP address) is reclaimed. If expiration_time is too long, an attacker may attack the hIP of the window within expiration_time; if it is too short, the hIP of the window may expire before it has been accessed. In IPH, expiration_time can be adjusted dynamically according to the security state of the system.
C: The controller forwards the DNS response containing the virtual IP address h2 of Host2 to Host1;
D: Host1 obtains the virtual IP address h2 of Host2 from the DNS response, and then sends a data packet to Host2 with its real IP address r1 as source address and h2 as destination address. Since the source switch Switch1 has no matching flow rule yet, it cannot route the packet and sends it to the controller. Switch1 is the first switch that a packet sent by Host1 passes when entering the IPH network.
E: The controller checks whether the destination address h2 of Host2 is within its window period. If it is, the controller randomly selects a virtual IP address h1, generates a flow rule that replaces the real IP address r1 of Host1 with h1, and issues the flow rule to all switches on the path (including the source switch Switch1 and the destination switch Switch2); if it is not, the packet is dropped.
After Host1 receives the DNS response it obtains the virtual IP address h2 of Host2 and accesses Host2 using h2 as destination address and its real IP address r1 as source address. Because the switch has no corresponding routing information yet, it sends the packet to the controller. The controller checks the source address of the packet: if it is an IPH network address, it checks whether {dst_IP, src_IP, now_time} matches Win; if it is an external network address, it checks whether {dst_IP, src_IP, now_time} matches Wout. Here dst_IP is the destination host IP address, src_IP the source host IP address and now_time the current time. If the packet is accepted by Win or Wout, a flow rule is generated. The controller responds only to packets that correctly match a window period, and installs flow rules for them on the relevant switches (including Switch1 and Switch2).
If the packet entering the controller passes the window check, the controller assigns a virtual IP address to the packet's source host Host1, randomly selecting a virtual IP address h1 that is not yet in use from the virtual IP address pool. The controller then establishes the mapping between the real and virtual IP addresses of the source host (src) and the destination host (dst). According to the path between the source and destination hosts, the controller generates the corresponding flow rules for each switch on the path. The generated flow rules are IP-to-IP and contain layer 1 to layer 3 routing information (switch port, MAC address, IP address). They do not contain port numbers, so IPH supports port-number encryption and low-level tools such as ping. The controller generates a rule for the source switch that translates the source address r1 ↔ h1, and likewise a rule for the destination switch that translates the destination address r2 ↔ h2.
F: Using the received flow rule, Switch1 modifies the source address of the packet Host1 sent to Host2, replacing the real IP address r1 with the virtual IP address h1, and forwards it;
G: On receiving the packet, the destination switch Switch2 replaces the destination address h2 with the real IP address r2 of Host2 and forwards it. Switch2 is the last switch that a packet sent by Host1 passes when leaving the IPH network;
H: After receiving the packet, Host2 sends a reply packet with its real IP address r2 as source address and the virtual IP address h1 of Host1 as destination address;
I: Using the flow rule issued by the controller, Switch2 modifies the source address of the reply packet Host2 sent to Host1, replacing the real IP address r2 with the virtual IP address h2, and forwards it;
J: After receiving the reply packet, Switch1 replaces the destination address h1 with the real IP address r1 of Host1 and forwards it to Host1, which receives the reply packet normally.
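The following Python model walks steps A to J (as listed in the summary and again in this detailed description) with the controller, Switch1 and Switch2 simulated in one process, including the Win/Wout check of step E and the per-access change of h2. It is an added example, not code from the patent: the real addresses, the virtual IP pool, the window lengths and the dictionary representation of flow rules are constructed assumptions, and a real deployment would push OpenFlow entries from an SDN controller instead.

```python
"""Simulation of the IPH hopping exchange (steps A-J) and the Win/Wout window
check.  Added example, not the patent's code; addresses, pool and window
lengths are constructed assumptions."""
import ipaddress
import random
from dataclasses import dataclass, field

# Assumed IPH network: real IPs of internal hosts and the pool of hopping (virtual) IPs.
INTERNAL_REAL = {"10.0.0.1", "10.0.0.2"}
VIP_POOL = [str(ip) for ip in ipaddress.ip_network("172.16.0.0/24").hosts()]
DNS_MIN_TTL = 0  # minimum feasible TTL: every access re-resolves (step B)


@dataclass
class Window:
    """Window triple {dst_hIP, src_rIP, expiration_time}; src_rIP '*' is Wout's wildcard."""
    dst_hip: str
    src_rip: str
    expiration_time: int


@dataclass
class Controller:
    now: int = 0                                    # controller clock (seconds)
    windows: list = field(default_factory=list)
    real_to_vip: dict = field(default_factory=dict)
    vip_to_real: dict = field(default_factory=dict)
    flow_rules: dict = field(default_factory=dict)  # switch name -> list of rules
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def pick_vip(self) -> str:
        """Random virtual IP from the pool that is not yet in use."""
        return self.rng.choice([v for v in VIP_POOL if v not in self.vip_to_real])

    def handle_dns_response(self, requester, answer, w_in=30, w_out=10):
        """Steps B and C: replace r2 with a fresh h2 and open Win or Wout for it."""
        h2 = self.pick_vip()
        self.vip_to_real[h2], self.real_to_vip[answer] = answer, h2
        if requester in INTERNAL_REAL:   # Win binds the initiator's real IP
            self.windows.append(Window(h2, requester, self.now + w_in))
        else:                            # Wout: any external source, wildcard
            self.windows.append(Window(h2, "*", self.now + w_out))
        return {"answer": h2, "ttl": DNS_MIN_TTL}

    def window_accepts(self, dst_ip, src_ip) -> bool:
        """Match {dst_IP, src_IP, now_time} against the open windows (step E)."""
        for w in self.windows:
            if w.dst_hip != dst_ip or self.now > w.expiration_time:
                continue
            if w.src_rip == "*" and src_ip not in INTERNAL_REAL:
                return True
            if w.src_rip == src_ip:
                return True
        return False

    def packet_in(self, src_ip, dst_ip) -> bool:
        """Step E: on a table miss, check the window, pick h1 and install IP-to-IP rules."""
        if not self.window_accepts(dst_ip, src_ip):
            return False                          # outside any window: drop
        r1, h2 = src_ip, dst_ip
        r2, h1 = self.vip_to_real[h2], self.pick_vip()
        self.vip_to_real[h1], self.real_to_vip[r1] = r1, h1
        # Rules carry no port numbers; the match is the (src, dst) of the IP header.
        self.flow_rules.setdefault("Switch1", []).extend([
            {"match": (r1, h2), "set_src": h1},   # F: outbound, r1 -> h1
            {"match": (h2, h1), "set_dst": r1},   # J: reply, h1 -> r1
        ])
        self.flow_rules.setdefault("Switch2", []).extend([
            {"match": (h1, h2), "set_dst": r2},   # G: outbound, h2 -> r2
            {"match": (r2, h1), "set_src": h2},   # I: reply, r2 -> h2
        ])
        return True


def switch_forward(rules, pkt):
    """Apply the first matching rule; None means table miss (packet goes to the controller)."""
    for rule in rules:
        if rule["match"] == (pkt["src"], pkt["dst"]):
            return {"src": rule.get("set_src", pkt["src"]),
                    "dst": rule.get("set_dst", pkt["dst"])}
    return None


def iph_session(ctrl, r1, r2):
    """One access from Host1 (r1) to Host2 (r2): returns the packet as Host2 sees it
    and the reply as Host1 sees it, or None if the controller dropped the packet."""
    h2 = ctrl.handle_dns_response(r1, r2)["answer"]                    # A-C
    pkt = {"src": r1, "dst": h2}                                        # D
    if switch_forward(ctrl.flow_rules.get("Switch1", []), pkt) is None:
        if not ctrl.packet_in(r1, h2):                                  # E
            return None
    at_core = switch_forward(ctrl.flow_rules["Switch1"], pkt)           # F
    at_host2 = switch_forward(ctrl.flow_rules["Switch2"], at_core)      # G
    reply = {"src": r2, "dst": at_host2["src"]}                         # H
    reply_core = switch_forward(ctrl.flow_rules["Switch2"], reply)      # I
    at_host1 = switch_forward(ctrl.flow_rules["Switch1"], reply_core)   # J
    return at_host2, at_host1


if __name__ == "__main__":
    c = Controller()
    print(iph_session(c, "10.0.0.1", "10.0.0.2"))
    c.now += 60   # past every window: a stale h2 is refused at packet-in
    print(c.window_accepts(c.real_to_vip["10.0.0.2"], "10.0.0.1"))
```

Neither host ever sees the other's real address: Host2 receives the packet from h1 and Host1 receives the reply from h2, and a second call to iph_session hands Host1 a different h2 because the DNS answer is re-issued with a new random pick on every access.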
Transparent because IPH realizes IP saltus step to terminal, but multichannel agreement (as H.323, the agreement such as SIP, FTP) design based on the characteristic of static IP, the load of these protocol data bags may based on IP address, or IP address is just carried in load, if the IP address in IPH translation data bag IP head and do not consider the load of packet, then may destroy the proper communication of this quasi-protocol.Therefore, in IPH, the packets need for this quasi-protocol carries out address transition in application layer.IPH adopts the correctness of ALG technique guarantee upper layer communication.ALG (ApplicationLevelGateway) gateway can identify specified protocol, and it not only checks header packet information, and more the data of packet application layer are analyzed on deep layer ground, are similar to the ALG in NAT.For File Transfer Protocol in the present embodiment, introduce the support of IPH to multichannel agreement.
File Transfer Protocol negotiation data in control connection connects, and carries the real IP address of main frame in data cube computation negotiation packet (containing PORT order or PASV order).This can reveal the real IP address of main frame in IPH, and can destroy communication.More serious problem is the IP address of carrying in FTP message is not 32 fixed length integers, but with the ascii string that dotted decimal notation represents, this just causes and may cause the change of message-length to the conversion of address in FTP message.
In IPH, the groundwork of ALG gateway is the impact that rectification IPH communicates on this quasi-protocol, and this comprises the conversion of protocol data payload package part IP address and the rectification to ACK, SEQ.The design of ALG gateway is divided into control and performs two parts.ALG execution part is divided into three modules: 1) escape way module in charge communicates with controller.2) flow monitoring module and monitor the stream flowing through ALG gateway.3) convection current of stream translation module is changed.In the present invention, as shown in Figure 2, controller utilizes ALG gateway to carry out IP address mapping and the rectification to ACK and SEQ to protocol data payload package part by following steps.
A: the main frame Host running the client of FTP 1to the main frame Host running ftp server 2when initiating ftp session, controller receives the first packet (destination interface is 21) of ftp session.
B: first packet is resolved to File Transfer Protocol packet by controller, first the ALG module of controller is to specific gateway transmitting order to lower levels, and notice runs the main frame Host of the client of FTP 1with the main frame Host running ftp server 2will initiate ftp session, gateway is that new session does homework.
C: controller issues stream rule to switch, and route runs the main frame Host of the client of FTP 1send to the main frame Host running ftp server 2file Transfer Protocol packet and its reply data bag, make these packets pass through gateway.
D: packet arrives ftp server Host through the monitoring of gateway 2.
When Host1 (running the FTP client) and Host2 (running the FTP server) negotiate the data connection (active mode is assumed), the FTP client sends a PORT command to the FTP server that carries the real IP address rIP of the client host Host1. The ALG gateway detects the PORT command on receiving this packet and forwards the packet to the controller. The controller replaces the real IP address rIP in the PORT command with the corresponding virtual IP address and computes the change in packet length. The controller sends the modified packet back to the ALG gateway and notifies it of the ACK and SEQ correction values. The ALG gateway forwards the modified packet to Host2, which runs the FTP server. After the FTP server on Host2 receives the PORT command it sends a reply packet; the reply is routed to the gateway, which corrects the ACK value of this packet and forwards it to Host1. Finally the FTP client on Host1 receives the reply packet correctly.
The ALG module in the controller modifies the PORT command of the FTP message and computes the packet-length correction value as follows. If the size of the FTP packet is unchanged after the address translation, only the checksum is recomputed and the modified packet is sent back to the ALG. If the FTP packet has become shorter after the address translation, the message is padded with the ASCII character '0' so that its length stays equal to that of the original packet, the checksum is recomputed, and the modified packet is sent back to the gateway. If the FTP packet has become longer than the original message, the following is done: the FTP session state and the packet-length increment are recorded, and the controller notifies the gateway of the increment; with this increment the gateway can correctly adjust the SEQ or ACK values of the subsequent FTP packets. The controller recomputes the checksum and sends the modified packet back to the gateway.
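The three length cases of the PORT-command rewrite above, as an added illustration that is not the patent's own code. It assumes that "padding with ASCII '0'" means inserting leading zeros into the dotted-decimal octets (which keeps the command parseable), and that the gateway applies the recorded increment to later SEQ values in the client-to-server direction and to later ACK values in the server-to-client direction; the sample payloads are constructed.

```python
import re

# Matches "PORT h1,h2,h3,h4,p1,p2\r\n"; octets may carry leading zeros after padding.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(payload):
    """Return (dotted_ip, port) carried by a PORT command, or None if it is not one."""
    m = PORT_RE.match(payload)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port(octets, port):
    """Encode a PORT command from four octet strings and a port number."""
    fields = list(octets) + [str(port // 256), str(port % 256)]
    return ("PORT " + ",".join(fields) + "\r\n").encode("ascii")


def rewrite_port(payload, real_ip, virtual_ip):
    """Replace real_ip by virtual_ip inside a PORT command.

    Returns (new_payload, delta) with delta = len(new) - len(original):
      * equal length -> delta == 0, only the checksum needs recomputing;
      * shorter      -> octets are padded with leading ASCII '0' (assumed padding
                        scheme) until the length matches, so delta == 0;
      * longer       -> delta > 0, to be recorded for SEQ/ACK correction.
    Anything that is not a PORT command for real_ip is returned unchanged.
    """
    parsed = parse_port(payload)
    if parsed is None or parsed[0] != real_ip:
        return payload, 0
    port = parsed[1]
    octets = virtual_ip.split(".")
    shortfall = len(payload) - len(build_port(octets, port))
    for i in range(4):
        if shortfall <= 0:
            break
        room = 3 - len(octets[i])          # an octet is at most three characters
        take = min(room, shortfall)
        octets[i] = "0" * take + octets[i]
        shortfall -= take
    new_payload = build_port(octets, port)
    return new_payload, len(new_payload) - len(payload)


class SeqAckFixer:
    """Per-session bookkeeping of the length increment the gateway must apply.

    Once a PORT command has grown by delta bytes, the server sees later
    client->server SEQ values as delta too small, and the client sees later
    server->client ACK values as delta too large; both are shifted here.
    """

    def __init__(self):
        self.delta = 0

    def record(self, delta):
        self.delta += delta

    def fix_client_seq(self, seq):
        return (seq + self.delta) & 0xFFFFFFFF

    def fix_server_ack(self, ack):
        return (ack - self.delta) & 0xFFFFFFFF


if __name__ == "__main__":
    fixer = SeqAckFixer()
    for payload, rip, vip in [
        (b"PORT 10,1,2,3,7,208\r\n", "10.1.2.3", "10.2.3.4"),          # same length
        (b"PORT 192,168,1,10,7,208\r\n", "192.168.1.10", "10.1.2.3"),  # shorter, padded
        (b"PORT 10,1,2,3,7,208\r\n", "10.1.2.3", "172.16.100.200"),    # longer
    ]:
        new, delta = rewrite_port(payload, rip, vip)
        fixer.record(delta)
        print(new, delta, parse_port(new), fixer.fix_client_seq(1000))
```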
To improve the resistance of IPH to network attacks, the controller uses a honeypot to capture scanning traffic and DDoS traffic. When abnormal traffic is detected, the controller sends a command to the honeypot and issues flow rules that route the abnormal traffic to the honeypot, which at the same time lets the honeypot collect attacker information. The honeypot consists of a honeypot control part and a honeypot execution part; the execution part is divided into a secure-channel module, an interaction module and an information-collection module. The secure-channel module communicates with the controller, the interaction module communicates with the attacker, and the information-collection module collects attacker information.
A scanner usually scans every IP address of some IP address block, and so sends a large number of ARP packets or IP packets to the network in a short time. Because the switches do not hold all routing information, they send many of these packets to the controller. If the destination IP address of an ARP message or IP message is not in a window period, that IP address is called an inactive IP, the packet is classified as suspicious, and the controller records the source IP address of the suspicious packet. If, within a given period, the number of inactive IPs accessed by some source IP exceeds a threshold, the source host is judged to be scanning the network, and the controller sends a command to the honeypot through the honeypot control part, announcing the attacker's source address and the countermeasure. The controller then issues flow rules to all switches so that the scanning traffic is sent to the honeypot and the honeypot can communicate with the attacker. The honeypot then communicates with the attacker, collects information and reports it to the controller, which provides the information the controller needs for further decisions.
DDoS attacks are usually launched from the external network by sending a large number of packets to some IP of the IPH network. If that IP address is not in a window period, the controller issues no flow rules for it, and the DDoS traffic cannot reach the target host. Only when the destination IP address of the DDoS attack is in a window period can it threaten the target host, so only DDoS traffic whose destination IP is in a window period needs to be detected and handled. An external host that wants to access an IPH network host first sends a domain-name resolution request, and the controller opens a window period for an hIP. If, during the window period of host Host2's virtual IP address h2, the number of source addresses accessing h2 exceeds a threshold, that traffic is judged to be DDoS traffic, and the traffic accessing the virtual IP address h2 is routed to the honeypot.
The effect of the present invention is further described below with a specific embodiment.
The embodiment creates an SDN network with Mininet and uses POX as the controller. The experimental network contains two subnets: one is the IPH network, with 600 hosts, and the other contains 200 hosts. A class B address block is chosen as the hIP address pool.
1.1 Scanning attack
Network scanning is an important step of a network attack: it discovers the active hosts and their number, and from that the open ports, operating systems and potential vulnerabilities, which supports the attack. The experiment uses the popular network scanner Nmap to scan the IPH network.
1) External scan
The number of active hosts in a target network is sensitive security information: an attacker learns the scale of the network from the number of active hosts and chooses the attack methods accordingly. In this experiment the external scan simulates a scanning attack from outside the IPH network against the hosts inside it. The experiment compares the scan results of two IP-hopping schemes, IPH and OF-RHM, in the same topology: 30 randomly chosen external hosts run Nmap to scan the hosts inside the IPH network. Figure 3 shows the scan result under the OF-RHM scheme; the abscissa is the scan number and the ordinate the host count. The number of active hosts found under OF-RHM fluctuates around 600, because at any time the controller assigns one hIP to every IPH network host. The scanned count is slightly smaller or larger than the true number of active hosts because, during a scan, hops of the hIP corresponding to a host cause missed or repeated detections. Still, the number of hosts inside the IPH network can be estimated from the scan. Taking the first scan result as the baseline, each subsequent scan is compared with the first. The internal-host discovery rate of a scanning attack is
R_find = C_find / C_in
where C_in is the number of IPH network hosts and C_find is the number of scanned IP addresses that repeat the result of the first scan. Under the OF-RHM scheme, R_find is below 2%.
Under IPH, an active host cannot be scanned if it has no hIP in a window period; if the hIP being scanned happens to be in a window period, that IP can be scanned. To simulate IPH network hosts normally accepting new connections, the controller keeps 100 to 1000 external window periods and 100 to 1000 internal window periods open at random. Figure 4 shows the experimental result; the abscissa is the scan number and the ordinate the number of active hosts. The number of active hosts scanned under IPH is unrelated to the number of IPH network hosts, so the attacker cannot determine the size of the IPH network from the scan result. Taking the first scan result as the baseline, each subsequent scan is compared with the first; under the IPH scheme, R_find is likewise below 2%.
2) Internal scan
A worm that has penetrated the IPH network scans for active hosts in the IPH network according to a preset attack list or some IP address range; if it finds an active host, it propagates to it. The experiment simulates the worm's scanning behaviour with an internal scan: 30 randomly chosen hosts in the IPH network run Nmap to scan the hosts of the IPH network. To simulate IPH network hosts normally accepting new connections, the controller keeps 100 to 1000 external window periods and 100 to 1000 internal window periods open at random. Figure 5 shows the scan results of OF-RHM and IPH. The internal scan result under OF-RHM resembles the external one: about 600 hosts are scanned as active, and R_find is between 1% and 2%. Under the IPH scheme, the window periods the controller opens for IPH network hosts bind both the source IP and the destination IP, and the controller only responds to packets whose source IP and destination IP both match a window, so a scanner running on host H_i can only find the connections that H_i itself initiated. The number of IPs scanned under IPH is therefore small: in the experiment no more than 1% of the hosts are scanned, and R_find is 0. Figure 6 plots the R_find curves under the OF-RHM and IPH schemes, with the first scan result as the baseline and each subsequent scan compared with the first.
1.2 Multi-channel protocol communication
The experiment sets up an FTP server in the IPH network, and FTP clients in the external network or in the IPH network establish sessions with the FTP server. The OF-RHM and IPH schemes are both tested, with 100 communications each, and the average delay is computed.
Table 1 FTP protocol communication
OF-RHM does not change the IP address in the FTP message, so when the data connection is set up the connection is made to the real IP of the host, and the data connection fails. The method described here translates the IP address in the FTP message correctly, so the data connection can be established normally. The experiment uses active mode for the data connection. In Table 1, the last row gives the average delay of the communication between the FTP server and the client. In the IPH "control connection/data" entry, the number after the slash is the delay of the packet negotiating the data connection, and the number before the slash is the delay of the other packets in the control connection. Under the OF-RHM scheme the packets do not pass through an application gateway, so the delay is small. Under IPH the packets of an FTP session pass through the gateway, where they are parsed, translated and re-encapsulated, so the delay is larger. The packet negotiating the data connection in particular is parsed by the ALG and then sent to the ALG control part on the controller, which parses and translates it, issues a command and sends the packet back to the gateway, so its delay increases noticeably. However, transferring one file in a communication needs only one data-connection negotiation packet, and the processing delay of that packet is far smaller than the total communication time, so it does not noticeably increase the communication time.
The control part and the execution part of the ALG are both written in Python; with a careful implementation in a C-like language, the packet processing speed is estimated to improve by a factor of 10^3.
1.3 Routing abnormal traffic
The controller monitors abnormal network traffic in real time; when abnormal traffic is found, the controller configures the honeypot according to the abnormal traffic and collects attacker information. The test detects and captures scanning attack traffic and DDoS attack traffic, with V_s set to 50, T_s set to 10 s, V_d set to 50, and the window period set to 10 s.
1) Scanning attack traffic
An external host runs the Nmap scanner to scan the IPH network hosts; the experiment is run with the honeypot disabled and enabled, and the result is shown in Figure 7. With the honeypot disabled, the controller keeps receiving the scanning traffic after the scanner starts; with the honeypot enabled, the scanning traffic is routed to the honeypot after T_s, the controller no longer receives it, and the honeypot takes over communicating with the attacker and collecting information.
2) DDoS attack traffic
A DDoS attack is usually launched from the external network by initiating a large number of connections to one host. The experiment has one external host send a domain-name resolution request to obtain the currently valid hIP address of an IPH network host and, within the window period, distributes this hIP to 100 external hosts, which simultaneously send IP packets to it; the result is shown in Figure 8. With the honeypot disabled, the controller keeps receiving the DDoS traffic; with the honeypot enabled, the DDoS traffic is routed to the honeypot after T_s, the controller no longer receives it, and the honeypot is responsible for discarding the traffic or communicating with the attacker and collecting information.
A traditional honeypot passively waits to be connected to; in IPH, when the controller detects that the network is under attack, it actively hands the attack traffic to the honeypot, widening the honeypot's capture scope. IPH monitors abnormal network traffic in real time and can handle attacks both from inside the IPH network and from the external network.
Overhead
Hopping IP address space: in IPH, the hIP used for a connection with an IPH network host is one-time; the allocation state of the hIP is kept for the duration of the connection, and the hIP is reclaimed when the connection ends. The number of hIPs must therefore be greater than the number of active connections established with IPH network hosts. If a network has n hosts connecting with IPH network hosts, each host establishes λ connections per second on average, each connection lasts w seconds on average, and each connection needs two hIPs (source and destination), then at least 2λwn hIPs are required. To give the hIPs stronger randomness, the hIP address space should be larger than 2λwn.
Flow table size: in IPH, the source and destination switches rewrite the IP address of the packets of every connection, so the number of flow rules in the source and destination switches is proportional to the number of active connections λwn. Since the source and destination switches rewrite packets in both directions, into and out of the IPH network, the number of flow rules in them is 2λwn.

Claims (7)

1. An IP-address-hopping secure communication method under an SDN architecture, characterized in that it comprises the following steps in order:
A: host Host1 sends a domain-name resolution request to the DNS server, requesting the IP address of host Host2;
where Host2 is a host inside the IPH network, and Host1 has the domain name of Host2 and the IP address of the DNS server;
B: the DNS server answers the domain-name resolution request sent by Host1 and sends the resolution response to the controller; the controller randomly selects a virtual IP address h2, replaces the real IP address r2 of Host2 in the resolution response with the virtual IP address h2, and opens a window period for h2;
C: the controller forwards the resolution response containing the virtual IP address h2 of Host2 to Host1;
D: Host1 obtains the virtual IP address h2 of Host2 from the resolution response and sends a packet to Host2 with the real IP address r1 of Host1 as source address and h2 as destination address; since the source switch Switch1 has no matching flow rule yet to route the packet, Switch1 sends the packet to the controller; Switch1 is the first switch that a packet sent by Host1 passes when entering the IPH network;
E: the controller checks whether the destination address, the virtual IP address h2 of Host2, is in a window period; if so, the controller randomly selects a virtual IP address h1, generates a flow rule that replaces the real IP address r1 of Host1 with the virtual IP address h1, and issues flow rules to all switches on the path; if not, the packet is dropped;
F: the source switch Switch1 uses the received flow rule to modify the source address of the packets sent by Host1 to Host2, replacing the source address, the real IP address r1 of Host1, with the virtual IP address h1, and forwards them;
G: on receiving the packet, the destination switch Switch2 replaces the destination address, the virtual IP address h2 of Host2, with the real IP address r2 of Host2 and forwards it; Switch2 is the last switch that a packet sent by Host1 passes when leaving the IPH network;
H: on receiving the packet, Host2 sends a reply packet with its real IP address r2 as source address and the virtual IP address h1 of Host1 as destination address;
I: the destination switch Switch2 uses the flow rule issued by the controller to modify the source address of the reply packets sent by Host2 to Host1, replacing the source address, the real IP address r2 of Host2, with the virtual IP address h2 of Host2, and forwards them;
J: on receiving the reply packet, the source switch Switch1 replaces the destination address, the virtual IP address h1 of Host1, with the real IP address r1 of Host1 and forwards it to Host1, which receives the reply packet normally.
2. The IP-address-hopping secure communication method under an SDN architecture according to claim 1, characterized in that in step B the controller writes the minimum feasible value into the TTL of the domain-name response, to ensure that Host1 must perform domain-name resolution again when it next accesses Host2.
3. The IP-address-hopping secure communication method under an SDN architecture according to claim 1, characterized in that in step B, when the controller opens a window period for the virtual IP address h2, it first determines from the list of internal network IP addresses whether Host1 is a host outside or inside the IPH network;
when Host1 is a host outside the IPH network, the controller opens an external window period W_out for the virtual IP address h2 and then replaces the real IP address r2 of Host2 in the resolution response with h2;
when Host1 is a host inside the IPH network, the controller opens an internal window period W_in for the virtual IP address h2 and then replaces the real IP address r2 of Host2 in the resolution response with h2.
4. The IP-address-hopping secure communication method under an SDN architecture according to claim 3, characterized in that in step B, when Host1 is a host outside the IPH network, the resolution request packet does not contain the source host IP address, i.e. the real IP address r1 of Host1; the controller binds the source host IP address as a wildcard together with the expiry time into the window-period triple W_out = {dst_hIP, *, expiration_time}, where dst_hIP is the hopping IP address, i.e. the virtual IP address of the destination host, dst_hIP = h2, and expiration_time is the expiry time of the window period; the external window period W_out accepts any packet whose destination IP is dst_hIP, i.e. the virtual IP address h2 of Host2, and whose source host IP address is an external-network IP.
5. The IP-address-hopping secure communication method under an SDN architecture according to claim 3, characterized in that in step B, when Host1 is a host inside the IPH network, the controller binds the virtual IP address h2 randomly assigned to Host2, the source IP address of Host1, i.e. its real IP address r1, and the expiry time of the window period together into the window-period triple W_in = {dst_hIP, src_rIP, expiration_time}, where dst_hIP = h2, src_rIP = r1 and expiration_time is the expiry time of the window period; the internal window period W_in only accepts packets whose source host IP address is r1 and whose destination IP is dst_hIP, i.e. the virtual IP address h2 of Host2. The source host IP address is included in W_in to verify the identity of the connection initiator.
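The hopping procedure of claims 1 to 5 (DNS-response rewrite, W_out / W_in window triple, admission of the first packet in step E, and the rewrite rules of steps F, G, I and J), as an added simulation that is not the patent's own code. Host names, the internal address list, the class B hIP pool and the switch names are constructed; the flow rules are modelled as (match source, match destination, action) tuples rather than real OpenFlow entries.

```python
import ipaddress
import random

# Constructed topology: the IPH-internal host Host2 with real address r2, the
# internal address list used to classify requesters, and a class B hopping pool.
INTERNAL_HOSTS = {"host2.example": "10.1.0.20"}
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")
HIP_POOL = ipaddress.ip_network("172.16.0.0/16")


class Controller:
    def __init__(self, seed=1):
        self.rng = random.Random(seed)
        self.windows = {}   # dst_hIP -> {"src": r1 or "*", "expiration_time", "real": r2}
        self.rules = {}     # switch name -> list of (match_src, match_dst, action, value)
        self.used_hips = set()

    def pick_hip(self):
        """Random, not yet used hIP from the pool (the one-time address of the text)."""
        while True:
            h = str(HIP_POOL[self.rng.randrange(1, HIP_POOL.num_addresses - 1)])
            if h not in self.used_hips:
                self.used_hips.add(h)
                return h

    def dns_response(self, requester_ip, name, now, window_len=10.0):
        """Steps B and C: replace r2 by a fresh h2 in the reply and open W_out or W_in."""
        r2 = INTERNAL_HOSTS[name]
        h2 = self.pick_hip()
        # Claim 4: an external request carries no usable source, so W_out uses a wildcard;
        # claim 5: an internal request binds the requester's real address r1 (W_in).
        if requester_ip is None or ipaddress.ip_address(requester_ip) not in INTERNAL_NET:
            src = "*"
        else:
            src = requester_ip
        self.windows[h2] = {"src": src, "expiration_time": now + window_len, "real": r2}
        return {"name": name, "addr": h2, "ttl": 0}   # claim 2: minimum TTL

    def packet_in(self, path, src_ip, dst_ip, now):
        """Step E: admit only a packet that matches an open window; install rewrite rules."""
        w = self.windows.get(dst_ip)
        if w is None or now >= w["expiration_time"] or w["src"] not in ("*", src_ip):
            return None                           # not in a window period: drop
        r1, h1, h2, r2 = src_ip, self.pick_hip(), dst_ip, w["real"]
        sw1, sw2 = path[0], path[-1]              # Switch1 enters, Switch2 leaves the IPH network
        self.rules.setdefault(sw1, []).append((r1, h2, "set_src", h1))   # step F
        self.rules.setdefault(sw2, []).append((h1, h2, "set_dst", r2))   # step G
        self.rules.setdefault(sw2, []).append((r2, h1, "set_src", h2))   # step I
        self.rules.setdefault(sw1, []).append((h2, h1, "set_dst", r1))   # step J
        return h1

    def apply(self, switch, pkt):
        """Data plane of one switch: the first rule matching (src, dst) rewrites the packet."""
        for m_src, m_dst, action, value in self.rules.get(switch, []):
            if (pkt["src"], pkt["dst"]) == (m_src, m_dst):
                field = "src" if action == "set_src" else "dst"
                return {**pkt, field: value}
        return pkt


def run_session(r1, external, seed=1, now=0.0):
    """Drive steps A to J once; return h1, h2 and the (src, dst) pair seen at every hop."""
    ctl = Controller(seed)
    reply = ctl.dns_response(None if external else r1, "host2.example", now)
    h2 = reply["addr"]
    path = ["Switch1", "Switch2"]
    h1 = ctl.packet_in(path, r1, h2, now + 1.0)
    if h1 is None:
        return None
    pkt = {"src": r1, "dst": h2}                    # step D: r1 -> h2
    hops = [(pkt["src"], pkt["dst"])]
    for sw in path:                                 # steps F, G
        pkt = ctl.apply(sw, pkt)
        hops.append((pkt["src"], pkt["dst"]))
    rep = {"src": pkt["dst"], "dst": pkt["src"]}    # step H: Host2 answers r2 -> h1
    hops.append((rep["src"], rep["dst"]))
    for sw in reversed(path):                       # steps I, J
        rep = ctl.apply(sw, rep)
        hops.append((rep["src"], rep["dst"]))
    return {"h1": h1, "h2": h2, "hops": hops}


if __name__ == "__main__":
    for hop in run_session("192.0.2.10", external=True)["hops"]:
        print(hop)
```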
6. The IP-address-hopping secure communication method under an SDN architecture according to claim 1, characterized in that the controller uses an ALG gateway to translate the IP addresses in the protocol payload and to correct the ACK and SEQ values.
7. The IP-address-hopping secure communication method under an SDN architecture according to claim 1, characterized in that the controller uses a honeypot to capture scanning traffic and DDoS traffic; the honeypot consists of a honeypot control part and a honeypot execution part; the execution part is divided into a secure-channel module, an interaction module and an information-collection module; the secure-channel module communicates with the controller, the interaction module communicates with the attacker, and the information-collection module collects attacker information;
if, within a given period, the number of inactive IPs accessed by some source IP exceeds a threshold, the source host is judged to be scanning the network, and the controller sends a command to the honeypot through the honeypot control part, announcing the attacker's source address and the countermeasure; the controller issues flow rules to the switches so that the scanning traffic is sent to the honeypot and the honeypot can communicate with the attacker; the honeypot then communicates with the attacker, collects information and reports it to the controller, which provides the information the controller needs for further decisions;
if, during the window period of the virtual IP address h2 of Host2, the number of source addresses accessing h2 exceeds a threshold, that traffic is judged to be DDoS traffic, and the traffic accessing the virtual IP address h2 is routed to the honeypot.
CN201510730603.1A 2015-11-02 2015-11-02 IP address jump safety communication method based on SDN framework Pending CN105429957A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510730603.1A CN105429957A (en) 2015-11-02 2015-11-02 IP address jump safety communication method based on SDN framework

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510730603.1A CN105429957A (en) 2015-11-02 2015-11-02 IP address jump safety communication method based on SDN framework

Publications (1)

Publication Number Publication Date
CN105429957A true CN105429957A (en) 2016-03-23

Family

ID=55507899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510730603.1A Pending CN105429957A (en) 2015-11-02 2015-11-02 IP address jump safety communication method based on SDN framework

Country Status (1)

Country Link
CN (1) CN105429957A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582907A (en) * 2009-06-24 2009-11-18 成都市华为赛门铁克科技有限公司 Method for enhancing the trapping capability of honeynet and honeynet system
CN103139184A (en) * 2011-12-02 2013-06-05 中国电信股份有限公司 Intelligent network firewall device and network attack protection method
CN104348794A (en) * 2013-07-30 2015-02-11 深圳市腾讯计算机系统有限公司 Network layer DDOS (Distributed Denial of Service) attack source identification method, device and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
崔臣浩, 祝跃飞, 李伟, 王凯: "Research on intranet anti-penetration technology based on moving target defense", Application Research of Computers *

Cited By (62)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106060184A (en) * 2016-05-11 2016-10-26 中国人民解放军国防信息学院 Three dimensional-based IP address hop pattern generation method and hop controllers
CN106060184B (en) * 2016-05-11 2019-04-05 中国人民解放军国防信息学院 A kind of IP address hopping patterns generation method and jump controller based on three-dimensional
CN105978875B (en) * 2016-05-11 2019-04-05 中国人民解放军国防信息学院 A kind of dynamic Service realization method and system based on service hopping and intelligently cleaned
CN105978875A (en) * 2016-05-11 2016-09-28 中国人民解放军国防信息学院 Dynamic service realization method and system base on service hopping and intelligent cleaning
CN106161670B (en) * 2016-06-02 2020-09-22 黄小勇 Address translation processing method and address translation processing device
CN106161670A (en) * 2016-06-02 2016-11-23 黄小勇 Address conversion process method and address conversion processing unit
CN106302461A (en) * 2016-08-16 2017-01-04 杭州华三通信技术有限公司 A kind of method and device checking traffic policy legitimacy
CN106302461B (en) * 2016-08-16 2020-10-27 新华三技术有限公司 Method and device for checking validity of flow strategy
CN107809495A (en) * 2016-09-09 2018-03-16 华为技术有限公司 Address management method and device
CN106302525A (en) * 2016-09-27 2017-01-04 黄小勇 A kind of cyberspace security defend method and system based on camouflage
CN106657044A (en) * 2016-12-12 2017-05-10 杭州电子科技大学 Webpage address hopping method for improving security defense of website system
CN106657066B (en) * 2016-12-23 2019-07-16 中国电子科技集团公司第三十研究所 Random hopping method and device for network management plane addresses
CN108259688A (en) * 2016-12-28 2018-07-06 广东世纪网通信设备股份有限公司 VoIP platform telephone fraud behavior detection method, apparatus and detection system
CN106790641A (en) * 2017-01-11 2017-05-31 中国人民解放军国防信息学院 End-hopping Web service access control method and device
CN106790641B (en) * 2017-01-11 2019-08-23 中国人民解放军国防信息学院 End-hopping Web service access control method and device
WO2018149406A1 (en) * 2017-02-16 2018-08-23 中兴通讯股份有限公司 IP address hopping method and apparatus for software defined network (SDN)
CN108449441A (en) * 2017-02-16 2018-08-24 中兴通讯股份有限公司 IP address hopping method and device for software defined network (SDN)
CN106982206A (en) * 2017-03-10 2017-07-25 中国科学院信息工程研究所 Malicious scanning defense method and system based on adaptive IP address change
CN106982206B (en) * 2017-03-10 2019-11-26 中国科学院信息工程研究所 Malicious scanning defense method and system based on adaptive IP address conversion
CN107147533A (en) * 2017-05-31 2017-09-08 郑州云海信息技术有限公司 Flow table configuration distribution method and system based on an SDN framework
US11451510B2 (en) 2017-12-27 2022-09-20 Zte Corporation Method and apparatus for processing service request
CN109981803A (en) * 2017-12-27 2019-07-05 中兴通讯股份有限公司 Service request processing method and device
CN109495440A (en) * 2018-09-06 2019-03-19 国家电网有限公司 Intranet dynamic security randomization device
CN109451084A (en) * 2018-09-14 2019-03-08 华为技术有限公司 Service access method and device
CN109347830A (en) * 2018-10-23 2019-02-15 中国人民解放军战略支援部队信息工程大学 Network dynamic defense system and method
CN109347881A (en) * 2018-11-30 2019-02-15 东软集团股份有限公司 Network protection method, apparatus, equipment and storage medium based on network deception
CN109756498A (en) * 2019-01-04 2019-05-14 烽火通信科技股份有限公司 NAT ALG conversion method and system for TCP on communication equipment
CN109818953A (en) * 2019-01-21 2019-05-28 常州工程职业技术学院 Sensor security defense technique in a mobile Internet of Things system
CN109922144A (en) * 2019-02-28 2019-06-21 北京百度网讯科技有限公司 Method and apparatus for handling data
US11689564B2 (en) 2019-02-28 2023-06-27 Beijing Baidu Netcom Science And Technology Co., Ltd. Method and apparatus for processing data in cleaning device
CN110198270A (en) * 2019-05-10 2019-09-03 华中科技大学 Active defense method in an SDN network based on path and IP address hopping
CN110138777A (en) * 2019-05-15 2019-08-16 电子科技大学 SDN flow rule detection method based on region growing algorithm
CN110138777B (en) * 2019-05-15 2020-03-17 电子科技大学 SDN flow rule detection method based on region growing algorithm
CN110611671A (en) * 2019-09-12 2019-12-24 北京邮电大学 Local area network communication method and device based on moving target defense
CN111163062A (en) * 2019-12-12 2020-05-15 之江实验室 Multi-network address hopping security defense method for cross fire attack
CN111163062B (en) * 2019-12-12 2022-02-22 之江实验室 Multi-network address hopping security defense method for cross fire attack
CN113014682A (en) * 2019-12-20 2021-06-22 中兴通讯股份有限公司 Method, system, terminal device and storage medium for realizing network dynamics
CN113014682B (en) * 2019-12-20 2023-09-15 中兴通讯股份有限公司 Method, system, terminal equipment and storage medium for realizing network dynamic property
CN111683063A (en) * 2020-05-20 2020-09-18 北京吉安金芯信息技术有限公司 Message processing method, system, device, storage medium and processor
CN111818058B (en) * 2020-07-09 2022-06-21 武汉量子风暴信息科技有限公司 Network hopping controller-oriented safety protection method, system and related equipment
CN111818058A (en) * 2020-07-09 2020-10-23 武汉量子风暴信息科技有限公司 Network hopping controller-oriented safety protection method, system and related equipment
CN112637175A (en) * 2020-12-17 2021-04-09 山东云天安全技术有限公司 Defense method and device for industrial Internet of things
CN112637175B (en) * 2020-12-17 2021-08-20 山东云天安全技术有限公司 Defense method and device for industrial Internet of things
CN113225255A (en) * 2021-03-31 2021-08-06 福建奇点时空数字科技有限公司 SDN random route hopping method based on trigger generation mechanism
CN113114666A (en) * 2021-04-09 2021-07-13 天津理工大学 Moving target defense method for scanning attack in SDN network
CN113114666B (en) * 2021-04-09 2022-02-22 天津理工大学 Moving target defense method for scanning attack in SDN network
CN113098894A (en) * 2021-04-22 2021-07-09 福建奇点时空数字科技有限公司 SDN IP address hopping method based on randomization algorithm
CN113098900B (en) * 2021-04-29 2023-04-07 厦门美域中央信息科技有限公司 SDN network IP hopping method supporting address space expansion
CN113098900A (en) * 2021-04-29 2021-07-09 福建奇点时空数字科技有限公司 SDN network IP hopping method supporting address space expansion
CN113242268A (en) * 2021-07-12 2021-08-10 北京宇创瑞联信息技术有限公司 Authentication method for data secure transmission, data secure transmission method and system
CN113922987A (en) * 2021-07-12 2022-01-11 北京宇创瑞联信息技术有限公司 Data secure transmission method, equipment and system
CN113489731A (en) * 2021-07-12 2021-10-08 于洪 Data transmission method and system based on virtualization network and network security equipment
CN113489730A (en) * 2021-07-12 2021-10-08 于洪 Data transmission method, device and system based on virtualization network
CN113242270A (en) * 2021-07-12 2021-08-10 北京宇创瑞联信息技术有限公司 Data transmission method, device and system based on virtualization network
CN113660252A (en) * 2021-08-12 2021-11-16 江苏亨通工控安全研究院有限公司 Active defense system and method
CN113676476A (en) * 2021-08-18 2021-11-19 大连海事大学 Encrypted jump method based on action programmable software defined network
CN114465745A (en) * 2021-09-28 2022-05-10 北京卫达信息技术有限公司 Network topology confusion virtual device and virtual method based on virtual network
CN114465745B (en) * 2021-09-28 2022-11-18 北京卫达信息技术有限公司 Network topology confusion virtual device and virtual method based on virtual network
CN113872846A (en) * 2021-10-08 2021-12-31 新华三信息安全技术有限公司 Message sending method and device
WO2023165324A1 (en) * 2022-03-03 2023-09-07 华为技术有限公司 Communication method, network device, terminal, and domain name system server
CN115051836A (en) * 2022-05-18 2022-09-13 中国人民解放军战略支援部队信息工程大学 SDN-based APT attack dynamic defense method and system
CN115051836B (en) * 2022-05-18 2023-08-04 中国人民解放军战略支援部队信息工程大学 SDN-based APT attack dynamic defense method and system

Similar Documents

Publication Publication Date Title
CN105429957A (en) IP address jump safety communication method based on SDN framework
Fichera et al. OPERETTA: An OPEnflow-based REmedy to mitigate TCP SYNFLOOD Attacks against web servers
US11005865B2 (en) Distributed denial-of-service attack detection and mitigation based on autonomous system number
Masoud et al. On preventing ARP poisoning attack utilizing Software Defined Network (SDN) paradigm
US10911473B2 (en) Distributed denial-of-service attack detection and mitigation based on autonomous system number
Rengaraju et al. Detection and prevention of DoS attacks in Software-Defined Cloud networks
Merlo et al. A comparative performance evaluation of DNS tunneling tools
Gilad et al. LOT: A defense against IP spoofing and flooding attacks
Žagar et al. Security aspects in IPv6 networks–implementation and testing
Bogdanoski et al. Wireless network behavior under ICMP ping flood DoS attack and mitigation techniques
Lin et al. MECPASS: Distributed denial of service defense architecture for mobile networks
Mohammadnia et al. IoT-NETZ: Practical spoofing attack mitigation approach in SDWN network
Bhatia et al. Ensemble-based DDoS detection and mitigation model
Alotaibi et al. Security issues in protocols of TCP/IP model at layers level
Das et al. Flood control: TCP-SYN flood detection for software-defined networks using OpenFlow port statistics
Abdulla Survey of security issues in IPv4 to IPv6 tunnel transition mechanisms
CN105850091B (en) Method, border network device and IP server for providing a connection between a communication service provider and an IP server providing a service
Ansilla et al. Data security in Smart Grid with hardware implementation against DoS attacks
Thang et al. Synflood spoofed source DDoS attack defense based on packet ID anomaly detection with bloom filter
Doucette An Architectural Approach for Mitigating Next-Generation Denial of Service Attacks
Kotenko et al. Packet level simulation of cooperative distributed defense against Internet attacks
Kimiyama et al. Autonomous and distributed internet security (AIS) infrastructure for safe internet
Guo et al. Intrusion prevention with attack traceback and software-defined control plane for campus networks
Mayer Quality of Service Impacts of a Moving Target Defense with Software-defined Networking
Meena et al. Status of address spoofing attack prevention techniques in software-defined networking (SDN)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160323