CN108028828A - A distributed denial of service (DDoS) attack detection method and related device - Google Patents


Info

Publication number: CN108028828A
Application number: CN201580031751.2A
Authority: CN (China)
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN108028828B (en)
Inventors: 徐通 (Xu Tong), 郑涛 (Zheng Tao), 董平 (Dong Ping), 孙嘉楠 (Sun Jianan)
Original assignee: Huawei Technologies Co Ltd
Current assignee: Honor Device Co Ltd (as listed by Google Patents; not verified)
Prior art keywords: flow table, target device, edge switch, target, request message

Events:
• Application filed by Huawei Technologies Co Ltd
• Publication of CN108028828A
• Application granted
• Publication of CN108028828B
• Legal status: Active (as listed)
Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/40: Network security protocols

Abstract

An embodiment of the invention discloses a distributed denial of service (DDoS) attack detection method and related device, applied to a software defined network (SDN) comprising a controller and at least one edge switch. The method comprises: monitoring first request messages within a preset first window and calculating the current request rate of a target device in the SDN for the first request messages, where a first request message is a request that the edge switch corresponding to the target device sends to the controller for a data flow that needs processing by the controller; determining, based on the current request rate, whether the target device is in an abnormal state; if the target device is in an abnormal state, querying the flow table match information corresponding to the target device; and determining, based on the flow table match information, whether the target device is under DDoS attack. The invention improves the accuracy of DDoS attack detection for an SDN.

Description

A distributed denial of service (DDoS) attack detection method and related device
Technical field
The present invention relates to the field of communication technology, and in particular to a DDoS attack detection method and related devices.
Background technique
A software defined network (SDN) is a new network architecture that separates the control plane of network devices from the data plane so that network traffic can be controlled flexibly, and it provides a good platform for innovation in core networks and applications. At the same time, an SDN faces security problems, such as distributed denial of service (DDoS) attacks. In an SDN, every new data flow entering the network requires the switch to request processing from the controller in order to obtain a routing result; when many such requests reach the controller within a period of time, the controller's processing performance degrades. If a DDoS attacker forges and sends a large number of packets belonging to different flows, the controller's processing resources are maliciously consumed. Moreover, while the attack is manufacturing large numbers of packets of different flows to occupy controller resources, the controller issues a large number of flow entries, which can overflow the flow table space of the underlying switches. Effectively detecting DDoS attacks against devices in an SDN has therefore become an urgent problem.
At present there is only a small amount of research on detecting DDoS attacks against an SDN. One disclosed method uses changes in entropy to detect a DDoS attack on the SDN controller. When the network is normal, the destination IP address, virtual local area network (VLAN) number, destination port or other fields of the data flows generally show strong randomness and the entropy is large; when the controller is under DDoS attack, the randomness of one or more of these fields decreases and the entropy becomes smaller, so whether the controller is under DDoS attack can be determined from the size of the entropy. Here entropy is used to measure the expected value of the occurrence of a random variable.
However, the entropy-based DDoS detection method depends on the difference in randomness between normal flows and attack flows. When the attack flows are highly random, attacks are missed (false negatives); when the normal flows are not very random, normal flows are mistaken for attack flows (false positives). That is, current DDoS detection relies on the randomness of normal and attack flows, and its accuracy is low.
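The false-negative case described above, as an added example (not code from the patent): the entropy rule of the prior art is run over constructed destination-IP samples for one window. The threshold value, the sample sizes and the addresses are assumptions chosen for the illustration. A focused flood on one victim drops the entropy and is caught, while a flood of forged flows with random destinations keeps entropy as high as normal traffic and is never flagged, even though every one of its packets is a new flow that costs the controller a request.

```python
"""Entropy-based DDoS detection of the kind the page describes as prior art,
run over constructed destination-IP samples. Added example, not the patent's
code. Threshold, sample sizes and addresses are assumptions."""
import math
import random
from collections import Counter


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of a field
    (here: destination IP) over one monitoring window."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def entropy_alert(dst_ips, threshold_bits):
    """Prior-art rule: alert when the field's entropy drops below a threshold.
    The threshold is an assumption; the page only says the entropy 'is smaller'."""
    return shannon_entropy(dst_ips) < threshold_bits


def constructed_window(kind, n=2000, seed=1):
    """Constructed destination-IP samples for one window (not real traffic)."""
    rng = random.Random(seed)

    def rand_ip(prefix):
        return f"{prefix}.{rng.randrange(256)}.{rng.randrange(256)}"

    if kind == "normal":
        # many clients spread over a /16 of servers: high entropy
        return [rand_ip("10.0") for _ in range(n)]
    if kind == "focused_flood":
        # classic flood on one victim: entropy collapses and the rule fires
        return ["10.0.0.1"] * (n - 50) + [rand_ip("10.0") for _ in range(50)]
    if kind == "random_flood":
        # forged flows with random destinations: each packet is a new flow and
        # costs the controller a request, but entropy stays as high as normal
        return [f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
                for _ in range(n)]
    raise ValueError(kind)


def prior_art_verdicts(threshold_bits=8.0):
    """Run the entropy rule over the three constructed windows."""
    return {kind: entropy_alert(constructed_window(kind), threshold_bits)
            for kind in ("normal", "focused_flood", "random_flood")}
```

Running `prior_art_verdicts()` flags only the focused flood; the random flood is a miss, which is the case the method below is designed to catch by looking at how much traffic the requested flows actually carry rather than at how random their fields are.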
Summary of the invention
Embodiments of the present invention provide a DDoS attack detection method and related device that improve the accuracy of DDoS attack detection without relying on the randomness of normal flows and attack flows.
In a first aspect, an embodiment of the invention provides a DDoS attack detection method applied to a software defined network (SDN), the SDN comprising a controller and at least one edge switch. The method comprises:
monitoring first request messages within a preset first window, and calculating the current request rate of a target device in the SDN for the first request messages, where a first request message is a request that the edge switch corresponding to the target device sends to the controller for a data flow that needs processing by the controller;
determining, based on the current request rate, whether the target device is in an abnormal state;
if the target device is in an abnormal state, querying the flow table match information corresponding to the target device; and
determining, based on the flow table match information, whether the target device is under DDoS attack.
With reference to the first aspect, in a first possible implementation of the first aspect, the method further comprises:
if it is determined that the target device is under DDoS attack, determining a target physical port from the at least one physical port of the edge switch corresponding to the target device, the target physical port being the one of those physical ports with the highest density of first request messages within the first window;
marking the target data stream transmitted on the target physical port, the target data stream being a data flow between switches in the SDN; and
redirecting the marked target data stream to a data filtering device bound in advance to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
With reference to the first aspect or its first possible implementation, in a second possible implementation of the first aspect, the target device is a target edge switch among the at least one edge switch, and monitoring the first request messages within the preset first window and calculating the current request rate of the target device in the SDN for the first request messages comprises:
monitoring the first request messages sent by the target edge switch within the preset first window; and
calculating the request rate of those first request messages, and taking the calculated request rate as the target edge switch's current request rate for the first request messages.
With reference to the first aspect or its first possible implementation, in a third possible implementation of the first aspect, the target device is the controller, and monitoring the first request messages within the preset first window and calculating the current request rate of the target device in the SDN for the first request messages comprises:
monitoring the first request messages sent by each edge switch in the SDN within the preset first window;
obtaining, by statistics, the request rate of the first request messages sent by each edge switch within the first window; and
obtaining, from the request rates of the individual edge switches, the current request rate within the first window of the edge network formed by all the edge switches in the SDN, and taking the current request rate of the edge network as the controller's current request rate for the first request messages.
With reference to the first aspect or any of its first to third possible implementations, in a fourth possible implementation of the first aspect, determining, based on the current request rate, whether the target device is in an abnormal state comprises:
determining whether the current request rate is higher than a preset first threshold corresponding to the target device, the first threshold being determined from the request rate of first request messages within a preset second window; and
if it is higher than the first threshold, determining that the target device is in an abnormal state.
With reference to the first aspect or any of its first to fourth possible implementations, in a fifth possible implementation of the first aspect, querying the flow table match information corresponding to the target device comprises:
sending a flow table information query instruction to the edge switch corresponding to the target device; and
receiving the flow table match information that the edge switch corresponding to the target device returns in response to the flow table information query instruction;
and determining, based on the flow table match information, whether the target device is under DDoS attack comprises:
calculating, based on the flow table match information, the current flow table matching efficiency corresponding to the target device;
determining whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, the second threshold being determined from the flow table matching efficiencies computed from the flow table match information within a preset third window; and
if it does not exceed the second threshold, determining that the target device is under DDoS attack.
With reference to the fifth possible implementation of the first aspect, in a sixth possible implementation of the first aspect, the target device is a target edge switch among the at least one edge switch, and calculating, based on the flow table match information, the current flow table matching efficiency corresponding to the target device comprises:
calculating, from the flow table match information returned by the target edge switch, the flow table matching efficiency corresponding to that flow table match information, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
With reference to the fifth possible implementation of the first aspect, in a seventh possible implementation of the first aspect, the target device is the controller, the edge switches corresponding to the target device include all edge switches in the SDN, and calculating, based on the flow table match information, the current flow table matching efficiency corresponding to the target device comprises:
calculating separately, from the flow table match information returned by each edge switch in the SDN, the flow table matching efficiency corresponding to the flow table match information returned by that edge switch; and
calculating the average of the flow table matching efficiencies of the edge switches, and taking the average as the current flow table matching efficiency corresponding to the controller.
With reference to the sixth or seventh possible implementation of the first aspect, in an eighth possible implementation of the first aspect, the flow table match information includes a duration in seconds and a matched packet count, and calculating the flow table matching efficiency corresponding to the flow table match information comprises:
taking the quotient of the matched packet count and the duration in seconds as the flow table matching efficiency corresponding to the flow table match information.
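The two-stage check of the first aspect and its second to eighth implementations, run over constructed data, as an added example (not the patent's code). It assumes that the "first request message" is an OpenFlow Packet-In, that the flow table match information is a flow-stats entry carrying `duration_sec` and `packet_count`, that a switch's efficiency is the mean of the per-entry quotients, and that the first threshold is the baseline-window rate times a margin; the patent states only that the threshold comes from the rate in a second window, and the second threshold here is simply assumed to have been learned already. The scenario has switch `s1` flooding the controller with one-packet flows and switch `s2` merely seeing a burst of genuine new flows, so the request rate alone would flag both and only the matching efficiency separates them.

```python
"""Two-stage SDN DDoS detection of the claims, over constructed data.
Added example, not the patent's code; see the assumptions in the lead-in."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class PacketIn:
    t: float       # arrival time at the controller, seconds (assumed Packet-In)
    switch: str    # edge switch that sent it
    in_port: int   # ingress physical port


@dataclass(frozen=True)
class FlowStat:
    switch: str
    duration_sec: int
    packet_count: int


def request_rate(events, switch, t0, window):
    """Packet-Ins per second from `switch` in [t0, t0 + window)."""
    n = sum(1 for e in events if e.switch == switch and t0 <= e.t < t0 + window)
    return n / window


def first_threshold(events, switch, t0, window, margin=2.0):
    """First threshold: rate in the baseline (second) window times a margin.
    The margin is an assumption."""
    return margin * request_rate(events, switch, t0, window)


def matching_efficiency(stats):
    """Matched packets per second of entry lifetime (claim: packet count divided
    by duration in seconds), averaged over the entries (assumption); entries
    with zero duration have no lifetime to divide by and are skipped."""
    effs = [s.packet_count / s.duration_sec for s in stats if s.duration_sec > 0]
    return mean(effs) if effs else 0.0


def detect_switch(events, stats, switch, rate_thr, eff_thr, t0, window):
    """Edge-switch case. Returns (abnormal, under_attack): stage 1 flags an
    abnormal request rate, stage 2 confirms an attack only when the flows the
    switch asked about turn out to be almost idle."""
    if request_rate(events, switch, t0, window) <= rate_thr:
        return (False, False)
    eff = matching_efficiency([s for s in stats if s.switch == switch])
    return (True, eff <= eff_thr)


def detect_controller(events, stats, switches, rate_thr, eff_thr, t0, window):
    """Controller case: the edge network's rate is the sum over all edge
    switches and its efficiency the mean of the per-switch efficiencies."""
    if sum(request_rate(events, s, t0, window) for s in switches) <= rate_thr:
        return (False, False)
    eff = mean(matching_efficiency([x for x in stats if x.switch == s]) for s in switches)
    return (True, eff <= eff_thr)


def run_example():
    """Constructed scenario: baseline window [0, 10) with 2 Packet-Ins/s per
    switch; monitoring window [10, 20) where s1 floods with one-packet flows
    (20/s) and s2 has a burst of genuine new flows (10/s)."""
    baseline = [PacketIn(i * 0.5, sw, 1) for sw in ("s1", "s2") for i in range(20)]
    attack = [PacketIn(10 + i * 0.05, "s1", 1) for i in range(200)]
    burst = [PacketIn(10 + i * 0.1, "s2", 3) for i in range(100)]
    events = baseline + attack + burst
    stats = [FlowStat("s1", 5, 1)] * 5 + [FlowStat("s2", 10, 500), FlowStat("s2", 10, 300)]
    eff_thr = 2.0   # second threshold, assumed already learned from history
    rate_thr = {sw: first_threshold(events, sw, 0, 10) for sw in ("s1", "s2")}  # 4.0 each
    return {
        "s1": detect_switch(events, stats, "s1", rate_thr["s1"], eff_thr, 10, 10),
        "s2": detect_switch(events, stats, "s2", rate_thr["s2"], eff_thr, 10, 10),
        "controller": detect_controller(events, stats, ["s1", "s2"],
                                        sum(rate_thr.values()), eff_thr, 10, 10),
    }
```

`run_example()` reports `s1` as abnormal and under attack, `s2` as abnormal but not under attack, and the controller as abnormal but not under attack: averaging the per-switch efficiencies, as the seventh implementation does, lets one healthy busy switch mask one attacked switch, which is why the twelfth implementation below descends to the switches whose efficiency is below the network's when locating the attack port.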
With reference to the fifth possible implementation of the first aspect, in a ninth possible implementation of the first aspect, the method further comprises:
monitoring second request messages of the edge switch corresponding to the target device, a second request message being generated from the flow table match information within the preset third window;
calculating, based on the second request messages, the historical flow table matching efficiency corresponding to the target device; and
determining the second threshold corresponding to the target device from the historical flow table matching efficiency corresponding to the target device.
With reference to the ninth possible implementation of the first aspect, in a tenth possible implementation of the first aspect, the second request message includes reason information, a duration in seconds and a matched packet count, and calculating, based on the second request message, the historical flow table matching efficiency corresponding to the target device comprises:
parsing the reason information;
if the reason information includes idle-timeout information, taking the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, the target difference being the duration in seconds minus the idle time corresponding to the idle-timeout information; and
if the reason information includes hard-timeout information, taking the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
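The ninth and tenth implementations, as an added example (not the patent's code). It assumes the "second request message" is an OpenFlow Flow-Removed report carrying a reason, the entry's lifetime in seconds, its configured idle timeout and its matched packet count. An entry removed for idle timeout spent its last `idle_timeout` seconds matching nothing, so that idle tail is subtracted from the lifetime; a hard-timeout removal counts the whole lifetime. Two further points are assumptions: a reason the page does not cover (for example a delete by the controller) is ignored, and an entry that never matched anything, whose active time is therefore zero, is treated as one second of lifetime so the quotient is defined. The page says only that the second threshold is "determined from" the historical efficiency; taking a fraction of the mean is an assumption.

```python
"""Learning the second threshold from flow-removal reports. Added example,
not the patent's code; see the assumptions in the lead-in."""
from dataclasses import dataclass
from statistics import mean

IDLE_TIMEOUT = "idle_timeout"
HARD_TIMEOUT = "hard_timeout"


@dataclass(frozen=True)
class FlowRemoved:
    switch: str
    reason: str         # IDLE_TIMEOUT, HARD_TIMEOUT or something else (e.g. a delete)
    duration_sec: int   # lifetime of the entry
    idle_timeout: int   # configured idle timeout of the entry
    packet_count: int   # packets matched over the lifetime


def history_efficiency(msg):
    """Matched packets per second of active lifetime, or None when the reason
    is one the method does not define (the page covers only the two timeouts)."""
    if msg.reason == IDLE_TIMEOUT:
        active = msg.duration_sec - msg.idle_timeout
    elif msg.reason == HARD_TIMEOUT:
        active = msg.duration_sec
    else:
        return None
    # An entry that never matched is removed after exactly idle_timeout seconds,
    # so its active time is 0; clamp to 1 s so the quotient is defined (assumption).
    return msg.packet_count / max(active, 1)


def second_threshold(history, fraction=0.1):
    """Second threshold for one target device from its historical efficiencies:
    a fraction of the mean (assumption), i.e. flows carrying under a tenth of
    the usual traffic per second look idle."""
    effs = [e for e in (history_efficiency(m) for m in history) if e is not None]
    return fraction * mean(effs) if effs else 0.0


def run_example():
    """Constructed third-window history for switch s1 (not real traffic)."""
    history = [
        FlowRemoved("s1", HARD_TIMEOUT, 60, 10, 1200),   # 20 pkt/s over 60 s
        FlowRemoved("s1", IDLE_TIMEOUT, 40, 10, 600),    # 600 pkt in 30 active s
        FlowRemoved("s1", IDLE_TIMEOUT, 25, 10, 150),    # 150 pkt in 15 active s
        FlowRemoved("s1", "delete", 5, 10, 7),           # controller delete: ignored
    ]
    thr = second_threshold(history)
    # A forged attack flow: installed, never matched, idle-timed out after 10 s.
    attack = FlowRemoved("s1", IDLE_TIMEOUT, 10, 10, 0)
    return {
        "per_flow": [history_efficiency(m) for m in history],
        "threshold": thr,
        "attack_efficiency": history_efficiency(attack),
        "attack_below_threshold": history_efficiency(attack) <= thr,
    }
```

Subtracting the idle tail matters for the baseline: without it, the second and third entries would read 15 and 6 packets per second instead of 20 and 10, pulling the learned threshold down and making genuinely idle attack flows harder to separate from normal ones.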
With reference to the first possible implementation of the first aspect, in an eleventh possible implementation of the first aspect, the target device is a target edge switch among the at least one edge switch, and determining a target physical port from the at least one physical port of the edge switch corresponding to the target device comprises:
determining, based on the first request messages, the one of the at least one physical port of the target edge switch with the highest density of first request messages as the target physical port.
With reference to the first possible implementation of the first aspect, in a twelfth possible implementation of the first aspect, the target device is the controller, and determining a target physical port from the at least one physical port of the edge switch corresponding to the target device comprises:
obtaining the current flow table matching efficiency of each edge switch in the SDN, and taking as target switches those edge switches whose current flow table matching efficiency is lower than the current flow table matching efficiency of the edge network corresponding to the SDN, the edge network corresponding to the SDN being determined by the at least one edge switch in the SDN; and
determining, based on the first request messages corresponding to a target switch, the one of the at least one physical port of the target switch with the highest density of first request messages as the target physical port.
With reference to the first possible implementation of the first aspect, in a thirteenth possible implementation of the first aspect, marking the target data stream on the target physical port comprises:
filling a spare field of the packets of the target data stream on the target physical port with a hash of the hardware address of the edge switch corresponding to the target device; or
encapsulating the packets of the target data stream on the target physical port using a generic encapsulation technique.
With reference to the first possible implementation of the first aspect, in a fourteenth possible implementation of the first aspect, the method further comprises:
obtaining the address information of the edge switches and of the data filtering devices in the SDN;
obtaining the topology information of the SDN; and
determining, from the topology information, at least one data filtering device for each edge switch, and binding the address information of the determined data filtering device to the address information of the edge switch.
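The mitigation steps of the first and eleventh to fourteenth implementations over constructed Packet-In records, as an added example (not the patent's code): pick the target physical port as the port whose requests in the window are the most numerous, in the controller case restrict the search to the edge switches whose current matching efficiency is below the edge network's (taken here as the mean over all edge switches, an assumption), derive the tag from a hash of the edge switch's hardware address, and pair it with the filtering device bound to that switch. The 16-bit tag width, the use of SHA-256, the lowest-port tie-break and the switch-to-MAC and switch-to-filter tables are assumptions; the patent says only "hash of the hardware address" and "bound in advance".

```python
"""Target-port selection, marking and redirection of the claims over
constructed data. Added example, not the patent's code; see the lead-in."""
import hashlib
from collections import Counter
from statistics import mean


def target_port(packet_ins, switch):
    """Port of `switch` with the most Packet-Ins in the window (its request
    density); ties go to the lowest port number (assumption). None if the
    switch sent no requests."""
    counts = Counter(port for sw, port in packet_ins if sw == switch)
    if not counts:
        return None
    return max(sorted(counts), key=counts.__getitem__)


def suspect_switches(efficiency_by_switch):
    """Controller case: edge switches whose current matching efficiency is
    below that of the edge network, taken as the mean over all edge switches."""
    net = mean(efficiency_by_switch.values())
    return sorted(sw for sw, eff in efficiency_by_switch.items() if eff < net)


def mark_value(hw_addr):
    """16-bit tag from the switch's hardware (MAC) address, to be written into
    a spare header field of the redirected packets (width and hash assumed)."""
    raw = bytes.fromhex(hw_addr.replace(":", ""))
    return int.from_bytes(hashlib.sha256(raw).digest()[:2], "big")


def redirect_plan(packet_ins, suspects, hw_addrs, filter_bindings):
    """One (port, tag, filter address) entry per suspect switch that has a
    target port; the filter address comes from the pre-bound table."""
    plan = {}
    for sw in suspects:
        port = target_port(packet_ins, sw)
        if port is not None:
            plan[sw] = {"port": port, "tag": mark_value(hw_addrs[sw]),
                        "filter": filter_bindings[sw]}
    return plan


def run_example():
    """Constructed window: s1 is flooded on port 1, s2 is busy but healthy,
    s3 sent no requests. Efficiencies are taken from the statistics step."""
    packet_ins = ([("s1", 1)] * 150 + [("s1", 2)] * 20 +
                  [("s2", 3)] * 40 + [("s2", 4)] * 60)
    efficiency = {"s1": 0.2, "s2": 40.0, "s3": 30.0}
    hw_addrs = {"s1": "00:11:22:33:44:55", "s2": "00:11:22:33:44:66",
                "s3": "00:11:22:33:44:77"}
    filters = {"s1": "10.254.0.1", "s2": "10.254.0.1", "s3": "10.254.0.2"}
    suspects = suspect_switches(efficiency)
    return suspects, redirect_plan(packet_ins, suspects, hw_addrs, filters)
```

`run_example()` singles out `s1` (efficiency 0.2 against a network mean of 23.4) and port 1 on it, and tags its inter-switch traffic with the hash for `00:11:22:33:44:55` so the bound filter at `10.254.0.1` can recognise which switch diverted it. The tag only identifies the diverting switch; the filter still has to decide per flow what to drop.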
In a second aspect, an embodiment of the invention provides a DDoS attack detection apparatus applied to a software defined network (SDN), the SDN comprising a controller and at least one edge switch, the apparatus comprising:
a calculating module, configured to monitor first request messages within a preset first window and calculate the current request rate of a target device in the SDN for the first request messages, where a first request message is a request that the edge switch corresponding to the target device sends to the controller for a data flow that needs processing by the controller;
an abnormality judging module, configured to determine, based on the current request rate, whether the target device is in an abnormal state;
a query module, configured to query the flow table match information corresponding to the target device when the abnormality judging module determines that the target device is in an abnormal state; and
an attack determining module, configured to determine, based on the flow table match information, whether the target device is under DDoS attack.
With reference to the second aspect, in a first possible implementation of the second aspect, the apparatus further comprises:
a port determining module, configured to, when it is determined that the target device is under DDoS attack, determine a target physical port from the at least one physical port of the edge switch corresponding to the target device, the target physical port being the one of those physical ports with the highest density of first request messages within the first window;
a marking module, configured to mark the target data stream transmitted on the target physical port, the target data stream being a data flow between switches in the SDN; and
a redirection module, configured to redirect the marked target data stream to a data filtering device bound in advance to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
With reference to the second aspect or its first possible implementation, in a second possible implementation of the second aspect, the target device is a target edge switch among the at least one edge switch, and the calculating module comprises:
a first monitoring unit, configured to monitor the first request messages sent by the target edge switch within the preset first window; and
a first calculating unit, configured to calculate the request rate of those first request messages and take the calculated request rate as the target edge switch's current request rate for the first request messages.
With reference to the second aspect or its first possible implementation, in a third possible implementation of the second aspect, the target device is the controller, and the calculating module comprises:
a second monitoring unit, configured to monitor the first request messages sent by each edge switch in the SDN within the preset first window; and
a second calculating unit, configured to obtain, by statistics, the request rate of the first request messages sent by each edge switch within the first window;
the second calculating unit being further configured to obtain, from the request rates of the individual edge switches, the current request rate within the first window of the edge network formed by all the edge switches in the SDN, and to take the current request rate of the edge network as the controller's current request rate for the first request messages.
With reference to the second aspect or any of its first to third possible implementations, in a fourth possible implementation of the second aspect, the abnormality judging module comprises:
a first judging unit, configured to determine whether the current request rate is higher than a preset first threshold corresponding to the target device, the first threshold being determined from the request rate of first request messages within a preset second window; and
a first determining unit, configured to determine that the target device is in an abnormal state when the first judging unit finds the current request rate higher than the first threshold.
With reference to the second aspect or any of its first to fourth possible implementations, in a fifth possible implementation of the second aspect, the query module comprises:
an instruction sending unit, configured to send a flow table information query instruction to the edge switch corresponding to the target device when the target device is in an abnormal state; and
an information receiving unit, configured to receive the flow table match information that the edge switch corresponding to the target device returns in response to the flow table information query instruction;
and the attack determining module comprises:
an efficiency calculating unit, configured to calculate, based on the flow table match information, the current flow table matching efficiency corresponding to the target device;
a second judging unit, configured to determine whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, the second threshold being determined from the flow table matching efficiencies computed from the flow table match information within a preset third window; and
a second determining unit, configured to determine that the target device is under DDoS attack when the second judging unit finds that the current flow table matching efficiency does not exceed the second threshold.
With reference to the fifth possible implementation of the second aspect, in a sixth possible implementation of the second aspect, the target device is a target edge switch among the at least one edge switch, and the efficiency calculating unit is specifically configured to:
calculate, from the flow table match information returned by the target edge switch, the flow table matching efficiency corresponding to that flow table match information, and take the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
With reference to the fifth possible implementation of the second aspect, in a seventh possible implementation of the second aspect, the target device is the controller, the edge switches corresponding to the target device include all edge switches in the SDN, and the efficiency calculating unit is specifically configured to:
calculate separately, from the flow table match information returned by each edge switch in the SDN, the flow table matching efficiency corresponding to the flow table match information returned by that edge switch; and calculate the average of the flow table matching efficiencies of the edge switches and take the average as the current flow table matching efficiency corresponding to the controller.
With reference to the fifth possible implementation of the second aspect, in an eighth possible implementation of the second aspect, the apparatus further comprises:
an efficiency determining module, configured to monitor second request messages of the edge switch corresponding to the target device and calculate, based on the second request messages, the historical flow table matching efficiency corresponding to the target device, a second request message being generated from the flow table match information within the preset third window; and
a threshold determining module, configured to determine the second threshold corresponding to the target device from the historical flow table matching efficiency corresponding to the target device.
With reference to the eighth possible implementation of the second aspect, in a ninth possible implementation of the second aspect, the second request message includes reason information, a duration in seconds and a matched packet count, and the efficiency determining module comprises:
a parsing unit, configured to parse the reason information; and
a third determining unit, configured to, when the parsing unit finds that the reason information includes idle-timeout information, take the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, the target difference being the duration in seconds minus the idle time corresponding to the idle-timeout information;
the third determining unit being further configured to, when the parsing unit finds that the reason information includes hard-timeout information, take the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
With reference to the first possible implementation of the second aspect, in a tenth possible implementation of the second aspect, the target device is a target edge switch among the at least one edge switch, and the port determining module is specifically configured to:
when it is determined that the target edge switch is under DDoS attack, determine, based on the first request messages, the one of the at least one physical port of the target edge switch with the highest density of first request messages as the target physical port.
With reference to the first possible implementation of the second aspect, in an eleventh possible implementation of the second aspect, the target device is the controller, and the port determining module is specifically configured to:
when it is determined that the controller is under DDoS attack, obtain the current flow table matching efficiency of each edge switch in the SDN, and take as target switches those edge switches whose current flow table matching efficiency is lower than the current flow table matching efficiency of the edge network corresponding to the SDN, the edge network corresponding to the SDN being determined by the at least one edge switch in the SDN; and
determine, based on the first request messages corresponding to a target switch, the one of the at least one physical port of the target switch with the highest density of first request messages as the target physical port.
With reference to the first possible implementation of the second aspect, in a twelfth possible implementation of the second aspect, the marking module is specifically configured to:
fill a spare field of the packets of the target data stream on the target physical port with a hash of the hardware address of the edge switch corresponding to the target device; or
encapsulate the packets of the target data stream on the target physical port using a generic encapsulation technique.
With reference to the first possible implementation of the second aspect, in a thirteenth possible implementation of the second aspect, the apparatus further comprises:
an obtaining module, configured to obtain the address information of the edge switches and of the data filtering devices in the SDN;
the obtaining module being further configured to obtain the topology information of the SDN; and
a binding determining module, configured to determine, from the topology information, at least one data filtering device for each edge switch, and to bind the address information of the determined data filtering device to the address information of the edge switch.
The third aspect, the embodiment of the invention provides a kind of network equipments, are applied to software defined network SDN, the SDN includes controller and at least one edge switch, it include: communication interface, memory and processor, the processor is connect with the communication interface and the memory respectively;Wherein,
The memory is used for storage driving software;
The processor reads the drive software from the memory and executes under the action of the drive software:
By the first request message in the first window of the communication interface preset monitored, and described in calculating Target device in SDN is directed to the current request rates of first request message, and first request message is the request data stream for the needs controller processing that the corresponding edge switch of the target device is sent to the controller;
Using the current request rates as foundation, judge whether the target device is in abnormality;
If the target device is in abnormality, the corresponding flow table match information of the target device is inquired;
Using the flow table match information as foundation, determine the target device whether by ddos attack.
With reference to the third aspect, in a first possible implementation of the third aspect, the processor further reads the driver software from the memory and, under its control, performs the following steps:
if it is determined that the target device is under DDoS attack, determining a target physical port among the at least one physical port of the edge switch corresponding to the target device, the target physical port being the physical port, among the at least one physical port, on which the data stream density of the first request message within the first window is highest;
marking the target data stream transmitted through the target physical port, the target data stream being a data stream between switches in the SDN;
redirecting, through the communication interface, the marked target data stream to the data filtering device bound in advance to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the target device is a target edge switch among the at least one edge switch; when monitoring the first request message within the preset first window and calculating the current request rate of the target device in the SDN for the first request message, the processor specifically performs the following steps:
monitoring the first request message sent by the target edge switch within the preset first window;
calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target edge switch for the first request message.
With reference to the third aspect or the first possible implementation of the third aspect, in a third possible implementation of the third aspect, the target device is the controller; when monitoring the first request message within the preset first window and calculating the current request rate of the target device in the SDN for the first request message, the processor specifically performs the following steps:
monitoring the first request message sent by each edge switch in the SDN within the preset first window;
separately counting the request rate of the first request message sent by each edge switch within the first window;
deriving, from the request rates of the individual edge switches, the current request rate within the first window of the border network formed by all edge switches in the SDN, and taking the current request rate of the border network as the current request rate of the controller for the first request message.
With reference to the third aspect, or any one of the first to third possible implementations of the third aspect, in a fourth possible implementation of the third aspect, when judging, on the basis of the current request rate, whether the target device is in an abnormal state, the processor specifically performs the following steps:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, the first threshold being determined from the request rate of the first request message within a preset second window;
if it is higher than the first threshold, determining that the target device is in an abnormal state.
With reference to the third aspect, or any one of the first to fourth possible implementations of the third aspect, in a fifth possible implementation of the third aspect, when querying the flow table match information corresponding to the target device, the processor specifically performs the following steps:
sending, through the communication interface, a flow table information query instruction to the edge switch corresponding to the target device;
receiving, through the communication interface, the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction;
and when determining, on the basis of the flow table match information, whether the target device is under DDoS attack, the processor specifically performs the following steps:
calculating, on the basis of the flow table match information, the current flow table matching efficiency corresponding to the target device;
judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, the second threshold being determined from the flow table matching efficiency computed from the flow table match information within a preset third window;
if it does not exceed the second threshold, determining that the target device is under DDoS attack.
With reference to the fifth possible implementation of the third aspect, in a sixth possible implementation of the third aspect, the target device is a target edge switch among the at least one edge switch; when calculating, on the basis of the flow table match information, the current flow table matching efficiency corresponding to the target device, the processor specifically performs the following step:
calculating, from the flow table match information returned by the target edge switch, the flow table matching efficiency corresponding to that flow table match information, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
With reference to the fifth possible implementation of the third aspect, in a seventh possible implementation of the third aspect, the target device is the controller, and the edge switches corresponding to the target device include all edge switches in the SDN; when calculating, on the basis of the flow table match information, the current flow table matching efficiency corresponding to the target device, the processor specifically performs the following steps:
calculating separately, from the flow table match information returned by each edge switch in the SDN, the flow table matching efficiency corresponding to the flow table match information returned by that edge switch;
calculating the average of the flow table matching efficiencies of the individual edge switches, and taking the average as the current flow table matching efficiency corresponding to the controller.
With reference to the sixth or seventh possible implementation of the third aspect, in an eighth possible implementation of the third aspect, the flow table match information includes the duration in seconds (duration_sec) and the matched packet count (packet_count); when calculating the flow table matching efficiency corresponding to the flow table match information, the processor specifically performs the following step:
taking the quotient of the matched packet count and the duration in seconds as the flow table matching efficiency corresponding to the flow table match information.
With reference to the fifth possible implementation of the third aspect, in a ninth possible implementation of the third aspect, the processor is further configured to perform the following steps:
monitoring a second request message of the edge switch corresponding to the target device, the second request message being generated from the flow table match information within the preset third window;
calculating, on the basis of the second request message, the historical flow table matching efficiency corresponding to the target device;
determining, from the historical flow table matching efficiency corresponding to the target device, the second threshold corresponding to the target device.
With reference to the ninth possible implementation of the third aspect, in a tenth possible implementation of the third aspect, the second request message includes reason information, the duration in seconds and the matched packet count; when calculating, on the basis of the second request message, the historical flow table matching efficiency corresponding to the target device, the processor specifically performs the following steps:
parsing the reason information;
if the reason information indicates an idle timeout, taking the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, the target difference being the duration in seconds minus the idle time corresponding to the idle timeout;
if the reason information indicates a hard timeout, taking the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
With reference to the first possible implementation of the third aspect, in an eleventh possible implementation of the third aspect, the target device is a target edge switch among the at least one edge switch; when determining the target physical port among the at least one physical port of the edge switch corresponding to the target device, the processor specifically performs the following step:
determining, on the basis of the first request message, the physical port among the at least one physical port of the target edge switch on which the data stream density of the first request message is highest as the target physical port.
With reference to the first possible implementation of the third aspect, in a twelfth possible implementation of the third aspect, the target device is the controller; when determining the target physical port among the at least one physical port of the edge switch corresponding to the target device, the processor specifically performs the following steps:
obtaining the current flow table matching efficiency of each edge switch in the SDN, and taking each edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN as a target switch, the border network corresponding to the SDN being formed by the at least one edge switch in the SDN;
determining, on the basis of the first request message corresponding to the target switch, the physical port among the at least one physical port of the target switch on which the data stream density of the first request message is highest as the target physical port.
With reference to the first possible implementation of the third aspect, in a thirteenth possible implementation of the third aspect, when marking the target data stream of the target physical port, the processor specifically performs the following step:
writing the hash value of the hardware address of the edge switch corresponding to the target device into a spare field of the data packets of the target data stream on the target physical port; or
encapsulating the data packets of the target data stream on the target physical port using a generic encapsulation technique.
With reference to the first possible implementation of the third aspect, in a fourteenth possible implementation of the third aspect, the processor further reads the driver software from the memory and, under its control, performs the following steps:
obtaining, through the communication interface, the address information of the edge switches and of the data filtering devices in the SDN respectively;
obtaining the topology information of the SDN;
determining at least one data filtering device for the edge switch according to the topology information; and
binding the address information of the determined data filtering device to the address information of the edge switch.
Compared with the prior art, the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, the current request rate corresponding to a target device in the SDN can be calculated from the monitored first request message, and whether the target device is in an abnormal state is judged from that current request rate; when the target device is in an abnormal state, the current flow table match information is further queried in order to determine whether the target device is under DDoS attack. The DDoS attack detection method of the embodiments does not rely on the randomness of normal and attack data flows, which improves the accuracy of DDoS attack detection; moreover, it can detect DDoS attacks against both switches and the controller, solving the problem that the prior art cannot detect whether a switch is under DDoS attack.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is an SDN system architecture diagram provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a DDoS attack detection method provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a DDoS attack protection method provided by an embodiment of the present invention;
Fig. 4 is an application scenario diagram of a DDoS attack detection and protection method provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of a DDoS attack detection and protection method provided by an embodiment of the present invention;
Fig. 6 is a flow diagram of another DDoS attack detection and protection method provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of a DDoS attack detection apparatus provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of another DDoS attack detection apparatus provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of a network device provided by an embodiment of the present invention.
Specific embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
It should be understood that the technical solutions of the embodiments of the present invention are applicable to a software defined network (SDN), and in particular relate to a DDoS attack detection scheme for SDN, so as to improve the accuracy of DDoS attack detection.
The specific architecture of the SDN is described first. Referring to Fig. 1, which is an SDN system architecture diagram provided by an embodiment of the present invention, the SDN includes a controller, at least one edge switch and internal switches. The at least one edge switch forms the border network of the SDN. The controller and each switch (edge switches and internal switches) communicate over control links (shown as dashed lines in the figure), which carry the request packets generated by the switches as well as the query and response messages exchanged between the controller and the switches. In addition, the switches communicate with each other over communication links (shown as solid lines in the figure), which carry the data flows of the users (including attackers) of the current network.
Referring to Fig. 2, which is a flow diagram of a DDoS attack detection method according to an embodiment of the present invention, the method can be applied to a software defined network (SDN) comprising a controller and at least one edge switch. As shown in Fig. 2, the method of this embodiment may include the following steps:
S101: monitoring a first request message in the current SDN within a preset first window, and calculating the current request rate of a target device in the SDN for the first request message.
It should be noted that the method of this embodiment may be applied to a network device in the SDN such as the controller, or to an independently deployed detection device; this embodiment imposes no limitation in that respect.
The first request message is the request data stream that the edge switch corresponding to the target device in the SDN sends to the controller and that requires processing by the controller, for example a PacketIn data stream. The first request message is specifically a data stream between the controller and the switches in the SDN. The target device may be the controller or any edge switch in the SDN; that is, this embodiment can perform DDoS attack detection for the controller in the SDN, for the edge switches in the SDN, or for the controller and the edge switches at the same time.
Specifically, the first window may be a time window or a count window, i.e. the current request rate is calculated from the first request messages within the current time window, or from the first request messages within the current window of a certain number of messages.
Optionally, the target device may be a target edge switch among the at least one edge switch. Monitoring the first request message within the preset first window and calculating the current request rate of the target device in the SDN for the first request message may then specifically be: monitoring the first request message sent by the target edge switch within the preset first window; calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target edge switch for the first request message. That is, when DDoS attack detection is performed for an edge switch, the first request messages (for example PacketIn messages) that the target edge switch sends to the controller within the current time window or count window are monitored, and the request rate of the target edge switch for the first request message in that window, i.e. its current request rate, is calculated. The target edge switch may be any edge switch in the SDN.
Optionally, the target device may also be the controller of the SDN. Monitoring the first request message within the preset first window and calculating the current request rate of the target device in the SDN for the first request message may then specifically be: monitoring the first request message sent by each edge switch in the SDN within the preset first window; separately counting the request rate of the first request message sent by each edge switch within the first window; deriving, from the request rates of the individual edge switches, the current request rate within the first window of the border network formed by all edge switches in the SDN, and taking the current request rate of the border network as the current request rate corresponding to the controller. That is, when DDoS attack detection is performed for the controller, the first request messages (for example PacketIn messages) that each edge switch in the SDN sends to the controller within the current time window or count window are monitored, the request rate of each edge switch for the first request message in that window is calculated separately, and the current request rate corresponding to the controller (i.e. the current request rate of the border network) is computed from the request rates of the edge switches, for example by taking the sum of the request rates of all edge switches as the current request rate of the border network formed by those edge switches.
S102: judging, on the basis of the current request rate, whether the target device is in an abnormal state.
In a specific embodiment, whether the target device is in an abnormal state may be judged by checking whether the current request rate of the target device satisfies a preset rule.
Optionally, judging on the basis of the current request rate whether the target device is in an abnormal state may specifically be: judging whether the current request rate is higher than a preset first threshold corresponding to the target device; if it is higher than the first threshold, determining that the target device is in an abnormal state. The first threshold may be determined from the request rate of the first request message within a preset second window. The second window may likewise be a time window or a count window: the first request messages within a certain time window or count window are monitored, the historical request rate of the first request message within that window is calculated, and the first threshold is determined from that historical request rate. Further, since the target device may be an edge switch or the controller, the first threshold corresponding to an edge switch is determined from the historical request rate calculated from the first request messages of that edge switch monitored within the second window, while the first threshold corresponding to the controller is determined from the historical request rate of the border network calculated from the first request messages of all edge switches in the SDN monitored within the second window.
Further optionally, it may also be preset that the target device is determined to be in an abnormal state only when the current request rate of the first window has been found to be higher than the first threshold several times in succession. Specifically, the current request rate corresponding to the first window is counted, and it is judged whether that current request rate is higher than the preset first threshold corresponding to the target device; if so, the first request message within the first window continues to be monitored, the new current request rate corresponding to the first window is counted, and it is judged whether the new current request rate is higher than the first threshold. The steps of monitoring the first request message within the first window and counting the new current request rate corresponding to the first window are repeated, and only when m successive judgements find the current request rate higher than the first threshold is the target device determined to be in an abnormal state.
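The request-rate stage of S101 and S102 (and the corresponding second to fourth implementations of the third aspect) as an added Python example; this is illustrative code written for this page, not the patent's or any controller's own implementation. It assumes PacketIn events are available as (timestamp, switch id) pairs, treats the first and second windows as time windows, sets the first threshold to a fixed margin times the mean historical rate (the patent leaves the derivation of the threshold open), applies the m-consecutive-windows rule described above, and takes the controller's rate as the sum of the edge-switch rates. All events are constructed.

```python
# Added example (not the patent's own code): PacketIn request-rate check for
# S101/S102. Events are (timestamp_seconds, switch_id) pairs; the controller
# is represented by the CONTROLLER sentinel. Threshold margin, window sizes
# and m are assumptions the patent leaves open.
from collections import Counter
from statistics import mean

CONTROLLER = "controller"


def window_rates(events, start, length):
    """Per-switch request rate (messages/second) in [start, start + length)."""
    counts = Counter(dpid for ts, dpid in events if start <= ts < start + length)
    return {dpid: n / length for dpid, n in counts.items()}


def rate_of(events, target, start, length):
    """Current request rate of the target device in one window: the switch's
    own rate, or for the controller the border-network rate, i.e. the sum of
    all edge-switch rates."""
    rates = window_rates(events, start, length)
    if target == CONTROLLER:
        return sum(rates.values())
    return rates.get(target, 0.0)


def first_threshold(history_rates, margin=2.0):
    """First threshold from the second (history) window: margin x mean rate."""
    return margin * mean(history_rates) if history_rates else 0.0


class AbnormalStateDetector:
    """Declares the device abnormal only after m consecutive first windows
    whose current request rate exceeds the first threshold."""

    def __init__(self, threshold, m=3):
        self.threshold = threshold
        self.m = m
        self.streak = 0

    def observe(self, current_rate):
        self.streak = self.streak + 1 if current_rate > self.threshold else 0
        return self.streak >= self.m


def detect_abnormal(events, target, now, first_window=1.0, second_window=10.0,
                    margin=2.0, m=3):
    """Returns (abnormal, threshold, observed_rates). The second window ends
    where the m most recent first windows begin."""
    hist_start = now - m * first_window - second_window
    slices = int(second_window / first_window)
    history = [rate_of(events, target, hist_start + i * first_window, first_window)
               for i in range(slices)]
    threshold = first_threshold(history, margin)
    detector = AbnormalStateDetector(threshold, m)
    observed, abnormal = [], False
    for i in range(m):
        rate = rate_of(events, target, now - (m - i) * first_window, first_window)
        observed.append(rate)
        abnormal = detector.observe(rate)
    return abnormal, threshold, observed


def constructed_events():
    """Constructed sample: 10 s of quiet traffic (s1: 2 msg/s, s2: 1 msg/s)
    followed by 3 s in which s1 floods the controller with 10 PacketIn/s."""
    events = []
    for sec in range(10):
        events += [(sec + 0.0, "s1"), (sec + 0.5, "s1"), (sec + 0.25, "s2")]
    for sec in range(10, 13):
        events += [(sec + i / 10, "s1") for i in range(10)]
        events.append((sec + 0.25, "s2"))
    return events


if __name__ == "__main__":
    ev = constructed_events()
    for target in ("s1", "s2", CONTROLLER):
        print(target, detect_abnormal(ev, target, now=13.0))
```

With the constructed events, s1 and the controller are flagged abnormal (rates 10 and 11 messages/s against thresholds of 4 and 6), while s2 stays at its historical rate and is not. Note that this stage alone cannot distinguish a flood from a legitimate burst of new flows, which is why S103/S104 follow.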
S103: if the target device is in an abnormal state, querying the flow table match information corresponding to the target device.
Specifically, the flow table match information corresponding to the target device may include the flow table match information generated from the first request messages corresponding to the target device monitored within the first window, and may further include the flow table match information that already existed in the edge switch corresponding to the target device before the first window; in practice it is the flow table match information of a certain current time window or count window. The flow table match information may include fields such as the duration in seconds (duration_sec) and the matched packet count (packet_count).
S104: determining, on the basis of the flow table match information, whether the target device is under DDoS attack.
In a specific embodiment, querying the flow table match information corresponding to the target device may specifically be: sending a flow table information query instruction to the edge switch corresponding to the target device; receiving the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction. Further, determining on the basis of the flow table match information whether the target device is under DDoS attack may specifically be: calculating, on the basis of the flow table match information, the current flow table matching efficiency corresponding to the target device; judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device; if it does not exceed the second threshold, determining that the target device is under DDoS attack.
The second threshold is determined from the flow table matching efficiency computed from the flow table match information within a preset third window. The third window may likewise be a time window or a count window, and the second threshold may be determined from the flow table match information within a certain time window or count window. Further, since the target device may be an edge switch or the controller, the second threshold corresponding to an edge switch is determined from the flow table matching efficiency calculated from the flow table match information of that edge switch within the third window, while the second threshold corresponding to the controller is determined from the flow table matching efficiency of the border network calculated from the flow table match information of all edge switches in the SDN within the third window.
Optionally, the target device may be a target edge switch among the at least one edge switch; calculating on the basis of the flow table match information the current flow table matching efficiency corresponding to the target device may then specifically be: calculating, from the flow table match information returned by the target edge switch, the flow table matching efficiency corresponding to that information, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
Optionally, the target device may also be the controller, and the edge switches corresponding to the target device include all edge switches in the SDN; calculating on the basis of the flow table match information the current flow table matching efficiency corresponding to the target device may then specifically be: calculating separately, from the flow table match information returned by each edge switch in the SDN, the flow table matching efficiency corresponding to the flow table match information returned by that edge switch; calculating the average of the flow table matching efficiencies of the individual edge switches, and taking the average as the current flow table matching efficiency corresponding to the controller.
Further optionally, the flow table match information includes the duration in seconds and the matched packet count; calculating the flow table matching efficiency corresponding to the flow table match information may then specifically be: taking the quotient of the matched packet count and the duration in seconds as the flow table matching efficiency corresponding to the flow table match information.
Further, the second threshold may also be obtained from the historical flow table matching efficiency of the edge switch corresponding to the target device. Specifically, a second request message of the edge switch corresponding to the target device may be monitored, the second request message being generated from the flow table match information within the preset third window; the historical flow table matching efficiency corresponding to the target device is calculated on the basis of the second request message; and the second threshold corresponding to the target device is determined from that historical flow table matching efficiency. Specifically, the second request message may include reason information, the duration in seconds and the matched packet count; calculating the historical flow table matching efficiency corresponding to the target device on the basis of the second request message may then specifically be: parsing the reason information; if the reason information indicates an idle timeout, taking the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, the target difference being the duration in seconds minus the idle time corresponding to the idle timeout; if the reason information indicates a hard timeout, taking the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
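The flow-table stage of S103 and S104, including the idle/hard-timeout handling of the historical efficiency and the fifth to tenth implementations of the third aspect, as an added Python example (illustrative code for this page, not the patent's). It uses the OpenFlow flow-stats fields duration_sec and packet_count and the flow-removed reason field, and assumes that a switch's efficiency is the mean over its flow entries, that the controller's is the mean over switches, and that the second threshold is a fraction of the mean historical efficiency; the patent fixes none of these three. The rationale the check relies on: a flood from spoofed or randomised sources installs many flow entries that each match almost no packets, so the matched-packets-per-second figure per entry collapses even though the PacketIn rate is high. Sample data is constructed.

```python
# Added example (not the patent's own code): flow-table matching efficiency
# check for S103/S104. Field names follow OpenFlow flow-stats and
# flow-removed messages; the aggregation rules and the threshold margin are
# assumptions, since the patent does not fix them.
from dataclasses import dataclass
from statistics import mean

CONTROLLER = "controller"
IDLE_TIMEOUT = "idle"   # flow-removed reason OFPRR_IDLE_TIMEOUT
HARD_TIMEOUT = "hard"   # flow-removed reason OFPRR_HARD_TIMEOUT


@dataclass
class FlowStat:
    """Flow table match information returned for the query (one flow entry)."""
    dpid: str
    duration_sec: int
    packet_count: int


@dataclass
class FlowRemoved:
    """Second request message: a flow-removed notification from the third window."""
    dpid: str
    reason: str
    duration_sec: int
    packet_count: int
    idle_timeout: int = 0


def entry_efficiency(stat):
    """Matched packets per second of the entry's lifetime."""
    return stat.packet_count / stat.duration_sec if stat.duration_sec else 0.0


def history_efficiency(removed):
    """An idle-timed-out entry saw no traffic during its final idle_timeout
    seconds, so that dead time is subtracted from the lifetime; a hard
    timeout uses the full duration."""
    active = removed.duration_sec
    if removed.reason == IDLE_TIMEOUT:
        active -= removed.idle_timeout
    return removed.packet_count / active if active > 0 else 0.0


def current_efficiency(stats, target):
    """Switch: mean over its entries. Controller: mean over all switches."""
    per_switch = {}
    for dpid in sorted({s.dpid for s in stats}):
        per_switch[dpid] = mean(entry_efficiency(s) for s in stats if s.dpid == dpid)
    if target == CONTROLLER:
        return mean(per_switch.values())
    return per_switch.get(target, 0.0)


def second_threshold(removed, target, margin=0.5):
    """margin x mean historical efficiency of the target (all switches for the controller)."""
    hist = [history_efficiency(r) for r in removed
            if target == CONTROLLER or r.dpid == target]
    return margin * mean(hist) if hist else 0.0


def is_ddos(stats, removed, target, margin=0.5):
    """Attack when the current efficiency does not exceed the second threshold."""
    return current_efficiency(stats, target) <= second_threshold(removed, target, margin)


def constructed_stats():
    """Constructed: s1 holds fresh entries that matched almost nothing
    (spoofed-source flood); s2 holds ordinary busy entries."""
    return [FlowStat("s1", 4, 1), FlowStat("s1", 4, 1), FlowStat("s1", 4, 2),
            FlowStat("s1", 4, 0), FlowStat("s2", 4, 200), FlowStat("s2", 4, 100),
            FlowStat("s2", 4, 300)]


def constructed_removed():
    """Constructed third-window history: both switches normally ran at
    10 to 20 matched packets per second per entry."""
    return [FlowRemoved("s1", IDLE_TIMEOUT, 40, 300, idle_timeout=10),
            FlowRemoved("s1", HARD_TIMEOUT, 20, 400),
            FlowRemoved("s2", IDLE_TIMEOUT, 34, 240, idle_timeout=10),
            FlowRemoved("s2", HARD_TIMEOUT, 30, 600)]


if __name__ == "__main__":
    stats, removed = constructed_stats(), constructed_removed()
    for target in ("s1", "s2", CONTROLLER):
        print(target, current_efficiency(stats, target),
              second_threshold(removed, target), is_ddos(stats, removed, target))
```

In the constructed data s1's current efficiency is 0.25 packets/s per entry against a historical threshold of 7.5, so it is judged under attack; s2 (50.0) is not, and the controller's average (25.125) is also above its threshold, so only the switch is flagged. Subtracting the idle time from the idle-timed-out entries matters: without it, the history baseline is biased low and the threshold becomes easier to pass.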
In a specific embodiment, if the judgement result is that the target device is not under DDoS attack, the controller may perform conventional load-balancing optimisation. If the judgement result is that the target device is under DDoS attack, the DDoS attack may further be defended against according to preset protection rules.
In the embodiments of the present invention, the current request rate corresponding to a target device in the SDN can be calculated from the monitored first request message, and whether the target device is in an abnormal state is judged from that current request rate; when the target device is in an abnormal state, the current flow table match information is further queried in order to determine whether the target device is under DDoS attack. The DDoS attack detection method of the embodiments does not rely on the randomness of normal and attack data flows, which improves the accuracy of DDoS attack detection; moreover, it can detect DDoS attacks against both switches and the controller, solving the problem that the prior art cannot detect whether a switch is under DDoS attack.
Further, detect current SDN by ddos attack, as in SDN controller or interchanger by ddos attack after, then the ddos attack can be protected according to preconfigured protection rule.A kind of flow diagram of ddos attack means of defence of the offer of the embodiment of the present invention specifically, referring to Fig. 3, as shown in figure 3, the means of defence of the embodiment of the present invention the following steps are included:
S201: if it is determined that target device by ddos attack, then determines target physical port from least one physical port of the corresponding edge switch of the target device.
Wherein, each edge switch includes at least one physical port, the target physical port physical port most for unit time the first request message requests quantity in the corresponding maximum physical port of data current density of the first request message in first window described at least one described physical port namely the first window.
Optionally, the target device can be the object boundary interchanger at least one described edge switch, detect in the SDN network by the equipment of ddos attack be edge switch when, it is then described to determine target physical port from least one physical port of the corresponding edge switch of target device, it can be with specifically: using first request message as foundation, the corresponding maximum physical port of data current density of the first request message described at least one physical port of the object boundary interchanger is determined as target physical port.
Optionally, the target device may also be the controller in the SDN. That is, when the device detected to be under DDoS attack in the SDN network is the controller, determining the target physical port from the at least one physical port of the edge switch corresponding to the target device may specifically be: obtain the current flow table matching efficiency of each edge switch in the SDN, and take as the target switch the edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN, where the border network corresponding to the SDN is determined by the at least one edge switch in the SDN; then, taking the first request messages corresponding to the target switch as the basis, determine the physical port, among the at least one physical port of the target switch, with the largest data flow density of the first request message as the target physical port.
S202: mark the target data flow transmitted through the target physical port.
The target data flow may specifically be the data flow between switches in the software-defined network SDN, i.e. the data flow of users (including attackers) in the SDN network.
Optionally, marking the target data flow of the target physical port may specifically be: filling the hash value of the hardware address of the edge switch corresponding to the target device into a spare field of the data packets of the target data flow on the target physical port; or encapsulating the data packets of the target data flow of the target physical port with a generic encapsulation technology. In addition, the priority of the marked target data flow can be set to the highest level, so that the target data flow is promptly redirected to the data filtering device bound to the target device.
S203: redirect the marked target data flow to the data filtering device bound in advance to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data flow.
In a specific embodiment, the address information of the edge switches and of the data filtering devices in the SDN can be obtained respectively; the topology information of the SDN is obtained; at least one data filtering device is determined for each edge switch according to the topology information, and the address information of the determined data filtering device is bound to the address information of the edge switch. Specifically, at least one data filtering device can be bound to each edge switch, for example according to the topological structure of the SDN network and/or the load of each data filtering device, so that the data flow redirected from the edge switch corresponding to the target device when the target device is under DDoS attack is processed, thereby achieving DDoS attack protection.
Further, if the target device is still in the DDoS attack state after a preset time window (or quantity window), then, according to the newly received first request messages and flow table match information, the physical port with the largest data flow density of the first request message among the physical ports of the edge switch corresponding to the target device, excluding the target physical port determined last time, can be determined as the new target physical port, and the target data flow of this new target physical port is marked and then redirected to the bound data filtering device. And so on, so that the data flows of the ports on which the attack is relatively concentrated are redirected step by step to the data filtering device, thereby achieving protection against the DDoS attack.
When the target device that was under DDoS attack returns to a normal state after this round of redirect protection, i.e. it is no longer in an abnormal state, the marking and redirection of the data flow of the target physical port with the largest attack data flow density can be stopped.
In embodiments of the present invention, when a target device in the SDN network, such as a switch or the controller, is detected to be under DDoS attack, the target physical port with the largest data flow density is determined on the edge switch corresponding to the attacked target device, and the target data flow of that target physical port is marked and redirected to the bound data filtering device, thereby achieving protection against the DDoS attack on the target device. The prior-art protection method configures multiple controllers, enables further idle controllers when the data processing volume of the currently used controller exceeds a preset data volume threshold, extracts attack signatures by packet-header analysis from the data packets received by the controller that exceeded the threshold, and issues flow tables so that the switches discard, intercept or block the data flow. Compared with that method, the technical solution of the embodiment of the present invention redirects the data flow on which the attack is relatively concentrated to the bound data filtering device, which not only effectively protects the target device against the DDoS attack, but also solves the problems of accidental injury to normal traffic and flow table space overflow that the above prior-art protection method easily causes.
Refer to Fig. 4, which is an application scenario diagram of DDoS attack detection and protection provided by an embodiment of the present invention. Specifically, as shown in Fig. 4, the SDN of the embodiment of the present invention includes a controller, edge switch X, edge switch Y, internal switches, and data filtering devices bound respectively to edge switches X and Y (it is assumed that edge switches X and Y are bound to the same data filtering device, and Fig. 4 only illustrates the connection between edge switch X and the data filtering device), where edge switches X and Y determine the border network corresponding to the SDN. The controller and each switch (including the edge switches and the internal switches) communicate over control links (shown as dashed lines in the figure), which carry, among other things, the request data packets generated by the switching mechanism and the query and response messages between the controller and the switches. The switches communicate with each other over communication links (shown as solid lines in the figure), for example to transmit the data flows of users (including attackers) in the current network. Below, the DDoS attack detection and protection methods of the embodiment of the present invention are described in detail, taking the target device being a switch and the target device being the controller as examples in turn.
With reference to Fig. 4 and also to Fig. 5, which is a flow diagram of a DDoS attack detection and protection method provided by an embodiment of the present invention, in this embodiment the target device is an edge switch in the SDN network. When DDoS attack detection and protection is to be performed for a certain edge switch (hereinafter referred to as the target edge switch), as shown in Fig. 5, the DDoS attack detection and protection method of the embodiment of the present invention includes:
S301: preset the first threshold and the second threshold corresponding to the target edge switch.
In a specific embodiment, the first request messages, such as PacketIN messages, sent to the controller by the target edge switch can be listened to for a period of time, for example one week (the target edge switch is any edge switch in the SDN: it can be edge switch X, it can be edge switch Y, or edge switches X and Y can be listened to at the same time; the embodiment of the present invention takes edge switch X as the target edge switch and is described for listening to edge switch X), in order to calculate the historical request rate of the target edge switch for PacketIN messages and to configure the first threshold for the target edge switch according to that historical request rate. Since both edge switches and internal switches generate PacketIN messages whose source address is their own address, edge switch X only generates PacketIN messages whose source address is its own address and never generates PacketIN messages whose source address is the address of an internal switch. Therefore, when the controller receives a PacketIN request message, it can be counted by judging whether the source address of the PacketIN message is the address of edge switch X. Specifically, when the source address of a PacketIN message listened to by the controller is the address of an internal switch, no statistics are taken; when the source address of the PacketIN message listened to is the address of edge switch X, it is counted, and the source address, arrival time and arrival count of the message are recorded. From the recorded PacketIN messages of edge switch X, one or more preset windows, such as a quantity window N (the second window), can be chosen, e.g. N=100, and the request rate of edge switch X is calculated every time 100 PacketIN messages are received, i.e. the historical request rate N/t, where t is the time corresponding to the quantity window, i.e. the time taken to receive the N PacketIN messages (the value of t generally differs from window to window). That is, the PacketIN messages counted for calculating the request rate are the PacketIN messages sent by the target edge switch to the controller whose source address is the target edge switch. Further, from the multiple historical request rates of edge switch X calculated over the period, combined with its actual conditions such as hardware conditions and service characteristics, the first threshold used to determine whether edge switch X is in an abnormal state can be set for edge switch X.
Furthermore, the second threshold can also be determined from the flow table matching efficiency counted from the flow table match information in a preset third window. For example, the FlowRemoved flow table deletion messages (the second request messages) sent to the controller by edge switch X can be listened to for a period of time, such as one week, in order to calculate the historical flow table matching efficiency of the target edge switch and to configure for the target edge switch, according to that historical flow table matching efficiency, the second threshold used to determine whether the target edge switch is in the DDoS attack state. The FlowRemoved message is generated from the flow table match information corresponding to edge switch X; specifically, it is the message edge switch X generates when it deletes one of its internal flow table entries. Specifically, when the source address of a FlowRemoved message listened to is the address of an internal switch, the message content is not extracted or recorded; when the source address of the FlowRemoved message listened to is the address of edge switch X, the information in its reason field, its duration_sec (duration in seconds) field and its packet_count (number of matched packets) field is extracted. If the reason field is the idle timeout IDLE_TIMEOUT, the historical flow table matching efficiency of the data flow can be calculated as: flow table matching efficiency = packet_count ÷ (duration_sec − idle timeout time in seconds); if the reason field is the hard timeout HARD_TIMEOUT or DELETE, the flow table matching efficiency of the data flow can be calculated as: flow table matching efficiency = packet_count ÷ duration_sec. From the multiple historical flow table matching efficiencies of edge switch X in a preset window, such as a preset quantity window N (the third window), the distribution of the historical flow table matching efficiency of edge switch X is obtained by statistical processing, and combined with its actual conditions such as security risk and service characteristics, the second threshold for edge switch X can be set.
S302: listen, in a preset first window, to the first request messages sent by the target edge switch.
S303: calculate the request rate of the first request messages, and take the calculated request rate as the current request rate of the target edge switch for the first request message.
In a specific embodiment, the PacketIN messages, i.e. the first request messages, sent by edge switch X to the controller can be listened to in real time, recording the source address, arrival time and arrival count of the messages. A preset first window, such as a quantity window N, is determined, e.g. N=100; the request rate of edge switch X, i.e. its current request rate, is then calculated once every time the controller receives 100 PacketIN messages from edge switch X.
S304: judge whether the current request rate is higher than the first threshold.
S305: if it is higher than the first threshold, determine that the target edge switch is in an abnormal state.
In a specific embodiment, the state of edge switch X can be determined to be abnormal when the current request rate of edge switch X is higher than the first threshold m consecutive times, where m is an integer greater than 0. Specifically, the current request rate of edge switch X is compared with the first threshold corresponding to edge switch X; if the current request rate of the target edge switch is higher than (or equal to) the first threshold, the counter corresponding to edge switch X is incremented by one, and if it is lower than the first threshold, the counter is reset to zero. When the counter corresponding to edge switch X is detected to have accumulated to m, it can be determined that the target edge switch is in an abnormal state.
S306: send a flow table information query instruction to the target edge switch.
S307: receive the flow table match information returned by the target edge switch in response to the flow table information query instruction, and calculate the current flow table matching efficiency corresponding to the target edge switch.
In a specific embodiment, when edge switch X is detected to be in an abnormal state, in order to further determine whether the abnormality is caused by a burst of high traffic or by a DDoS attack, the controller can send a flow table information query instruction (a standard signalling message defined by the OpenFlow protocol) to edge switch X in the abnormal state, to query the match information of its internal flow table, i.e. the current flow table match information corresponding to edge switch X, including the duration_sec (duration in seconds) and packet_count (number of matched packets) information, and so determine whether the abnormality is caused by an attack.
From the query result, the current flow table matching efficiency of edge switch X, which is currently in the abnormal state, can be calculated, for example: current flow table matching efficiency = packet_count ÷ duration_sec.
S308: judge whether the current flow table matching efficiency exceeds the second threshold.
S309: if it does not exceed the second threshold, determine that the target edge switch is under DDoS attack.
In a specific embodiment, the calculated current flow table matching efficiency of edge switch X is compared with the second threshold corresponding to edge switch X. If the current flow table matching efficiency is higher than the second threshold, it indicates that edge switch X is not under DDoS attack and the abnormality may be caused by a burst of high traffic; if the current flow table matching efficiency is less than or equal to the second threshold, it indicates that edge switch X is under DDoS attack.
When edge switch X is determined to be under DDoS attack, DDoS attack protection can further be carried out according to the attack-related detection information, including the PacketIN statistics and the flow table match information in the m windows N; if it is not under DDoS attack, the controller can perform optimizations such as conventional load balancing.
S310: taking the first request messages as the basis, determine the physical port, among the at least one physical port of the target edge switch, with the largest data flow density of the first request message as the target physical port.
The target edge switch includes at least one physical port. It is assumed that the target edge switch, i.e. edge switch X, includes four physical ports A, B, C and D. Specifically, when edge switch X is determined to be under DDoS attack, the physical port with the largest share of PacketIN messages among the four physical ports, i.e. the target physical port, can be determined from the PacketIN statistics in the m windows N that generated the abnormality alarm, for example port D.
S311: mark the target data flow of the target physical port.
In a specific embodiment, after the target physical port with the largest attack data flow density, e.g. port D above, is determined, the controller can issue a redirect flow table instruction to edge switch X. The matching rule corresponding to this flow table instruction is all target data flows (specifically, the data flows between switches) entering through port D, its priority is the highest level, and its action is to mark the data flows entering through port D uniformly, for example by filling the hash value of the hardware address of edge switch X into a spare field of the data packets or by encapsulating the data packets with a generic encapsulation technology. Furthermore, flow table instructions can also be issued to the switches between edge switch X and the data filtering device bound to it (no flow table instruction is sent if there is no intermediate switch); the matching rule corresponding to these flow table instructions is all data packets whose spare field holds the hardware address hash value of edge switch X or which use the generic encapsulation technology, the priority is the highest level, and the action is to forward them to the bound data filtering device.
S312: redirect the marked target data flow to the data filtering device bound in advance to the target edge switch, so that the data filtering device processes the marked target data flow.
Specifically, when binding edge switch X and the data filtering device, the address information of edge switch X and of the data filtering device, such as the hardware address and IP address of the equipment, can be obtained from network deployment records or topology analysis. In addition, according to the topological relationship between edge switch X and the data filtering devices, the information exchange cost between edge switch X and each data filtering device is calculated by methods such as shortest path or load balancing, at least one data filtering device with a smaller information exchange cost (e.g. the shortest path to edge switch X, the fewest intermediate nodes and/or a light load) is selected, and the address information of the selected data filtering device is bound to edge switch X.
Further, the attack-related detection information of the target edge switch (including PacketIN statistics, flow table match information, etc.) can continue to be monitored in real time, and whether edge switch X is still under DDoS attack is determined from that attack-related detection information. If it is still under DDoS attack, then, according to the new attack-related detection information, the physical port among the four physical ports of edge switch X, other than port D, on which the current attack data flow is most concentrated, for example port C, can be determined, and the target data flow of port C is redirected to the bound data filtering device. If it is no longer under DDoS attack, for example if edge switch X is no longer in an abnormal state after this round of redirect protection, the marking and redirection of the data flow can be stopped; specifically, the redirect flow table instructions on edge switch X can be deleted one by one at a preset time interval, or whether to delete the redirect flow table instructions on edge switch X can be decided according to the detection result of the data filtering device after processing.
In embodiments of the present invention, the current request rate of a switch in the SDN network can be calculated from the first request messages listened to, and whether the switch is in an abnormal state is judged from that current request rate; when the switch is in an abnormal state, the current flow table match information is further queried to detect whether the switch is under DDoS attack, without relying on the randomness of normal traffic and attack data flows, thereby improving the accuracy of DDoS attack detection. In addition, the embodiment of the present invention also solves the problem that the prior art cannot detect whether a switch is under DDoS attack. Further, when a certain switch in the SDN network is detected to be under DDoS attack, the embodiment of the present invention can determine the target physical port with the largest data flow density on the attacked switch and, after marking the target data flow of that target physical port, redirect it to the data filtering device bound to the switch, thereby effectively protecting the switch against the DDoS attack and solving the problems of accidental injury to normal traffic and flow table space overflow caused by existing DDoS attack protection.
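The per-switch procedure of steps S301 to S310 (windowed PacketIN request rate, the m-consecutive-window counter, the flow table matching efficiency check that separates a traffic burst from an attack, and the choice of the target physical port) as an added worked example; this is illustrative code written for this page, not code from the patent or from any Huawei implementation. It assumes that the controller hands each PacketIN message to the detector as (source address, arrival time, ingress port), that a flow table query returns (duration_sec, packet_count) pairs, and that per-entry efficiencies are averaged to obtain the current efficiency (the description gives only the per-entry formula).

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, List, Optional, Tuple

# Reason values carried by an OpenFlow FlowRemoved message, as named in the description.
IDLE_TIMEOUT, HARD_TIMEOUT, DELETE = "IDLE_TIMEOUT", "HARD_TIMEOUT", "DELETE"


def flow_table_matching_efficiency(reason: str, duration_sec: float,
                                   packet_count: int, idle_timeout: float = 0.0) -> float:
    """Matching efficiency of one removed flow entry (used to build the history behind the
    second threshold): packet_count / (duration_sec - idle_timeout) when the entry expired
    idle, packet_count / duration_sec when it hit HARD_TIMEOUT or was deleted."""
    lifetime = duration_sec - idle_timeout if reason == IDLE_TIMEOUT else duration_sec
    return packet_count / lifetime if lifetime > 0 else 0.0


@dataclass
class SwitchDetector:
    """Detection state for one target edge switch (steps S302 to S310)."""
    switch_addr: str
    first_threshold: float      # PacketIN rate above which a window counts as abnormal
    second_threshold: float     # matching efficiency at or below which attack is declared
    window_n: int = 100         # quantity window N: PacketIN messages per window
    m: int = 3                  # consecutive abnormal windows needed for the alarm
    _times: List[float] = field(default_factory=list)
    _ports: Counter = field(default_factory=Counter)
    _alarm_windows: Deque[Counter] = field(default_factory=deque)  # per-port counts, last m windows
    _counter: int = 0
    abnormal: bool = False

    def on_packet_in(self, src_addr: str, arrival_time: float, in_port: str) -> Optional[float]:
        """Feed one PacketIN message seen by the controller. Returns the window's request
        rate N/t when this message closes a window of N messages, otherwise None."""
        if src_addr != self.switch_addr:
            return None                       # PacketIN from an internal switch: not counted
        self._times.append(arrival_time)
        self._ports[in_port] += 1
        if len(self._times) < self.window_n:
            return None
        t = self._times[-1] - self._times[0]  # time taken to receive the N messages
        rate = self.window_n / t if t > 0 else float("inf")
        self._alarm_windows.append(self._ports)
        if len(self._alarm_windows) > self.m:
            self._alarm_windows.popleft()
        self._times, self._ports = [], Counter()
        # S304/S305: m consecutive windows above the first threshold -> abnormal state
        self._counter = self._counter + 1 if rate > self.first_threshold else 0
        self.abnormal = self._counter >= self.m
        return rate

    def classify(self, flow_entries: Iterable[Tuple[float, int]]) -> str:
        """S306 to S309. flow_entries are the (duration_sec, packet_count) pairs the switch
        returns for the flow table query; per-entry efficiencies are averaged (assumption)."""
        if not self.abnormal:
            return "normal"
        effs = [pc / d for d, pc in flow_entries if d > 0]
        current_eff = sum(effs) / len(effs) if effs else 0.0
        # high rate but entries still match many packets: a burst of legitimate traffic
        return "burst" if current_eff > self.second_threshold else "ddos"

    def target_port(self, exclude: Iterable[str] = ()) -> Optional[str]:
        """S310: the port with the most PacketIN messages over the m alarm windows; ports
        already redirected are excluded when the attack persists after a redirect."""
        total: Counter = Counter()
        for window in self._alarm_windows:
            total.update(window)
        skip = set(exclude)
        candidates = {p: n for p, n in total.items() if p not in skip}
        return max(candidates, key=candidates.get) if candidates else None


def demo() -> Tuple[List[float], bool, str, Optional[str], Optional[str]]:
    """Constructed scenario: eight PacketIN messages from edge switch X, 0.1 s apart, mostly
    arriving on port D, plus one from an internal switch that must be ignored."""
    det = SwitchDetector("X", first_threshold=5.0, second_threshold=2.0, window_n=4, m=2)
    rates: List[float] = []
    t = 0.0
    for in_port in ["D", "A", "D", "D", "D", "B", "D", "C"]:
        rate = det.on_packet_in("X", t, in_port)
        if rate is not None:
            rates.append(rate)
        t += 0.1
    det.on_packet_in("internal-1", t, "A")
    # Constructed flow table query result: long-lived entries that matched few packets each.
    entries = [(10.0, 3), (12.0, 2), (8.0, 1), (20.0, 4)]
    verdict = det.classify(entries)
    return rates, det.abnormal, verdict, det.target_port(), det.target_port(exclude={"D"})


if __name__ == "__main__":
    print(demo())
```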
Refer to Fig. 6, which is a flow diagram of another DDoS attack detection and protection method provided by an embodiment of the present invention. In this embodiment the target device is the controller in the SDN network. When DDoS attack detection and protection is to be performed for the controller, as shown in Fig. 6, the DDoS attack detection and protection method of the embodiment of the present invention includes:
S401: preset the first threshold and the second threshold corresponding to the controller.
In a specific embodiment, the first request messages, such as PacketIN messages, sent to the controller by each edge switch in the SDN network can be listened to, in order to calculate the historical request rate corresponding to the controller and to set the first threshold for the controller according to that historical request rate. Specifically, as shown in Fig. 4, the historical request rate distributions of switches X and Y can be obtained by counting separately the PacketIN messages sent by each edge switch (including switches X and Y) in a preset window, such as a preset quantity window N (the second window); the historical request rate distributions of all edge switches, i.e. switches X and Y, are summed to obtain the historical request rate distribution of the border network determined by switches X and Y, and the historical request rate of the border network can then be taken as the historical request rate corresponding to the controller. The calculation method of the historical request rate of an edge switch can refer to the related description of the above embodiment and is not repeated here. Further, from the historical request rate distribution of the border network, combined with actual conditions such as the hardware conditions and network service characteristics of the controller, the first threshold used to determine whether the controller is in an abnormal state can be set for the controller.
Furthermore, the FlowRemoved messages (the second request messages) sent to the controller by each edge switch can also be listened to, in order to calculate the historical flow table matching efficiency of each edge switch and to set for the controller, according to that historical flow table matching efficiency, the second threshold used to determine whether the controller is in the DDoS attack state. Specifically, from the historical flow table matching efficiency information of each edge switch, the historical flow table matching efficiency distribution of each edge switch can be obtained statistically, and the historical matching efficiency distributions of all edge switches are averaged to obtain the historical flow table matching efficiency distribution of the border network. From the historical flow table matching efficiency distribution of the border network, combined with actual conditions such as the security risk and service characteristics of the controller, the second threshold for the controller can be set. The calculation method of the historical flow table matching efficiency of an edge switch can refer to the related description of the above embodiment and is not repeated here.
S402: listen, in a preset first window, to the first request messages sent by each edge switch in the current SDN.
S403: obtain by statistics, for each edge switch separately, the request rate of the first request messages it sent in the first window.
S404: obtain by statistics, from the request rates of the edge switches in the first window, the current request rate of the border network determined by all edge switches in the SDN, and take the current request rate of the border network as the current request rate of the controller for the first request message.
In a specific embodiment, the PacketIN messages, i.e. the first request messages, sent by each edge switch to the controller can be listened to in real time, recording the source address, arrival time and arrival count of the messages. A preset first window, such as a quantity window N, is determined; then, every time the controller receives N PacketIN messages from the edge switches in the SDN, i.e. whenever the number of PacketIN messages sent by all edge switches together reaches N, the current request rate corresponding to the controller (i.e. the current request rate of the border network) is calculated once.
S405: judge whether the current request rate is higher than the first threshold.
S406: if it is higher than the first threshold, determine that the controller is in an abnormal state.
In a specific embodiment, the state of the controller can be determined to be abnormal when the current request rate corresponding to the controller is higher than the first threshold corresponding to the controller m consecutive times, where m is an integer greater than 0. Specifically, the current request rate corresponding to the controller is compared with the first threshold corresponding to the controller; if the current request rate of the controller is higher than (or equal to) the first threshold, the counter corresponding to the controller is incremented by one, and if it is lower than the first threshold, the counter is reset to zero. When the counter corresponding to the controller is detected to have accumulated to m, it can be determined that the controller is in an abnormal state.
S407: send a flow table information query instruction to the edge switches corresponding to the controller.
S408: receive the flow table match information returned by the edge switches corresponding to the controller in response to the flow table information query instruction, and calculate the current flow table matching efficiency corresponding to the controller.
The edge switches corresponding to the controller are all edge switches in the SDN.
In a specific embodiment, if the controller is detected to be in an abnormal state, the controller can send a flow table information query instruction to each edge switch in the SDN (including edge switches X and Y), to query the match information of their internal flow tables, i.e. the current flow table match information corresponding to the controller, including the duration_sec (duration in seconds) and packet_count (number of matched packets) information, and the current flow table matching efficiency of each edge switch is calculated from the query result, for example: current flow table matching efficiency = packet_count ÷ duration_sec. The current flow table matching efficiencies of the edge switches are then averaged to obtain the current flow table matching efficiency of the border network in the abnormal state, and the current flow table matching efficiency of the border network can be taken as the current flow table matching efficiency corresponding to the controller.
S409: judge whether the current flow table matching efficiency exceeds the second threshold.
S410: if it does not exceed the second threshold, determine that the controller is under DDoS attack.
In a specific embodiment, the calculated current flow table matching efficiency corresponding to the controller is compared with the second threshold corresponding to the controller. If the current flow table matching efficiency corresponding to the controller is higher than the second threshold, it indicates that the controller is not under DDoS attack; if the current flow table matching efficiency is less than or equal to the second threshold, it indicates that the controller is under DDoS attack.
When the controller is determined to be under DDoS attack, DDoS attack protection can further be carried out according to the attack-related detection information, including the PacketIN statistics and the flow table match information in the m windows N; if it is not under DDoS attack, the controller can perform optimizations such as conventional load balancing.
S411: obtain the current flow table matching efficiency of each edge switch in the SDN, and take as the target switch the edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network.
S412: taking the first request messages corresponding to the target switch as the basis, determine the physical port, among the at least one physical port of the target switch, with the largest data flow density of the first request message as the target physical port.
The target switch includes at least one physical port. Specifically, when the controller is determined to be under DDoS attack, the edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network (i.e. the current flow table matching efficiency corresponding to the controller) is determined as the target switch. Assuming that the target switch with the lower flow table matching efficiency thus determined is edge switch X, the physical port with the largest share of PacketIN messages among the physical ports of edge switch X, i.e. the target physical port, can be determined from the PacketIN statistics in the m windows N that generated the abnormality alarm. It is assumed that edge switch X includes four physical ports A, B, C and D, and that the target physical port determined is port D.
S413: mark the target data flow of the target physical port.
In a specific embodiment, after the target physical port with the largest attack data flow density, e.g. port D above, is determined, the controller can issue a redirect flow table instruction to the target switch, i.e. edge switch X. The matching rule corresponding to this flow table instruction is all target data flows (specifically, the data flows between switches) entering through port D, its priority is the highest level, and its action is to mark the data flows entering through port D uniformly, for example by filling the hash value of the hardware address of edge switch X into a spare field of the data packets or by encapsulating the data packets with a generic encapsulation technology. Furthermore, flow table instructions can also be issued to the switches between the target switch and the data filtering device bound to it; the matching rule corresponding to these flow table instructions is all data packets whose spare field holds the hardware address hash value of the target switch or which use the generic encapsulation technology, the priority is the highest level, and the action is to forward them to the bound data filtering device.
S414: the target data stream after the label is redirected to the preparatory data filtering device with target switch binding, so that the data filtering device handles the target data stream after the label.
Specifically, the binding mode of the target switch and data filtering device can refer to the associated description in above-described embodiment, details are not described herein again.
Further, the attack coherent detection information (including PacketIN statistical message, flow table match information etc.) for monitoring each edge switch in real time can be kept, and determines the controller whether still by ddos attack according to the attack coherent detection information.If suffering from ddos attack, it then can be according to new attack coherent detection information, determine that the flow table matching efficiency is lower than in the target switch of flow table matching efficiency such as four physical ports of edge switch X of border networks the current attack data flow physical port the most intensive in addition to the maximum port D of last data current density, it for example is port C, and the target data stream of port C is redirected to the data filtering device of the binding.If being no longer influenced by ddos attack, such as the controller is no longer on abnormality after carrying out this time redirecting protection, data flow token and re-orientation processes can then be stopped, the redirection flow table instruction on edge switch X specifically can be successively deleted according to prefixed time interval, or can also carry out that treated according to data filtering device testing result decides whether to delete the instruction of the redirection flow table on edge switch X.
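The selection, marking, redirection and rollback steps just described (S412 to S414 and the follow-up rounds), written out as an added Python example. This is not code from the patent or from Huawei; the switch and port names, hardware address, PacketIN counts, the `PRIORITY_MAX` value, the hash truncation and the flow-rule dictionary layout are all constructed for the example.

```python
"""Added example, not code from the patent: protection steps S412-S414 and the
follow-up rounds. Switch names, port names, hardware addresses, PacketIN counts
and the flow-rule dictionary layout are constructed for this example."""
import hashlib
from typing import Dict, List, Optional, Sequence

PRIORITY_MAX = 65535  # assumed encoding of "highest priority"


def pick_target_switches(efficiency: Dict[str, float], border_efficiency: float) -> List[str]:
    """S412: edge switches whose current flow-table matching efficiency is below
    the border-network (controller) efficiency are the target switches."""
    return sorted(sw for sw, eff in efficiency.items() if eff < border_efficiency)


def pick_target_port(packetin_windows: Sequence[Dict[str, int]],
                     exclude: Sequence[str] = ()) -> Optional[str]:
    """Port with the largest share of PacketIN messages over the m alarm windows.
    Ports redirected in an earlier round are excluded, so the next round moves on
    to the next most concentrated port (port C after port D in the text)."""
    totals: Dict[str, int] = {}
    for window in packetin_windows:
        for port, count in window.items():
            totals[port] = totals.get(port, 0) + count
    candidates = {p: c for p, c in totals.items() if p not in exclude}
    if not candidates:
        return None
    return min(candidates, key=lambda p: (-candidates[p], p))  # deterministic tie-break


def switch_tag(hw_addr: str) -> str:
    """Uniform label for the redirected stream: a hash of the switch hardware
    address written into a spare packet field (S413). Truncating to 8 hex
    characters is an assumption of this example."""
    return hashlib.sha256(hw_addr.encode()).hexdigest()[:8]


def redirect_rules(switch: str, hw_addr: str, port: str, filter_dev: str,
                   path: Sequence[str]) -> List[dict]:
    """Rule on the target switch: tag every stream entering on the target port.
    Rule on each intermediate switch on the path: forward tagged packets to the
    bound data filtering device (S414)."""
    tag = switch_tag(hw_addr)
    rules = [{"switch": switch, "priority": PRIORITY_MAX,
              "match": {"in_port": port}, "action": {"set_spare_field": tag}}]
    for hop in path:
        rules.append({"switch": hop, "priority": PRIORITY_MAX,
                      "match": {"spare_field": tag}, "action": {"output": filter_dev}})
    return rules


class RedirectProtection:
    """One protection round per detection window for a single target switch."""

    def __init__(self, switch: str, hw_addr: str, filter_dev: str, path: Sequence[str]):
        self.switch, self.hw_addr, self.filter_dev = switch, hw_addr, filter_dev
        self.path = list(path)
        self.installed: List[dict] = []        # rules currently pushed to switches
        self.redirected_ports: List[str] = []

    def protect(self, packetin_windows: Sequence[Dict[str, int]]) -> Optional[str]:
        """Still under attack: redirect the next most concentrated port."""
        port = pick_target_port(packetin_windows, exclude=self.redirected_ports)
        if port is None:
            return None
        self.installed.extend(redirect_rules(self.switch, self.hw_addr, port,
                                             self.filter_dev, self.path))
        self.redirected_ports.append(port)
        return port

    def rollback_step(self) -> int:
        """No longer under attack: delete one installed rule per preset interval
        and report how many remain (the "successive deletion" of the text)."""
        if self.installed:
            self.installed.pop(0)
        return len(self.installed)


if __name__ == "__main__":
    targets = pick_target_switches({"X": 0.4, "Y": 0.9, "Z": 0.8}, border_efficiency=0.7)
    windows = [{"A": 10, "B": 5, "C": 20, "D": 40}, {"A": 8, "B": 7, "C": 25, "D": 35}]
    prot = RedirectProtection("X", "00:11:22:33:44:55", "filter-1", path=["S2"])
    print(targets, prot.protect(windows), prot.protect(windows), prot.rollback_step())
```

The two `protect` calls reproduce the two rounds of the text: the first picks port D (largest PacketIN share) and the second, with D excluded, picks port C. The rules on the intermediate switches match only on the tag, so they stay valid whichever port is added in later rounds.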
It should be noted that in the SDN, a first threshold and a second threshold can be preset for each edge switch and for the controller respectively, so that DDoS attack detection and protection can be performed for each edge switch and for the controller at the same time; details are not repeated here.
In the embodiment of the present invention, the current request rate corresponding to the controller in the SDN can be calculated from the first request messages listened to, and whether the controller is in an abnormal state is judged from the current request rate; when the controller is in the abnormal state, the current flow table match information is further queried to detect whether the controller is under DDoS attack, without relying on the randomness of normal traffic and attack data flows, which improves the accuracy of DDoS attack detection. Further, when the controller in the SDN is detected to be under DDoS attack, the embodiment of the present invention can determine the target physical port with the highest data flow density on the target switch with the lower flow table matching efficiency that is under DDoS attack, mark the target data stream of that port and redirect it to the data filtering device bound to the target switch, thereby effectively protecting the controller against the DDoS attack and solving the problems of normal traffic being accidentally blocked and flow table space overflowing that exist in current DDoS attack protection.
Referring to Fig. 7, it is a structural schematic diagram of a DDoS attack detection device provided in an embodiment of the present invention. The device can be applied to a software defined network SDN, where the SDN includes a controller and at least one edge switch. Specifically, the DDoS attack detection device includes a computing module 11, an abnormality judgment module 12, a query module 13 and an attack determining module 14, wherein:
the computing module 11 is configured to listen for the first request messages in a preset first window and to calculate the current request rate of the target device in the SDN for the first request messages, the first request messages being the request data streams requiring controller processing that the edge switch corresponding to the target device sends to the controller.
It should be noted that the device of the embodiment of the present invention can be deployed in a network device such as the controller, or in a separately deployed detection device in the SDN; the embodiment of the present invention does not limit this.
Here, the first request messages are the request data streams requiring controller processing, such as PacketIN data streams, that the edge switch corresponding to the target device in the SDN sends to the controller. The first request messages are specifically the data flows between the controller and the switches in the SDN. The target device can specifically be the controller or any edge switch in the SDN; that is, the embodiment of the present invention can implement DDoS attack detection for the controller in the SDN, for an edge switch in the SDN, or for both the controller and the edge switches in the SDN at the same time.
Specifically, the first window can be a time window or a quantity window; that is, the current request rate is calculated from the first request messages within a current time window, or from the first request messages within a current window of a certain quantity.
The abnormality judgment module 12 is configured to judge whether the target device is in an abnormal state on the basis of the current request rate.
In a specific embodiment, after the computing module 11 has calculated the current request rate corresponding to the target device, the abnormality judgment module 12 can judge whether the target device is in the abnormal state by checking whether the current request rate of the target device satisfies a preset rule, for example whether the current request rate exceeds a preset first threshold.
The query module 13 is configured to query the flow table match information corresponding to the target device when the judgment result of the abnormality judgment module 12 is that the target device is in the abnormal state.
Specifically, the flow table match information corresponding to the target device may include the flow table match information generated from the first request messages of the target device listened to in the first window, and may further include the flow table match information that already existed in the edge switch corresponding to the target device before the first window; that is, it is the flow table match information of a current time window or quantity window. The flow table match information may include fields such as the flow duration in seconds (duration_sec) and the matched packet count (packet_count).
The attack determining module 14 is configured to determine whether the target device is under DDoS attack on the basis of the flow table match information.
In a specific embodiment, the attack determining module 14 can determine whether the target device is under DDoS attack by checking whether the flow table match information obtained by the query module 13 satisfies a preset matching rule, for example whether the flow table matching efficiency corresponding to the flow table match information exceeds a preset second threshold.
Further, if the attack determining module 14 determines that the target device is not under DDoS attack, conventional load balancing optimization can be carried out. If the attack determining module 14 determines that the target device is under DDoS attack, the DDoS attack can further be protected against according to a preset protection rule.
Further, referring to Fig. 8, it is a structural schematic diagram of another DDoS attack detection device provided in an embodiment of the present invention. Specifically, the device of this embodiment includes the computing module 11, abnormality judgment module 12, query module 13 and attack determining module 14 of the DDoS attack detection device described above. Further, in the embodiment of the present invention, the device may also include:
a port determining module 15, configured to, when the target device is determined to be under DDoS attack, determine a target physical port from the at least one physical port of the edge switch corresponding to the target device, the target physical port being the physical port among the at least one physical port with the highest data flow density of the first request messages in the first window.
Here, each edge switch includes at least one physical port, and the target physical port is the physical port among the at least one physical port with the highest data flow density of the first request messages in the first window, namely the physical port with the largest number of first request messages per unit time in the first window.
A mark module 16 is configured to mark the target data stream transmitted through the target physical port.
Here, the target data stream can specifically be the data flow between switches in the software defined network SDN, that is, the data flow of users (including attackers) in the SDN.
A redirection module 17 is configured to redirect the marked target data stream to the data filtering device bound in advance to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
Further, in an alternative embodiment of the present invention, the target device can be a target edge switch among the at least one edge switch; the computing module 11 may then include (not shown):
a first monitoring unit 111, configured to listen for the first request messages sent by the target edge switch in the preset first window;
a first computing unit 112, configured to calculate the request rate of the first request messages, and to use the calculated request rate as the current request rate of the target edge switch for the first request messages.
In a specific embodiment, the first monitoring unit 111 can listen in real time for the first request messages, such as PacketIN messages, that the target edge switch sends to the controller, and record the source address, arrival time and arrival count of the messages. Then, each time the first monitoring unit 111 has listened to a preset first window, for example a quantity window of N PacketIN messages from the target edge switch, the first computing unit 112 can calculate the request rate, i.e. the current request rate, of the target edge switch once.
Further, in an alternative embodiment of the present invention, the target device can also be the controller; the computing module 11 may then include (not shown):
a second monitoring unit 113, configured to listen for the first request messages sent by each edge switch in the SDN in the preset first window;
a second computing unit 114, configured to count, for each edge switch respectively, the request rate of the first request messages it sends in the first window;
the second computing unit 115 is also configured to calculate, from the request rate of each edge switch, the current request rate of the border network formed by all the edge switches in the SDN in the first window, and to use the current request rate of the border network as the current request rate of the controller for the first request messages.
In a specific embodiment, the second monitoring unit 113 can listen in real time for the PacketIN messages, i.e. the first request messages, that each edge switch in the SDN sends to the controller, and record the source address, arrival time and arrival count of the messages. Each time the second monitoring unit 113 has listened to a preset first window, for example a quantity window of N PacketIN messages from the edge switches in the SDN, i.e. when the total number of PacketIN messages sent by all edge switches reaches N, the second computing unit 114 can calculate the PacketIN request rate of each edge switch and use the sum of the request rates of all edge switches as the current request rate corresponding to the controller (namely the current request rate of the border network).
Further, the abnormality judgment module 12 may specifically include (not shown):
a first judging unit 121, configured to judge whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined from the request rate of the first request messages in a preset second window;
a first determination unit 122, configured to determine that the target device is in the abnormal state when the judgment result of the first judging unit 121 is that the current request rate is higher than the first threshold.
Specifically, the first determination unit 122 can determine the state of the target device to be the abnormal state when the current request rate corresponding to the target device is higher than the first threshold corresponding to the target device m consecutive times, where m is an integer greater than 0.
Further, the query module 13 may specifically include (not shown):
an instruction sending unit 131, configured to send a flow table information query instruction to the edge switch corresponding to the target device when the target device is in the abnormal state;
an information receiving unit 132, configured to receive the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction.
The attack determining module 14 may specifically include (not shown):
an efficiency calculation unit 141, configured to calculate the current flow table matching efficiency corresponding to the target device on the basis of the flow table match information;
a second judging unit 142, configured to judge whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined from the flow table matching efficiency counted from the flow table match information in a preset third window;
a second determination unit 143, configured to determine that the target device is under DDoS attack when the judgment result of the second judging unit 142 is that the current flow table matching efficiency does not exceed the second threshold.
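The detection chain of modules 11 to 14 and their units 111 to 143 (request rate over a quantity window, m consecutive first-threshold exceedances, flow table matching efficiency as packet_count over duration_sec, and the second-threshold decision), both for a target edge switch and for the controller (sum of per-switch rates, average of per-switch efficiencies), as an added Python example. This is not code from the patent or from Huawei; the PacketIN arrival timestamps, flow statistics and threshold values are constructed, and the way several flow entries are combined into one efficiency figure (total packets over total duration) is an assumption, since the text defines only the quotient.

```python
"""Added example, not code from the patent: the detection chain of modules 11-14
(units 111-143) for a target edge switch or for the controller. Arrival
timestamps, flow statistics and thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Sequence


@dataclass
class FlowStat:
    """Fields of one flow-table entry returned for the flow table query."""
    duration_sec: float
    packet_count: int


def request_rate(arrivals: Sequence[float]) -> float:
    """Unit 112: PacketIN messages per second over one quantity window of N
    arrival timestamps (seconds); fewer than two arrivals give no rate."""
    if len(arrivals) < 2:
        return 0.0
    span = arrivals[-1] - arrivals[0]
    return len(arrivals) / span if span > 0 else float("inf")


def matching_efficiency(flows: Sequence[FlowStat]) -> float:
    """Unit 141 for one switch: packet_count / duration_sec. Combining entries as
    total packets over total duration is an assumption of this example."""
    total_dur = sum(f.duration_sec for f in flows)
    return sum(f.packet_count for f in flows) / total_dur if total_dur > 0 else 0.0


def controller_rate(per_switch_rate: Dict[str, float]) -> float:
    """Unit 115: the border-network rate is the sum over all edge switches."""
    return sum(per_switch_rate.values())


def controller_efficiency(per_switch_eff: Dict[str, float]) -> float:
    """Unit 141 for the controller: average over all edge switches."""
    return mean(per_switch_eff.values()) if per_switch_eff else 0.0


class Detector:
    """Modules 12-14: m consecutive rate exceedances mark the device abnormal; an
    abnormal device whose matching efficiency does not exceed the second
    threshold is under DDoS attack, while a high efficiency means the extra
    PacketINs come from flows that go on matching, i.e. a genuine load rise."""

    def __init__(self, first_threshold: float, second_threshold: float, m: int = 1):
        self.first_threshold = first_threshold
        self.second_threshold = second_threshold
        self.m = m
        self.consecutive_hits = 0

    def is_abnormal(self, rate: float) -> bool:
        self.consecutive_hits = self.consecutive_hits + 1 if rate > self.first_threshold else 0
        return self.consecutive_hits >= self.m

    def classify(self, rate: float, efficiency: float) -> str:
        if not self.is_abnormal(rate):
            return "normal"
        return "abnormal" if efficiency > self.second_threshold else "ddos"


if __name__ == "__main__":
    arrivals = [i / 10 for i in range(11)]          # 11 PacketIN messages within 1 s
    det = Detector(first_threshold=5.0, second_threshold=1.5, m=2)
    flows_ok = [FlowStat(10, 50), FlowStat(30, 30)]  # entries keep matching traffic
    flows_bad = [FlowStat(10, 2), FlowStat(30, 6)]   # entries created but barely matched
    for flows in (flows_ok, flows_ok, flows_bad):
        print(det.classify(request_rate(arrivals), matching_efficiency(flows)))
    print(controller_rate({"X": 11.0, "Y": 3.0}), controller_efficiency({"X": 0.4, "Y": 1.6}))
```

With m set to 2, the first window over the threshold only arms the detector; the second returns "abnormal" because the flow entries are still matching well, and the third, with the same rate but entries that hardly match, returns "ddos". For the controller the same `Detector` is fed `controller_rate` and `controller_efficiency` instead of the per-switch values.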
Further, in an alternative embodiment of the present invention, the target device can be a target edge switch among the at least one edge switch; the efficiency calculation unit 141 can then be specifically configured to:
calculate, from the flow table match information returned by the target edge switch, the flow table matching efficiency corresponding to that flow table match information, and use the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
The port determining module 15 can be specifically configured to:
when the target edge switch is determined to be under DDoS attack, determine, on the basis of the first request messages, the physical port among the at least one physical port of the target edge switch with the highest data flow density of the first request messages as the target physical port.
Here, the target edge switch includes at least one physical port. Specifically, when the attack determining module 14 determines that the target edge switch is under DDoS attack, the port determining module 15 can determine the physical port with the largest proportion of PacketIN messages among the at least one physical port as the target physical port, according to the PacketIN statistics of the m windows of N messages that generated the abnormality alarm.
Further, in an alternative embodiment of the present invention, the target device can also be the controller, and the edge switches corresponding to the target device include all the edge switches in the SDN; the efficiency calculation unit 141 can then also be specifically configured to:
calculate separately, from the flow table match information returned by each edge switch in the SDN, the flow table matching efficiency corresponding to the flow table match information returned by each edge switch; calculate the average of the flow table matching efficiencies corresponding to all the edge switches, and use the average as the current flow table matching efficiency corresponding to the controller.
The port determining module 15 can be specifically configured to:
when the controller is determined to be under DDoS attack, obtain the current flow table matching efficiency of each edge switch in the SDN, and take the edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN as the target switch, the border network corresponding to the SDN being formed by the at least one edge switch in the SDN;
on the basis of the first request messages corresponding to the target switch, determine the physical port among the at least one physical port of the target switch with the highest data flow density of the first request messages as the target physical port.
Here, the target switch includes at least one physical port. Specifically, when the attack determining module 14 determines that the controller is under DDoS attack, the port determining module 15 can determine the edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network (i.e. the current flow table matching efficiency corresponding to the controller) as the target switch, and can determine the physical port with the largest proportion of PacketIN messages among the physical ports of the target switch as the target physical port, according to the PacketIN statistics of the m windows of N messages that generated the abnormality alarm.
Further optionally, the mark module 16 can be specifically configured to:
fill the hardware address hash value of the edge switch corresponding to the target device into a spare field of the data packets of the target data stream on the target physical port; or,
encapsulate the target data stream of the target physical port using a generic encapsulation technique.
Further, in an alternative embodiment of the present invention, the device further includes (not shown):
an efficiency determination module 18, configured to listen for the second request messages of the edge switch corresponding to the target device and to calculate, on the basis of the second request messages, the history flow table matching efficiency corresponding to the target device, the second request messages being generated from the flow table match information in a preset third window;
a threshold determination module 19, configured to determine the second threshold corresponding to the target device from the history flow table matching efficiency corresponding to the target device.
Further optionally, the second request messages include reason information, the flow duration in seconds (duration_sec) and the matched packet count (packet_count); the efficiency determination module 18 may include (not shown):
a parsing unit 181, configured to parse the reason information;
a third determination unit 182, configured to, when the parsing result of the parsing unit 181 is that the reason information includes idle timeout information, use the quotient of the matched packet count and a target difference as the history flow table matching efficiency corresponding to the target device, the target difference being the difference between the flow duration in seconds and the idle time corresponding to the idle timeout information;
the third determination unit 182 is also configured to, when the parsing result of the parsing unit 181 is that the reason information includes hard timeout information, use the quotient of the matched packet count and the flow duration in seconds as the history flow table matching efficiency corresponding to the target device.
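The history efficiency rule of units 181 and 182 and the threshold derivation of module 19, as an added Python example. This is not code from the patent or from Huawei: the second request messages are modelled on OpenFlow FlowRemoved messages (the reason codes OFPRR_IDLE_TIMEOUT = 0 and OFPRR_HARD_TIMEOUT = 1 are the OpenFlow values, not something the page names), the sample messages are constructed, and the mapping from history efficiency to second threshold (a fixed fraction of the mean) is an assumption, since the page only says the threshold is derived from the history efficiency.

```python
"""Added example, not code from the patent: efficiency determination module 18
(units 181/182) and threshold determination module 19. Sample messages and the
history-efficiency-to-threshold mapping are constructed/assumed."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Sequence

OFPRR_IDLE_TIMEOUT = 0   # OpenFlow FlowRemoved reason codes (OpenFlow values)
OFPRR_HARD_TIMEOUT = 1


@dataclass
class FlowRemoved:
    reason: int
    duration_sec: float          # lifetime of the entry on the switch
    packet_count: int            # packets matched by the entry
    idle_timeout: float = 0.0    # configured idle timeout; meaningful for reason 0 only


def history_efficiency(msg: FlowRemoved) -> Optional[float]:
    """Unit 182. An idle-timed-out entry matched nothing during its final
    idle_timeout seconds, so that idle tail is removed from the denominator;
    a hard-timed-out entry is counted over its whole lifetime. Messages the
    page's rule does not cover (other reasons, zero active time) yield None."""
    if msg.reason == OFPRR_IDLE_TIMEOUT:
        active = msg.duration_sec - msg.idle_timeout
        if active <= 0:
            return None   # expired without ever matching: no rate to learn from
        return msg.packet_count / active
    if msg.reason == OFPRR_HARD_TIMEOUT:
        if msg.duration_sec <= 0:
            return None
        return msg.packet_count / msg.duration_sec
    return None


def second_threshold(msgs: Sequence[FlowRemoved], factor: float = 0.5) -> Optional[float]:
    """Module 19. A fixed fraction of the mean history efficiency is an
    assumption of this example; the page leaves the mapping open."""
    values: List[float] = [e for e in map(history_efficiency, msgs) if e is not None]
    return factor * mean(values) if values else None


if __name__ == "__main__":
    history = [
        FlowRemoved(OFPRR_IDLE_TIMEOUT, duration_sec=30, packet_count=100, idle_timeout=10),
        FlowRemoved(OFPRR_HARD_TIMEOUT, duration_sec=40, packet_count=100),
        FlowRemoved(OFPRR_IDLE_TIMEOUT, duration_sec=10, packet_count=0, idle_timeout=10),
    ]
    print([history_efficiency(m) for m in history], second_threshold(history))
```

The third sample message is the edge case worth handling: an entry that sat idle for its entire lifetime has an active period of zero, and dividing by it would either fail or produce a meaningless infinite efficiency, so it is dropped from the history rather than skewing the threshold.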
Further, in an alternative embodiment of the present invention, the device may also include (not shown):
an acquisition module 20, configured to obtain the address information of the edge switches and of the data filtering devices in the SDN respectively;
the acquisition module 20 is also configured to obtain the topology information of the SDN;
a binding determining module 21, configured to determine at least one data filtering device for the edge switch according to the topology information, and to bind the address information of the determined data filtering device with the address information of the edge switch.
Specifically, when binding an edge switch to a data filtering device, the acquisition module 20 can obtain the address information of the edge switch and of the data filtering device, such as the hardware address and IP address of the device, from network deployment records or topology analysis. Furthermore, the binding determining module 21 can calculate the information exchange cost between the edge switch and each data filtering device from the topological relationship between them, by methods such as shortest path or load balancing, select at least one data filtering device with a smaller information exchange cost (for example the shortest path to the edge switch, the fewest intermediate nodes and/or the lightest load), and bind the address information of the selected data filtering device with that of edge switch X.
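The binding of modules 20 and 21, as an added Python example that is not code from the patent or from Huawei. The topology, link costs, device addresses and load figures are constructed; ordering candidates by (path cost, intermediate nodes, load) is one way to combine the page's "shortest path, fewest intermediate nodes and/or lightest load" criteria and is an assumption of the example.

```python
"""Added example, not code from the patent: acquisition module 20 and binding
determining module 21. Topology, costs, addresses and loads are constructed."""
import heapq
from typing import Dict, Optional, Tuple

INF = float("inf")
Graph = Dict[str, Dict[str, float]]


def add_link(graph: Graph, a: str, b: str, cost: float = 1.0) -> None:
    """Undirected link from the topology information."""
    graph.setdefault(a, {})[b] = cost
    graph.setdefault(b, {})[a] = cost


def shortest_paths(graph: Graph, src: str) -> Dict[str, Tuple[float, int]]:
    """Dijkstra returning (path cost, hop count) from src to every reachable node."""
    best: Dict[str, Tuple[float, int]] = {src: (0.0, 0)}
    heap = [(0.0, 0, src)]
    while heap:
        cost, hops, u = heapq.heappop(heap)
        if (cost, hops) > best.get(u, (INF, INF)):
            continue   # stale heap entry
        for v, w in graph.get(u, {}).items():
            cand = (cost + w, hops + 1)
            if cand < best.get(v, (INF, INF)):
                best[v] = cand
                heapq.heappush(heap, (cand[0], cand[1], v))
    return best


def bind_filter(graph: Graph, switch: str, switches: Dict[str, dict],
                filters: Dict[str, dict]) -> Optional[dict]:
    """Module 21: choose the reachable data filtering device with the lowest
    (path cost, intermediate nodes, load) and return the address binding.
    Unreachable filters are skipped; None means no binding is possible."""
    reach = shortest_paths(graph, switch)
    ranked = sorted((reach[f][0], reach[f][1] - 1, info["load"], f)
                    for f, info in filters.items() if f in reach)
    if not ranked:
        return None
    chosen = ranked[0][3]
    return {"switch": switch, "switch_hw": switches[switch]["hw"],
            "switch_ip": switches[switch]["ip"], "filter": chosen,
            "filter_hw": filters[chosen]["hw"], "filter_ip": filters[chosen]["ip"]}


# Constructed inventory (module 20 output) and topology.
SWITCHES = {"X": {"hw": "00:00:00:00:00:0a", "ip": "10.0.0.10"}}
FILTERS = {
    "F1": {"hw": "00:00:00:00:00:f1", "ip": "10.0.1.1", "load": 0.9},
    "F2": {"hw": "00:00:00:00:00:f2", "ip": "10.0.1.2", "load": 0.2},
    "F3": {"hw": "00:00:00:00:00:f3", "ip": "10.0.1.3", "load": 0.0},  # not reachable
}


def build_topology() -> Graph:
    g: Graph = {}
    add_link(g, "X", "S1"); add_link(g, "S1", "F1")
    add_link(g, "X", "S2"); add_link(g, "S2", "F2")
    add_link(g, "Y", "F3")   # F3 hangs off an isolated switch
    return g


if __name__ == "__main__":
    print(bind_filter(build_topology(), "X", SWITCHES, FILTERS))
```

F1 and F2 are at equal cost and hop count from X, so the load figure decides and F2 is bound; F3 is never considered because no path exists. Each edge switch runs the same selection, so the resulting bindings are the ones the redirect rules of S414 forward to.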
In the embodiment of the present invention, the current request rate corresponding to the target device in the SDN can be calculated from the first request messages listened to, and whether the target device is in an abnormal state is judged from the current request rate; when the target device is in the abnormal state, the current flow table match information is further queried to determine whether the target device is under DDoS attack. The DDoS attack detection method of the embodiment of the present invention does not need to rely on the randomness of normal traffic and attack data flows, which improves the accuracy of DDoS attack detection; moreover, it can detect DDoS attacks on both switches and the controller, solving the problem in the prior art that it cannot be detected whether a switch is under DDoS attack. Further, when the target device in the SDN, such as a switch or the controller, is detected to be under DDoS attack, the target physical port with the highest data flow density on the edge switch corresponding to the target device under attack is determined, and the target data stream of that target physical port is marked and redirected to the bound data filtering device, so that the target device can be protected against the DDoS attack. Compared with the prior-art protection method of configuring multiple controllers, enabling other idle controllers when the data processing amount of the controller in use exceeds a preset data amount threshold, extracting attack signatures by packet header analysis from the data packets received by the controller that exceeds the threshold, and issuing flow tables so that the switches discard, intercept or block the data flows, the technical solution of the embodiment of the present invention redirects the data flows in which the attack is relatively concentrated to the bound data filtering device;
this not only effectively protects the target device against the DDoS attack, but also solves the problem that the above prior-art protection method easily causes accidental blocking of normal traffic and overflow of flow table space.
Further, referring to Fig. 9, it is a structural schematic diagram of a network device provided in an embodiment of the present invention. The network device can be applied to a software defined network SDN, where the SDN includes a controller and at least one edge switch. Specifically, the network device of the embodiment of the present invention includes a communication interface 300, a memory 200 and a processor 100, the processor 100 being connected to the communication interface 300 and the memory 200 respectively. The memory 200 can be a high-speed RAM memory or a non-volatile memory, for example at least one disk memory. The communication interface 300, memory 200 and processor 100 can be connected by a bus, or by other means; this embodiment is illustrated with a bus connection. Wherein,
the memory 200 is configured to store driver software;
the processor 100 reads the driver software from the memory 200 and, under the action of the driver software, executes the following:
listening, through the communication interface 300, for the first request messages in a preset first window, and calculating the current request rate of the target device in the SDN for the first request messages, the first request messages being the request data streams requiring controller processing that the edge switch corresponding to the target device sends to the controller;
judging, on the basis of the current request rate, whether the target device is in an abnormal state;
if the target device is in the abnormal state, querying the flow table match information corresponding to the target device;
determining, on the basis of the flow table match information, whether the target device is under DDoS attack.
It should be noted that the network device of the embodiment of the present invention can specifically be the controller, or a separately deployed detection device in the SDN.
Further, the processor 100 also reads the driver software from the memory and, under the action of the driver software, executes the following steps:
if the target device is determined to be under DDoS attack, determining a target physical port from the at least one physical port of the edge switch corresponding to the target device, the target physical port being the physical port among the at least one physical port with the highest data flow density of the first request messages in the first window;
marking the target data stream transmitted through the target physical port, the target data stream being the data flow between switches in the SDN;
redirecting, through the communication interface 300, the marked target data stream to the data filtering device bound in advance to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
Optionally, the target device is a target edge switch among the at least one edge switch; when executing the listening for the first request messages in the preset first window and calculating the current request rate of the target device in the SDN for the first request messages, the processor 100 specifically executes the following steps:
listening for the first request messages sent by the target edge switch in the preset first window;
calculating the request rate of the first request messages, and using the calculated request rate as the current request rate of the target edge switch for the first request messages.
Optionally, the target device is the controller; when executing the listening for the first request messages in the preset first window and calculating the current request rate of the target device in the SDN for the first request messages, the processor 100 specifically executes the following steps:
listening for the first request messages sent by each edge switch in the SDN in the preset first window;
counting, for each edge switch respectively, the request rate of the first request messages it sends in the first window;
calculating, from the request rate of each edge switch, the current request rate of the border network formed by all the edge switches in the SDN in the first window, and using the current request rate of the border network as the current request rate of the controller for the first request messages.
Further, when executing the judging, on the basis of the current request rate, of whether the target device is in the abnormal state, the processor 100 specifically executes the following steps:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined from the request rate of the first request messages in a preset second window;
if it is higher than the first threshold, determining that the target device is in the abnormal state.
Further optionally, when executing the querying of the flow table match information corresponding to the target device, the processor 100 specifically executes the following steps:
sending a flow table information query instruction to the edge switch corresponding to the target device through the communication interface 300;
receiving, through the communication interface 300, the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction.
When executing the determining, on the basis of the flow table match information, of whether the target device is under DDoS attack, the processor 100 specifically executes the following steps:
calculating, on the basis of the flow table match information, the current flow table matching efficiency corresponding to the target device;
judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined from the flow table matching efficiency counted from the flow table match information in a preset third window;
if it does not exceed the second threshold, determining that the target device is under DDoS attack.
Optionally, the target device is the object boundary interchanger at least one described edge switch;The processor 100 is executing described using the flow table match information as foundation, when calculating the corresponding current flow table matching efficiency of the target device, specifically executes following steps:
According to the flow table match information that the object boundary interchanger returns, the corresponding flow table matching efficiency of the flow table match information is calculated, and using the calculated flow table matching efficiency as the current flow table matching efficiency of the object boundary interchanger.
Optionally, the target device is the controller, and the corresponding edge switch of the target device includes all edge switch in the SDN;The processor 100 is executing described using the flow table match information as foundation, when calculating the corresponding current flow table matching efficiency of the target device, specifically executes following steps:
According to the flow table match information that each edge switch in the SDN returns, the corresponding flow table matching efficiency of flow table match information of each edge switch return is calculated separately;
The average value of the corresponding flow table matching efficiency of each described edge switch is calculated, and using the average value as the corresponding current flow table matching efficiency of the controller.
Further alternative, the flow table match information includes grade duration second and matching packet number;The processor 100 specifically executes following steps in the corresponding flow table matching efficiency of execution calculating flow table match information:
The matching packet number and the quotient of grade duration second is corresponding as the flow table match information Flow table matching efficiency.
Further, the processor 100 is also configured to execute the following steps:
Monitor the second request message of the edge switch corresponding to the target device, where the second request message is generated according to the flow table match information within a preset third window;
Using the second request message as a basis, calculate the historical flow table matching efficiency corresponding to the target device;
Determine the second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
Further optionally, the second request message includes reason information, the duration in seconds and the matched packet count; when executing the step of calculating, using the second request message as a basis, the historical flow table matching efficiency corresponding to the target device, the processor 100 specifically executes the following steps:
Parse the reason information;
If the reason information includes idle-timeout information, use the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, where the target difference is the difference between the duration in seconds and the idle time corresponding to the idle-timeout information;
If the reason information includes hard-timeout information, use the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
Optionally, the target device is a target edge switch among the at least one edge switch; when executing the step of determining a target physical port from at least one physical port of the edge switch corresponding to the target device, the processor 100 specifically executes the following step:
Using the first request message as a basis, determine as the target physical port the physical port, among the at least one physical port of the target edge switch, with the highest data flow density of the first request message.
Optionally, the target device is the controller; when executing the step of determining a target physical port from at least one physical port of the edge switch corresponding to the target device, the processor 100 specifically executes the following steps:
Obtain the current flow table matching efficiency of each edge switch in the SDN, and take as a target switch any edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN, where the border network corresponding to the SDN is determined by the at least one edge switch in the SDN;
Using the first request message corresponding to the target switch as a basis, determine as the target physical port the physical port, among the at least one physical port of the target switch, with the highest data flow density of the first request message.
Further optionally, when executing the step of marking the target data stream of the target physical port, the processor 100 specifically executes the following step:
Fill a spare field of the data packets of the target data stream on the target physical port with the hash value of the hardware address of the edge switch corresponding to the target device; or,
Perform packet encapsulation of the target data stream of the target physical port using a generic encapsulation technology.
Further, the processor 100 reads the driver software from the memory and, under the action of the driver software, also executes the following steps:
Obtain, through the communication interface 300, the address information of the edge switches and of the data filtering devices in the SDN respectively;
Obtain the topology information of the SDN;
Determine at least one data filtering device for each edge switch according to the topology information, and
Bind the address information of the determined data filtering device to the address information of that edge switch.
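The two-stage decision described above (request rate against the first threshold, then flow table matching efficiency against a second threshold derived from removed-entry history, with the idle-timeout correction) and the target-port choice, as an added example that is not code from the patent or its assignee. Message layouts, field names and all sample values are constructed, and averaging the historical efficiencies to obtain the second threshold is an assumption, since the text only says the threshold is determined from them.

```python
"""Two-stage DDoS detection for an SDN controller, following the scheme described above.

Added example; not code from the patent. Message formats, field names and all
sample values are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable


@dataclass(frozen=True)
class FlowTableMatchInfo:
    """Match statistics an edge switch returns for one flow entry (constructed format)."""
    switch_id: str
    duration_sec: float   # seconds the entry has been installed ("duration in seconds")
    packet_count: int     # packets the entry has matched ("matched packet count")


@dataclass(frozen=True)
class FlowRemovedMsg:
    """The 'second request message': reported when a flow entry is removed (constructed)."""
    switch_id: str
    reason: str               # "idle_timeout" or "hard_timeout"
    duration_sec: float
    packet_count: int
    idle_timeout_sec: float   # idle timeout configured on the entry


def request_rate(first_request_count: int, window_sec: float) -> float:
    """Current request rate: first request messages seen per second in the first window."""
    return first_request_count / window_sec


def match_efficiency(info: FlowTableMatchInfo) -> float:
    """Current flow table matching efficiency: matched packets per second of entry lifetime."""
    if info.duration_sec <= 0:
        return 0.0
    return info.packet_count / info.duration_sec


def history_match_efficiency(msg: FlowRemovedMsg) -> float:
    """Historical efficiency from a removed entry, per the idle/hard timeout rule above."""
    if msg.reason == "idle_timeout":
        # The entry spent its final idle_timeout_sec matching nothing, so that dead
        # time is subtracted from the lifetime before dividing.
        active_sec = msg.duration_sec - msg.idle_timeout_sec
    elif msg.reason == "hard_timeout":
        active_sec = msg.duration_sec
    else:
        raise ValueError(f"unknown removal reason: {msg.reason!r}")
    # An entry whose whole lifetime was idle matched nothing: efficiency 0, not a division error.
    return msg.packet_count / active_sec if active_sec > 0 else 0.0


def device_match_efficiency(infos: Iterable[FlowTableMatchInfo]) -> float:
    """A single edge switch contributes its own efficiency; for the controller the
    value is the average over all edge switches, as the scheme specifies."""
    values = [match_efficiency(i) for i in infos]
    return mean(values) if values else 0.0


def second_threshold(history: Iterable[FlowRemovedMsg]) -> float:
    """Second threshold from historical efficiencies in the third window.
    Aggregating by the mean is an assumption made in this example."""
    values = [history_match_efficiency(m) for m in history]
    return mean(values) if values else 0.0


def detect(current_rate: float, first_threshold: float,
           current_infos: Iterable[FlowTableMatchInfo],
           history: Iterable[FlowRemovedMsg]) -> str:
    """Stage 1: a rate above the first threshold marks the device abnormal.
    Stage 2: only then are flow tables queried; efficiency at or below the second
    threshold (many entries matching few packets each) means DDoS."""
    if current_rate <= first_threshold:
        return "normal"
    if device_match_efficiency(current_infos) <= second_threshold(history):
        return "ddos"
    return "abnormal"   # high load, but entries still match real traffic (e.g. a flash crowd)


def target_port(first_requests_per_port: Dict[str, int]) -> str:
    """Port whose traffic produced the most first request messages in the first window."""
    return max(first_requests_per_port, key=first_requests_per_port.get)


# Constructed sample data: two entries removed during normal operation, then a
# controller-level query during a suspected attack where every entry matched one packet.
HISTORY = [
    FlowRemovedMsg("s1", "hard_timeout", duration_sec=60.0, packet_count=600, idle_timeout_sec=10.0),
    FlowRemovedMsg("s2", "idle_timeout", duration_sec=40.0, packet_count=300, idle_timeout_sec=10.0),
]
ATTACK_INFOS = [FlowTableMatchInfo("s1", 20.0, 1), FlowTableMatchInfo("s2", 20.0, 1)]
FLASH_CROWD_INFOS = [FlowTableMatchInfo("s1", 25.0, 500), FlowTableMatchInfo("s2", 25.0, 1000)]

if __name__ == "__main__":
    rate = request_rate(first_request_count=1000, window_sec=5.0)   # 200.0 messages/s
    print("second threshold =", second_threshold(HISTORY))          # 10.0
    print(detect(rate, 50.0, ATTACK_INFOS, HISTORY))                 # ddos
    print(detect(rate, 50.0, FLASH_CROWD_INFOS, HISTORY))            # abnormal
    print(detect(20.0, 50.0, ATTACK_INFOS, HISTORY))                 # normal
    print(target_port({"p1": 10, "p2": 300, "p3": 40}))              # p2
```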
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided by the present invention, it should be understood that the disclosed device and method may be implemented in other ways. For example, the device embodiments described above are merely exemplary; the division into units is only a division by logical function, and another division may be used in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, the functional units in the various embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute some of the steps of the methods of the embodiments of the present invention. The storage medium includes media capable of storing program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
Those skilled in the art will clearly understand that, for convenience and brevity of description, only the division of the above functional modules is given as an example; in practical application, the above functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiments, which is not repeated here.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (44)

  1. A distributed denial of service (DDoS) attack detection method, applied to a software defined network (SDN), the SDN comprising a controller and at least one edge switch, characterized in that the method comprises:
    Monitoring a first request message within a preset first window, and calculating the current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream, requiring processing by the controller, that the edge switch corresponding to the target device sends to the controller;
    Using the current request rate as a basis, judging whether the target device is in an abnormal state;
    If the target device is in an abnormal state, querying the flow table match information corresponding to the target device;
    Using the flow table match information as a basis, determining whether the target device is under a DDoS attack.
  2. The method according to claim 1, characterized in that the method further comprises:
    If it is determined that the target device is under a DDoS attack, determining a target physical port from at least one physical port of the edge switch corresponding to the target device, where the target physical port is the physical port, among the at least one physical port, with the highest data flow density of the first request message within the first window;
    Marking the target data stream transmitted by the target physical port, where the target data stream is a data stream between switches in the SDN;
    Redirecting the marked target data stream to a data filtering device pre-bound to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
  3. The method according to claim 1 or 2, characterized in that the target device is a target edge switch among the at least one edge switch; the monitoring a first request message within a preset first window, and calculating the current request rate of the target device in the SDN for the first request message, comprises:
    Monitoring, within the preset first window, the first request message sent by the target edge switch;
    Calculating the request rate of the first request message, and using the calculated request rate as the current request rate of the target edge switch for the first request message.
  4. The method according to claim 1 or 2, characterized in that the target device is the controller; the monitoring a first request message within a preset first window, and calculating the current request rate of the target device in the SDN for the first request message, comprises:
    Monitoring, within the preset first window, the first request message sent by each edge switch in the SDN;
    Separately counting the request rate of the first request message sent by each edge switch within the first window;
    Counting, according to the request rate of each edge switch, the current request rate within the first window of the border network determined by all edge switches in the SDN, and using the current request rate of the border network as the current request rate of the controller for the first request message.
  5. The method according to any one of claims 1-4, characterized in that the using the current request rate as a basis, judging whether the target device is in an abnormal state, comprises:
    Judging whether the current request rate is higher than a preset first threshold corresponding to the target device, where the first threshold is determined according to the request rate of the first request message within a preset second window;
    If it is higher than the first threshold, determining that the target device is in an abnormal state.
  6. The method according to any one of claims 1-5, characterized in that the querying the flow table match information corresponding to the target device comprises:
    Sending a flow table information query instruction to the edge switch corresponding to the target device;
    Receiving the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction;
    and the using the flow table match information as a basis, determining whether the target device is under a DDoS attack, comprises:
    Using the flow table match information as a basis, calculating the current flow table matching efficiency corresponding to the target device;
    Judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, where the second threshold is determined according to the flow table matching efficiency counted from the flow table match information within a preset third window;
    If it does not exceed the second threshold, determining that the target device is under a DDoS attack.
  7. The method according to claim 6, characterized in that the target device is a target edge switch among the at least one edge switch; the using the flow table match information as a basis, calculating the current flow table matching efficiency corresponding to the target device, comprises:
    According to the flow table match information returned by the target edge switch, calculating the flow table matching efficiency corresponding to that flow table match information, and using the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
  8. The method according to claim 6, characterized in that the target device is the controller, and the edge switches corresponding to the target device include all edge switches in the SDN; the using the flow table match information as a basis, calculating the current flow table matching efficiency corresponding to the target device, comprises:
    According to the flow table match information returned by each edge switch in the SDN, separately calculating the flow table matching efficiency corresponding to the flow table match information returned by each edge switch;
    Calculating the average of the flow table matching efficiencies corresponding to each edge switch, and using the average as the current flow table matching efficiency corresponding to the controller.
  9. The method according to claim 7 or 8, characterized in that the flow table match information includes the duration in seconds and the matched packet count; the calculating the flow table matching efficiency corresponding to the flow table match information comprises:
    Using the quotient of the matched packet count and the duration in seconds as the flow table matching efficiency corresponding to the flow table match information.
  10. The method according to claim 6, characterized in that the method further comprises:
    Monitoring the second request message of the edge switch corresponding to the target device, where the second request message is generated according to the flow table match information within a preset third window;
    Using the second request message as a basis, calculating the historical flow table matching efficiency corresponding to the target device;
    Determining the second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
  11. The method according to claim 10, characterized in that the second request message includes reason information, the duration in seconds and the matched packet count; the using the second request message as a basis, calculating the historical flow table matching efficiency corresponding to the target device, comprises:
    Parsing the reason information;
    If the reason information includes idle-timeout information, using the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, where the target difference is the difference between the duration in seconds and the idle time corresponding to the idle-timeout information;
    If the reason information includes hard-timeout information, using the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
  12. The method according to claim 2, characterized in that the target device is a target edge switch among the at least one edge switch; the determining a target physical port from at least one physical port of the edge switch corresponding to the target device comprises:
    Using the first request message as a basis, determining as the target physical port the physical port, among the at least one physical port of the target edge switch, with the highest data flow density of the first request message.
  13. The method according to claim 2, characterized in that the target device is the controller; the determining a target physical port from at least one physical port of the edge switch corresponding to the target device comprises:
    Obtaining the current flow table matching efficiency of each edge switch in the SDN, and taking as a target switch any edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN, where the border network corresponding to the SDN is determined by the at least one edge switch in the SDN;
    Using the first request message corresponding to the target switch as a basis, determining as the target physical port the physical port, among the at least one physical port of the target switch, with the highest data flow density of the first request message.
  14. The method according to claim 2, characterized in that the marking the target data stream of the target physical port comprises:
    Filling a spare field of the data packets of the target data stream on the target physical port with the hash value of the hardware address of the edge switch corresponding to the target device; or,
    Performing packet encapsulation of the target data stream of the target physical port using a generic encapsulation technology.
  15. The method according to claim 2, characterized in that the method further comprises:
    Obtaining the address information of the edge switches and of the data filtering devices in the SDN respectively;
    Obtaining the topology information of the SDN;
    Determining at least one data filtering device for each edge switch according to the topology information, and binding the address information of the determined data filtering device to the address information of that edge switch.
  16. A distributed denial of service (DDoS) attack detection device, applied to a software defined network (SDN), the SDN comprising a controller and at least one edge switch, characterized in that the device comprises:
    A calculation module, configured to monitor a first request message within a preset first window, and to calculate the current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream, requiring processing by the controller, that the edge switch corresponding to the target device sends to the controller;
    An abnormality judging module, configured to judge, using the current request rate as a basis, whether the target device is in an abnormal state;
    A query module, configured to query the flow table match information corresponding to the target device when the judging result of the abnormality judging module is that the target device is in an abnormal state;
    An attack determining module, configured to determine, using the flow table match information as a basis, whether the target device is under a DDoS attack.
  17. The device according to claim 16, characterized in that the device further comprises:
    A port determining module, configured to, when it is determined that the target device is under a DDoS attack, determine a target physical port from at least one physical port of the edge switch corresponding to the target device, where the target physical port is the physical port, among the at least one physical port, with the highest data flow density of the first request message within the first window;
    A marking module, configured to mark the target data stream transmitted by the target physical port, where the target data stream is a data stream between switches in the SDN;
    A redirection module, configured to redirect the marked target data stream to a data filtering device pre-bound to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
  18. The device according to claim 16 or 17, characterized in that the target device is a target edge switch among the at least one edge switch; the calculation module comprises:
    A first monitoring unit, configured to monitor, within the preset first window, the first request message sent by the target edge switch;
    A first calculation unit, configured to calculate the request rate of the first request message, and to use the calculated request rate as the current request rate of the target edge switch for the first request message.
  19. The device according to claim 16 or 17, characterized in that the target device is the controller; the calculation module comprises:
    A second monitoring unit, configured to monitor, within the preset first window, the first request message sent by each edge switch in the SDN;
    A second calculation unit, configured to separately count the request rate of the first request message sent by each edge switch within the first window;
    The second calculation unit is further configured to count, according to the request rate of each edge switch, the current request rate within the first window of the border network determined by all edge switches in the SDN, and to use the current request rate of the border network as the current request rate of the controller for the first request message.
  20. The device according to any one of claims 16-19, characterized in that the abnormality judging module comprises:
    A first judging unit, configured to judge whether the current request rate is higher than a preset first threshold corresponding to the target device, where the first threshold is determined according to the request rate of the first request message within a preset second window;
    A first determining unit, configured to determine that the target device is in an abnormal state when the judging result of the first judging unit is that the current request rate is higher than the first threshold.
  21. The device according to any one of claims 16-20, characterized in that the query module comprises:
    An instruction sending unit, configured to send a flow table information query instruction to the edge switch corresponding to the target device when the target device is in an abnormal state;
    An information receiving unit, configured to receive the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction;
    and the attack determining module comprises:
    An efficiency calculation unit, configured to calculate, using the flow table match information as a basis, the current flow table matching efficiency corresponding to the target device;
    A second judging unit, configured to judge whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, where the second threshold is determined according to the flow table matching efficiency counted from the flow table match information within a preset third window;
    A second determining unit, configured to determine that the target device is under a DDoS attack when the judging result of the second judging unit is that the current flow table matching efficiency does not exceed the second threshold.
  22. The device according to claim 21, characterized in that the target device is a target edge switch among the at least one edge switch; the efficiency calculation unit is specifically configured to:
    According to the flow table match information returned by the target edge switch, calculate the flow table matching efficiency corresponding to that flow table match information, and use the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
  23. The device according to claim 21, characterized in that the target device is the controller, and the edge switches corresponding to the target device include all edge switches in the SDN; the efficiency calculation unit is specifically configured to:
    According to the flow table match information returned by each edge switch in the SDN, separately calculate the flow table matching efficiency corresponding to the flow table match information returned by each edge switch; calculate the average of the flow table matching efficiencies corresponding to each edge switch, and use the average as the current flow table matching efficiency corresponding to the controller.
  24. The device according to claim 21, characterized in that the device further comprises:
    An efficiency determining module, configured to monitor the second request message of the edge switch corresponding to the target device, and to calculate, using the second request message as a basis, the historical flow table matching efficiency corresponding to the target device, where the second request message is generated according to the flow table match information within a preset third window;
    A threshold determining module, configured to determine the second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
  25. The device according to claim 24, characterized in that the second request message includes reason information, the duration in seconds and the matched packet count; the efficiency determining module comprises:
    A parsing unit, configured to parse the reason information;
    A third determining unit, configured to, when the parsing result of the parsing unit is that the reason information includes idle-timeout information, use the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, where the target difference is the difference between the duration in seconds and the idle time corresponding to the idle-timeout information;
    The third determining unit is further configured to, when the parsing result of the parsing unit is that the reason information includes hard-timeout information, use the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
  26. The device according to claim 17, characterized in that the target device is a target edge switch among the at least one edge switch; the port determining module is specifically configured to:
    When it is determined that the target edge switch is under a DDoS attack, using the first request message as a basis, determine as the target physical port the physical port, among the at least one physical port of the target edge switch, with the highest data flow density of the first request message.
  27. The device according to claim 17, characterized in that the target device is the controller; the port determining module is specifically configured to:
    When it is determined that the controller is under a DDoS attack, obtain the current flow table matching efficiency of each edge switch in the SDN, and take as a target switch any edge switch whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN, where the border network corresponding to the SDN is determined by the at least one edge switch in the SDN;
    Using the first request message corresponding to the target switch as a basis, determine as the target physical port the physical port, among the at least one physical port of the target switch, with the highest data flow density of the first request message.
  28. The device according to claim 17, characterized in that the marking module is specifically configured to:
    Fill a spare field of the data packets of the target data stream on the target physical port with the hash value of the hardware address of the edge switch corresponding to the target device; or,
    Perform packet encapsulation of the target data stream of the target physical port using a generic encapsulation technology.
  29. The device according to claim 17, characterized in that the device further comprises:
    An acquisition module, configured to obtain the address information of the edge switches and of the data filtering devices in the SDN respectively;
    The acquisition module is further configured to obtain the topology information of the SDN;
    A binding determining module, configured to determine at least one data filtering device for each edge switch according to the topology information, and to bind the address information of the determined data filtering device to the address information of that edge switch.
  30. A network device, applied to a software defined network (SDN), the SDN comprising a controller and at least one edge switch, characterized in that the network device comprises a communication interface, a memory and a processor, the processor being connected to the communication interface and to the memory respectively; wherein,
    The memory is configured to store driver software;
    The processor reads the driver software from the memory and, under the action of the driver software, executes the following:
    Monitoring, through the communication interface, a first request message within a preset first window, and calculating the current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream, requiring processing by the controller, that the edge switch corresponding to the target device sends to the controller;
    Using the current request rate as a basis, judging whether the target device is in an abnormal state;
    If the target device is in an abnormal state, querying the flow table match information corresponding to the target device;
    Using the flow table match information as a basis, determining whether the target device is under a DDoS attack.
  31. The network device according to claim 30, characterized in that the processor reads the driver software from the memory and, under the action of the driver software, further executes the following steps:
    If it is determined that the target device is under a DDoS attack, determining a target physical port from at least one physical port of the edge switch corresponding to the target device, where the target physical port is the physical port, among the at least one physical port, with the highest data flow density of the first request message within the first window;
    Marking the target data stream transmitted by the target physical port, where the target data stream is a data stream between switches in the SDN;
    Redirecting, through the communication interface, the marked target data stream to a data filtering device pre-bound to the edge switch corresponding to the target device, so that the data filtering device processes the marked target data stream.
  32. The network equipment according to claim 30 or 31, which is characterized in that the target device is the object boundary interchanger at least one described edge switch;First request message of the processor in the first window for executing the preset monitored, and when calculating the target device in the SDN and being directed to the current request rates of first request message, specifically execute following steps:
    The first request message that the object boundary interchanger is sent in the first window of preset monitored;
    The request rate of first request message is calculated, and is directed to the current request rates of first request message using the calculated request rate as the object boundary interchanger.
  33. The network device according to claim 30 or 31, characterized in that the target device is the controller; when monitoring the first request message in the preset first window and calculating the current request rate of the target device in the SDN for the first request message, the processor specifically performs the following steps:
    Monitor the first request message sent by each edge switch in the SDN in the preset first window;
    Separately count the request rate of the first request message sent by each edge switch in the first window;
    From the request rate of each edge switch, count the current request rate, in the first window, of the border network formed by all edge switches in the SDN, and use the current request rate of the border network as the current request rate of the controller for the first request message.
  34. The network device according to any one of claims 30-33, characterized in that when using the current request rate as the basis for judging whether the target device is in an abnormal state, the processor specifically performs the following steps:
    Judge whether the current request rate is higher than a preset first threshold corresponding to the target device, where the first threshold is determined from the request rate of the first request message in a preset second window;
    If it is higher than the first threshold, determine that the target device is in an abnormal state.
  35. The network device according to any one of claims 30-34, characterized in that when querying the flow table match information corresponding to the target device, the processor specifically performs the following steps:
    Send a flow table information query instruction, through the communication interface, to the edge switch corresponding to the target device;
    Receive, through the communication interface, the flow table match information returned by the edge switch corresponding to the target device in response to the flow table information query instruction;
    and when using the flow table match information as the basis for determining whether the target device is under DDoS attack, the processor specifically performs the following steps:
    Using the flow table match information as the basis, calculate the current flow table matching efficiency corresponding to the target device;
    Judge whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, where the second threshold is determined from the flow table matching efficiency computed from the flow table match information in a preset third window;
    If it does not exceed the second threshold, determine that the target device is under DDoS attack.
  36. The network device according to claim 35, characterized in that the target device is a target edge switch among the at least one edge switch; when using the flow table match information as the basis for calculating the current flow table matching efficiency corresponding to the target device, the processor specifically performs the following step:
    From the flow table match information returned by the target edge switch, calculate the flow table matching efficiency corresponding to that flow table match information, and use the calculated flow table matching efficiency as the current flow table matching efficiency of the target edge switch.
  37. The network device according to claim 35, characterized in that the target device is the controller, and the edge switches corresponding to the target device include all edge switches in the SDN; when using the flow table match information as the basis for calculating the current flow table matching efficiency corresponding to the target device, the processor specifically performs the following steps:
    From the flow table match information returned by each edge switch in the SDN, separately calculate the flow table matching efficiency corresponding to the flow table match information returned by each edge switch;
    Calculate the average of the flow table matching efficiencies corresponding to the edge switches, and use that average as the current flow table matching efficiency corresponding to the controller.
  38. The network device according to claim 36 or 37, characterized in that the flow table match information includes a duration in seconds and a matched packet count; when calculating the flow table matching efficiency corresponding to the flow table match information, the processor specifically performs the following step:
    Use the quotient of the matched packet count and the duration in seconds as the flow table matching efficiency corresponding to the flow table match information.
  39. The network device according to claim 35, characterized in that the processor is further configured to perform the following steps:
    Monitor the second request message of the edge switch corresponding to the target device, the second request message being generated from the flow table match information in the preset third window;
    Using the second request message as the basis, calculate the historical flow table matching efficiency corresponding to the target device;
    From the historical flow table matching efficiency corresponding to the target device, determine the second threshold corresponding to the target device.
  40. The network device according to claim 39, characterized in that the second request message includes cause information, a duration in seconds and a matched packet count; when using the second request message as the basis for calculating the historical flow table matching efficiency corresponding to the target device, the processor specifically performs the following steps:
    Parse the cause information;
    If the cause information includes idle timeout information, use the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, the target difference being the difference between the duration in seconds and the idle time corresponding to the idle timeout information;
    If the cause information includes hard timeout information, use the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
  41. The network device according to claim 31, characterized in that the target device is a target edge switch among the at least one edge switch; when determining the target physical port from the at least one physical port of the edge switch corresponding to the target device, the processor specifically performs the following step:
    Using the first request message as the basis, determine as the target physical port the physical port, among the at least one physical port of the target edge switch, with the highest data flow density of the first request message.
  42. The network device according to claim 31, characterized in that the target device is the controller; when determining the target physical port from the at least one physical port of the edge switch corresponding to the target device, the processor specifically performs the following steps:
    Obtain the current flow table matching efficiency of each edge switch in the SDN, and take as target switches the edge switches whose current flow table matching efficiency is lower than the current flow table matching efficiency of the border network corresponding to the SDN, the border network corresponding to the SDN being determined by the at least one edge switch in the SDN;
    Using the first request message corresponding to the target switch as the basis, determine as the target physical port the physical port, among the at least one physical port of the target switch, with the highest data flow density of the first request message.
  43. The network device according to claim 31, characterized in that when marking the target data stream of the target physical port, the processor specifically performs the following step:
    Fill the hash value of the hardware address of the edge switch corresponding to the target device into a reserved field of the data packets of the target data stream on the target physical port; or,
    Encapsulate the packets of the target data stream on the target physical port using a generic encapsulation technique.
  44. The network device according to claim 31, characterized in that the processor, after reading the driver software from the memory and running it, further performs the following steps:
    Obtain, through the communication interface, the address information of the edge switches and of the data filtering devices in the SDN respectively;
    Obtain the topology information of the SDN;
    From the topology information, determine at least one data filtering device for each edge switch, and bind the address information of the determined data filtering device to the address information of the edge switch.
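Worked model of the two-stage check in claims 30-42 (request-rate anomaly in the first window, then flow-table matching efficiency against a threshold derived from history), added here as example code; it is not Huawei's implementation. It assumes the "first request message" is the switch's table-miss packet-in and the "second request message" is an OpenFlow flow-removed message; the 0.5 scaling factor in second_threshold, the per-entry averaging in current_efficiency and all sample numbers are constructed.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class FlowRemoved:
    """A 'second request message' (assumed: an OpenFlow flow-removed message)."""
    reason: str          # "idle_timeout" or "hard_timeout" (the claim's cause information)
    duration_sec: int    # seconds the entry lived in the flow table
    packet_count: int    # packets the entry matched while installed
    idle_timeout: int = 0

@dataclass
class EdgeSwitch:
    """Constructed per-switch view of one monitoring cycle (not a real OpenFlow API)."""
    name: str
    packet_ins_per_port: dict   # port -> 'first request messages' seen in the first window
    flow_stats: list            # (duration_sec, packet_count) per entry, reply to the query
    history: list               # FlowRemoved messages seen in the third window

def request_rate(sw: EdgeSwitch, window_sec: float) -> float:
    """Claim 32: first request messages per second in the first window."""
    return sum(sw.packet_ins_per_port.values()) / window_sec

def current_efficiency(sw: EdgeSwitch) -> float:
    """Claim 38: matched packets / duration per entry, averaged over the reply (assumed)."""
    return mean(p / d for d, p in sw.flow_stats if d > 0)

def history_efficiency(msg: FlowRemoved) -> float:
    """Claim 40: an idle-timed-out entry matched nothing in its last idle_timeout seconds."""
    active = msg.duration_sec - (msg.idle_timeout if msg.reason == "idle_timeout" else 0)
    return msg.packet_count / active if active > 0 else 0.0

def second_threshold(sw: EdgeSwitch, factor: float = 0.5) -> float:
    """Claim 39: threshold derived from history; the 0.5 scaling factor is an assumption."""
    return factor * mean(history_efficiency(m) for m in sw.history)

def detect_switch(sw, window_sec, first_threshold):
    """Claims 30-36 and 41 with one edge switch as target: (attacked, target_port)."""
    if request_rate(sw, window_sec) <= first_threshold:
        return False, None          # request rate normal: no flow-table query needed
    if current_efficiency(sw) > second_threshold(sw):
        return False, None          # busy, but installed entries are used: legitimate burst
    port = max(sw.packet_ins_per_port, key=sw.packet_ins_per_port.get)
    return True, port               # entries are almost never hit: flood of one-off flows

def detect_controller(switches, window_sec, first_threshold):
    """Claims 33, 37 and 42 with the controller as target: (attacked, [(switch, port)])."""
    if sum(request_rate(s, window_sec) for s in switches) <= first_threshold:
        return False, []
    effs = {s.name: current_efficiency(s) for s in switches}
    border_eff = mean(effs.values())            # claim 37: mean over all edge switches
    if border_eff > mean(second_threshold(s) for s in switches):
        return False, []
    suspects = [s for s in switches if effs[s.name] < border_eff]   # claim 42
    return True, [(s.name, max(s.packet_ins_per_port, key=s.packet_ins_per_port.get))
                  for s in suspects]

# Constructed sample: 10 s first window; sw2 sees a burst of table misses on port 1
HISTORY = [FlowRemoved("idle_timeout", 40, 300, 10), FlowRemoved("hard_timeout", 60, 600)]
SW1 = EdgeSwitch("sw1", {1: 20, 2: 25}, [(30, 300), (20, 150)], HISTORY)
SW2 = EdgeSwitch("sw2", {1: 500, 2: 30}, [(15, 1), (15, 1), (20, 2)], HISTORY)
```

With a first threshold of 20 requests per second, sw1 passes the rate check while sw2 fails it and then also fails the efficiency check, so both the per-switch and the controller-level variants flag sw2 port 1.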
CN201580031751.2A 2015-08-29 2015-08-29 Distributed denial of service (DDoS) attack detection method and related equipment Active CN108028828B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/088458 WO2017035717A1 (en) 2015-08-29 2015-08-29 Distributed denial of service attack detection method and associated device

Publications (2)

Publication Number Publication Date
CN108028828A true CN108028828A (en) 2018-05-11
CN108028828B CN108028828B (en) 2020-10-27

Family

ID=58186954

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580031751.2A Active CN108028828B (en) 2015-08-29 2015-08-29 Distributed denial of service (DDoS) attack detection method and related equipment

Country Status (2)

Country Link
CN (1) CN108028828B (en)
WO (1) WO2017035717A1 (en)

Also Published As

Publication number Publication date
WO2017035717A1 (en) 2017-03-09
CN108028828B (en) 2020-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210430

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Device Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.