CN108028828B - Distributed denial of service (DDoS) attack detection method and related equipment - Google Patents


Info

Publication number: CN108028828B
Authority: CN (China)
Application number: CN201580031751.2A
Other languages: Chinese (zh)
Other versions: CN108028828A
Inventors: 徐通, 郑涛, 董平, 孙嘉楠
Current Assignee: Honor Device Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The embodiment of the invention discloses a distributed denial of service (DDoS) attack detection method and related equipment, which are applied to a Software Defined Network (SDN), wherein the SDN comprises a controller and at least one boundary switch. Wherein the method comprises the following steps: monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, wherein the first request message is a request data stream which is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller; judging whether the target equipment is in an abnormal state or not by taking the current request rate as a basis; if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment; and determining whether the target equipment is attacked by the DDoS or not by taking the flow table matching information as a basis. By adopting the method and the device, the accuracy of DDoS attack detection aiming at the SDN can be improved.

Description

Distributed denial of service (DDoS) attack detection method and related equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a DDoS attack detection method and related devices.
Background
A Software Defined Network (SDN) is a novel network architecture that separates the control plane and the data plane of network devices, so that network traffic can be controlled flexibly, and provides a good platform for innovation in the core network and in applications. At the same time, an SDN also faces security issues, such as being vulnerable to Distributed Denial of Service (DDoS) attacks. In an SDN, every data flow newly entering the network must be submitted to the controller for processing in order to obtain a routing result, so the controller's processing performance degrades when an excessive number of requests reach it within a period of time. If a DDoS attacker forges and sends a large number of packets belonging to different flows, the controller's processing resources are consumed maliciously. Moreover, when the DDoS attack creates a large number of packets belonging to different flows and occupies controller resources, the controller may issue a large number of flow entries, which may overflow the flow table space of the underlying switching devices in the network. Therefore, how to effectively detect DDoS attacks on devices in an SDN has become an urgent problem to be solved.
Currently, only a few studies aim at detecting DDoS attacks on an SDN; one disclosed method detects that the controller in the SDN is under DDoS attack by using the change of entropy. When the network is normal, the destination IP address, the Virtual Local Area Network (VLAN) number, the destination port, or other fields of the data flows generally exhibit strong randomness, and the entropy value is large; when the controller is under DDoS attack, the randomness of one or more fields of the data flows is reduced and the entropy value is smaller, so whether the controller is under DDoS attack can be determined from the magnitude of the entropy value. Here the entropy value is used to measure the expected information content (uncertainty) of a random variable.
However, the entropy-based DDoS attack detection method depends on the difference in randomness between normal data flows and attack data flows: when the attack data flows are highly random, attacks are missed, and when the normal data flows are not very random, they are mistaken for attack data flows and false alarms occur. That is, the current DDoS attack detection method relies on the randomness of normal and attack data flows for detection, and its accuracy is low.
Disclosure of Invention
Embodiments of the present invention provide a DDoS attack detection method and related devices, which can improve accuracy of DDoS attack detection without depending on randomness of normal data streams and attack data streams for detection.
In a first aspect, an embodiment of the present invention provides a DDoS attack detection method, which is applied in a software defined network SDN, where the SDN includes a controller and at least one border switch, and includes:
monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, wherein the first request message is a request data stream which is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller;
judging whether the target equipment is in an abnormal state or not by taking the current request rate as a basis;
if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment;
and determining whether the target equipment is attacked by the DDoS or not by taking the flow table matching information as a basis.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the method further includes:
if the target device is determined to be attacked by the DDoS attack, determining a target physical port from at least one physical port of the boundary switch corresponding to the target device, where the target physical port is a physical port with the highest data stream density corresponding to the first request message in the first window of the at least one physical port;
marking a target data flow transmitted by the target physical port, wherein the target data flow is a data flow between switches in the SDN;
and redirecting the marked target data stream to a data filtering device bound with a boundary switch corresponding to the target device in advance, so that the data filtering device processes the marked target data stream.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the target device is a target border switch in the at least one border switch; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, including:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, the target device is the controller; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, including:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
With reference to the first aspect, or the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, or the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the determining, based on the current request rate, whether the target device is in an abnormal state includes:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined according to the request rate of a first request message in a preset second window;
and if the current request rate is higher than the first threshold value, determining that the target equipment is in an abnormal state.
With reference to the first aspect, or the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, or the third possible implementation manner of the first aspect, or the fourth possible implementation manner of the first aspect, in a fifth possible implementation manner of the first aspect, the querying flow table matching information corresponding to the target device includes:
sending a flow table information query instruction to a boundary switch corresponding to the target device;
receiving flow table matching information returned by the boundary switch corresponding to the target equipment in response to the flow table information query instruction;
the determining whether the target device is attacked by DDoS based on the flow table matching information includes:
calculating the current flow table matching efficiency corresponding to the target equipment by taking the flow table matching information as a basis;
judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined according to flow table matching efficiency obtained by flow table matching information statistics in a preset third window;
and if the current flow table matching efficiency does not exceed the second threshold value, determining that the target equipment is attacked by the DDoS.
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the target device is a target boundary switch in the at least one boundary switch; the calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information includes:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
With reference to the fifth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, the target device is the controller, and the boundary switches corresponding to the target device include all boundary switches in the SDN; the calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information includes:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN;
and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
With reference to the sixth possible implementation manner of the first aspect or the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the flow table matching information includes a second-level duration and a matching packet number; the flow table matching efficiency corresponding to the flow table matching information is calculated, and the method comprises the following steps:
and taking the quotient of the matching packet number and the second-level duration as the flow table matching efficiency corresponding to the flow table matching information.
With reference to the fifth possible implementation manner of the first aspect, in a ninth possible implementation manner of the first aspect, the method further includes:
monitoring a second request message of the boundary switch corresponding to the target device, wherein the second request message is generated according to flow table matching information in a preset third window;
calculating the matching efficiency of the historical flow table corresponding to the target device by taking the second request message as a basis;
and determining a second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
With reference to the ninth possible implementation manner of the first aspect, in a tenth possible implementation manner of the first aspect, the second request message includes reason information, a second-level duration, and a number of matching packets; the calculating the matching efficiency of the historical flow table corresponding to the target device based on the second request message includes:
analyzing the reason information;
if the reason information comprises idle overtime information, taking a quotient of the number of the matching packets and a target difference value as historical flow table matching efficiency corresponding to the target equipment, wherein the target difference value is a difference value between the second-level duration and idle time corresponding to the idle overtime information;
and if the reason information comprises hard timeout information, taking the quotient of the number of the matching packets and the second-level duration as the matching efficiency of the historical flow table corresponding to the target device.
With reference to the first possible implementation manner of the first aspect, in an eleventh possible implementation manner of the first aspect, the target device is a target border switch in the at least one border switch; the determining a target physical port from at least one physical port of the boundary switch corresponding to the target device includes:
and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
With reference to the first possible implementation manner of the first aspect, in a twelfth possible implementation manner of the first aspect, the target device is the controller; the determining a target physical port from at least one physical port of the boundary switch corresponding to the target device includes:
obtaining current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
With reference to the first possible implementation manner of the first aspect, in a thirteenth possible implementation manner of the first aspect, the marking a target data stream of the target physical port includes:
filling a hardware address Hash value of a boundary switch corresponding to the target equipment in a data packet idle field corresponding to a target data stream of the target physical port; or alternatively,
and performing data packet encapsulation on the target data stream of the target physical port by adopting a general encapsulation technology.
With reference to the first possible implementation manner of the first aspect, in a fourteenth possible implementation manner of the first aspect, the method further includes:
respectively acquiring address information of a boundary switch and data filtering equipment in the SDN;
acquiring topological structure information of the SDN;
and determining at least one data filtering device for the boundary switch according to the topological structure information, and binding the determined address information of the data filtering device with the address information of the boundary switch.
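The two-stage check described in the first aspect above (request rate in the first window, then flow table matching efficiency against a baseline learned from flow-removed messages in the third window) together with the per-port and per-switch selection of the eleventh and twelfth implementations, as an added Python example. This is not code from the patent; the message and field names (FlowStats, FlowRemoved, idle_timeout, packet-in) follow OpenFlow conventions and are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FlowStats:
    """One flow entry as reported in a flow-stats reply (the flow table matching information)."""
    duration_sec: int   # second-level duration: seconds since the entry was installed
    packet_count: int   # number of packets that matched the entry


@dataclass(frozen=True)
class FlowRemoved:
    """A flow-removed notification (the 'second request message') used to learn the baseline."""
    reason: str         # "idle_timeout" or "hard_timeout" (assumed reason encoding)
    duration_sec: int
    packet_count: int
    idle_timeout: int   # idle time configured on the removed entry, in seconds


def request_rate(packet_in_count: int, window_sec: float) -> float:
    """Stage 1: packet-in (first request message) rate of a device over the first window."""
    return packet_in_count / window_sec


def matching_efficiency(stats: Iterable[FlowStats]) -> float:
    """Current efficiency = matched packets / duration, averaged over the reported entries.
    Entries younger than one second are skipped so a fresh install cannot divide by zero."""
    vals = [s.packet_count / s.duration_sec for s in stats if s.duration_sec > 0]
    return mean(vals) if vals else 0.0


def historical_efficiency(removed: Iterable[FlowRemoved]) -> float:
    """Baseline (second threshold) from flow-removed messages seen in the third window.
    An idle-timed-out entry carried no packet during its last idle_timeout seconds, so that
    tail is subtracted from its lifetime; a hard-timed-out entry uses its full duration."""
    vals = []
    for r in removed:
        if r.reason == "idle_timeout":
            lifetime = r.duration_sec - r.idle_timeout
        elif r.reason == "hard_timeout":
            lifetime = r.duration_sec
        else:
            continue  # explicit deletions say nothing about traffic, ignore them
        if lifetime > 0:
            vals.append(r.packet_count / lifetime)
    return mean(vals) if vals else 0.0


def detect(packet_in_count: int, window_sec: float, first_threshold: float,
           stats: List[FlowStats], second_threshold: float) -> Tuple[bool, bool]:
    """Two-stage decision, returned as (abnormal, attacked). Flow stats are only consulted
    when the request rate is abnormal; a legitimate burst whose flows then carry real
    traffic keeps a high matching efficiency and is not flagged."""
    if request_rate(packet_in_count, window_sec) <= first_threshold:
        return False, False
    efficiency = matching_efficiency(stats)
    return True, efficiency <= second_threshold   # 'does not exceed' means attacked


def controller_efficiency(per_switch: Dict[str, float]) -> float:
    """Controller case: mean of the current efficiency of every boundary switch."""
    return mean(per_switch.values())


def lagging_switches(per_switch: Dict[str, float]) -> List[str]:
    """Switches whose efficiency is below the boundary network's: the target switches."""
    avg = controller_efficiency(per_switch)
    return [name for name, eff in per_switch.items() if eff < avg]


def target_port(packet_ins_by_port: Dict[int, int]) -> int:
    """Physical port whose packet-in density in the first window is highest."""
    return max(packet_ins_by_port, key=packet_ins_by_port.get)


# --- constructed sample data (not captured from a real switch) ---------------------------
BASELINE_REMOVED = [  # third window: flows that expired normally, both at 20 pkt/s
    FlowRemoved("idle_timeout", duration_sec=40, packet_count=600, idle_timeout=10),
    FlowRemoved("hard_timeout", duration_sec=60, packet_count=1200, idle_timeout=10),
]
FIRST_THRESHOLD = 50.0     # packet-ins per second learned over the second window (assumed)
NORMAL_STATS = [FlowStats(30, 900)] * 4                          # 30 pkt/s per entry
SPOOFED_STATS = [FlowStats(10, 1), FlowStats(10, 1), FlowStats(10, 2), FlowStats(30, 600)]


def run_scenarios() -> Dict[str, Tuple[bool, bool]]:
    second_threshold = historical_efficiency(BASELINE_REMOVED)      # 20.0 pkt/s
    return {
        # quiet: 200 packet-ins in a 10 s window, below the first threshold
        "quiet": detect(200, 10, FIRST_THRESHOLD, NORMAL_STATS, second_threshold),
        # flash crowd: many new flows, but each entry then matches plenty of packets
        "flash_crowd": detect(5000, 10, FIRST_THRESHOLD, NORMAL_STATS, second_threshold),
        # spoofed flows: many packet-ins and entries that hardly match anything
        "ddos": detect(5000, 10, FIRST_THRESHOLD, SPOOFED_STATS, second_threshold),
    }


if __name__ == "__main__":
    for name, (abnormal, attacked) in run_scenarios().items():
        print(f"{name:12s} abnormal={abnormal} attacked={attacked}")
    print("target port:", target_port({1: 40, 2: 4800, 3: 160}))
    print("lagging switches:", lagging_switches({"s1": 30.0, "s2": 5.1, "s3": 29.0}))
```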
In a second aspect, an embodiment of the present invention provides a DDoS attack detection apparatus, which is applied to a software defined network SDN, where the SDN includes a controller and at least one border switch, and includes:
a calculating module, configured to monitor a first request message in a preset first window, and calculate a current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream that needs to be processed by the controller and is sent to the controller by a border switch corresponding to the target device;
an anomaly judgment module, configured to judge whether the target device is in an abnormal state based on the current request rate;
the query module is used for querying flow table matching information corresponding to the target device when the judgment result of the anomaly judgment module is that the target device is in an abnormal state;
and the attack determining module is used for determining whether the target equipment is attacked by the DDoS according to the flow table matching information.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the apparatus further includes:
a port determining module, configured to determine, when it is determined that the target device is attacked by DDoS, a target physical port from at least one physical port of a boundary switch corresponding to the target device, where the target physical port is a physical port with a largest data stream density corresponding to the first request message in the first window of the at least one physical port;
a marking module, configured to mark a target data flow transmitted by the target physical port, where the target data flow is a data flow between switches in the SDN;
and the redirection module is used for redirecting the marked target data stream to a data filtering device which is bound with a boundary switch corresponding to the target device in advance so that the data filtering device processes the marked target data stream.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a second possible implementation manner of the second aspect, the target device is a target border switch in the at least one border switch; the calculation module comprises:
the first monitoring unit is used for monitoring a first request message sent by the target boundary switch in a preset first window;
a first calculating unit, configured to calculate a request rate of the first request message, and use the calculated request rate as a current request rate of the target border switch for the first request message.
With reference to the second aspect or the first possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the target device is the controller; the calculation module comprises:
a second monitoring unit, configured to monitor a first request message sent by each border switch in the SDN within a preset first window;
the second computing unit is used for respectively counting the request rate of the first request message sent by each boundary switch in the first window;
the second computing unit is further configured to obtain current request rates of the border networks determined by all border switches in the SDN within the first window according to the request rate statistics of each border switch, and use the current request rates of the border networks as current request rates of the controller for the first request message.
With reference to the second aspect, or the first possible implementation manner of the second aspect, or the second possible implementation manner of the second aspect, or the third possible implementation manner of the second aspect, in a fourth possible implementation manner of the second aspect, the abnormality determining module includes:
a first judging unit, configured to judge whether the current request rate is higher than a preset first threshold corresponding to the target device, where the first threshold is determined according to a request rate of a first request message in a preset second window;
a first determining unit, configured to determine that the target device is in an abnormal state when the judgment result of the first judging unit is that the current request rate is higher than the first threshold.
With reference to the second aspect, or the first possible implementation manner of the second aspect, or the second possible implementation manner of the second aspect, or the third possible implementation manner of the second aspect, or the fourth possible implementation manner of the second aspect, in a fifth possible implementation manner of the second aspect, the query module includes:
the instruction sending unit is used for sending a flow table information query instruction to a boundary switch corresponding to the target equipment when the target equipment is in an abnormal state;
the information receiving unit is used for receiving flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information inquiry instruction;
the attack determination module includes:
the efficiency calculating unit is used for calculating the current flow table matching efficiency corresponding to the target equipment by taking the flow table matching information as a basis;
a second judging unit, configured to judge whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, where the second threshold is determined according to the flow table matching efficiency obtained by statistics of flow table matching information in a preset third window;
a second determining unit, configured to determine that the target device is attacked by DDoS when a determination result of the second determining unit is that the current flow table matching efficiency does not exceed the second threshold.
With reference to the fifth possible implementation manner of the second aspect, in a sixth possible implementation manner of the second aspect, the target device is a target boundary switch in the at least one boundary switch; the efficiency calculation unit is specifically configured to:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
With reference to the fifth possible implementation manner of the second aspect, in a seventh possible implementation manner of the second aspect, the target device is the controller, and the boundary switches corresponding to the target device include all boundary switches in the SDN; the efficiency calculation unit is specifically configured to:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN; and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
With reference to the fifth possible implementation manner of the second aspect, in an eighth possible implementation manner of the second aspect, the apparatus further includes:
the efficiency determining module is configured to monitor a second request message of the boundary switch corresponding to the target device, and calculate a historical flow table matching efficiency corresponding to the target device based on the second request message, where the second request message is generated according to flow table matching information in a preset third window;
and the threshold value determining module is used for determining a second threshold value corresponding to the target equipment according to the historical flow table matching efficiency corresponding to the target equipment.
With reference to the eighth possible implementation manner of the second aspect, in a ninth possible implementation manner of the second aspect, the second request message includes reason information, a second-level duration, and a number of matching packets; the efficiency determination module includes:
the analysis unit is used for analyzing the reason information;
a third determining unit, configured to, when the analysis result of the analyzing unit is that the reason information includes idle timeout information, use a quotient of the matching packet number and a target difference as a historical flow table matching efficiency corresponding to the target device, where the target difference is a difference between the second-level duration and idle time corresponding to the idle timeout information;
the third determining unit is further configured to, when the analysis result of the analyzing unit is that the reason information includes hard timeout information, use a quotient of the number of matching packets and the second-level duration as a historical flow table matching efficiency corresponding to the target device.
With reference to the first possible implementation manner of the second aspect, in a tenth possible implementation manner of the second aspect, the target device is a target boundary switch in the at least one boundary switch; the port determination module is specifically configured to:
and when the target boundary switch is determined to be attacked by the DDoS attack, determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
With reference to the first possible implementation manner of the second aspect, in an eleventh possible implementation manner of the second aspect, the target device is the controller; the port determination module is specifically configured to:
when the controller is determined to be attacked by DDoS, acquiring current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
With reference to the first possible implementation manner of the second aspect, in a twelfth possible implementation manner of the second aspect, the marking module is specifically configured to:
filling a hardware address Hash value of a boundary switch corresponding to the target equipment in a data packet idle field corresponding to a target data stream of the target physical port; or alternatively,
and performing data packet encapsulation on the target data stream of the target physical port by adopting a general encapsulation technology.
With reference to the first possible implementation manner of the second aspect, in a thirteenth possible implementation manner of the second aspect, the apparatus further includes:
an obtaining module, configured to obtain address information of a boundary switch and a data filtering device in the SDN, respectively;
the obtaining module is further configured to obtain topology structure information of the SDN;
and the binding determining module is used for determining at least one data filtering device for the boundary switch according to the topological structure information and binding the address information of the determined data filtering device with the address information of the boundary switch.
In a third aspect, an embodiment of the present invention provides a network device applied to a software defined network SDN, where the SDN includes a controller and at least one border switch, and the network device includes a communication interface, a memory and a processor, where the processor is connected to the communication interface and to the memory; wherein:
the memory is used for storing driving software;
the processor reads the driving software from the memory and executes under the action of the driving software:
monitoring a first request message in a preset first window through the communication interface, and calculating a current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream which is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller;
judging whether the target equipment is in an abnormal state or not by taking the current request rate as a basis;
if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment;
and determining whether the target equipment is attacked by the DDoS or not by taking the flow table matching information as a basis.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the processor reads the driver software from the memory and further performs, under the action of the driver software, the following steps:
if the target device is determined to be attacked by the DDoS attack, determining a target physical port from at least one physical port of the boundary switch corresponding to the target device, where the target physical port is a physical port with the highest data stream density corresponding to the first request message in the first window of the at least one physical port;
marking a target data flow transmitted by the target physical port, wherein the target data flow is a data flow between switches in the SDN;
and redirecting the marked target data stream to a data filtering device bound with a boundary switch corresponding to the target device in advance through the communication interface so that the data filtering device processes the marked target data stream.
With reference to the third aspect or the first possible implementation manner of the third aspect, in a second possible implementation manner of the third aspect, the target device is a target border switch in the at least one border switch; the processor, when executing the monitoring of the first request message in the preset first window and calculating a current request rate of a target device in the SDN for the first request message, specifically executes the following steps:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
With reference to the third aspect or the first possible implementation manner of the third aspect, in a third possible implementation manner of the third aspect, the target device is the controller; the processor, when executing the monitoring of the first request message in the preset first window and calculating a current request rate of a target device in the SDN for the first request message, specifically executes the following steps:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
With reference to the third aspect, or the first possible implementation manner of the third aspect, or the second possible implementation manner of the third aspect, or the third possible implementation manner of the third aspect, in a fourth possible implementation manner of the third aspect, when the processor determines, based on the current request rate, whether the target device is in an abnormal state, the processor specifically performs the following steps:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined according to the request rate of a first request message in a preset second window;
and if the current request rate is higher than the first threshold, determining that the target device is in an abnormal state.
With reference to the third aspect, or the first possible implementation manner of the third aspect, or the second possible implementation manner of the third aspect, or the third possible implementation manner of the third aspect, or the fourth possible implementation manner of the third aspect, in a fifth possible implementation manner of the third aspect, when the processor performs the query on the flow table matching information corresponding to the target device, the processor specifically performs the following steps:
sending a flow table information query instruction to a boundary switch corresponding to the target device through the communication interface;
receiving flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information query instruction through the communication interface;
when the processor determines whether the target device is attacked by DDoS based on the flow table matching information, the following steps are specifically executed:
calculating the current flow table matching efficiency corresponding to the target equipment by taking the flow table matching information as a basis;
judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined according to flow table matching efficiency obtained by flow table matching information statistics in a preset third window;
and if the current flow table matching efficiency does not exceed the second threshold, determining that the target device is attacked by the DDoS.
With reference to the fifth possible implementation manner of the third aspect, in a sixth possible implementation manner of the third aspect, the target device is a target boundary switch in the at least one boundary switch; when the processor calculates the current flow table matching efficiency corresponding to the target device based on the flow table matching information, the following steps are specifically executed:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
With reference to the fifth possible implementation manner of the third aspect, in a seventh possible implementation manner of the third aspect, the target device is the controller, and the boundary switches corresponding to the target device include all boundary switches in the SDN; when the processor calculates the current flow table matching efficiency corresponding to the target device based on the flow table matching information, the following steps are specifically executed:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN;
and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
With reference to the sixth possible implementation manner of the third aspect or the seventh possible implementation manner of the third aspect, in an eighth possible implementation manner of the third aspect, the flow table matching information includes a second-level duration and a matching packet number; when the processor performs calculation of the flow table matching efficiency corresponding to the flow table matching information, the following steps are specifically performed:
and taking the quotient of the matching packet number and the second-level duration as the flow table matching efficiency corresponding to the flow table matching information.
With reference to the fifth possible implementation manner of the third aspect, in a ninth possible implementation manner of the third aspect, the processor is further configured to execute the following steps:
monitoring a second request message of the boundary switch corresponding to the target device, wherein the second request message is generated according to flow table matching information in a preset third window;
calculating the matching efficiency of the historical flow table corresponding to the target device by taking the second request message as a basis;
and determining a second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
With reference to the ninth possible implementation manner of the third aspect, in a tenth possible implementation manner of the third aspect, the second request message includes reason information, a second-level duration, and a number of matching packets; when the processor calculates the matching efficiency of the historical flow table corresponding to the target device based on the second request message, the processor specifically executes the following steps:
analyzing the reason information;
if the reason information comprises idle overtime information, taking a quotient of the number of the matching packets and a target difference value as historical flow table matching efficiency corresponding to the target equipment, wherein the target difference value is a difference value between the second-level duration and idle time corresponding to the idle overtime information;
and if the reason information comprises hard timeout information, taking the quotient of the number of the matching packets and the second-level duration as the matching efficiency of the historical flow table corresponding to the target device.
With reference to the first possible implementation manner of the third aspect, in an eleventh possible implementation manner of the third aspect, the target device is a target boundary switch in the at least one boundary switch; when the processor determines a target physical port from the at least one physical port of the boundary switch corresponding to the target device, specifically performing the following steps:
and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
With reference to the first possible implementation manner of the third aspect, in a twelfth possible implementation manner of the third aspect, the target device is the controller; when the processor determines a target physical port from the at least one physical port of the boundary switch corresponding to the target device, specifically performing the following steps:
obtaining current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
With reference to the first possible implementation manner of the third aspect, in a thirteenth possible implementation manner of the third aspect, when the processor performs marking on the target data stream of the target physical port, the processor specifically performs the following steps:
filling a hardware address hash value of a boundary switch corresponding to the target device in an idle field of the data packets of the target data stream of the target physical port; or alternatively,
and performing data packet encapsulation on the target data stream of the target physical port by adopting a general encapsulation technology.
With reference to the first possible implementation manner of the third aspect, in a fourteenth possible implementation manner of the third aspect, the processor reads the driver software from the memory and further performs the following steps under the action of the driver software:
respectively acquiring address information of a boundary switch and data filtering equipment in the SDN through the communication interface;
acquiring topological structure information of the SDN;
determining at least one data filtering device for the boundary switch according to the topology information; and
binding the address information of the determined data filtering device with the address information of the boundary switch.
Compared with the prior art, the embodiment of the invention has the following beneficial effects:
the embodiment of the invention can calculate the current request rate corresponding to the target equipment in the SDN through the monitored first request message, and judge whether the target equipment is in an abnormal state according to the current request rate, thereby realizing the purpose of determining whether the target equipment is attacked by DDoS (distributed denial of service) by further inquiring the current flow table matching information when the target equipment is in the abnormal state. The DDoS attack detection method of the embodiment of the invention does not need to rely on the randomness of normal data flow and attack data flow, thereby improving the accuracy of DDoS attack detection.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a diagram of an SDN system architecture provided by an embodiment of the present invention;
fig. 2 is a schematic flow chart of a DDoS attack detection method according to an embodiment of the present invention;
fig. 3 is a schematic flow chart of a DDoS attack protection method according to an embodiment of the present invention;
fig. 4 is an application scenario diagram of a DDoS attack detection and protection method provided by an embodiment of the present invention;
fig. 5 is a schematic flowchart of a DDoS attack detection and protection method according to an embodiment of the present invention;
fig. 6 is a schematic flowchart of another DDoS attack detection and protection method according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a DDoS attack detection apparatus according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another DDoS attack detection apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a network device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that the technical solution of the embodiment of the present invention may be specifically applied to a software defined network SDN, and specifically relates to a DDoS attack detection scheme for the SDN, so that accuracy of DDoS attack detection can be improved.
A specific architecture of the software defined network SDN is explained below. Referring to fig. 1, fig. 1 is a diagram illustrating an SDN system architecture according to an embodiment of the present invention. Specifically, as shown in fig. 1, the SDN includes a controller, at least one boundary switch, and an internal switch. Wherein the at least one border switch (only two shown in figure 1) determines a border network in the SDN. Communication between the controller and each switch (including the border switch and the internal switch) is performed via control links (shown by dotted lines in the figure), including transmission of request packets generated by the switches, transmission of query and response messages between the controller and the switches, and the like. In addition, the switches can also communicate with each other through a communication link (shown as a solid line in the figure), such as transmitting data flow of users (including attackers) in the current network.
Please refer to fig. 2, which is a flowchart illustrating a DDoS attack detection method according to an embodiment of the present invention, specifically, the method according to the embodiment of the present invention may be specifically applied to a software defined network SDN, where the SDN includes a controller and at least one border switch, and as shown in fig. 2, the method according to the embodiment of the present invention may include the following steps:
S101: monitoring a first request message in a preset first window in the current SDN, and calculating a current request rate of a target device in the SDN for the first request message.
It should be noted that the method according to the embodiment of the present invention may be specifically applied to a network device, such as a controller in the SDN or other independently configured detection devices, and the embodiment of the present invention is not limited thereto.
The first request message is a request data flow, such as a PacketIN data flow, which is sent to the controller by a boundary switch corresponding to a target device in the SDN and needs to be processed by the controller. The first request message is specifically a data flow between the SDN controller and the switch. The target device may be specifically a controller in the SDN or any boundary switch, that is, the embodiment of the present invention can implement DDoS attack detection on the controller in the SDN network, also implement DDoS attack detection on the boundary switch in the SDN, and also implement DDoS attack detection on the controller and the boundary switch in the SDN at the same time.
Specifically, the first window may refer to a time window or a number window, that is, the current request rate is calculated according to the first request message in a current certain time window, or calculated according to the first request message in a current certain number window.
Optionally, the target device may be a target boundary switch of the at least one boundary switch; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message may specifically be: monitoring a first request message sent by the target boundary switch in a preset first window; and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message. That is to say, when detecting a DDoS attack on a boundary switch, a current request rate, which is a request rate of the target boundary switch for the first request message in a current time window or quantity window, may be calculated by monitoring a first request message, such as a PacketIN message, sent to a controller in the current time window or quantity window of the target boundary switch in the SDN network. Wherein the target boundary switch may be any boundary switch in the SDN.
Optionally, the target device may also be a controller in the SDN network; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message may specifically be: monitoring a first request message sent by each boundary switch in the SDN in a preset first window; respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window; and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate corresponding to the controller. That is to say, when detecting a DDoS attack on the controller, the first request message, such as a PacketIN message, sent to the controller by each border switch in the SDN within the current time window or quantity window is monitored, and the request rate of each border switch for the first request message in that window is obtained; the current request rate of the border network is then derived from the per-switch request rates, for example as their sum, and taken as the current request rate corresponding to the controller.
S102: and judging whether the target equipment is in an abnormal state or not according to the current request rate.
In a specific embodiment, whether the target device is in an abnormal state may be determined by detecting whether the current request rate of the target device satisfies a preset rule.
Optionally, the determining, based on the current request rate, whether the target device is in an abnormal state may specifically be: judging whether the current request rate is higher than a preset first threshold corresponding to the target device; and if the current request rate is higher than the first threshold, determining that the target device is in an abnormal state. The first threshold may be determined according to a request rate of the first request message within a preset second window. The second window may also be a time window or a quantity window, that is, a historical request rate corresponding to the first request message in the window is obtained by monitoring the first request message in a certain time window or quantity window and calculating, so as to determine the first threshold according to the historical request rate. Further, the target device may be a border switch or a controller; the first threshold corresponding to the border switch is determined by a historical request rate calculated according to the monitored first request message of the border switch in the second window, and the first threshold corresponding to the controller is determined by a historical request rate of the border network calculated according to the monitored first request message of each border switch in the SDN in the second window.
Further optionally, it may be preset that when the current request rates corresponding to the first window are counted for multiple times continuously and are all higher than the first threshold, it is determined that the target device is in the abnormal state. Specifically, the current request rate corresponding to the first window may be counted, and whether the current request rate is higher than a preset first threshold corresponding to the target device is determined; if the current request rate is higher than the first threshold value, continuing to monitor the first request message in the first window, counting a new current request rate corresponding to the first window, and judging whether the new current request rate is higher than the first threshold value; and repeating the steps of monitoring the first request message in the first window and counting the new current request rate corresponding to the first window until the current request rate is higher than the first threshold value after m times of continuous judgment, and determining that the target device is in an abnormal state.
S103: and if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment.
Specifically, the flow table matching information corresponding to the target device may include flow table matching information generated according to the first request message corresponding to the target device monitored in the first window, and may further include flow table matching information already existing in the boundary switch corresponding to the target device before the first window; specifically, it may be the flow table matching information of a current certain time window or quantity window. The flow table matching information may include field information such as duration_sec (the time the flow entry has been installed, in seconds) and packet_count (the number of packets matched by the entry).
S104: and determining whether the target equipment is attacked by the DDoS or not by taking the flow table matching information as a basis.
In a specific embodiment, the querying of the flow table matching information corresponding to the target device may specifically be: sending a flow table information query instruction to a boundary switch corresponding to the target device; and receiving flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information query instruction. Further, the determining whether the target device is attacked by DDoS based on the flow table matching information may specifically be: calculating the current flow table matching efficiency corresponding to the target device by taking the flow table matching information as a basis; judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device; and if the current flow table matching efficiency does not exceed the second threshold, determining that the target device is attacked by the DDoS.
And the second threshold is determined according to the flow table matching efficiency obtained by counting the flow table matching information in the preset third window. The third window may also be a time window or a number window, that is, the second threshold may be determined according to flow table matching information in a certain time window or number window. Further, the target device may be a boundary switch or a controller, the second threshold corresponding to the boundary switch is determined by flow table matching efficiency calculated according to flow table matching information of the boundary switch in the third window, and the second threshold corresponding to the controller is determined by flow table matching efficiency of the boundary network calculated according to flow table matching information of each boundary switch in the third window in the SDN.
Optionally, the target device may be a target boundary switch of the at least one boundary switch; the calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information may specifically be: and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
Optionally, the target device may also be the controller, and the boundary switches corresponding to the target device include all boundary switches in the SDN; then, the calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information may specifically be: respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN; and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
Further optionally, the flow table matching information includes a second-level duration and a matching packet number; calculating the flow table matching efficiency corresponding to the flow table matching information, which may specifically be: and taking the quotient of the matching packet number and the second-level duration as the flow table matching efficiency corresponding to the flow table matching information.
Further, the second threshold value can be set according to the historical flow table request rate of the boundary switch corresponding to the target device. Specifically, a second request message of the boundary switch corresponding to the target device may be monitored, where the second request message is generated according to flow table matching information in a preset third window; calculating the matching efficiency of the historical flow table corresponding to the target device by taking the second request message as a basis; and determining a second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device. Specifically, the second request message may include reason information, a second-level duration, and a number of matching packets; the calculating the matching efficiency of the historical flow table corresponding to the target device based on the second request message may specifically be: analyzing the reason information; if the reason information comprises idle overtime information, taking a quotient of the number of the matching packets and a target difference value as historical flow table matching efficiency corresponding to the target equipment, wherein the target difference value is a difference value between the second-level duration and idle time corresponding to the idle overtime information; and if the reason information comprises hard timeout information, taking the quotient of the number of the matching packets and the second-level duration as the matching efficiency of the historical flow table corresponding to the target device.
In a specific embodiment, if the determination result is that the target device is not attacked by DDoS, the controller may perform conventional load balancing optimization. If the judgment result shows that the target equipment is attacked by the DDoS, the DDoS attack can be further protected according to a preset protection rule.
In the embodiment of the invention, the current request rate corresponding to the target device in the SDN network can be obtained through the monitored first request message, and whether the target device is in an abnormal state is judged according to the current request rate, so that when the target device is in the abnormal state, whether the target device is attacked by DDoS (distributed denial of service) is determined by further inquiring the current flow table matching information. The DDoS attack detection method of the embodiment of the invention does not need to rely on the randomness of normal data flow and attack data flow, thereby improving the accuracy of DDoS attack detection.
Further, after detecting that the current SDN is attacked by DDoS, for example, a controller or a switch in the SDN is attacked by DDoS, the DDoS attack may be protected according to a pre-configured protection rule. Specifically, please refer to fig. 3, which is a flowchart illustrating a DDoS attack protection method according to an embodiment of the present invention, and as shown in fig. 3, the protection method according to the embodiment of the present invention includes the following steps:
s201: and if the target equipment is determined to be attacked by the DDoS, determining a target physical port from at least one physical port of the boundary switch corresponding to the target equipment.
Each boundary switch includes at least one physical port, and the target physical port is a physical port with the largest data stream density corresponding to the first request message in the first window of the at least one physical port, that is, a physical port with the largest number of requests for the first request message in unit time in the first window.
Optionally, the target device may be a target boundary switch in the at least one boundary switch, that is, when it is detected that a device under DDoS attack in the SDN network is a boundary switch, the target device may be determined from at least one physical port of the boundary switch corresponding to the target device, and the determining may specifically be: and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
Optionally, the target device may also be a controller in the SDN, that is, when it is detected that a device subjected to DDoS attack in the SDN network is the controller, the determining a target physical port from at least one physical port of a boundary switch corresponding to the target device may specifically be: obtaining current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN; and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
S202: and marking the target data stream transmitted by the target physical port.
The target data flow may be specifically a data flow between switches in the software defined network SDN, that is, a data flow of a user (including an attacker) in the SDN.
Optionally, the marking the target data stream of the target physical port may specifically be: filling a hardware address Hash value of a boundary switch corresponding to the target equipment in a data packet idle field corresponding to a target data stream of the target physical port; or, performing data packet encapsulation on the target data stream of the target physical port by adopting a general encapsulation technology. In addition, the priority of the marked target data stream can be set to be the highest so as to conveniently redirect the target data stream to the data filtering device bound with the target device in time.
S203: and redirecting the marked target data stream to a data filtering device bound with a boundary switch corresponding to the target device in advance, so that the data filtering device processes the marked target data stream.
In a specific embodiment, address information of a boundary switch and address information of a data filtering device in the SDN may be obtained respectively; acquiring topological structure information of the SDN; and determining at least one data filtering device for the boundary switch according to the topological structure information, and binding the determined address information of the data filtering device with the address information of the boundary switch. Specifically, at least one data filtering device may be bound to each boundary switch, for example, the data filtering device may be bound to each boundary switch according to a topology structure of the SDN network and/or a load condition of each data filtering device, and the data filtering device is used to process a data flow redirected by the boundary switch corresponding to a target device when the target device is attacked by DDoS, so as to implement DDoS attack protection.
Further, if the target device is still in the DDoS attack state after a preset certain time window (or number window), according to the newly received first request message and the flow table matching information, a physical port with the maximum data flow density corresponding to the first request message, except the last determined target physical port, of the plurality of physical ports in the boundary switch corresponding to the target device may be determined as a new target physical port, and the target data flow of the new target physical port is marked and then redirected to the bound data filtering device. And so on, thereby realizing gradually redirecting the port data flow with more concentrated attack to the data filtering equipment so as to realize the protection of DDoS attack.
When the target device attacked by the DDoS recovers to the normal state after the redirection protection is performed, and is no longer in the abnormal state, the data stream marking and redirection processing of the target physical port with the highest attack data stream density can be stopped.
In the embodiment of the present invention, when it is detected that a target device such as a switch or a controller in an SDN network is attacked by DDoS, protection against DDoS attack on the target device can be achieved by determining a target physical port with the highest DDoS attack-suffering data flow density in a boundary switch corresponding to the target device, marking a target data flow of the target physical port, and redirecting to the bound data filtering device. Compared with the prior art that a plurality of controllers are configured, when the data processing capacity of the currently used controller exceeds a preset data capacity threshold value, other idle controllers are started, the data packet received by the controller exceeding the threshold value is extracted by using a data packet header analysis method, and therefore a protection mode that a flow issuing table discards, intercepts and blocks the data flow at a switch end is adopted.
Fig. 4 is a diagram of an application scenario for detecting and protecting against DDoS attacks according to an embodiment of the present invention. Specifically, as shown in fig. 4, an SDN according to an embodiment of the present invention includes a controller, a boundary switch X, a boundary switch Y, an internal switch, and data filtering devices bound to boundary switch X and boundary switch Y respectively (it is assumed that boundary switch X and boundary switch Y are bound to the same data filtering device, and only the connection between boundary switch X and the data filtering device is shown in fig. 4); boundary switch X and boundary switch Y determine the boundary network corresponding to the SDN. The controller communicates with the switches (including the boundary switches and the internal switch) via control links (shown as dotted lines), which carry the request messages generated by the switches and the query and response messages exchanged between the controller and the switches. The switches communicate with each other through communication links (shown as solid lines), which carry, for example, the data flows of users (including attackers) in the current network. The DDoS attack detection and protection method according to the embodiment of the present invention is described in detail below, taking a switch and the controller respectively as the target device.
Fig. 5, which should be read together with fig. 4, is a flowchart of a DDoS attack detection and protection method provided in an embodiment of the present invention, in which the target device is a boundary switch in the SDN network, that is, DDoS attack detection and protection is performed on a certain boundary switch (hereinafter referred to as the target boundary switch). As shown in fig. 5, the DDoS attack detection and protection method according to the embodiment of the present invention includes:
S301: Presetting a first threshold and a second threshold corresponding to the target boundary switch.
In a specific embodiment, the first request messages, such as PacketIN messages, sent to the controller by the target boundary switch may be monitored for a period of time, such as a week (the target boundary switch is any boundary switch in the SDN, that is, it may be boundary switch X or boundary switch Y, and boundary switches X and Y may also be monitored at the same time), so as to calculate the historical request rate of the target boundary switch for PacketIN messages and set the first threshold for the target boundary switch according to that historical request rate. Both boundary switches and internal switches generate PacketIN messages whose source address is their own address; that is, boundary switch X only generates PacketIN messages whose source address is its own address and never PacketIN messages whose source address is that of an internal switch. Therefore, when the controller receives a PacketIN request message, it can perform the statistics by checking whether the source address of the PacketIN is the address of boundary switch X. Specifically, when the controller observes that the source address of a PacketIN message is the address of an internal switch, no statistical processing is performed; when the source address of the observed PacketIN message is the address of boundary switch X, the message is counted, and its source address, arrival time and arrival count are recorded.
According to the recorded PacketIN messages of boundary switch X, one or more preset windows may be selected, such as a quantity window N (the second window), for example N = 100, and the request rate of boundary switch X, that is, the historical request rate, is calculated every time 100 PacketIN messages are received, as N/t, where t is the time corresponding to the quantity window, that is, the time taken to receive the N PacketIN messages (the value of t generally differs between windows). That is, the PacketIN messages counted for calculating the request rate are those sent to the controller by the target boundary switch with the source address of the target boundary switch. Further, a first threshold for determining whether boundary switch X is in an abnormal state may be set for boundary switch X according to a plurality of historical request rates of boundary switch X calculated over a period of time, in combination with actual conditions such as the hardware and service characteristics of boundary switch X.
In addition, the second threshold may also be determined from the flow table matching efficiency obtained by statistics of flow table matching information in a preset third window, for example by monitoring the FlowRemoved flow table deletion messages (second request messages) sent to the controller by boundary switch X over a period of time, such as a week, to calculate the historical flow table matching efficiency of the target boundary switch, and setting the second threshold for determining whether the target boundary switch is under DDoS attack according to that historical flow table matching efficiency. The FlowRemoved message is generated according to the flow table matching information of boundary switch X; specifically, it is the message generated when boundary switch X deletes one of its flow table entries. Specifically, when the source address of an observed FlowRemoved message is the address of an internal switch, the content of the message is not extracted or recorded; when the source address of the observed FlowRemoved message is the address of boundary switch X, the reason field, the duration in seconds (duration_sec) and the matched packet count (packet_count) are extracted from the message. If the reason field is IDLE_TIMEOUT, the historical flow table matching efficiency of the data flow may be calculated as: flow table matching efficiency = packet_count ÷ (duration_sec − idle timeout duration); if the reason field is HARD_TIMEOUT or DELETE, the flow table matching efficiency of the data flow may be calculated as: flow table matching efficiency = packet_count ÷ duration_sec.
According to the plurality of historical flow table matching efficiencies of boundary switch X in a preset window, such as a preset quantity window N (the third window), the distribution of the historical flow table matching efficiency of boundary switch X is obtained by statistical processing, and the second threshold may be set for boundary switch X in combination with actual conditions such as the security risk and service characteristics of boundary switch X.
S302: and monitoring a first request message sent by the target boundary switch in a preset first window.
S303: and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
In a specific embodiment, a PacketIN message, i.e., a first request message, sent to the controller by the border switch X may be monitored in real time, and a source address, an arrival time, and an arrival number of the message may be recorded. Determining a preset first window, such as a quantity window N, for example, N equals 100, that is, calculating the request rate of the border switch X, i.e., the current request rate, once every 100 PacketIN messages from the border switch X are received by the controller.
S304: determining whether the current request rate is above the first threshold.
S305: and if the value is higher than the first threshold value, determining that the target boundary switch is in an abnormal state.
In an embodiment, the state of the boundary switch X may be determined as an abnormal state when the current request rate of the boundary switch X is higher than the first threshold m times consecutively, where m is an integer greater than 0. Specifically, the current request rate of the boundary switch X may be compared with a first threshold corresponding to the boundary switch X, if the current request rate of the target boundary switch is higher than (or equal to) the first threshold, a counter corresponding to the boundary switch X is incremented by one, and if the current request rate of the boundary switch X is lower than the first threshold, the counter is cleared. When the counter corresponding to the boundary switch X is detected to be accumulated to m, the target boundary switch can be determined to be in an abnormal state.
S306: and sending a flow table information query instruction to the target boundary switch.
S307: and receiving flow table matching information returned by the target boundary switch in response to the flow table information inquiry instruction, and calculating the current flow table matching efficiency corresponding to the target boundary switch.
In a specific embodiment, when it is detected that the border switch X is in an abnormal state, in order to further determine whether the abnormality is caused by a burst of large traffic or a DDoS attack, the controller may send a flow table information query instruction (the instruction is a standard signaling specified by an OpenFlow protocol) to the border switch X in the abnormal state, where the flow table information query instruction is used to query current matching information of its internal flow table, that is, flow table matching information corresponding to the border switch X, and includes second-level duration _ sec and packet number matching _ count information. To determine whether the anomaly was caused by an attack.
According to the query result, the current flow table matching efficiency of the boundary switch X currently in an abnormal state can be calculated, for example: the current flow table matching efficiency is matching packet number packet _ count ÷ duration _ sec.
S308: and judging whether the matching efficiency of the current flow table exceeds the second threshold value.
S309: and if the target boundary switch does not exceed the second threshold value, determining that the target boundary switch is attacked by DDoS.
In a specific embodiment, the calculated current flow table matching efficiency of the boundary switch X may be compared with a second threshold corresponding to the boundary switch X, and if the current flow table matching efficiency is higher than the second threshold, it may indicate that the boundary switch X is not attacked by DDoS, and the anomaly may be caused by a large burst traffic; if the matching efficiency of the current table is lower than or equal to the second threshold, it can indicate that the boundary switch X is attacked by DDoS.
When determining that the boundary switch X is attacked by DDoS, further realizing the protection of the DDoS attack according to attack related detection information, including packetIN statistical information, flow table matching information and the like in the m windows N; if the DDoS attack is not encountered, the controller can carry out conventional optimization such as complex equalization and the like.
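As an added example, not code from the patent, the following Python implements the per-switch detection of S301 to S309: the historical matching efficiency of a FlowRemoved entry, the quantity window of N PacketIN messages with the m-consecutive-window counter, and the classification of the flow-stats reply against the second threshold. The window span (first to last arrival), the averaging of per-entry efficiencies across the stats reply, and all sample values are assumptions.

```python
"""Added example: DDoS detection for one boundary switch (not the patent's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# FlowRemoved reason codes as named in the text.
IDLE_TIMEOUT = "IDLE_TIMEOUT"
HARD_TIMEOUT = "HARD_TIMEOUT"
DELETE = "DELETE"


def flow_removed_efficiency(reason: str, duration_sec: int,
                            packet_count: int, idle_timeout: int) -> float:
    """Historical matching efficiency (matched packets per second) of one removed entry.

    IDLE_TIMEOUT: the entry sat idle for idle_timeout seconds before removal, so only
    duration_sec - idle_timeout seconds actually carried traffic.
    HARD_TIMEOUT / DELETE: the whole lifetime counts.
    """
    if reason == IDLE_TIMEOUT:
        active = duration_sec - idle_timeout
    elif reason in (HARD_TIMEOUT, DELETE):
        active = duration_sec
    else:
        raise ValueError(f"unknown FlowRemoved reason: {reason}")
    return packet_count / active if active > 0 else 0.0


def window_rate(arrivals: List[float]) -> float:
    """Request rate N/t of one quantity window: N messages over the time t they spanned.

    Assumption: t is measured from the first to the last arrival in the window.
    """
    span = arrivals[-1] - arrivals[0]
    return len(arrivals) / span if span > 0 else float("inf")


def current_efficiency(flow_stats: List[Tuple[int, int]]) -> float:
    """Current matching efficiency from a flow-stats reply: mean of packet_count / duration_sec.

    flow_stats holds (duration_sec, packet_count) per flow entry. Averaging across
    entries is an assumption; the text gives only the per-entry quotient.
    """
    if not flow_stats:
        return 0.0
    effs = [pkts / dur if dur > 0 else 0.0 for dur, pkts in flow_stats]
    return sum(effs) / len(effs)


@dataclass
class SwitchDetector:
    """Tracks PacketIN messages of one boundary switch (S302-S305) and classifies (S306-S309)."""
    switch_addr: str
    first_threshold: float    # PacketIN/s, set from historical window rates (S301)
    second_threshold: float   # matched packets/s, set from FlowRemoved history (S301)
    n: int = 100              # quantity window N
    m: int = 3                # consecutive windows at/above first_threshold => abnormal
    _window: List[float] = field(default_factory=list)
    _counter: int = 0
    abnormal: bool = False

    def observe_packet_in(self, src_addr: str, arrival: float) -> Optional[float]:
        """Record one PacketIN; return the window's rate when the Nth message closes it."""
        if src_addr != self.switch_addr:
            return None   # PacketINs from internal switches are not counted for this switch
        self._window.append(arrival)
        if len(self._window) < self.n:
            return None
        rate = window_rate(self._window)
        self._window = []
        # Counter increments on rate >= threshold and resets otherwise (S305).
        self._counter = self._counter + 1 if rate >= self.first_threshold else 0
        if self._counter >= self.m:
            self.abnormal = True
        return rate

    def classify(self, flow_stats: List[Tuple[int, int]]) -> str:
        """Apply S308/S309 to the flow-stats reply queried once the switch is abnormal."""
        if not self.abnormal:
            return "normal"
        if current_efficiency(flow_stats) > self.second_threshold:
            return "burst"   # many new flows, but they still match packets: traffic burst
        return "ddos"        # new flows barely match anything: attack traffic

    def reset(self) -> None:
        """Clear the abnormal state once the switch returns to normal."""
        self._counter = 0
        self.abnormal = False


if __name__ == "__main__":
    det = SwitchDetector("X", first_threshold=1.0, second_threshold=0.4, n=4, m=2)
    # Constructed sample: 8 PacketINs from X at one per second, plus one from an internal switch.
    for t in [0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0]:
        det.observe_packet_in("X", t)
    det.observe_packet_in("internal", 7.5)
    print(det.abnormal, det.classify([(10, 5), (20, 2)]))
```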
S310: and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
Wherein the target boundary switch includes at least one physical port. As shown in fig. 4, assume that the target boundary switch, boundary switch X, includes A, B, C and D four physical ports. Specifically, when it is determined that the boundary switch X is attacked by DDoS, a physical port, i.e., a target physical port, which is a physical port with the largest proportion of PacketIN messages among the four physical ports, such as port D, may be determined according to PacketIN statistical messages in m windows N that generate the abnormal alarm.
S311: and marking the target data stream of the target physical port.
In a specific embodiment, after determining that the target physical port with the highest attack data flow density is the port D as described above, the controller may issue a redirection flow table instruction to the boundary switch X, where a matching domain rule corresponding to the flow table instruction is that priorities of all target data flows (which may be data flows between switches) entering from the port D are highest, and the action is to uniformly mark the data flows entering from the port D, for example, fill a Hash value of a hardware address of the boundary switch X in an idle field of a data packet or perform packet encapsulation by using a general encapsulation technique. In addition, a flow table instruction may also be issued to the switch between the boundary switch X and the data filtering device bound to the boundary switch X (if there is no intermediate switch, the flow table instruction is not sent), the matching domain rule corresponding to the flow table instruction is that all idle fields are Hash values of the hardware address of the boundary switch X or a data packet adopting a general encapsulation technology, the priority is the highest level, and the action is forwarding to the bound data filtering device.
S312: and redirecting the marked target data stream to a data filtering device bound with the target boundary switch in advance so that the data filtering device processes the marked target data stream.
Specifically, when the boundary switch X and the data filtering device are bound, address information of the boundary switch X and the data filtering device, such as a hardware address and an IP address of the device, may be obtained according to a network deployment record or topology analysis. In addition, according to the topological relation between the boundary switch X and the data filtering device, the information interaction cost between the boundary switch X and the data filtering device is calculated through a shortest path or a load balancing method, at least one data filtering device with smaller information interaction cost (such as shortest path, least intermediate node and/or lighter load with the boundary switch X) is selected, and the address information of the selected data filtering device is bound with the boundary switch X.
Further, it can keep monitoring the attack related detection information (including PacketIN statistical message, flow table matching information, etc.) of the target boundary switch in real time, and determine whether the boundary switch X is still under DDoS attack according to the attack related detection information. If the DDoS attack still occurs, a physical port, such as port C, with the most intensive current attack data flow, except for port D, of the four physical ports of the boundary switch X may be determined according to new attack-related detection information, and the target data flow of the port C is redirected to the bound data filtering device. If DDoS attack is no longer received, if the boundary switch X is no longer in an abnormal state after the redirection protection is performed, data flow marking and redirection processing may be stopped, specifically, the redirection flow table instructions on the boundary switch X may be sequentially deleted according to a preset time interval, or whether the redirection flow table instruction flow table on the boundary switch X is deleted may be determined according to a detection result of the data filtering device after processing.
In the embodiment of the invention, the current request rate of the switch in the SDN network can be obtained through the monitored first request message, and whether the switch is in an abnormal state is judged according to the current request rate, so that when the switch is in the abnormal state, whether the switch is attacked by the DDoS is detected by further inquiring the matching information of the current flow table without depending on the randomness of normal data flow and attacking data flow, and the accuracy of DDoS attack detection is improved. In addition, the embodiment of the invention also solves the problem that whether the switch is attacked by DDoS can not be detected in the prior art. Furthermore, when detecting that a certain switch in the SDN network is attacked by DDoS, the embodiment of the present invention may further implement effective protection against DDoS attack on the switch by determining a target physical port in the switch, which has the highest DDoS attack data flow density, marking the target data flow of the target physical port, and redirecting to a data filtering device bound to the switch, and solve the problems of normal data flow accidental injury and flow table space overflow caused in the existing DDoS attack protection.
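As an added example, not the patent's own code, the following Python works through the protection side of S310 to S312 for one boundary switch: choosing the port with the largest share of PacketIN messages in the alarm windows, building the marking entry for that port and the mark-matching entries for the intermediate switches towards the bound data filtering device, escalating to the next port while the attack continues, and listing the entries to tear down afterwards. The CRC32 mark, the dict layout of the flow entries, the priority value and the sample port counts are assumptions.

```python
"""Added example: port selection and redirect rules for S310-S312 (not the patent's code)."""
import zlib
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAX_PRIORITY = 65535   # highest OpenFlow flow-entry priority; the text only says "highest"


def switch_mark(hw_addr: str) -> int:
    """Hash of the boundary switch's hardware address, used as the data-flow mark.

    Assumption: CRC32 of the MAC string; the text does not fix the hash function.
    """
    return zlib.crc32(hw_addr.encode("ascii")) & 0xFFFFFFFF


def select_target_port(packet_in_ports: Iterable[str],
                       already_redirected: Set[str]) -> Optional[str]:
    """Port whose share of PacketINs in the alarm windows is largest (S310), skipping
    ports already redirected in earlier rounds (the escalation described under S312)."""
    counts = Counter(p for p in packet_in_ports if p not in already_redirected)
    if not counts:
        return None
    return counts.most_common(1)[0][0]   # ties resolve to the first port seen


def build_redirect_rules(switch_id: str, hw_addr: str, target_port: str,
                         path_to_filter: List[Tuple[str, int]]) -> List[Dict]:
    """Flow entries for S311/S312 as plain dicts (conceptual, not OpenFlow wire format).

    path_to_filter lists (switch_id, out_port) hops from the boundary switch towards the
    bound data filtering device; the first hop is the boundary switch itself.
    """
    mark = switch_mark(hw_addr)
    _, first_out = path_to_filter[0]
    rules = [{
        "switch": switch_id,
        "priority": MAX_PRIORITY,
        "match": {"in_port": target_port},          # everything entering the target port
        "actions": [{"set_mark": mark}, {"output": first_out}],
    }]
    # Intermediate switches (if any) match on the mark and forward towards the filter.
    for hop_switch, out_port in path_to_filter[1:]:
        rules.append({
            "switch": hop_switch,
            "priority": MAX_PRIORITY,
            "match": {"mark": mark},
            "actions": [{"output": out_port}],
        })
    return rules


class Redirector:
    """Round-by-round redirection for one boundary switch under attack."""

    def __init__(self, switch_id: str, hw_addr: str, path_to_filter: List[Tuple[str, int]]):
        self.switch_id = switch_id
        self.hw_addr = hw_addr
        self.path = path_to_filter
        self.redirected: List[str] = []

    def next_round(self, packet_in_ports: Iterable[str]) -> List[Dict]:
        """Called while the switch is still under attack: redirect one more port."""
        port = select_target_port(packet_in_ports, set(self.redirected))
        if port is None:
            return []
        self.redirected.append(port)
        return build_redirect_rules(self.switch_id, self.hw_addr, port, self.path)

    def teardown_order(self) -> List[str]:
        """Ports whose redirect entries are removed once the switch is normal again,
        in the order they were added (the text deletes them one by one at an interval)."""
        return list(self.redirected)


if __name__ == "__main__":
    # Constructed sample: in_port of each PacketIN raised by switch X in the alarm windows.
    sample_ports = ["D", "D", "D", "C", "C", "A", "D", "C", "D", "B"]
    r = Redirector("X", "00:11:22:33:44:55", [("X", 9), ("S1", 3)])
    for rule in r.next_round(sample_ports):
        print(rule)
```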
Fig. 6 is a schematic flow diagram of another DDoS attack detection and protection method according to an embodiment of the present invention, in which the target device is the controller in the SDN network, that is, DDoS attack detection and protection is performed on the controller. As shown in fig. 6, the DDoS attack detection and protection method according to the embodiment of the present invention includes:
S401: Presetting a first threshold and a second threshold corresponding to the controller.
In a specific embodiment, the first request messages, such as PacketIN messages, sent to the controller by each boundary switch in the SDN network may be monitored to calculate the historical request rate corresponding to the controller, so as to set the first threshold for the controller according to that historical request rate. Specifically, as shown in fig. 4, the historical request rate distributions of boundary switches X and Y may be obtained through statistics of the PacketIN messages sent by each boundary switch (including switches X and Y) in a preset window, for example a preset quantity window N (the second window); the historical request rate distributions of all boundary switches, that is, switches X and Y, are summed to obtain the historical request rate distribution of the boundary network determined by switches X and Y, and the historical request rate of the boundary network is then used as the historical request rate corresponding to the controller. The method for calculating the historical request rate of a boundary switch is as described in the above embodiments and is not repeated here. Further, the first threshold for determining whether the controller is in an abnormal state may be set for the controller according to the historical request rate distribution of the boundary network, in combination with the actual conditions of the controller, such as its hardware and the network service characteristics.
In addition, the second threshold for determining whether the controller is under DDoS attack can be set for the controller according to the historical flow table matching efficiency, by monitoring the FlowRemoved messages (second request messages) sent by each boundary switch to the controller and calculating the historical flow table matching efficiency of each boundary switch. Specifically, the historical flow table matching efficiency distribution of each boundary switch is obtained by statistics of its historical flow table matching efficiency information, and the historical matching efficiency distributions of all boundary switches are averaged to obtain the historical flow table matching efficiency distribution of the boundary network. According to the historical flow table matching efficiency distribution of the boundary network, the second threshold may be set for the controller in combination with the actual conditions of the controller, such as its security risk and service characteristics. The method for calculating the historical flow table matching efficiency of a boundary switch is as described in the above embodiments and is not repeated here.
S402: monitoring a first request message sent by each boundary switch in the current SDN in a preset first window.
S403: and respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window.
S404: and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
In a specific embodiment, a PacketIN message, i.e. a first request message, sent by each border switch to the controller may be monitored in real time, and a source address, an arrival time, and an arrival number of the message may be recorded. Determining a preset first window, such as a number window N, may calculate a current request rate corresponding to a controller (i.e., a current request rate of a border network) every time the controller receives N PacketIN messages from border switches in the SDN, that is, when a sum of the PacketIN messages sent by all border switches is N.
S405: determining whether the current request rate is above the first threshold.
S406: and if the first threshold value is higher than the first threshold value, determining that the controller is in an abnormal state.
In an embodiment, the state of the controller may be determined as an abnormal state when the current request rate corresponding to the controller is higher than the first threshold corresponding to the controller m times consecutively, where m is an integer greater than 0. Specifically, the current request rate corresponding to the controller may be compared with a first threshold corresponding to the controller, if the current request rate of the controller is higher than (or equal to) the first threshold, a counter corresponding to the controller is incremented by one, and if the current request rate of the controller is lower than the first threshold, the counter is cleared. When the counter corresponding to the controller is detected to be accumulated to m, the controller can be determined to be in an abnormal state.
S407: and sending a flow table information query instruction to the boundary switch corresponding to the controller.
S408: and receiving flow table matching information returned by the boundary switch corresponding to the controller in response to the flow table information inquiry instruction, and calculating the current flow table matching efficiency corresponding to the controller.
And the boundary switches corresponding to the controller are all boundary switches in the SDN.
In a specific embodiment, if it is detected that the controller is in an abnormal state, the controller may send a flow table information query instruction to each boundary switch (including boundary switches X and Y) in the SDN, where the flow table information query instruction is used to query current matching information of an internal flow table thereof, that is, flow table matching information corresponding to the controller, including second-level duration _ sec and matching packet number packet _ count information, and calculate current flow table matching efficiency of each boundary switch according to a query result, where the current flow table matching efficiency is as follows: the current flow table matching efficiency is matching packet number packet _ count ÷ duration _ sec. And averaging the current flow table matching efficiency of each boundary switch to obtain the current flow table matching efficiency of the boundary network in an abnormal state, and then taking the current flow table matching efficiency of the boundary network as the current flow table matching efficiency corresponding to the controller.
S409: and judging whether the matching efficiency of the current flow table exceeds the second threshold value.
S410: and if the second threshold value is not exceeded, determining that the controller is attacked by the DDoS.
In a specific embodiment, the calculated current flow table matching efficiency corresponding to the controller may be compared with a second threshold corresponding to the controller, and if the current flow table matching efficiency corresponding to the controller is higher than the second threshold, it may be indicated that the controller is not attacked by DDoS attack; if the matching efficiency of the flow table is lower than or equal to the second threshold value, it can indicate that the controller is attacked by DDoS.
When the controller is determined to be attacked by DDoS, further realizing the protection of the DDoS attack according to attack related detection information, including packetIN statistical information, flow table matching information and the like in the m windows N; if the DDoS attack is not encountered, the controller can carry out conventional optimization such as complex equalization and the like.
S411: the current flow table matching efficiency of each boundary switch in the SDN is obtained, and the boundary switch with the current flow table matching efficiency lower than that of the boundary network is used as a target switch.
S412: and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
Wherein the target switch includes at least one physical port. Specifically, when it is determined that the controller is attacked by DDoS, a boundary switch, that is, a target switch, whose current flow table matching efficiency is lower than that of the boundary network (that is, the current flow table matching efficiency corresponding to the controller) can be determined, and if the determined target switch with lower flow table matching efficiency is a boundary switch X, a physical port, that is, a target physical port, whose proportion of PacketIN messages in each physical port of the boundary switch X is the largest, can be determined according to PacketIN statistical messages in m windows N in which the abnormal alarm is generated. As shown in fig. 4, assume that the boundary switch X includes A, B, C and D four physical ports, and the determined target physical port is port D.
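The following is an added worked example in Python, not code from the patent, of steps S408 to S412 for the controller as target device: it computes each boundary switch's flow table matching efficiency from (duration_sec, packet_count) pairs, averages them into the boundary-network value that stands for the controller, applies the second threshold, and then selects the target switches and their target ports. It assumes that a switch's efficiency is the mean of packet_count ÷ duration_sec over its flow entries, that PacketIN statistics for the m alert windows are kept per (switch, ingress port), and that entries reporting duration_sec of zero are skipped so that no division by zero occurs; the flow statistics and PacketIN counts for switches X and Y are constructed for illustration.

```python
"""Stage-two DDoS check and target selection for the controller (S408 to S412).

Added example, not code from the patent. Assumptions: each boundary switch
answers the flow table query with a list of (duration_sec, packet_count)
pairs, one per flow entry; a switch's efficiency is the mean of
packet_count / duration_sec over its entries; PacketIN statistics for the
m alert windows N are kept per (switch, ingress port). All data below is
constructed for illustration.
"""
from collections import Counter

# Constructed flow-stats replies. Switch X holds many entries that matched a
# single packet within a few seconds (the footprint of spoofed flows, each of
# which triggered a PacketIN); switch Y holds long-lived, heavily matched entries.
FLOW_STATS = {
    "X": [(120, 9000), (3, 1), (2, 1), (4, 1), (1, 1)],
    "Y": [(300, 45000), (60, 1200), (90, 2700)],
}

# Constructed PacketIN counts per (switch, port) over the m alert windows N.
PACKETIN_STATS = {
    ("X", "A"): 40, ("X", "B"): 55, ("X", "C"): 310, ("X", "D"): 2600,
    ("Y", "A"): 30, ("Y", "B"): 25,
}


def switch_efficiency(flow_stats):
    """Current flow table matching efficiency of one boundary switch.

    Entries with duration_sec == 0 (just installed) are skipped: they carry
    no rate information and would divide by zero.
    """
    ratios = [pc / dur for dur, pc in flow_stats if dur > 0]
    return sum(ratios) / len(ratios) if ratios else 0.0


def boundary_network_efficiency(per_switch):
    """Average over all boundary switches; this is the controller's value (S408)."""
    return sum(per_switch.values()) / len(per_switch)


def controller_under_ddos(per_switch, second_threshold):
    """S409/S410: DDoS is declared when the efficiency does NOT exceed the threshold."""
    return boundary_network_efficiency(per_switch) <= second_threshold


def target_switches(per_switch):
    """S411: boundary switches whose efficiency is below the boundary-network value."""
    avg = boundary_network_efficiency(per_switch)
    return sorted(sw for sw, eff in per_switch.items() if eff < avg)


def target_port(packetin_stats, switch):
    """S412: the port carrying the largest share of the switch's PacketIN messages."""
    counts = Counter()
    for (sw, port), n in packetin_stats.items():
        if sw == switch:
            counts[port] += n
    return counts.most_common(1)[0][0] if counts else None


def stage_two(flow_stats, packetin_stats, second_threshold):
    """Run S408 to S412; returns {target switch: target port}, empty if no attack."""
    per_switch = {sw: switch_efficiency(entries) for sw, entries in flow_stats.items()}
    if not controller_under_ddos(per_switch, second_threshold):
        return {}
    return {sw: target_port(packetin_stats, sw) for sw in target_switches(per_switch)}


if __name__ == "__main__":
    print(stage_two(FLOW_STATS, PACKETIN_STATS, second_threshold=50.0))
```

With a second threshold of 50 the block reports {'X': 'D'}: the single-packet entries pull switch X's efficiency to about 15 while switch Y sits near 67, the boundary-network average drops to about 41, and port D carries most of X's PacketIN messages. Raising the threshold assumption to 30 yields no attack and an empty result.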
S413: marking the target data stream of the target physical port.
In a specific embodiment, after the target physical port with the densest attack data flow has been determined to be port D as described above, the controller may issue a redirection flow table instruction to the target switch, that is, boundary switch X. The match field rule of this flow entry gives all target data streams entering from port D (which may be data streams between switches) the highest priority, and its action uniformly marks the data streams entering from port D, for example by filling a hash value of the hardware address of boundary switch X into an idle field of each data packet, or by encapsulating the packets with a generic encapsulation technique. In addition, a flow table instruction may be issued to each switch located between the target switch and the data filtering device bound to it; the match field rule of that flow entry is the hardware address hash value of the target switch (or the header of the generic encapsulation), its priority is the highest level, and its action is forwarding to the bound data filtering device.
S414: redirecting the marked target data stream to the data filtering device bound to the target switch in advance, so that the data filtering device processes the marked target data stream.
Specifically, the manner of binding the target switch to the data filtering device may refer to the related description in the foregoing embodiments and is not repeated here.
Further, the attack-related detection information of each boundary switch (including PacketIN statistical information, flow table matching information and the like) may be kept under real-time monitoring, and whether the controller is still under DDoS attack is determined from it. If the DDoS attack continues, the physical port of boundary switch X (whose flow table matching efficiency remains lower than that of the boundary network) at which the attack data flow is now densest is determined from the new attack-related detection information, excluding port D that was selected the previous time, for example port C, and the target data flow of port C is likewise redirected to the bound data filtering device. If the DDoS attack has ceased, that is, the controller is no longer in an abnormal state after the redirection protection, the data flow marking and redirection may be stopped: the redirection flow entries on boundary switch X may be deleted one by one at a preset time interval, or whether to delete them may be decided from the processing result reported by the data filtering device.
It should be noted that, in the SDN, a first threshold and a second threshold may be preset for each boundary switch and for the controller, so that DDoS attack detection and protection can be performed on each boundary switch and on the controller at the same time; this is not described again here.
In the embodiment of the invention, the current request rate corresponding to the controller in the SDN is obtained from the monitored first request messages, and whether the controller is in an abnormal state is judged from that rate; when the controller is in the abnormal state, whether it is under DDoS attack is then detected by further querying the current flow table matching information. The detection therefore does not depend on the randomness of normal data flows versus attack data flows, which improves the accuracy of DDoS attack detection. Furthermore, when a controller in the SDN is detected to be under DDoS attack, the embodiment may further determine, in a target switch with lower flow table matching efficiency, the target physical port with the highest density of DDoS attack data flow, mark the target data flow of that port, and redirect it to the data filtering device bound to the target switch, thereby protecting the controller effectively against the DDoS attack and avoiding the collateral damage to normal data flows and the flow table space overflow caused by existing DDoS attack protection.
Fig. 7 is a schematic structural diagram of a DDoS attack detection apparatus according to an embodiment of the present invention. The apparatus is applicable to a software defined network SDN, where the SDN includes a controller and at least one boundary switch. Specifically, the DDoS attack detection apparatus includes a calculation module 11, an abnormality determination module 12, a query module 13 and an attack determination module 14, wherein:
the calculation module 11 is configured to monitor a first request message in a preset first window, and calculate a current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream that is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller.
It should be noted that the apparatus according to the embodiment of the present invention may be specifically disposed in a network device, such as a controller in the SDN or other independently disposed detection devices, and the embodiment of the present invention is not limited thereto.
The first request message is a request data flow, such as a PacketIN data flow, which is sent to the controller by a boundary switch corresponding to a target device in the SDN and needs to be processed by the controller. The first request message is specifically a data flow between the SDN controller and the switch. The target device may be specifically a controller in the SDN or any boundary switch, that is, the embodiment of the present invention can implement DDoS attack detection on the controller in the SDN network, also implement DDoS attack detection on the boundary switch in the SDN, and also implement DDoS attack detection on the controller and the boundary switch in the SDN at the same time.
Specifically, the first window may refer to a time window or a number window, that is, the current request rate is calculated according to the first request message in a current certain time window, or calculated according to the first request message in a current certain number window.
The abnormality determination module 12 is configured to determine whether the target device is in an abnormal state based on the current request rate.
In a specific embodiment, after the calculation module 11 calculates the current request rate corresponding to the target device, the abnormality determination module 12 may determine whether the target device is in an abnormal state by detecting whether the current request rate of the target device satisfies a preset rule, for example whether the current request rate exceeds a preset first threshold.
The query module 13 is configured to query the flow table matching information corresponding to the target device when the abnormality determination module 12 determines that the target device is in an abnormal state.
Specifically, the flow table matching information corresponding to the target device may include flow table matching information generated according to the first request messages corresponding to the target device monitored in the first window, and may further include flow table matching information already present in the boundary switch corresponding to the target device before the first window; specifically, it may be the flow table matching information of a current time window or number window. The flow table matching information may include fields such as the duration in seconds (duration_sec) and the number of matched packets (packet_count).
The attack determining module 14 is configured to determine whether the target device is attacked by DDoS based on the flow table matching information.
In a specific embodiment, the attack determining module 14 may determine whether the target device is attacked by DDoS by detecting whether the flow table matching information acquired by the querying module 13 satisfies a preset matching rule, for example, whether the flow table matching efficiency corresponding to the flow table matching information exceeds a preset second threshold.
Further, if the attack determination module 14 determines that the target device is not under a DDoS attack, the controller may perform a conventional load balancing optimization. If the attack determining module 14 determines that the target device is attacked by DDoS, the DDoS attack may be further protected according to a preset protection rule.
Further, please refer to fig. 8, which is a schematic structural diagram of another DDoS attack detection apparatus provided in an embodiment of the present invention. Specifically, the apparatus in this embodiment includes the calculation module 11, abnormality determination module 12, query module 13 and attack determination module 14 of the DDoS attack detection apparatus described above. Further, in this embodiment the apparatus may also include:
a port determining module 15, configured to determine, when it is determined that the target device is attacked by DDoS, a target physical port from at least one physical port of a boundary switch corresponding to the target device, where the target physical port is a physical port with a largest data stream density corresponding to the first request message in the first window in the at least one physical port.
Each boundary switch includes at least one physical port, and the target physical port is a physical port with the largest data stream density corresponding to the first request message in the first window of the at least one physical port, that is, a physical port with the largest number of requests for the first request message in unit time in the first window.
And the marking module 16 is configured to mark a target data stream transmitted by the target physical port.
The target data flow may be specifically a data flow between switches in the software defined network SDN, that is, a data flow of a user (including an attacker) in the SDN.
A redirecting module 17, configured to redirect the marked target data stream to a data filtering device bound to a boundary switch corresponding to the target device in advance, so that the data filtering device processes the marked target data stream.
Further, in an optional embodiment, the target device may be a target border switch of the at least one border switch; the calculation module 11 may comprise (not shown in the figures):
a first monitoring unit 111, configured to monitor a first request message sent by the target border switch in a preset first window;
a first calculating unit 112, configured to calculate a request rate of the first request message, and use the calculated request rate as a current request rate of the target border switch for the first request message.
In a specific embodiment, the first monitoring unit 111 may monitor, in real time, the first request messages, such as PacketIN messages, sent by the target boundary switch to the controller, and record the source address, arrival time and arrival count of each message. The first calculating unit 112 calculates the request rate of the target boundary switch, that is, its current request rate, each time the first monitoring unit 111 has monitored a preset first window, for example a number window N, of PacketIN messages from the target boundary switch.
Further, in an optional embodiment, the target device may also be the controller; the calculation module 11 may comprise (not shown in the figures):
a second monitoring unit 113, configured to monitor a first request message sent by each border switch in the SDN in a preset first window;
a second calculating unit 114, configured to separately count request rates of the first request messages sent by each border switch in the first window;
the second calculating unit 114 is further configured to obtain, from the request rate statistics of each boundary switch, the current request rate of the boundary network formed by all boundary switches in the SDN within the first window, and to use the current request rate of the boundary network as the current request rate of the controller for the first request message.
In a specific embodiment, the second monitoring unit 113 may monitor, in real time, the PacketIN messages, that is, the first request messages, sent to the controller by each boundary switch in the SDN, and record the source address, arrival time and arrival count of each message. Each time the second monitoring unit 113 has monitored a preset first window of PacketIN messages from the boundary switches, for example a number window N, that is, each time the total number of PacketIN messages sent by all boundary switches reaches N, the second calculating unit 114 calculates the PacketIN request rate of each boundary switch and uses the sum of these request rates as the current request rate corresponding to the controller (that is, the current request rate of the boundary network).
Further, the abnormality determining module 12 may specifically include (not shown in the figure):
a first determining unit 121, configured to determine whether the current request rate is higher than a preset first threshold corresponding to the target device, where the first threshold is determined according to a request rate of a first request message in a preset second window;
a first determining unit 122, configured to determine that the target device is in an abnormal state when the determination result of the first determining unit 121 is higher than the first threshold.
Specifically, the first determining unit 122 may determine the state of the target device as an abnormal state when the current request rate corresponding to the target device is higher than the first threshold corresponding to the target device m times consecutively, where m is an integer greater than 0.
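The following is an added worked example in Python, not code from the patent, of the stage-one check performed by the calculation module 11 and the abnormality determination module 12 with the controller as target device: monitored PacketIN arrivals are cut into number windows of N messages, each boundary switch's request rate in a window is its message count divided by the window's time span, the controller's rate is the sum over switches, and the abnormal state is declared only after the first threshold has been exceeded in m consecutive windows. The first threshold is taken as given (the text derives it from a second window but fixes no formula), the clamping of a zero-length window span to 1 ms is an assumption, and the event stream is constructed.

```python
"""Stage-one check: current request rate over number windows N and the
m-consecutive-windows abnormal-state rule, with the controller as target.

Added example, not code from the patent. Assumptions: monitored PacketIN
messages are recorded as (arrival_time_seconds, source_switch); a number
window closes when N messages from all boundary switches have arrived; a
switch's request rate in a window is its message count divided by the
window's time span; the controller's rate is the sum over switches; the
first threshold is supplied by the caller. The event stream is constructed.
"""
from collections import Counter

# Constructed PacketIN arrivals: switches X and Y at about one message per
# second each, followed by a burst of PacketIN messages from X.
EVENTS = [
    (0.0, "X"), (1.0, "Y"), (2.0, "X"), (3.0, "Y"),
    (4.0, "X"), (5.0, "Y"), (6.0, "X"), (7.0, "Y"),
    (8.0, "X"), (8.1, "X"), (8.2, "X"), (8.3, "X"),
    (8.4, "X"), (8.5, "X"), (8.6, "X"), (8.7, "X"),
]

# Assumption: a window whose N messages share one timestamp is rated over 1 ms
# rather than dividing by zero.
MIN_SPAN = 1e-3


def number_windows(events, n):
    """Consecutive full windows of n messages; a trailing partial window is not rated yet."""
    return [events[i:i + n] for i in range(0, len(events) - n + 1, n)]


def per_switch_rates(window):
    """Request rate (messages per second) of each boundary switch inside one window."""
    span = max(window[-1][0] - window[0][0], MIN_SPAN)
    counts = Counter(sw for _, sw in window)
    return {sw: c / span for sw, c in counts.items()}


def controller_rate(window):
    """Current request rate of the boundary network, taken as the controller's rate."""
    return sum(per_switch_rates(window).values())


def abnormal_windows(events, n, m, first_threshold):
    """Indices of the windows at which the abnormal state is declared.

    The state becomes abnormal when the controller's rate has been above
    first_threshold in m consecutive windows (m > 0); a single spike below
    that run length does not raise the alarm.
    """
    streak, alarms = 0, []
    for idx, window in enumerate(number_windows(events, n)):
        if controller_rate(window) > first_threshold:
            streak += 1
            if streak >= m:
                alarms.append(idx)
        else:
            streak = 0
    return alarms


if __name__ == "__main__":
    for idx, window in enumerate(number_windows(EVENTS, 4)):
        print(idx, round(controller_rate(window), 2), per_switch_rates(window))
    print("abnormal at windows:", abnormal_windows(EVENTS, 4, m=2, first_threshold=5.0))
```

With N = 4, m = 2 and a first threshold of 5 messages per second, the two quiet windows rate the controller at about 1.3 messages per second, the burst windows at about 13, and the abnormal state is declared at the fourth window (index 3), the second consecutive window above the threshold.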
Further, the query module 13 may specifically include (not shown in the figure):
an instruction sending unit 131, configured to send a flow table information query instruction to a boundary switch corresponding to the target device when the target device is in an abnormal state;
an information receiving unit 132, configured to receive flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information query instruction;
the attack determination module 14 may specifically include (not shown in the figures):
the efficiency calculating unit 141 is configured to calculate the current flow table matching efficiency corresponding to the target device based on the flow table matching information;
a second determining unit 142, configured to determine whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, where the second threshold is determined according to the flow table matching efficiency obtained by statistics of flow table matching information in a preset third window;
a second determining unit 143, configured to determine that the target device is attacked by DDoS when a determination result of the second determining unit 142 is that the current flow table matching efficiency does not exceed the second threshold.
Further, in an optional embodiment, the target device may be a target border switch of the at least one border switch; the efficiency calculation unit 141 may be specifically configured to:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
The port determination module 15 may be specifically configured to:
and when the target boundary switch is determined to be attacked by the DDoS attack, determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
Wherein the target boundary switch includes at least one physical port. Specifically, when the attack determining module 14 determines that the target boundary switch is attacked by DDoS, the port determining module 15 may determine, according to PacketIN statistical messages in the m windows N where the abnormal alarm is generated, a physical port with a largest proportion of PacketIN messages in the at least one physical port as the target physical port.
Further, in an optional embodiment, the target device may also be the controller, and the boundary switches corresponding to the target device include all boundary switches in the SDN; the efficiency calculation unit 141 may be further specifically configured to:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN; and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
The port determination module 15 may be specifically configured to:
when the controller is determined to be attacked by DDoS, acquiring current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
Wherein the target switch includes at least one physical port. Specifically, when the attack determining module 14 determines that the controller is attacked by DDoS, the port determining module 15 may determine to obtain a boundary switch, that is, a target switch, whose current flow table matching efficiency is lower than the current flow table matching efficiency of the boundary network (that is, the current flow table matching efficiency corresponding to the controller), and may determine, according to PacketIN statistical messages in m windows N where the abnormal alarm is generated, a physical port with a largest proportion of PacketIN messages in each physical port of the target switch as the target physical port.
Further optionally, the marking module 16 may be specifically configured to:
filling a hash value of the hardware address of the boundary switch corresponding to the target device into an idle field of the data packets of the target data stream of the target physical port; or,
encapsulating the data packets of the target data stream of the target physical port with a generic encapsulation technique.
Further, in an alternative embodiment, the device further comprises (not shown in the figures):
an efficiency determining module 18, configured to monitor the second request messages of the boundary switch corresponding to the target device and to calculate, based on the second request messages, the historical flow table matching efficiency corresponding to the target device, where a second request message is generated from the flow table matching information in a preset third window;
and a threshold determining module 19, configured to determine the second threshold corresponding to the target device from the historical flow table matching efficiency corresponding to the target device.
Further optionally, the second request message includes reason information, a duration in seconds and a matched packet count; the efficiency determining module 18 may include (not shown):
an analysis unit 181, configured to analyse the reason information;
a third determining unit 182, configured to, when the analysis unit 181 finds that the reason information indicates an idle timeout, use the quotient of the matched packet count and a target difference as the historical flow table matching efficiency corresponding to the target device, where the target difference is the duration in seconds minus the idle time corresponding to the idle timeout;
the third determining unit 182 being further configured to, when the analysis unit 181 finds that the reason information indicates a hard timeout, use the quotient of the matched packet count and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
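The following is an added worked example in Python, not code from the patent, of the efficiency determining module 18 and threshold determining module 19: it reads the reason, duration and matched packet count of each flow-removed notification received in the third window, subtracts the idle tail for idle-timeout removals and uses the full lifetime for hard-timeout removals, and derives the second threshold from the resulting historical efficiencies. It assumes the second request messages are OpenFlow flow-removed notifications (the reason values are the OpenFlow OFPRR_* codes), and, since the text does not fix how the threshold is derived from the historical efficiency, takes the threshold as a fixed fraction of the mean, which is marked as an assumption; the records are constructed.

```python
"""Historical flow table matching efficiency and the second threshold.

Added example, not code from the patent. Assumptions: the second request
messages are OpenFlow flow-removed notifications carrying the reason code,
duration_sec, idle_timeout and packet_count; the second threshold is a
fixed fraction of the mean historical efficiency of the third window (the
text leaves the derivation open). The records below are constructed.
"""

OFPRR_IDLE_TIMEOUT = 0   # OpenFlow reason codes carried in a flow-removed message
OFPRR_HARD_TIMEOUT = 1
OFPRR_DELETE = 2         # explicit deletion: not a timeout, not used for the statistic

# Constructed flow-removed records from the boundary switches in the third window.
RECORDS = [
    {"reason": OFPRR_IDLE_TIMEOUT, "duration_sec": 70, "idle_timeout": 10, "packet_count": 1200},
    {"reason": OFPRR_HARD_TIMEOUT, "duration_sec": 100, "idle_timeout": 10, "packet_count": 5000},
    {"reason": OFPRR_IDLE_TIMEOUT, "duration_sec": 12, "idle_timeout": 10, "packet_count": 40},
    {"reason": OFPRR_DELETE, "duration_sec": 5, "idle_timeout": 10, "packet_count": 3},
]


def historical_efficiency(record):
    """Matching efficiency of one removed entry, or None if the record is unusable.

    Idle timeout: the entry sat unused for idle_timeout seconds before it was
    removed, so that idle tail is subtracted from duration_sec (the target
    difference). Hard timeout: the whole lifetime counted as active.
    """
    reason = record["reason"]
    if reason == OFPRR_IDLE_TIMEOUT:
        active = record["duration_sec"] - record["idle_timeout"]
    elif reason == OFPRR_HARD_TIMEOUT:
        active = record["duration_sec"]
    else:
        return None
    if active <= 0:  # entry removed within the second it was installed: no rate to learn
        return None
    return record["packet_count"] / active


def second_threshold(records, fraction=0.5):
    """Second threshold for the target device from the third window's records.

    fraction is an assumed tuning knob: the threshold is that share of the
    mean historical efficiency, so a current efficiency at or below it
    signals the many short-lived, barely matched entries of an attack.
    """
    values = [e for e in map(historical_efficiency, records) if e is not None]
    if not values:
        raise ValueError("no usable flow-removed records in the third window")
    return fraction * sum(values) / len(values)


if __name__ == "__main__":
    print([historical_efficiency(r) for r in RECORDS])
    print("second threshold:", second_threshold(RECORDS))
```

For the constructed records the historical efficiencies are 20, 50 and 20 packets per second (the explicit deletion is ignored), giving a mean of 30 and, with the assumed fraction of one half, a second threshold of 15.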
Further, in an alternative embodiment, the apparatus may further comprise (not shown in the figures):
an obtaining module 20, configured to obtain address information of a boundary switch and a data filtering device in the SDN, respectively;
the obtaining module 20 is further configured to obtain topology structure information of the SDN;
a binding determining module 21, configured to determine at least one data filtering device for the boundary switch according to the topology information, and bind the address information of the determined data filtering device with the address information of the boundary switch.
Specifically, when binding a boundary switch to a data filtering device, the obtaining module 20 may obtain the address information of the boundary switch and of the data filtering devices, such as their hardware addresses and IP addresses, from the network deployment record or from topology analysis. The binding determining module 21 may then compute the information interaction cost between the boundary switch and each data filtering device by a shortest path or load balancing method according to their topological relationship, select at least one data filtering device with a lower interaction cost (for example the device with the shortest path to the boundary switch, the device with the fewest intermediate nodes, and/or the device with the lighter load), and bind the address information of the selected data filtering device to the address information of the boundary switch.
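The following is an added worked example in Python, not code from the patent, of the obtaining module 20 and binding determining module 21: given an adjacency list of the SDN topology and the addresses and loads of the data filtering devices, it ranks the devices for each boundary switch by hop count (a breadth-first search) with ties broken by load, and records the chosen bindings as address pairs. The topology, addresses and loads are constructed, and the cost function (hops first, then load) is one of the selection methods the text names rather than a prescribed formula.

```python
"""Binding boundary switches to data filtering devices by topology cost.

Added example, not code from the patent. Assumptions: the topology is an
undirected adjacency list; the interaction cost is the hop count found by
breadth-first search, with ties broken by the device's reported load; the
addresses and loads are constructed.
"""
from collections import deque

# Constructed topology: boundary switches X and Y, core switches s1 and s2,
# data filtering devices F1, F2 and F3.
TOPOLOGY = {
    "X": ["s1"], "Y": ["s2"],
    "s1": ["X", "s2", "F1", "F3"], "s2": ["Y", "s1", "F2"],
    "F1": ["s1"], "F2": ["s2"], "F3": ["s1"],
}
BOUNDARY_SWITCHES = {
    "X": {"mac": "02:00:00:00:00:0a", "ip": "10.0.0.10"},
    "Y": {"mac": "02:00:00:00:00:0b", "ip": "10.0.0.11"},
}
FILTERS = {
    "F1": {"ip": "10.0.1.1", "load": 0.2},
    "F2": {"ip": "10.0.1.2", "load": 0.7},
    "F3": {"ip": "10.0.1.3", "load": 0.5},
}


def hop_counts(topology, source):
    """Hop distance from source to every reachable node (breadth-first search)."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in topology.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def rank_filters(topology, switch, filters):
    """Filtering devices ordered by (hops, load, name); unreachable devices are dropped."""
    dist = hop_counts(topology, switch)
    reachable = [f for f in filters if f in dist]
    return sorted(reachable, key=lambda f: (dist[f], filters[f]["load"], f))


def bind(topology, switches, filters, k=1):
    """Bind each boundary switch to its k cheapest reachable filtering devices (by name)."""
    return {sw: rank_filters(topology, sw, filters)[:k] for sw in switches}


def address_pairs(bindings, switches, filters):
    """Express the bindings as (switch ip, filter ip) pairs, the form the controller stores."""
    return {sw: [(switches[sw]["ip"], filters[f]["ip"]) for f in names]
            for sw, names in bindings.items()}


if __name__ == "__main__":
    chosen = bind(TOPOLOGY, BOUNDARY_SWITCHES, FILTERS, k=1)
    print(chosen, address_pairs(chosen, BOUNDARY_SWITCHES, FILTERS))
```

In the constructed topology, F1 and F3 are both two hops from switch X, so the lighter load of F1 decides the binding; switch Y binds to F2, its only two-hop device, and a switch with no reachable filtering device receives an empty list rather than a wrong binding.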
In the embodiment of the invention, the current request rate corresponding to a target device in the SDN is obtained from the monitored first request messages, and whether the target device is in an abnormal state is judged from that rate; when the target device is in the abnormal state, whether it is under DDoS attack is then determined by further querying the current flow table matching information. The DDoS attack detection method of the embodiment does not depend on the randomness of normal data flows versus attack data flows, which improves the accuracy of DDoS attack detection. Further, when a target device in the SDN, such as a switch or the controller, is detected to be under DDoS attack, the attack is countered by determining the target physical port of the boundary switch corresponding to the target device at which the attacked data stream density is largest, marking the target data stream of that port and redirecting it to the bound data filtering device. This differs from the prior art, in which a plurality of controllers are configured, idle controllers are started when the data processing load of the controller in use exceeds a preset capacity threshold, the data packets received by the overloaded controller are analysed by packet header parsing, and flow tables are then issued to discard, intercept and block the data flows at the switch side.
Further, please refer to fig. 9, which is a schematic structural diagram of a network device according to an embodiment of the present invention. The network device is applicable to a software defined network SDN, where the SDN includes a controller and at least one boundary switch. Specifically, the network device of this embodiment includes a communication interface 300, a memory 200 and a processor 100, where the processor 100 is connected to the communication interface 300 and to the memory 200. The memory 200 may be a high-speed RAM or a non-volatile memory, such as at least one disk memory. The communication interface 300, the memory 200 and the processor 100 may be connected by a bus or in another manner; in this embodiment a bus connection is described, wherein:
the memory 200 is used for storing driving software;
the processor 100 reads the driver software from the memory 200 and executes under the action of the driver software:
monitoring a first request message in a preset first window through the communication interface 300, and calculating a current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream that is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller;
judging whether the target equipment is in an abnormal state or not by taking the current request rate as a basis;
if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment;
and determining whether the target equipment is attacked by the DDoS or not by taking the flow table matching information as a basis.
It should be noted that the network device according to the embodiment of the present invention may be specifically a controller in the SDN or other independently configured detection devices.
Further, the processor 100 reads the driver software from the memory and, under the action of the driver software, further performs the following steps:
if the target device is determined to be attacked by the DDoS attack, determining a target physical port from at least one physical port of the boundary switch corresponding to the target device, where the target physical port is a physical port with the highest data stream density corresponding to the first request message in the first window of the at least one physical port;
marking a target data flow transmitted by the target physical port, wherein the target data flow is a data flow between switches in the SDN;
the marked target data stream is redirected to a data filtering device bound to a boundary switch corresponding to the target device in advance through the communication interface 300, so that the data filtering device processes the marked target data stream.
Optionally, the target device is a target boundary switch in the at least one boundary switch; when the processor 100 executes the monitoring of the first request message in the preset first window and calculates a current request rate of the target device in the SDN for the first request message, specifically execute the following steps:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
Optionally, the target device is the controller; when the processor 100 executes the monitoring of the first request message in the preset first window and calculates a current request rate of the target device in the SDN for the first request message, specifically execute the following steps:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
Further, when the processor 100 determines whether the target device is in an abnormal state based on the current request rate, the following steps are specifically performed:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined according to the request rate of a first request message in a preset second window;
and if the current request rate is higher than the first threshold, determining that the target device is in an abnormal state.
Further optionally, when executing the query of the flow table matching information corresponding to the target device, the processor 100 specifically executes the following steps:
sending a flow table information query instruction to a boundary switch corresponding to the target device through the communication interface 300;
receiving flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information query instruction through the communication interface 300;
when the processor 100 determines whether the target device is attacked by DDoS based on the flow table matching information, the following steps are specifically executed:
calculating the current flow table matching efficiency corresponding to the target equipment by taking the flow table matching information as a basis;
judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined according to flow table matching efficiency obtained by flow table matching information statistics in a preset third window;
and if the current flow table matching efficiency does not exceed the second threshold, determining that the target device is attacked by DDoS.
Optionally, the target device is a target boundary switch in the at least one boundary switch; when the processor 100 calculates the current flow table matching efficiency corresponding to the target device based on the flow table matching information, the following steps are specifically performed:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
Optionally, the target device is the controller, and the boundary switches corresponding to the target device include all boundary switches in the SDN; when the processor 100 calculates the current flow table matching efficiency corresponding to the target device based on the flow table matching information, the following steps are specifically performed:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN;
and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
Further optionally, the flow table matching information includes a duration in seconds and a matching packet number; when the processor 100 calculates the flow table matching efficiency corresponding to the flow table matching information, the following step is specifically performed:
taking the quotient of the matching packet number and the duration in seconds as the flow table matching efficiency corresponding to the flow table matching information.
Further, the processor 100 is further configured to perform the following steps:
monitoring a second request message of the boundary switch corresponding to the target device, wherein the second request message is generated according to flow table matching information in a preset third window;
calculating the matching efficiency of the historical flow table corresponding to the target device by taking the second request message as a basis;
and determining a second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
Further optionally, the second request message includes reason information, a duration in seconds and a matching packet number; when the processor 100 calculates the historical flow table matching efficiency corresponding to the target device based on the second request message, the following steps are specifically performed:
analyzing the reason information;
if the reason information comprises idle timeout information, taking the quotient of the matching packet number and a target difference as the historical flow table matching efficiency corresponding to the target device, wherein the target difference is the difference between the duration in seconds and the idle time corresponding to the idle timeout information;
and if the reason information comprises hard timeout information, taking the quotient of the matching packet number and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
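The arithmetic of the two-stage check described above (request rate against the first threshold, then flow table matching efficiency against the second threshold, with the idle-timeout correction for historical efficiency), as an added example that is not code from the patent or from Huawei. The window length, the multipliers used to derive the two thresholds from history, the averaging of per-entry efficiencies into one figure per switch, and all counters are constructed assumptions; the patent only states that each threshold is "determined according to" the history in its window.

```python
"""Detection-side arithmetic of the two-stage DDoS check (added example)."""
from dataclasses import dataclass
from statistics import mean

IDLE_TIMEOUT = "idle_timeout"   # reason codes carried in the "second request message"
HARD_TIMEOUT = "hard_timeout"


@dataclass(frozen=True)
class FlowStats:
    """Flow table matching information returned by a boundary switch for one entry."""
    packet_count: int       # matching packet number
    duration_sec: float     # duration in seconds


@dataclass(frozen=True)
class FlowRemoved:
    """Second request message: stats of a flow entry that timed out in the third window."""
    reason: str
    packet_count: int
    duration_sec: float
    idle_timeout_sec: float = 0.0   # only meaningful when reason == IDLE_TIMEOUT


def request_rate(first_request_count: int, window_sec: float) -> float:
    """Request rate of one boundary switch in the first window (messages per second)."""
    return first_request_count / window_sec


def controller_request_rate(counts_per_switch: dict, window_sec: float) -> float:
    """Boundary-network rate = sum of per-switch rates; used as the controller's rate."""
    return sum(request_rate(c, window_sec) for c in counts_per_switch.values())


def first_threshold(history_rates, factor: float = 2.0) -> float:
    """First threshold from the request rates seen in the second window.
    mean * factor is this example's assumption, not the patent's rule."""
    return mean(history_rates) * factor


def is_abnormal(current_rate: float, threshold: float) -> bool:
    return current_rate > threshold


def match_efficiency(stats: FlowStats) -> float:
    """matching packet number / duration in seconds."""
    return stats.packet_count / stats.duration_sec if stats.duration_sec > 0 else 0.0


def switch_efficiency(flows) -> float:
    """Current efficiency of one switch: mean over its entries (assumption)."""
    return mean(match_efficiency(f) for f in flows)


def controller_efficiency(flows_per_switch: dict) -> float:
    """Controller case: average of the per-switch efficiencies."""
    return mean(switch_efficiency(f) for f in flows_per_switch.values())


def historical_efficiency(msg: FlowRemoved) -> float:
    """Idle-timeout removals: the last idle_timeout seconds carried no packets,
    so they are subtracted from the duration before dividing."""
    if msg.reason == IDLE_TIMEOUT:
        active = msg.duration_sec - msg.idle_timeout_sec
    elif msg.reason == HARD_TIMEOUT:
        active = msg.duration_sec
    else:
        raise ValueError(f"unknown removal reason: {msg.reason}")
    if active <= 0:
        return 0.0   # entry never matched after install: no usable rate
    return msg.packet_count / active


def second_threshold(removed_msgs, factor: float = 0.5) -> float:
    """Second threshold from historical efficiencies (mean * factor, assumption)."""
    return mean(historical_efficiency(m) for m in removed_msgs) * factor


def is_ddos(current_efficiency: float, threshold: float) -> bool:
    """Attack is declared when efficiency does NOT exceed the second threshold:
    many Packet-In style requests that install entries matching almost nothing."""
    return current_efficiency <= threshold


def detect_controller(counts, window_sec, history_rates, flows_per_switch, removed) -> dict:
    """Full procedure with the controller as target device."""
    rate = controller_request_rate(counts, window_sec)
    if not is_abnormal(rate, first_threshold(history_rates)):
        return {"rate": rate, "abnormal": False, "ddos": False}
    eff = controller_efficiency(flows_per_switch)
    return {"rate": rate, "abnormal": True, "efficiency": eff,
            "ddos": is_ddos(eff, second_threshold(removed))}


# Constructed sample data (not from the patent).
WINDOW_SEC = 10.0
FIRST_REQUESTS = {"s1": 120, "s2": 40, "s3": 2000}        # first-request counts per switch
HISTORY_RATES = [20.0, 25.0, 22.0, 18.0]                  # rates seen in the second window
FLOWS = {
    "s1": [FlowStats(500, 10), FlowStats(300, 10)],
    "s2": [FlowStats(100, 10)],
    "s3": [FlowStats(1, 10), FlowStats(1, 10), FlowStats(2, 10)],   # entries matching ~nothing
}
REMOVED = [FlowRemoved(IDLE_TIMEOUT, 600, 30, 10),
           FlowRemoved(HARD_TIMEOUT, 900, 60),
           FlowRemoved(IDLE_TIMEOUT, 400, 15, 10)]

if __name__ == "__main__":
    print(detect_controller(FIRST_REQUESTS, WINDOW_SEC, HISTORY_RATES, FLOWS, REMOVED))
```

With the sample, the boundary network rate is 216 requests/s against a first threshold of 42.5, so the controller is abnormal; its matching efficiency of about 16.7 packets/s per entry is below the historical threshold of about 20.8, so the second stage confirms the attack. Switch s1 alone (40 packets/s per entry) would pass the second stage, which is the point of the two-stage design: a burst of legitimate new flows raises the request rate but also installs entries that keep matching.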
Optionally, the target device is a target boundary switch in the at least one boundary switch; when the processor 100 determines a target physical port from the at least one physical port of the boundary switch corresponding to the target device, specifically, the following steps are performed:
and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
Optionally, the target device is the controller; when the processor 100 determines a target physical port from the at least one physical port of the boundary switch corresponding to the target device, specifically, the following steps are performed:
obtaining current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
Further optionally, when the processor 100 performs the marking on the target data stream of the target physical port, specifically perform the following steps:
filling a hash value of the hardware address of the boundary switch corresponding to the target device into an idle field of the data packets of the target data stream of the target physical port; or, alternatively,
and performing data packet encapsulation on the target data stream of the target physical port by adopting a general encapsulation technology.
Further, the processor 100 reads the driver software from the memory and, under the action of the driver software, further performs the following steps:
respectively acquiring address information of a boundary switch and data filtering equipment in the SDN through the communication interface 300;
acquiring topological structure information of the SDN;
and determining at least one data filtering device for the boundary switch according to the topology information, and binding the determined address information of the data filtering device with the address information of the boundary switch.
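The mitigation-side selections described in the two preceding passages (choosing the target switch and target physical port, stamping a hash of the switch hardware address into a spare packet field, and binding boundary switches to data filtering devices from the topology), as an added example that is not the patent's or Huawei's code. The per-port request records, the topology, the use of CRC32 truncated to 16 bits as the hash, the mean of switch efficiencies as the boundary-network figure, and the choice of the nearest filtering device by hop count are all constructed assumptions; the patent names no hash function, field or distance rule.

```python
"""Target port selection, marking value and filter binding (added example)."""
from collections import Counter, deque
from statistics import mean
import zlib


def target_port(in_ports) -> int:
    """Physical port with the densest first-request traffic in the window.
    in_ports: the ingress port recorded for each first request message of one
    switch. On a tie the port seen first wins (Counter keeps insertion order)."""
    counts = Counter(in_ports)
    port, _ = counts.most_common(1)[0]
    return port


def target_switches(efficiency_per_switch: dict) -> list:
    """Controller case: switches whose current matching efficiency is below that
    of the boundary network, taken here as the mean of the switch efficiencies."""
    network = mean(efficiency_per_switch.values())
    return sorted(s for s, e in efficiency_per_switch.items() if e < network)


def select_target_ports(efficiency_per_switch: dict, in_ports_per_switch: dict) -> dict:
    """Target port for every target switch."""
    return {s: target_port(in_ports_per_switch[s])
            for s in target_switches(efficiency_per_switch)}


def mark_value(switch_mac: str) -> int:
    """16-bit hash of the switch hardware address used to mark redirected packets.
    CRC32 & 0xFFFF is this example's choice of hash and width (assumption)."""
    raw = bytes.fromhex(switch_mac.replace(":", ""))
    return zlib.crc32(raw) & 0xFFFF


def bind_filters(topology: dict, boundary_switches, filter_devices) -> dict:
    """Bind each boundary switch to the filtering device(s) nearest by hop count.
    topology: undirected adjacency {node: [neighbours]}; BFS visits nodes in
    nondecreasing distance, so the scan stops once a farther level is reached."""
    filters = set(filter_devices)
    binding = {}
    for sw in boundary_switches:
        dist = {sw: 0}
        queue = deque([sw])
        nearest, best = [], None
        while queue:
            node = queue.popleft()
            if best is not None and dist[node] > best:
                break
            if node in filters:
                best = dist[node]
                nearest.append(node)
            for nxt in topology.get(node, []):
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
        binding[sw] = sorted(nearest)
    return binding


# Constructed sample data (not from the patent).
EFFICIENCY = {"s1": 40.0, "s2": 10.0, "s3": 0.1333}      # from the detection stage
IN_PORTS = {"s1": [1, 2, 1, 3], "s2": [4, 4, 5], "s3": [7, 8, 8, 8, 9, 8, 7]}
TOPOLOGY = {
    "s1": ["core1"], "s2": ["core1"], "s3": ["core2"],
    "core1": ["s1", "s2", "f1", "core2"], "core2": ["core1", "s3", "f2"],
    "f1": ["core1"], "f2": ["core2"],
}
SWITCH_MAC = {"s1": "00:11:22:33:44:55", "s2": "00:11:22:33:44:66", "s3": "00:11:22:33:44:77"}

if __name__ == "__main__":
    print(select_target_ports(EFFICIENCY, IN_PORTS))
    print({s: hex(mark_value(m)) for s, m in SWITCH_MAC.items()})
    print(bind_filters(TOPOLOGY, ["s1", "s2", "s3"], ["f1", "f2"]))
```

With the sample, s2 and s3 fall below the boundary-network efficiency and become target switches, ports 4 and 8 are their target ports, and s1 and s2 bind to f1 while s3 binds to f2. The binding is computed once from the topology, so redirection at attack time is a lookup rather than a path search.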
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (51)

1. A distributed denial of service (DDoS) attack detection method is applied to a Software Defined Network (SDN), the SDN comprises a controller and at least one boundary switch, and the method is characterized by comprising the following steps:
monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, wherein the first request message is a request data stream which is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller;
judging whether the target equipment is in an abnormal state or not by taking the current request rate as a basis;
if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment;
determining whether the target equipment is attacked by DDoS or not by taking the flow table matching information as a basis;
wherein said determining whether the target device is attacked by DDoS based on the flow table matching information comprises: calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information; judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined according to flow table matching efficiency obtained by statistics of flow table matching information in a preset third window; and if the current flow table matching efficiency does not exceed the second threshold, determining that the target device is attacked by DDoS.
2. The method of claim 1, further comprising:
if the target device is determined to be attacked by the DDoS attack, determining a target physical port from at least one physical port of the boundary switch corresponding to the target device, where the target physical port is a physical port with the highest data stream density corresponding to the first request message in the first window of the at least one physical port;
marking a target data flow transmitted by the target physical port, wherein the target data flow is a data flow between switches in the SDN;
and redirecting the marked target data stream to a data filtering device bound with a boundary switch corresponding to the target device in advance, so that the data filtering device processes the marked target data stream.
3. The method of claim 1, wherein the target device is a target border switch of the at least one border switch; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, including:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
4. The method of claim 2, wherein the target device is a target border switch of the at least one border switch; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, including:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
5. The method of claim 1, wherein the target device is the controller; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, including:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
6. The method of claim 2, wherein the target device is the controller; the monitoring a first request message in a preset first window, and calculating a current request rate of a target device in the SDN for the first request message, including:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
7. The method according to any one of claims 1 to 6, wherein said determining whether the target device is in an abnormal state based on the current request rate comprises:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined according to the request rate of a first request message in a preset second window;
and if the current request rate is higher than the first threshold, determining that the target device is in an abnormal state.
8. The method according to any one of claims 1 to 6, wherein the querying flow table matching information corresponding to the target device includes:
sending a flow table information query instruction to a boundary switch corresponding to the target device;
and receiving flow table matching information returned by the boundary switch corresponding to the target equipment in response to the flow table information query instruction.
9. The method of claim 8, wherein the target device is a target border switch of the at least one border switch; the calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information includes:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
10. The method of claim 8, wherein the target device is the controller, and wherein the boundary switches corresponding to the target device comprise all boundary switches in the SDN; the calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information includes:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN;
and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
11. The method of claim 9, wherein the flow table matching information includes a duration in seconds and a number of matching packets; the calculating the flow table matching efficiency corresponding to the flow table matching information comprises:
taking the quotient of the number of matching packets and the duration in seconds as the flow table matching efficiency corresponding to the flow table matching information.
12. The method of claim 8, further comprising:
monitoring a second request message of the boundary switch corresponding to the target device, wherein the second request message is generated according to flow table matching information in a preset third window;
calculating the matching efficiency of the historical flow table corresponding to the target device by taking the second request message as a basis;
and determining a second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
13. The method of claim 12, wherein the second request message comprises cause information, a duration in seconds, and a number of matching packets; the calculating the matching efficiency of the historical flow table corresponding to the target device based on the second request message includes:
analyzing the reason information;
if the reason information comprises idle timeout information, taking the quotient of the number of matching packets and a target difference as the historical flow table matching efficiency corresponding to the target device, wherein the target difference is the difference between the duration in seconds and the idle time corresponding to the idle timeout information;
and if the reason information comprises hard timeout information, taking the quotient of the number of matching packets and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
14. The method of claim 2, wherein the target device is a target border switch of the at least one border switch; the determining a target physical port from at least one physical port of the boundary switch corresponding to the target device includes:
and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
15. The method of claim 2, wherein the target device is the controller; the determining a target physical port from at least one physical port of the boundary switch corresponding to the target device includes:
obtaining current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
16. The method of claim 2, wherein marking the target data stream of the target physical port comprises:
filling a hash value of the hardware address of the boundary switch corresponding to the target device into an idle field of the data packets of the target data stream of the target physical port; or, alternatively,
and performing data packet encapsulation on the target data stream of the target physical port by adopting a general encapsulation technology.
17. The method of claim 2, further comprising:
respectively acquiring address information of a boundary switch and data filtering equipment in the SDN;
acquiring topological structure information of the SDN;
and determining at least one data filtering device for the boundary switch according to the topological structure information, and binding the determined address information of the data filtering device with the address information of the boundary switch.
18. A distributed denial of service (DDoS) attack detection device applied to a Software Defined Network (SDN), wherein the SDN comprises a controller and at least one boundary switch, the device comprising:
a calculating module, configured to monitor a first request message in a preset first window, and calculate a current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream that needs to be processed by the controller and is sent to the controller by a border switch corresponding to the target device;
an anomaly judgment module, configured to judge whether the target device is in an abnormal state based on the current request rate;
the query module is used for querying flow table matching information corresponding to the target device when the judgment result of the abnormity judgment module is that the target device is in an abnormal state;
the attack determining module is used for determining whether the target equipment is attacked by the DDoS according to the flow table matching information;
wherein said determining whether the target device is attacked by DDoS based on the flow table matching information comprises: calculating the current flow table matching efficiency corresponding to the target device based on the flow table matching information; judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined according to flow table matching efficiency obtained by statistics of flow table matching information in a preset third window; and if the current flow table matching efficiency does not exceed the second threshold, determining that the target device is attacked by DDoS.
19. The apparatus of claim 18, further comprising:
a port determining module, configured to determine, when it is determined that the target device is attacked by DDoS, a target physical port from at least one physical port of a boundary switch corresponding to the target device, where the target physical port is a physical port with a largest data stream density corresponding to the first request message in the first window of the at least one physical port;
a marking module, configured to mark a target data flow transmitted by the target physical port, where the target data flow is a data flow between switches in the SDN;
a redirection module, configured to redirect the marked target data stream to a data filtering device bound to a boundary switch corresponding to the target device in advance, so that the data filtering device processes the marked target data stream;
wherein the attack determination module comprises:
the efficiency calculating unit is used for calculating the current flow table matching efficiency corresponding to the target equipment by taking the flow table matching information as a basis;
a second judging unit, configured to judge whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, where the second threshold is determined according to the flow table matching efficiency obtained by statistics of flow table matching information in a preset third window;
a second determining unit, configured to determine that the target device is attacked by DDoS when the judgment result of the second judging unit is that the current flow table matching efficiency does not exceed the second threshold.
20. The apparatus of claim 18, wherein the target device is a target border switch of the at least one border switch; the calculation module comprises:
the first monitoring unit is used for monitoring a first request message sent by the target boundary switch in a preset first window;
a first calculating unit, configured to calculate a request rate of the first request message, and use the calculated request rate as a current request rate of the target border switch for the first request message.
21. The apparatus of claim 19, wherein the target device is a target border switch of the at least one border switch; the calculation module comprises:
the first monitoring unit is used for monitoring a first request message sent by the target boundary switch in a preset first window;
a first calculating unit, configured to calculate a request rate of the first request message, and use the calculated request rate as a current request rate of the target border switch for the first request message.
22. The apparatus of claim 18, wherein the target device is the controller; the calculation module comprises:
a second monitoring unit, configured to monitor a first request message sent by each border switch in the SDN within a preset first window;
the second computing unit is used for respectively counting the request rate of the first request message sent by each boundary switch in the first window;
the second computing unit is further configured to obtain, from the request rate statistics of each boundary switch, the current request rate of the boundary network determined by all boundary switches in the SDN within the first window, and to use the current request rate of the boundary network as the current request rate of the controller for the first request message.
23. The apparatus of claim 19, wherein the target device is the controller; the calculation module comprises:
a second monitoring unit, configured to monitor a first request message sent by each border switch in the SDN within a preset first window;
the second computing unit is used for respectively counting the request rate of the first request message sent by each boundary switch in the first window;
the second computing unit is further configured to obtain, from the request rate statistics of each boundary switch, the current request rate of the boundary network determined by all boundary switches in the SDN within the first window, and to use the current request rate of the boundary network as the current request rate of the controller for the first request message.
24. The apparatus according to any one of claims 18 to 23, wherein the abnormality determining module comprises:
a first judging unit, configured to judge whether the current request rate is higher than a preset first threshold corresponding to the target device, where the first threshold is determined according to the request rate of a first request message in a preset second window;
a first determining unit, configured to determine that the target device is in an abnormal state when the judgment result of the first judging unit is that the current request rate is higher than the first threshold.
25. The apparatus of any one of claims 18-23, wherein the query module comprises:
the instruction sending unit is used for sending a flow table information query instruction to a boundary switch corresponding to the target equipment when the target equipment is in an abnormal state;
and the information receiving unit is used for receiving flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information inquiry instruction.
26. The apparatus of claim 19, 21 or 23, wherein the target device is a target border switch of the at least one border switch; the efficiency calculation unit is specifically configured to:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
27. The apparatus of claim 19, 21 or 23, wherein the target device is the controller, and wherein the boundary switches corresponding to the target device comprise all boundary switches in the SDN; the efficiency calculation unit is specifically configured to:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN; and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
28. The apparatus of claim 25, further comprising:
the efficiency determining module is configured to monitor a second request message of the boundary switch corresponding to the target device, and calculate a historical flow table matching efficiency corresponding to the target device based on the second request message, where the second request message is generated according to flow table matching information in a preset third window;
and the threshold value determining module is used for determining a second threshold value corresponding to the target equipment according to the historical flow table matching efficiency corresponding to the target equipment.
29. The apparatus of claim 28, wherein the second request message comprises cause information, a duration in seconds, and a number of matching packets; the efficiency determination module includes:
the analysis unit is used for analyzing the reason information;
a third determining unit, configured to, when the analysis result of the analyzing unit is that the reason information includes idle timeout information, use the quotient of the number of matching packets and a target difference as the historical flow table matching efficiency corresponding to the target device, where the target difference is the difference between the duration in seconds and the idle time corresponding to the idle timeout information;
the third determining unit is further configured to, when the analysis result of the analyzing unit is that the reason information includes hard timeout information, use the quotient of the number of matching packets and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
30. The apparatus of claim 19, wherein the target device is a target border switch of the at least one border switch; the port determination module is specifically configured to:
and when the target boundary switch is determined to be attacked by the DDoS attack, determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
31. The apparatus of claim 19, wherein the target device is the controller; the port determination module is specifically configured to:
when the controller is determined to be attacked by DDoS, acquiring current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
32. The apparatus of claim 19, wherein the tagging module is specifically configured to:
filling a hardware address hash value of the boundary switch corresponding to the target device into an idle field of the data packets of the target data stream of the target physical port; or,
performing data packet encapsulation on the target data stream of the target physical port by using a general encapsulation technology.
33. The apparatus of claim 19, further comprising:
an obtaining module, configured to obtain address information of a boundary switch and a data filtering device in the SDN, respectively;
the obtaining module is further configured to obtain topology structure information of the SDN;
and the binding determining module is used for determining at least one data filtering device for the boundary switch according to the topological structure information and binding the address information of the determined data filtering device with the address information of the boundary switch.
34. A network device for application in a software defined network, SDN, the SDN including a controller and at least one border switch, comprising: a communication interface, a memory and a processor, wherein the processor is connected to the communication interface and to the memory; wherein:
the memory is used for storing driver software;
the processor reads the driver software from the memory and, under the action of the driver software, executes the following steps:
monitoring a first request message in a preset first window through the communication interface, and calculating a current request rate of a target device in the SDN for the first request message, where the first request message is a request data stream which is sent to the controller by a boundary switch corresponding to the target device and needs to be processed by the controller;
judging whether the target equipment is in an abnormal state or not by taking the current request rate as a basis;
if the target equipment is in an abnormal state, inquiring flow table matching information corresponding to the target equipment;
determining whether the target equipment is attacked by DDoS or not by taking the flow table matching information as a basis;
when the processor determines whether the target device is attacked by DDoS based on the flow table matching information, the following steps are specifically executed:
calculating the current flow table matching efficiency corresponding to the target equipment by taking the flow table matching information as a basis;
judging whether the current flow table matching efficiency exceeds a preset second threshold corresponding to the target device, wherein the second threshold is determined according to flow table matching efficiency obtained by flow table matching information statistics in a preset third window;
and if the current flow table matching efficiency does not exceed the second threshold, determining that the target device is attacked by DDoS.
35. The network device of claim 34, wherein the processor reads the driver software from the memory and under the action of the driver software, further performs the following steps:
if the target device is determined to be attacked by the DDoS attack, determining a target physical port from at least one physical port of the boundary switch corresponding to the target device, where the target physical port is a physical port with the highest data stream density corresponding to the first request message in the first window of the at least one physical port;
marking a target data flow transmitted by the target physical port, wherein the target data flow is a data flow between switches in the SDN;
and redirecting the marked target data stream to a data filtering device bound with a boundary switch corresponding to the target device in advance through the communication interface so that the data filtering device processes the marked target data stream.
36. The network device of claim 34, wherein the target device is a target border switch of the at least one border switch; the processor, when executing the monitoring of the first request message in the preset first window and calculating a current request rate of a target device in the SDN for the first request message, specifically executes the following steps:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
37. The network device of claim 35, wherein the target device is a target border switch of the at least one border switch; the processor, when executing the monitoring of the first request message in the preset first window and calculating a current request rate of a target device in the SDN for the first request message, specifically executes the following steps:
monitoring a first request message sent by the target boundary switch in a preset first window;
and calculating the request rate of the first request message, and taking the calculated request rate as the current request rate of the target boundary switch for the first request message.
38. The network device of claim 34, wherein the target device is the controller; the processor, when executing the monitoring of the first request message in the preset first window and calculating a current request rate of a target device in the SDN for the first request message, specifically executes the following steps:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
39. The network device of claim 35, wherein the target device is the controller; the processor, when executing the monitoring of the first request message in the preset first window and calculating a current request rate of a target device in the SDN for the first request message, specifically executes the following steps:
monitoring a first request message sent by each boundary switch in the SDN in a preset first window;
respectively counting to obtain the request rate of the first request message sent by each boundary switch in the first window;
and counting the request rate of each boundary switch to obtain the current request rate of the boundary network determined by all the boundary switches in the SDN in the first window, and taking the current request rate of the boundary network as the current request rate of the controller for the first request message.
40. The network device according to any of claims 34-39, wherein the processor, when executing the determining whether the target device is in an abnormal state based on the current request rate, specifically executes the following steps:
judging whether the current request rate is higher than a preset first threshold corresponding to the target device, wherein the first threshold is determined according to the request rate of a first request message in a preset second window;
and if the current request rate is higher than the first threshold, determining that the target device is in an abnormal state.
41. The network device according to any one of claims 34 to 39, wherein the processor, when performing the query of the flow table matching information corresponding to the target device, specifically performs the following steps:
sending a flow table information query instruction to a boundary switch corresponding to the target device through the communication interface;
and receiving flow table matching information returned by the boundary switch corresponding to the target device in response to the flow table information query instruction through the communication interface.
42. The network device of claim 41, wherein the target device is a target border switch of the at least one border switch; when the processor calculates the current flow table matching efficiency corresponding to the target device based on the flow table matching information, the following steps are specifically executed:
and calculating flow table matching efficiency corresponding to the flow table matching information according to the flow table matching information returned by the target boundary switch, and taking the calculated flow table matching efficiency as the current flow table matching efficiency of the target boundary switch.
43. The network device of claim 41, wherein the target device is the controller, and wherein the boundary switches corresponding to the target device comprise all boundary switches in the SDN; when the processor calculates the current flow table matching efficiency corresponding to the target device based on the flow table matching information, the following steps are specifically executed:
respectively calculating flow table matching efficiency corresponding to the flow table matching information returned by each boundary switch according to the flow table matching information returned by each boundary switch in the SDN;
and calculating to obtain an average value of the flow table matching efficiency corresponding to each boundary switch, and taking the average value as the current flow table matching efficiency corresponding to the controller.
44. The network device of claim 42 or 43, wherein the flow table match information comprises a duration in seconds and a number of matching packets; when the processor performs calculation of the flow table matching efficiency corresponding to the flow table matching information, the following steps are specifically performed:
and taking the quotient of the number of matching packets and the duration in seconds as the flow table matching efficiency corresponding to the flow table matching information.
45. The network device of claim 41, wherein the processor is further configured to perform the steps of:
monitoring a second request message of the boundary switch corresponding to the target device, wherein the second request message is generated according to flow table matching information in a preset third window;
calculating a historical flow table matching efficiency corresponding to the target device by taking the second request message as a basis;
and determining a second threshold corresponding to the target device according to the historical flow table matching efficiency corresponding to the target device.
46. The network device of claim 45, wherein the second request message comprises cause information, a duration in seconds, and a number of matching packets; when the processor calculates the historical flow table matching efficiency corresponding to the target device based on the second request message, the processor specifically executes the following steps:
analyzing the cause information;
if the cause information comprises idle timeout information, taking a quotient of the number of matching packets and a target difference as the historical flow table matching efficiency corresponding to the target device, wherein the target difference is the difference between the duration in seconds and the idle time corresponding to the idle timeout information;
and if the cause information comprises hard timeout information, taking the quotient of the number of matching packets and the duration in seconds as the historical flow table matching efficiency corresponding to the target device.
47. The network device of claim 35, wherein the target device is a target border switch of the at least one border switch; when the processor determines a target physical port from the at least one physical port of the boundary switch corresponding to the target device, specifically performing the following steps:
and determining the physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target boundary switch as a target physical port according to the first request message.
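The two-stage decision of claims 34, 40, 44 and 46 and the port choice of claim 47, as an added Python model that is not the patent's own code: the message classes, the window bookkeeping, the threshold multipliers RATE_K and EFF_K, the per-entry averaging in current_efficiency and all sample messages are constructed here for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class PacketIn:      # first request message: switch asks how to handle an unmatched flow
    switch: str
    port: int
    t: float         # arrival time in seconds

@dataclass
class FlowRemoved:   # second request message: switch reports an expired entry
    reason: str      # "idle_timeout" or "hard_timeout"
    duration_sec: int
    packet_count: int
    idle_timeout: int  # idle time configured on the entry

@dataclass
class FlowStats:     # reply to the flow table information query (claim 41)
    duration_sec: int
    packet_count: int

def in_window(m, start, length):
    return start <= m.t < start + length

def request_rate(msgs, start, length):
    """Claim 36: first request messages per second inside the window."""
    return sum(1 for m in msgs if in_window(m, start, length)) / length

def match_efficiency(stats):
    """Claim 44: matched packets per second of entry lifetime."""
    return stats.packet_count / stats.duration_sec

def current_efficiency(stats_list):
    """Claim 42: one value per switch; averaging its entries is this example's choice
    (claim 43's controller case then averages the per-switch values)."""
    return mean(match_efficiency(s) for s in stats_list)

def historical_efficiency(fr):
    """Claim 46: efficiency a removed entry achieved while active. An idle-timed-out
    entry saw nothing in its last idle_timeout seconds, so that slack is subtracted."""
    if fr.reason == "idle_timeout":
        return fr.packet_count / (fr.duration_sec - fr.idle_timeout)
    if fr.reason == "hard_timeout":
        return fr.packet_count / fr.duration_sec
    raise ValueError(f"unsupported removal reason: {fr.reason!r}")

def is_ddos(cur_rate, rate_threshold, cur_eff, eff_threshold):
    """Claims 34 and 40: abnormal only if the rate exceeds the first threshold, and
    DDoS only if the efficiency then fails to exceed the second. A flash crowd raises
    the rate but its entries keep matching packets, so it passes the second test."""
    if cur_rate <= rate_threshold:
        return False
    return cur_eff <= eff_threshold

def busiest_port(msgs, start, length):
    """Claim 47: port whose flows triggered the most first request messages."""
    counts = {}
    for m in msgs:
        if in_window(m, start, length):
            counts[m.port] = counts.get(m.port, 0) + 1
    return max(counts, key=counts.get)

# Constructed sample: a 10 s baseline window, then a 10 s window in which port 3
# of switch s1 floods the controller with flows that never match an entry.
BASELINE = [PacketIn("s1", 1, i) for i in range(10)]
CURRENT = ([PacketIn("s1", 3, 10 + i / 3) for i in range(27)]
           + [PacketIn("s1", 1, 10 + i) for i in range(3)])
HISTORY = [FlowRemoved("idle_timeout", 30, 250, 10),   # expired before the attack
           FlowRemoved("hard_timeout", 60, 600, 0)]
NOW = [FlowStats(5, 1), FlowStats(5, 2), FlowStats(10, 1)]  # installed during it
RATE_K, EFF_K = 2.0, 0.5  # threshold multipliers: a policy choice of this example

def assess(baseline=BASELINE, current=CURRENT, history=HISTORY, now=NOW):
    base_rate = request_rate(baseline, 0, 10)                    # second window
    cur_rate = request_rate(current, 10, 10)                     # first window
    hist_eff = mean(historical_efficiency(f) for f in history)   # third window
    cur_eff = current_efficiency(now)
    attacked = is_ddos(cur_rate, RATE_K * base_rate, cur_eff, EFF_K * hist_eff)
    port = busiest_port(current, 10, 10) if attacked else None
    return {"cur_rate": cur_rate, "hist_eff": hist_eff, "cur_eff": cur_eff,
            "ddos": attacked, "target_port": port}
```

Passing entries that still match well (a flash crowd) to assess(now=...) shows why the second stage exists: the rate test trips but the efficiency test does not.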
48. The network device of claim 35, wherein the target device is the controller; when the processor determines a target physical port from the at least one physical port of the boundary switch corresponding to the target device, specifically performing the following steps:
obtaining current flow table matching efficiency of each boundary switch in the SDN, and taking the boundary switch with the current flow table matching efficiency lower than that of a boundary network corresponding to the SDN as a target switch, wherein the boundary network corresponding to the SDN is determined by the at least one boundary switch in the SDN;
and determining a physical port with the maximum data stream density corresponding to the first request message in at least one physical port of the target switch as a target physical port according to the first request message corresponding to the target switch.
49. The network device according to claim 35, wherein the processor, when performing the marking of the target data stream of the target physical port, specifically performs the following steps:
filling a hardware address hash value of the boundary switch corresponding to the target device into an idle field of the data packets of the target data stream of the target physical port; or,
performing data packet encapsulation on the target data stream of the target physical port by using a general encapsulation technology.
50. The network device of claim 35, wherein the processor reads the driver software from the memory and under the action of the driver software, further performs the following steps:
respectively acquiring address information of a boundary switch and data filtering equipment in the SDN through the communication interface;
acquiring topological structure information of the SDN;
and determining at least one data filtering device for the boundary switch according to the topological structure information, and binding the determined address information of the data filtering device with the address information of the boundary switch.
51. A computer-readable storage medium, characterized in that it stores a computer program which, when executed by a computer device, is capable of implementing the method of any one of claims 1 to 17.
CN201580031751.2A 2015-08-29 2015-08-29 Distributed denial of service (DDoS) attack detection method and related equipment Active CN108028828B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/088458 WO2017035717A1 (en) 2015-08-29 2015-08-29 Distributed denial of service attack detection method and associated device

Publications (2)

Publication Number Publication Date
CN108028828A CN108028828A (en) 2018-05-11
CN108028828B true CN108028828B (en) 2020-10-27

Family

ID=58186954

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580031751.2A Active CN108028828B (en) 2015-08-29 2015-08-29 Distributed denial of service (DDoS) attack detection method and related equipment

Country Status (2)

Country Link
CN (1) CN108028828B (en)
WO (1) WO2017035717A1 (en)

Also Published As

Publication number Publication date
WO2017035717A1 (en) 2017-03-09
CN108028828A (en) 2018-05-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210430

Address after: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee after: Honor Device Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
