CN111885092A - DDoS attack detection method and processing method for edge nodes and SDN - Google Patents


Info

Publication number
CN111885092A
Authority
CN
China
Prior art keywords
destination
address
request message
ddos attack
port
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010949698.7A
Other languages
Chinese (zh)
Inventor
侯乐
徐雷
贾宝军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a DDoS attack detection method, a processing method and an SDN of edge nodes, wherein the detection method comprises the following steps: receiving a request message stream sent by a puppet machine in a predetermined time period; calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow; and judging whether the edge node corresponding to the destination IP address has DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port. The detection method, the processing method and the SDN can solve the problem that DDoS attack behaviors cannot be detected due to the fact that an edge network is easily attacked by DDoS and no DDoS physical cleaning equipment exists in the prior art.

Description

DDoS attack detection method and processing method for edge nodes and SDN
Technical Field
The invention relates to the technical field of network attack defense, in particular to a DDoS attack detection method and processing method of edge nodes and an SDN.
Background
Distributed Denial of Service (DDoS) attacks are currently the main attack means threatening network security, and a hacker controls a puppet computer to send a large amount of false messages to a victim host, thereby causing network congestion or crash of the victim host. An edge node in an edge network, as a service provider, is vulnerable to a distributed denial of service (DDoS) attack, thereby causing service interruption. In addition, there is usually no very expensive DDoS physical cleaning device in the edge network, so how to detect DDoS attack behavior against edge nodes with low cost in the edge network becomes very critical and necessary.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a DDoS attack detection method, a processing method and an SDN for an edge node, aiming at the above deficiencies in the prior art, so as to solve the problem in the prior art that a DDoS attack behavior cannot be detected due to the fact that an edge network is easily attacked by DDoS and no DDoS physical cleaning device exists.
In a first aspect, an embodiment of the present invention provides a DDoS attack detection method for an edge node, which is applied to a software defined network SDN, and the method includes:
receiving a request message stream sent by a puppet machine in a predetermined time period;
calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow;
and judging whether the edge node corresponding to the destination IP address has DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
Preferably, before the step of receiving the request message stream sent by the puppet machine within the predetermined time period, the method further includes:
and when the starting time of the preset time period comes, clearing the flow table entry of the switch.
Preferably, while receiving a request packet stream sent by the puppet machine within a predetermined time period, the method further includes:
analyzing each request message in the received request message stream to obtain quadruple information of each request message, wherein the quadruple information comprises: a source IP address, a destination IP address, a source port, and a destination port;
and storing the quadruple information of each request message into a preset database.
Preferably, the calculating an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow includes:
acquiring all four-tuple information of each request message in the preset database;
and calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in the preset database according to the quadruple information.
Preferably, the determining whether a DDoS attack exists on an edge node corresponding to each destination IP address according to an entropy value of a destination port corresponding to each destination IP address and an entropy value of a source port includes:
if the entropy value of a destination port corresponding to a destination IP address is smaller than a first threshold value and the entropy value of a source port is larger than a second threshold value, judging that a DDoS attack exists on an edge node corresponding to the destination IP address;
and if the entropy value of the destination port corresponding to the destination IP address is smaller than a first threshold value and the entropy value of the source port is smaller than a second threshold value, judging that the edge node corresponding to the destination IP address does not have DDoS attack.
In a second aspect, an embodiment of the present invention provides a DDoS attack processing method for an edge node, which is applied to a software defined network SDN, and the method includes:
judging whether the edge node corresponding to each destination IP address has DDoS attack or not by adopting the DDoS attack detection method of the edge node in the first aspect;
if DDoS attack exists, discarding the request message matched with the destination IP address, the source IP address and the destination port;
and if the edge node is judged to have no DDoS attack, forwarding the request message matched with the destination IP address, the source IP address and the destination port.
Preferably, if it is determined that a DDoS attack exists on the edge node, discarding the request packet matching the destination IP address, the source IP address, and the destination port includes:
a controller in the SDN generates a flow table corresponding to the edge node, wherein the flow table is used for indicating a switch in the SDN to discard a request message matched with the destination IP address, the source IP address and the destination port, and the priority of the flow table is set to be the highest priority;
and issuing the flow table to a switch in the SDN so that, when receiving a request message matched with the destination IP address, the source IP address and the destination port, the switch preferentially matches the flow table and discards the request message.
In a third aspect, an embodiment of the present invention provides an SDN, including:
a receiving module, configured to receive a request message stream sent by a puppet machine within a predetermined time period;
a calculating module, connected to the receiving module, configured to calculate, according to the request packet flow, an entropy of a destination port and an entropy of a source port corresponding to each destination IP address in each request packet;
and the judging module is connected with the calculating module and is used for judging whether the DDoS attack exists on the edge node corresponding to the destination IP address or not according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
Preferably, the SDN further comprises:
and the flow table entry emptying module is used for emptying the flow table entry of the switch when the starting time of the preset time period arrives.
Preferably, the SDN further comprises:
the first processing module is connected with the judging module and used for discarding the request message matched with the destination IP address, the source IP address and the destination port when the judging module judges that the DDoS attack exists on the edge node;
and the second processing module is connected with the judging module and used for forwarding the request message matched with the destination IP address, the source IP address and the destination port when the judging module judges that the DDoS attack does not exist in the edge node.
According to the DDoS attack detection method, the processing method, and the SDN of the edge node provided by the embodiments of the present invention, by receiving a request packet flow sent by a puppet machine in a predetermined time period in an edge network by using the SDN, and calculating an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request packet, a DDoS attack behavior for an edge node port can be detected in an information entropy manner, so that a problem that the DDoS attack behavior cannot be detected due to the fact that the edge network is easily attacked by DDoS and no DDoS physical cleaning device exists in the prior art is solved.
Drawings
FIG. 1 is a flow chart of a DDoS attack detection method of embodiment 1 of the present invention;
FIG. 2 is a flow chart of a DDoS attack processing method of embodiment 2 of the present invention;
FIG. 3 is a structural diagram of an SDN in embodiment 3 of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Example 1:
the embodiment provides a DDoS attack detection method for an edge node, which is applied to a Software Defined Network (SDN), and as shown in fig. 1, the method includes:
step S102: receiving a request message stream sent by a puppet machine in a predetermined time period;
In this embodiment, the edge node and the puppet machine are both located in an edge network that employs an SDN architecture. The SDN includes a controller and at least one switch. The edge node is a server node in the edge network, and a client in the edge network becomes a puppet machine after being invaded and manipulated by a hacker. The edge node and the puppet machine are connected to the switch in the SDN, and the puppet machine sends request messages to the SDN, where the request messages include normal request messages and DDoS attack messages.
It should be noted that, in an SDN network, a switch is only responsible for forwarding according to the forwarding logic of the controller, and that logic is deployed on the switch in the form of flow tables. In the prior art, the controller usually issues a default flow table to the switch when the network is initialized. The content of this flow table is to upload received request messages to the controller, and its priority is low. When a request message reaches the switch, the switch matches it against its flow tables; if no other flow table matches, the request message is uploaded to the controller for processing according to the default flow table.
Optionally, before the step of receiving the request message stream sent by the puppet machine within the predetermined time period, the method may further include:
when the starting time of the preset time period comes, the flow table entry of the switch is cleared.
In this embodiment, a request message that matches a flow entry already present in the switch's current flow table (for example, an entry for an attacked edge node) would be forwarded directly by the switch and not uploaded to the controller. To avoid this, the flow table entries of the switch are cleared when the starting time of the predetermined time period comes, which further ensures the comprehensiveness of the detection. After the flow table entries are cleared, only the default flow table entry remains on the switch, that is, all received request messages are uploaded to the controller for processing.
Optionally, while receiving the request message stream sent by the puppet machine within the predetermined time period, the method may further include:
analyzing each request message in the received request message stream to obtain quadruple information of each request message, wherein the quadruple information comprises: a source IP address, a destination IP address, a source port, and a destination port;
and storing the quadruple information of each request message into a preset database.
In this embodiment, when the starting time of the predetermined time period comes, for example, at time t0, the controller clears the switch flow table entry and starts the following steps:
step A: the controller receives a request message sent by the switch;
In this example, it is assumed that the puppet machine h1 sends a request message stream to the SDN network, where the request message includes: and after the switch receives the host's request messages, they match the switch's default flow table entry and are uploaded to the controller in sequence.
Step B: the controller analyzes the message and stores the four-tuple (source IP address, destination IP address, source port and destination port) information of the request message into a preset database DB. The entries of the DB may be as shown in Table 1:
TABLE 1
| Source IP address | Destination IP address | Source port | Destination port |
| --- | --- | --- | --- |
| IP-h1 | IP-h2 | Port-h1 | Port-h2 |
| IP-h1 | IP-h3 | Dummy Port0 | Port-h3 |
Step C: the controller issues the request message to the switch through the message forwarding program, and executes a normal forwarding process.
When the end time of the predetermined time period comes, for example, at time t1, the entries of DB in the predetermined time period t may be as shown in Table 2, where t = t1 - t0.
TABLE 2
| Source IP | Destination IP | Source port | Destination port |
| --- | --- | --- | --- |
| IP-h1 | IP-h2 | Port-h1 | Port-h2 |
| IP-h1 | IP-h3 | Dummy Port0 | Port-h3 |
| …… | …… | …… | …… |
| IP-h1 | IP-h3 | Dummy Portn | Port-h3 |
Step S104: and calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow.
Optionally, calculating an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow may include:
acquiring all four-tuple information of each request message in a preset database;
and calculating the entropy value of a destination port corresponding to each destination IP address in a preset database and the entropy value of a source port according to the quadruple information.
The formula for calculating the entropy value can be as follows:
$$H(x) = E[I(x_i)] = E\left[\log_2 \frac{1}{P(x_i)}\right] = -\sum_{i=1}^{n} P(x_i)\log_2 P(x_i)$$
where x denotes a random variable whose set of all possible outputs is defined as a symbol set, with the output of the random variable denoted by x, and P(x) denotes the output probability function. The larger the uncertainty of the variable, the larger the entropy. Taking Table 2 as an example, the entropy of the edge node H3 is $\log_2 n$, and the entropy of the edge node H4 is 0.
Step S106: and judging whether the edge node corresponding to the destination IP address has DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
During research on and practice of the prior art, the inventor found that a DDoS attack manifests as the puppet machine sending request messages whose destination port is fixed and whose source port is largely random; that is, the entropy value H4 of the destination port is smaller than a set first threshold value k4, and the entropy value H3 of the source port is larger than a set second threshold value k3. Therefore, whether a DDoS attack exists on the edge node corresponding to each destination IP address can be judged according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
Optionally, judging whether a DDoS attack exists on an edge node corresponding to the destination IP address according to the entropy of the destination port corresponding to each destination IP address and the entropy of the source port may include:
if the entropy value of the destination port corresponding to the destination IP address is smaller than a first threshold value and the entropy value of the source port is larger than a second threshold value, judging that the DDoS attack exists on the edge node corresponding to the destination IP address;
and if the entropy value of the destination port corresponding to the destination IP address is smaller than a first threshold value and the entropy value of the source port is smaller than a second threshold value, judging that the edge node corresponding to the destination IP address does not have DDoS attack.
In this embodiment, taking Table 2 as an example, the SDN controller obtains by comparison that H4 < k4 and H3 < k3 when the destination IP is h2, and that H4 < k4 and H3 > k3 when the destination IP is h3. It therefore determines that a DDoS attack that overloads the edge node is occurring in the network against the designated port Port-h3 of the edge node h3.
In the DDoS attack detection method for edge nodes provided in this embodiment, by receiving, in an edge network, a request packet flow sent by a puppet machine in a predetermined time period by using an SDN, and calculating an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request packet, a DDoS attack behavior for an edge node port can be detected in an information entropy manner, so that a problem that the DDoS attack behavior cannot be detected due to the fact that the edge network is easily attacked by DDoS and a DDoS physical cleaning device does not exist in the prior art is solved.
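The detection rule of steps S104 and S106 can be exercised on a small data set. The following Python sketch is an added example, not code from the patent: the addresses, ports and the thresholds K4 and K3 are constructed, and the "undetermined" verdict is an assumption for combinations the text does not classify (for instance a destination-port entropy at or above the first threshold).

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(values):
    """H = sum(p_i * log2(1 / p_i)) over the observed values, in bits."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def port_entropy_by_destination(records):
    """Group 4-tuples (src_ip, dst_ip, src_port, dst_port) by destination IP.

    Returns {dst_ip: (H4, H3)} where H4 is the destination-port entropy and
    H3 is the source-port entropy, following the naming used in step S106.
    """
    src_ports = defaultdict(list)
    dst_ports = defaultdict(list)
    for _src_ip, dst_ip, src_port, dst_port in records:
        src_ports[dst_ip].append(src_port)
        dst_ports[dst_ip].append(dst_port)
    return {
        dst: (shannon_entropy(dst_ports[dst]), shannon_entropy(src_ports[dst]))
        for dst in dst_ports
    }


def classify(h4, h3, k4, k3):
    """Apply the two cases stated in the text; everything else is left open."""
    if h4 < k4 and h3 > k3:
        return "attack"        # fixed destination port, random source ports
    if h4 < k4 and h3 < k3:
        return "normal"        # fixed destination port, stable source ports
    return "undetermined"      # assumption: not covered by the stated rule


def detect(records, k4, k3):
    """Return {dst_ip: verdict} for one observation window of 4-tuples."""
    return {
        dst: classify(h4, h3, k4, k3)
        for dst, (h4, h3) in port_entropy_by_destination(records).items()
    }


# Constructed window mirroring Table 2: h1 = 10.0.0.1, h2 = 10.0.0.2, h3 = 10.0.0.3.
SAMPLE = (
    # normal access from h1 to h2: one source port, one destination port
    [("10.0.0.1", "10.0.0.2", 40000, 80)] * 20
    # flood from h1 to h3: 64 distinct source ports, one destination port
    + [("10.0.0.1", "10.0.0.3", 50000 + i, 8080) for i in range(64)]
    # traffic to a fourth host spread over 8 destination ports (rule is silent)
    + [("10.0.0.5", "10.0.0.4", 41000 + i, 1000 + i) for i in range(8)]
)
K4 = 0.5   # constructed first threshold (destination-port entropy)
K3 = 3.0   # constructed second threshold (source-port entropy)

if __name__ == "__main__":
    for dst, (h4, h3) in port_entropy_by_destination(SAMPLE).items():
        print(dst, "H4=%.2f" % h4, "H3=%.2f" % h3, classify(h4, h3, K4, K3))
```

The thresholds have to be tuned per network: a busy legitimate client also opens many ephemeral source ports towards one service port, so a second threshold set too low turns ordinary traffic into "attack" verdicts.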
Example 2:
as shown in fig. 2, the present embodiment provides a DDoS attack processing method, which is applied to a software defined network SDN, and the method includes:
step S202: judging whether the edge node corresponding to each destination IP address has DDoS attack by adopting the DDoS attack detection method of the edge node as described in the embodiment 1;
step S204: if DDoS attack exists, discarding the request message matched with the destination IP address, the source IP address and the destination port;
step S206: and if the edge node is judged to have no DDoS attack, forwarding a request message matched with the destination IP address, the source IP address and the destination port.
Optionally, if it is determined that a DDoS attack exists on the edge node, discarding the request packet matched with the destination IP address, the source IP address, and the destination port may include:
a controller in the SDN generates a flow table corresponding to an edge node, wherein the flow table is used for indicating a switch in the SDN to discard a request message matched with a destination IP address, a source IP address and a destination port, and the priority of the flow table is set to be the highest priority;
and issuing the flow table to a switch in the SDN so that, when receiving a request message matched with the destination IP address, the source IP address and the destination port, the switch preferentially matches the flow table and discards the request message.
During research on and practice of the prior art, the inventor found that, when a DDoS attack is detected in the network, existing DDoS attack processing methods usually rate-limit the switch port connected to the puppet machine. This prevents DDoS messages from propagating in the network, but it may also interrupt the puppet machine's normal services. For example, suppose host h1 normally accesses server h2 in the network; h1 is then compromised by a hacker, becomes a puppet machine, and submits a large number of false requests to server h3, producing a DDoS attack that overloads the server. When the SDN controller detects the DDoS attack, all messages sent by h1 are discarded or rate-limited, so that h1 cannot continue to access the network normally.
In this embodiment, when the SDN controller determines that the network has a DDoS attack behavior that overloads an edge node with respect to a designated Port-h3 of the edge node h3, a triplet (source IP-h1, destination IP-h3, and destination Port-h3) is read and generated from the database information. The SDN controller issues a flow table to the switch, the flow table rule is set to be matched with the triple and the operation of message discarding is executed, and the priority of the flow table is set to be higher than all current flow tables of the switch.
After the above operation, the puppet machine h1 again sends request messages to the SDN network. These request messages are of two types: normal request messages sent to the server host h2 and DDoS attack messages sent to the server host h3. The DDoS attack messages sent to h3 preferentially match the flow table rule that was set, and the switch discards them. The normal request messages sent to h2 match the default flow table, are uploaded to the controller, and are forwarded normally according to the logic of the controller.
The DDoS attack processing method provided in the embodiment of the present invention filters DDoS attack messages through a flow table, thereby avoiding affecting normal network access of a puppet computer. Meanwhile, by receiving a request message stream sent by a puppet machine in a predetermined time period in an edge network by using an SDN, and calculating an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request message, a DDoS attack behavior for an edge node port can be detected in an information entropy manner, thereby solving the problem that the DDoS attack behavior cannot be detected due to the fact that the edge network is easily attacked by DDoS and no DDoS physical cleaning device exists in the prior art.
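The effect of the triple-match drop rule described in this embodiment can be checked with a small model of priority-based flow matching. This is an added example, not code from the patent and not a real controller or OpenFlow API: the FlowEntry and Switch classes, the pre-existing forward entry, and all addresses and ports are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FlowEntry:
    """Simplified flow entry; a field set to None acts as a wildcard."""
    priority: int
    action: str                      # "drop", "forward" or "to_controller"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt):
        src_ip, dst_ip, _src_port, dst_port = pkt
        return (self.src_ip in (None, src_ip)
                and self.dst_ip in (None, dst_ip)
                and self.dst_port in (None, dst_port))


class Switch:
    """Holds a flow table and applies the highest-priority matching entry."""

    def __init__(self):
        # Default entry: low priority, upload everything to the controller.
        self.table = [FlowEntry(priority=0, action="to_controller")]

    def install(self, entry):
        self.table.append(entry)

    def handle(self, pkt):
        best = max((e for e in self.table if e.matches(pkt)),
                   key=lambda e: e.priority)
        return best.action


def mitigate(switch, attacked_dst_ip, records):
    """Install drop entries for every (src IP, dst IP, dst port) triple seen
    towards the attacked destination, above all current priorities.

    Returns the number of entries installed.
    """
    top = max(e.priority for e in switch.table) + 1
    triples = {(s, d, dp) for s, d, _sp, dp in records if d == attacked_dst_ip}
    for src_ip, dst_ip, dst_port in sorted(triples):
        switch.install(FlowEntry(top, "drop", src_ip, dst_ip, dst_port))
    return len(triples)


# Constructed 4-tuple database for one window: h1 floods h3 on port 8080
# while also making normal requests to h2 on port 80.
RECORDS = (
    [("10.0.0.1", "10.0.0.2", 40000, 80)] * 20
    + [("10.0.0.1", "10.0.0.3", 50000 + i, 8080) for i in range(64)]
)


def build_demo_switch():
    """Switch with one constructed pre-existing entry forwarding to h3."""
    sw = Switch()
    sw.install(FlowEntry(priority=10, action="forward", dst_ip="10.0.0.3"))
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    print("entries installed:", mitigate(sw, "10.0.0.3", RECORDS))
    for pkt in [("10.0.0.1", "10.0.0.3", 61234, 8080),   # flood, new source port
                ("10.0.0.1", "10.0.0.2", 40001, 80),     # h1's normal traffic
                ("10.0.0.9", "10.0.0.3", 40002, 8080)]:  # another client to h3
        print(pkt, "->", sw.handle(pkt))
```

Because the rule does not match on the source port, the 64 recorded flood messages collapse into a single drop entry, and traffic from h1 to other destinations or from other clients to h3 is left alone.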
Example 3:
as shown in fig. 3, the present embodiment provides an SDN, including:
a receiving module 30, configured to receive a request packet stream sent by a puppet machine within a predetermined time period;
a calculating module 32, connected to the receiving module 30, configured to calculate, according to the request packet flow, an entropy of a destination port and an entropy of a source port corresponding to each destination IP address in each request packet;
and the determining module 34 is connected to the calculating module 32, and configured to determine whether a DDoS attack exists on an edge node corresponding to each destination IP address according to the entropy of the destination port corresponding to each destination IP address and the entropy of the source port.
Preferably, the SDN further comprises:
and the flow table entry emptying module is used for emptying the flow table entry of the switch when the starting time of the preset time period comes.
Preferably, the SDN further comprises:
the first processing module is connected to the judging module 34, and configured to discard the request packet matching the destination IP address, the source IP address, and the destination port when the judging module judges that the DDoS attack exists on the edge node;
and the second processing module is connected to the judging module 34, and is configured to forward a request packet matching the destination IP address, the source IP address, and the destination port when the judging module judges that the DDoS attack does not exist in the edge node.
In the SDN provided in embodiment 3, a request message stream sent by a puppet machine in a predetermined time period is received in an edge network by using the SDN, and an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request message are calculated, so that a DDoS attack behavior for an edge node port can be detected in an information entropy manner, and thus the problem that the DDoS attack behavior cannot be detected due to the fact that the edge network is easily attacked by DDoS and there is no DDoS physical cleaning device in the prior art is solved.
It will be understood that the above embodiments are merely exemplary embodiments taken to illustrate the principles of the present invention, which is not limited thereto. It will be apparent to those skilled in the art that various modifications and improvements can be made without departing from the spirit and substance of the invention, and these modifications and improvements are also considered to be within the scope of the invention.

Claims (10)

1. A DDoS attack detection method of an edge node is applied to a Software Defined Network (SDN), and comprises the following steps:
receiving a request message stream sent by a puppet machine in a predetermined time period;
calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow;
and judging whether the edge node corresponding to the destination IP address has DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
2. The method of claim 1, wherein before the step of receiving the request packet stream sent by the puppet machine within a predetermined time period, the method further comprises:
and when the starting time of the preset time period comes, clearing the flow table entry of the switch.
3. The method of claim 2, wherein, while receiving the request packet stream sent by the puppet machine within a predetermined time period, the method further comprises:
analyzing each request message in the received request message stream to obtain quadruple information of each request message, wherein the quadruple information comprises: a source IP address, a destination IP address, a source port, and a destination port;
and storing the quadruple information of each request message into a preset database.
4. The method of claim 3, wherein the calculating the entropy of the destination port and the entropy of the source port corresponding to each destination IP address in each request packet according to the request packet flow comprises:
acquiring all four-tuple information of each request message in the preset database;
and calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in the preset database according to the quadruple information.
5. The method of claim 4, wherein the determining whether the DDoS attack exists on the edge node corresponding to the destination IP address according to the entropy of the destination port and the entropy of the source port corresponding to each destination IP address comprises:
if the entropy value of a destination port corresponding to a destination IP address is smaller than a first threshold value and the entropy value of a source port is larger than a second threshold value, judging that a DDoS attack exists on an edge node corresponding to the destination IP address;
and if the entropy value of the destination port corresponding to the destination IP address is smaller than the first threshold value and the entropy value of the source port is smaller than the second threshold value, judging that no DDoS attack exists on the edge node corresponding to the destination IP address.
6. A DDoS attack processing method for an edge node, applied to a Software Defined Network (SDN), comprising:
judging whether a DDoS attack exists on the edge node corresponding to each destination IP address by using the DDoS attack detection method for an edge node according to any one of claims 1 to 5;
if it is judged that a DDoS attack exists on the edge node, discarding the request message matched with the destination IP address, the source IP address and the destination port;
and if it is judged that no DDoS attack exists on the edge node, forwarding the request message matched with the destination IP address, the source IP address and the destination port.
7. The DDoS attack processing method for an edge node according to claim 6, wherein, if it is judged that a DDoS attack exists on the edge node, discarding the request message matched with the destination IP address, the source IP address and the destination port comprises:
a controller in the SDN generates a flow table corresponding to the edge node, wherein the flow table is used for indicating a switch in the SDN to discard a request message matched with the destination IP address, the source IP address and the destination port, and the priority of the flow table is set to be the highest priority;
and issuing the flow table to a switch in the SDN, so that when the switch receives a request message matched with the destination IP address, the source IP address and the destination port, it matches the flow table preferentially and discards the request message.
8. An SDN, comprising:
a receiving module, configured to receive a request message stream sent by a puppet machine within a predetermined time period;
a calculating module, connected to the receiving module, configured to calculate, according to the request message stream, an entropy value of a destination port and an entropy value of a source port corresponding to each destination IP address in each request message;
and the judging module is connected with the calculating module and is used for judging whether the DDoS attack exists on the edge node corresponding to the destination IP address or not according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
9. The SDN of claim 8, further comprising:
and the flow table entry emptying module is used for emptying the flow table entry of the switch when the starting time of the preset time period arrives.
10. The SDN of claim 8, further comprising:
the first processing module is connected with the judging module and used for discarding the request message matched with the destination IP address, the source IP address and the destination port when the judging module judges that the DDoS attack exists on the edge node;
and the second processing module is connected with the judging module and used for forwarding the request message matched with the destination IP address, the source IP address and the destination port when the judging module judges that no DDoS attack exists on the edge node.
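
The procedure in claims 3 to 7, worked through as an added Python example that is not part of the patent text: it groups quadruples by destination IP, computes the two port entropy values, applies the claim 5 decision and derives drop entries keyed on destination IP, source IP and destination port. Assumptions: Shannon entropy in bits is used as the entropy value, the thresholds `T1`/`T2` and the sample traffic are constructed, the rule dictionaries are an illustrative format rather than any controller's API, and 65535 (the largest 16-bit value) stands in for "highest priority".

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def port_entropies(four_tuples):
    """Claim 4: map each destination IP to (dst-port entropy, src-port entropy)."""
    ports = defaultdict(lambda: ([], []))
    for _src_ip, dst_ip, src_port, dst_port in four_tuples:
        ports[dst_ip][0].append(dst_port)
        ports[dst_ip][1].append(src_port)
    return {ip: (shannon_entropy(d), shannon_entropy(s))
            for ip, (d, s) in ports.items()}

def classify(dst_entropy, src_entropy, t1, t2):
    """Claim 5 decision; inputs the claim does not cover are 'undetermined'."""
    if dst_entropy < t1 and src_entropy > t2:
        return "attack"
    if dst_entropy < t1 and src_entropy < t2:
        return "no_attack"
    return "undetermined"  # assumption: the claim is silent on these cases

def drop_rules(four_tuples, victim_ip, priority=65535):
    """Claims 6-7: one highest-priority drop entry per (dst IP, src IP, dst port)."""
    keys = sorted({(d, s, dp) for s, d, _sp, dp in four_tuples if d == victim_ip})
    return [{"priority": priority, "action": "drop",
             "match": {"ipv4_dst": d, "ipv4_src": s, "dst_port": dp}}
            for d, s, dp in keys]

# Constructed sample window (documentation address ranges), not real traffic.
FLOOD = [(f"203.0.113.{i % 8 + 1}", "198.51.100.10", 1024 + i, 80) for i in range(64)]
NORMAL = [("203.0.113.50", "198.51.100.20", 50000 + i % 2, 443) for i in range(64)]
WINDOW = FLOOD + NORMAL
T1, T2 = 1.0, 3.0  # assumed thresholds; the claims give no values

def detect(four_tuples=WINDOW, t1=T1, t2=T2):
    """Return {dst_ip: verdict} for one time window of quadruples."""
    return {ip: classify(d, s, t1, t2)
            for ip, (d, s) in port_entropies(four_tuples).items()}

if __name__ == "__main__":
    for ip, verdict in detect().items():
        print(ip, verdict, len(drop_rules(WINDOW, ip)) if verdict == "attack" else 0)
```

In the constructed window the flooded address shows a single destination port with 64 distinct source ports, while the ordinary client reuses two source ports, so only the first crosses both thresholds.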
CN202010949698.7A 2020-09-10 2020-09-10 DDoS attack detection method and processing method for edge nodes and SDN Pending CN111885092A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010949698.7A CN111885092A (en) 2020-09-10 2020-09-10 DDoS attack detection method and processing method for edge nodes and SDN

Publications (1)

Publication Number Publication Date
CN111885092A true CN111885092A (en) 2020-11-03

Family

ID=73199135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010949698.7A Pending CN111885092A (en) 2020-09-10 2020-09-10 DDoS attack detection method and processing method for edge nodes and SDN

Country Status (1)

Country Link
CN (1) CN111885092A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022249451A1 (en) * 2021-05-28 2022-12-01 日本電信電話株式会社 Switch, network controller, communication control method, and communication control program

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103441982A (en) * 2013-06-24 2013-12-11 杭州师范大学 Intrusion alarm analyzing method based on relative entropy
CN104468624A (en) * 2014-12-22 2015-03-25 上海斐讯数据通信技术有限公司 SDN controller, routing/switching device and network defending method
US20150095969A1 (en) * 2013-07-16 2015-04-02 Fortinet, Inc. System and method for software defined behavioral ddos attack mitigation
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
WO2017035717A1 (en) * 2015-08-29 2017-03-09 华为技术有限公司 Distributed denial of service attack detection method and associated device
CN107888618A (en) * 2014-12-17 2018-04-06 蔡留凤 The DDoS for solving network security threatens the method for work of filtering SDN systems
CN108366065A (en) * 2018-02-11 2018-08-03 中国联合网络通信集团有限公司 Attack detection method and SDN switch
CN108848095A (en) * 2018-06-22 2018-11-20 安徽大学 The detection of server ddos attack and defence method under SDN environment based on double entropys
CN109768955A (en) * 2017-11-10 2019-05-17 高丽大学校产学协力团 System and method based on software defined network defending distributed denial of service attack
CN110535888A (en) * 2019-10-12 2019-12-03 广州西麦科技股份有限公司 Port Scan Attacks detection method and relevant apparatus
CN111294328A (en) * 2019-10-23 2020-06-16 上海科技网络通信有限公司 Method for active security defense of SDN (software defined network) based on information entropy calculation
CN111327590A (en) * 2020-01-19 2020-06-23 中国联合网络通信集团有限公司 Attack processing method and device
CN111490975A (en) * 2020-03-23 2020-08-04 山东大学 Distributed denial of service DDoS attack tracing system and method based on software defined network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MING XUANYUAN: "Detection and Mitigation of DDoS Attacks Using Conditional Entropy in Software-defined Networking", 《2019 11TH INTERNATIONAL CONFERENCE ON ADVANCED COMPUTING (ICOAC)》 *
原超: "网络设备信息安全评估方法研究", 《信息科技辑》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201103