Summary of the invention
An object of the invention is to provide a network security protection system and a working method for it which, under a large volume of DDoS attacks, effectively relieves the load on the SDN controller and reduces hardware requirements and maintenance cost.
To solve the above technical problem, the invention provides a network security protection system comprising an SDN controller, an IDS policy server and IDS devices. The IDS devices sample-inspect packets: when an IDS device detects a packet carrying DDoS attack features, it reports it to the IDS policy server. The IDS policy server formulates, from the reported information, a processing strategy matching the packet with DDoS attack features, and distributes that strategy to the SDN controller for threat handling.
Preferably, to realise the sampled inspection of DDoS attacks in the IDS device, the IDS device comprises: a timing module, which sets the sampling interval for packets; a spoofed-packet detection module, which detects spoofing of link-layer and network-layer addresses; a malformed-packet detection module, which detects abnormal settings of network-layer and transport-layer flag bits; and an anomalous-packet detection module, which detects flooding attacks on the application and transport layers. Within each interval the packet is examined in turn by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module; if any detection module finds that the packet exhibits the corresponding behaviour, the packet is passed to the IDS policy server.
Preferably, when a packet exhibits spoofing and the attack threat lies inside the OpenFlow domain, the IDS policy server shields the attacking host through the SDN controller; when the attack threat lies outside the OpenFlow domain, it redirects, through the SDN controller, the traffic of the OF switch access port corresponding to the packet to a traffic cleaning centre for filtering. When a packet exhibits abnormal flag-bit behaviour, the IDS policy server shields the traffic of the attacker or the attacking host through the SDN controller; and when a packet carries a flooding attack, the IDS policy server redirects, through the SDN controller, the traffic of the OF switch access port corresponding to the packet to the traffic cleaning centre for filtering.
Preferably, a host "reference mechanism" is established: a shield timing module and a shield counter are provided in the SDN controller. The shield timing module holds a shield time, which bounds how long an attacking host is shielded; the shield counter holds a shield threshold, and when the number of times an attacking host has been shielded exceeds that threshold, the attacking host is shielded permanently.
In another aspect, the invention also provides a working method for the network security protection system.
The working method of this network security protection system comprises the following steps: step S100, initial configuration; step S200, having the IDS device perform sampled inspection for DDoS threats at a preset interval; and step S300, formulating, according to the threat detected, the corresponding processing strategy and distributing it to the SDN controller for threat handling.
Preferably, the initial configuration in step S100 proceeds as follows: step S101, the IDS policy server of the network security protection system establishes a dedicated SSL communication channel with the IDS device; step S102, the SDN controller builds the network device information binding table and updates it into the IDS device in real time; step S104, the SDN controller issues the flow table for the mirroring policy, i.e. the traffic of every host-facing port of each OF switch in the domain is mirrored to the corresponding IDS device; and step S105, the SDN controller issues the DDoS threat identification rules to the corresponding IDS device in each domain.
Preferably, the method by which the IDS device performs sampled inspection for DDoS threats at the preset interval in step S200 comprises: within the preset interval, inspecting in turn for spoofing of link-layer and network-layer addresses, for abnormal settings of network-layer and transport-layer flag bits, and for flooding attacks on the application and transport layers; if any of these checks judges that the packet exhibits the corresponding behaviour, the packet is passed to step S300.
Preferably, spoofing of link-layer and network-layer addresses is detected by the spoofed-packet detection module as follows. First, the spoofed-packet detection module loads the network device information binding table. Then it parses the type of the packet encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded this Packet-In message, and compares each of these with the corresponding entries in the binding table. If the information in the packet matches, the packet proceeds to the next check; if it does not match, the packet is passed to step S300. Abnormal settings of network-layer and transport-layer flag bits are detected by the malformed-packet detection module: each flag bit of the packet is examined to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet proceeds to the next check; if not, the packet is passed to step S300. Flooding attacks on the application and transport layers are sample-inspected by the anomalous-packet detection module: a hash table for identifying flooding attack packets is built in the anomalous-packet detection module, whether a packet belongs to a flooding attack is judged against the threshold set in that hash table, and the judgement result is passed to step S300.
Preferably, the method of step S300, formulating the corresponding processing strategy according to the threat detected and distributing it to the SDN controller for threat handling, comprises: if the packet exhibits spoofing and the attack threat lies inside the OpenFlow domain, the IDS policy server shields the attacking host through the SDN controller, and when the attack threat lies outside the OpenFlow domain it redirects, through the SDN controller, the traffic of the OF switch access port corresponding to the packet to a traffic cleaning centre for filtering; if the packet exhibits abnormal flag-bit behaviour, the IDS policy server shields the traffic of the attacker or the attacking host through the SDN controller; if the packet carries a flooding attack, the IDS policy server redirects, through the SDN controller, the traffic of the OF switch access port corresponding to the packet to the traffic cleaning centre for filtering. After an attacking host is shielded, a shield time and a shield threshold are set: the shield time bounds how long the attacking host is shielded, and when the number of times the attacking host has been shielded exceeds the shield threshold, the attacking host is shielded permanently. And/or an optimised path is computed from the link load coefficient: the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load coefficient of that link, the optimal path between any two points is obtained from the load coefficients and the initialised network topology graph, and the SDN controller derives the corresponding forwarding flow table from the optimal path and issues it to each OF switch.
Preferably, the method by which the IDS policy server shields the program sending the packet and/or the attacking host comprises: first, building the corresponding counting hash tables and setting the corresponding thresholds, i.e. within a unit time interval, building in the IDS policy server a first hash table counting spoofing behaviour, a second hash table counting abnormal flag-bit settings, and a third hash table counting flooding attacks, and setting the first, second and third thresholds in the first, second and third hash tables respectively; second, shielding the program sending the packet and/or the attacking host, i.e. the behaviour of a packet passed to the IDS policy server is counted in the corresponding hash table, and when the count exceeds the corresponding threshold, the program sending the packet and/or the attacking host is shielded.
Beneficial effects of the invention: (1) the invention detects packets by sampled inspection, which greatly reduces the load on the SDN controller, and separates detection from decision-making, which further reduces the load on the server; detection efficiency is improved by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module. The invention therefore both relieves the SDN controller and, through this combination, improves detection efficiency, making it better suited to network transmission of large data flows. (2) The invention fundamentally resolves the problem that, under traditional network architectures, DDoS attacks with forged addresses cannot be identified and traced to their source. When DDoS attacks or legitimately large traffic volumes exist in the network, the SDN controller, based on real-time awareness of network parameters such as link remaining bandwidth, can optimise the routing of normal traffic and substantially improve the user experience. (3) The processing framework of the invention uses an extensible modular design, realising efficient detection and flexible handling of DDoS threats. The spoofed-packet detection module and the malformed-packet detection module obtain packet information through independent interface designs, reducing coupling between modules; each module uses optimised program data structures and splits each processing sub-flow finely, improving the high cohesion of the modules.
Embodiment 1
Fig. 1 shows the structural block diagram of the network security protection system of the invention.
As shown in Fig. 1, a network security protection system comprises an SDN controller, an IDS policy server and distributed IDS devices. The IDS devices sample-inspect packets: when an IDS device (i.e. an intrusion detection device) detects a packet carrying DDoS attack features, it reports it to the IDS policy server (the report may also be sent over an SSL communication channel). The IDS policy server formulates, from the reported information, a processing strategy matching the packet with DDoS attack features, and distributes that strategy to the SDN controller for threat handling. The processing strategies are explained in the following embodiments.
Here the DDoS attack features are defined as: spoofing of link-layer and network-layer addresses, abnormal settings of network-layer and transport-layer flag bits, and flooding attacks on the application and transport layers.
The sampling interval is a preset interval that can be set as needed, for example one inspection every 2 seconds, every 3 seconds or every 5 seconds; random intervals can also be used, for example a random interval within 1-10 s.
By sampling in this way the invention greatly reduces the load on the SDN controller, and is particularly suited to network transmission of large data flows.
Fig. 2 shows the schematic block diagram of the network security protection system.
As shown in Fig. 2, the IDS device further comprises:
a timing module, which sets the sampling interval for packets (not drawn in Fig. 2; the timing module can be realised by the internal clock of the IDS device, i.e. by a clock module); a spoofed-packet detection module, which detects spoofing of link-layer and network-layer addresses; a malformed-packet detection module, which detects abnormal settings of network-layer and transport-layer flag bits; and an anomalous-packet detection module, which detects flooding attacks on the application and transport layers. Within each interval the packet is examined in turn by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module; and if any detection module finds that the packet exhibits the corresponding behaviour, the packet is passed to the IDS policy server.
Further, when a packet exhibits spoofing and the attack threat lies inside the OpenFlow domain, the IDS policy server shields the attacking host through the SDN controller; when the attack threat lies outside the OpenFlow domain, it redirects, through the SDN controller, the traffic of the OF switch access port corresponding to the packet to a traffic cleaning centre for filtering. When a packet exhibits abnormal flag-bit behaviour, the IDS policy server shields the traffic of the attacker or the attacking host through the SDN controller; and when a packet carries a flooding attack, the IDS policy server redirects, through the SDN controller, the traffic of the OF switch access port corresponding to the packet to the traffic cleaning centre for filtering.
The invention examines packets in order, from the spoofed-packet detection module to the malformed-packet detection module and then to the anomalous-packet detection module. Each module obtains packet information through an independent interface design, reducing coupling between modules, and each module uses optimised program data structures and splits each processing sub-flow finely, improving module cohesion. This detection order, combined with sampled inspection, improves the detection efficiency for packet data and reduces loss while effectively reducing the load on the SDN controller.
The spoofed-packet detection module loads the network device information binding table, and the IDS policy server builds, for a unit time interval, a first hash table counting packet spoofing behaviour and sets a first threshold in it. The spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded the Packet-In message, and compares each of these with the corresponding entries in the binding table. If the information in the packet matches, the packet is passed to the malformed-packet detection module; if it does not match, the packet is passed to the IDS policy server, which discards it and at the same time counts the spoofing event; when the count exceeds the first threshold, the program sending the packet and/or the attacking host is shielded.
Specifically, the spoofed-packet detection module makes the first judgement on a packet, i.e. whether the packet is an IP spoofing, port spoofing or MAC spoofing attack packet.
The specific steps are: first parse the source and destination MAC addresses and the OF switch ingress port from the Ethernet frame, then parse the packet according to its type. When the packet type is IP, ARP or RARP, the corresponding source and destination IP addresses are parsed, and these values are looked up against the network device information binding table. If a matching entry is found, the packet is handed to the malformed-packet detection module; if not, the packet is passed to the IDS policy server for handling, and the spoofing event is counted cumulatively; when the count exceeds the first threshold, the program sending the packet and/or the attacking host is shielded.
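The spoofed-packet check described above (binding-table lookup of the source MAC, source IP and switch attachment point parsed from a Packet-In, followed by the IDS policy server's first hash table with its threshold) can be illustrated as follows. This is an added example, not code from the patent or from Floodlight: the PacketIn layout, the class names, the per-(DPID, port, MAC) counting key and all sample addresses are constructed assumptions.

```python
# Added example, not part of the patent text: the spoofed-packet check of the
# IDS device against the controller's binding table, and the IDS policy
# server's first hash table counting spoofing events per unit interval.
# Class names, field layouts and all sample values below are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketIn:
    """Fields parsed from one Packet-In message (constructed layout)."""
    dpid: str        # OF switch that uploaded the Packet-In
    in_port: int     # switch ingress port
    src_mac: str
    eth_type: str    # "IP", "ARP" and "RARP" carry a checked source IP
    src_ip: str = ""


class BindingTable:
    """MAC -> (IP, DPID, port) as built by the SDN controller."""

    def __init__(self):
        self._by_mac = {}

    def update(self, mac, ip, dpid, port):
        self._by_mac[mac] = (ip, dpid, port)

    def matches(self, pkt):
        entry = self._by_mac.get(pkt.src_mac)
        if entry is None:
            return False                       # unknown MAC
        ip, dpid, port = entry
        if (dpid, port) != (pkt.dpid, pkt.in_port):
            return False                       # attachment point differs
        if pkt.eth_type in ("IP", "ARP", "RARP") and pkt.src_ip != ip:
            return False                       # source IP not bound to this MAC
        return True


class SpoofCounter:
    """First hash table: spoofing events per (DPID, port, MAC), reset each unit interval."""

    def __init__(self, threshold, unit_interval=1.0):
        self.threshold = threshold
        self.unit = unit_interval
        self._count = defaultdict(int)
        self._window_start = {}
        self.shielded = set()

    def report(self, pkt, now):
        key = (pkt.dpid, pkt.in_port, pkt.src_mac)
        start = self._window_start.get(key)
        if start is None or now - start >= self.unit:
            self._window_start[key] = now      # open a new unit interval
            self._count[key] = 0
        self._count[key] += 1
        if self._count[key] > self.threshold:
            self.shielded.add(key)             # handed to the controller for shielding
            return "shield"
        return "drop"


def spoof_check(pkt, table, counter, now):
    """'next' -> malformed-packet module; 'drop'/'shield' -> IDS policy server."""
    if table.matches(pkt):
        return "next"
    return counter.report(pkt, now)


def demo():
    """Constructed traffic: one bound host, then three spoofed packets from its port."""
    table = BindingTable()
    table.update("aa:bb:cc:00:00:01", "10.0.0.1", "00:00:00:00:00:00:00:01", 1)
    counter = SpoofCounter(threshold=2)
    legit = PacketIn("00:00:00:00:00:00:00:01", 1, "aa:bb:cc:00:00:01", "IP", "10.0.0.1")
    spoofed = PacketIn("00:00:00:00:00:00:00:01", 1, "aa:bb:cc:00:00:01", "IP", "10.0.0.7")
    verdicts = [spoof_check(legit, table, counter, 0.0)]
    verdicts += [spoof_check(spoofed, table, counter, 0.1 * i) for i in range(1, 4)]
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The binding table is keyed by MAC and checked in the order the text gives (attachment point first, then the claimed IP), so a packet whose DPID and port are genuine but whose IP is forged still fails the match. The counter key includes the attachment point precisely because, as the text notes, an attacker cannot alter the switch DPID and port, so the count cannot be evaded by rotating spoofed addresses.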
Floodlight has a device manager module, DeviceManagerImpl, which tracks a device as it moves within the network and defines devices according to new flows.
The device manager learns devices from Packet-In requests: it obtains the device's network parameters (source and destination IP, MAC, VLAN and so on) from the Packet-In message, and an entity classifier distinguishes whether the device is an OF switch or an attacking host. By default the entity classifier identifies a device by its MAC address and/or VLAN, which together identify a device uniquely. Another important item is the device's attachment point (the DPID and port number of the OF switch); within one OpenFlow region a device can have only one attachment point, where an OpenFlow region means the set of OF switches connected to the same Floodlight instance. The device manager also keeps an expiry time for IP addresses, attachment points and devices, using the timestamp of the last sighting to judge whether they have expired.
Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module, and register an IDeviceListener listener on that service.
The listener interface provided by IDeviceListener offers:
Interface name | Function
public void deviceAdded(IDevice device) | Host added
public void deviceRemoved(IDevice device) | Host removed
public void deviceMoved(IDevice device) | Host moved
public void deviceIPV4AddrChanged(IDevice device) | Host IP address changed
public void deviceVlanChanged(IDevice device) | Host VLAN changed
Services provided: IFloodlightProviderService, IDeviceService
Dependent interfaces: IFloodlightModule, IDeviceListener
Following the high/low level trigger mechanism of OF switches (unplugging a cable triggers Port Down, the low level; plugging it in triggers Port Up, the high level), the records in the binding table can be refreshed in real time.
A traditional DDoS attack cannot touch or alter the switch DPID and switch port information; using this advantage, spoofing attacks can be detected more flexibly.
The IDS policy server builds, for a unit time interval, a second hash table counting abnormal flag-bit settings in packets and sets a second threshold in it. The malformed-packet detection module examines each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet is passed to the anomalous-packet detection module; if not, the packet is passed to the IDS policy server, which discards it and at the same time counts the abnormal flag-bit event; when the count exceeds the second threshold, the program sending the packet and/or the attacking host is shielded.
Specifically, the malformed-packet detection module makes the second judgement on a packet, i.e. whether the packet is an attack packet with malicious flag-bit features. Attack packets with malicious flag-bit features include, but are not limited to, IP attack packets and TCP attack packets. The implementation step is to examine the flag bits of each IP and TCP/UDP packet, i.e. to identify whether each flag bit conforms to the TCP/IP protocol specification. If it conforms, the packet is handed directly to the anomalous-packet detection module; if not, it is judged to be an attack packet and passed to the IDS policy server for handling.
Taking typical attacks such as Teardrop as an example: the IP header carries an offset field and a more-fragments (MF) flag. If the attacker sets the offset field to an incorrect value, the IP fragments overlap or leave gaps, and the target machine's system crashes.
The IP header also carries a protocol field specifying which protocol the IP packet carries. The value of this field is below 100; if an attacker sends the target machine a large number of IP packets whose protocol field exceeds 100, the protocol stack of the target system is damaged, which constitutes an attack.
Therefore, in the malformed-packet detection module, each flag bit of the packet is first extracted and then checked for normality.
If normal, the packet is handed to the subsequent module for processing.
If abnormal, the packet is discarded and the counter in the corresponding hash table is incremented. If the counter within the unit time interval exceeds the set second threshold, the IDS policy server is called to shield the corresponding program and/or directly shield the corresponding host.
After packets have been filtered by the spoofed-packet detection module, the addresses in the packets subsequently handled by the malformed-packet detection module are all genuine. This effectively prevents the target machine from receiving malformed packets, which could directly cause the protocol stack of the target machine to crash, or even crash the target machine itself.
The processing function of the malformed-packet detection module is essentially similar to the spoofed-packet detection flow; the difference is that the malformed-packet detection module parses the flag bits of each packet and then checks whether each flag bit is normal.
If normal, the packet is handed directly to the subsequent anomalous-packet detection module.
If abnormal, the packet is discarded, and the counter in the hash table corresponding to the host under the host reference mechanism is incremented. If it exceeds the set threshold, the corresponding attacker is shielded, or the attacking host is shielded directly.
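The flag-bit checks of the malformed-packet detection module, for the two cases the text names (Teardrop-style overlapping fragment offsets and an out-of-range protocol field) plus one TCP flag combination that violates the specification, can be illustrated as follows. This is an added example, not code from the patent: the header layout, the bound of 100 on the protocol field (taken from the text above rather than from the IP specification), the TCP flag rules and the sample packets are constructed assumptions.

```python
# Added example, not part of the patent text: flag-bit checks of the
# malformed-packet detection module. Header layout, PROTOCOL_LIMIT (the
# bound the text states), TCP flag rules and sample packets are constructed.
from collections import defaultdict
from dataclasses import dataclass

PROTOCOL_LIMIT = 100   # the text states legitimate protocol values lie below 100


@dataclass
class IPHeader:
    ident: int              # identification field shared by fragments of one datagram
    protocol: int
    more_fragments: bool    # MF flag
    frag_offset: int        # fragment offset field, in 8-byte units
    payload_len: int        # data bytes carried by this fragment
    tcp_flags: frozenset = frozenset()   # only meaningful when protocol == 6


def check_flags(hdr):
    """Return '' when the flag bits conform, otherwise the violated rule."""
    if hdr.protocol >= PROTOCOL_LIMIT:
        return "protocol-out-of-range"
    if hdr.protocol == 6:                      # TCP
        if {"SYN", "FIN"} <= hdr.tcp_flags:
            return "tcp-syn-fin"               # SYN and FIN never appear together
        if not hdr.tcp_flags:
            return "tcp-null"                  # a TCP segment with no flags set
    return ""


class FragmentTracker:
    """Byte ranges seen per datagram; an overlap means offsets were tampered with."""

    def __init__(self):
        self._ranges = defaultdict(list)       # ident -> [(start, end)]

    def check(self, hdr):
        if not hdr.more_fragments and hdr.frag_offset == 0:
            return ""                          # not fragmented
        start = hdr.frag_offset * 8
        end = start + hdr.payload_len
        for s, e in self._ranges[hdr.ident]:
            if start < e and s < end:
                return "fragment-overlap"
        self._ranges[hdr.ident].append((start, end))
        if not hdr.more_fragments:
            self._ranges.pop(hdr.ident, None)  # last fragment: datagram complete
        return ""


def malformed_check(hdr, tracker, counts, threshold, host):
    """'next' -> anomalous-packet module; 'drop' or 'shield' -> IDS policy server.
    counts stands in for the second hash table, keyed by host (no window reset here)."""
    reason = check_flags(hdr) or tracker.check(hdr)
    if not reason:
        return "next"
    counts[host] = counts.get(host, 0) + 1
    return "shield" if counts[host] > threshold else "drop"


def demo():
    tracker, counts = FragmentTracker(), {}
    # Constructed sample: two UDP fragments of datagram 1 whose second offset
    # (2 * 8 = 16) falls inside the first fragment's 24 bytes, then a packet
    # with protocol 150, then a TCP segment carrying SYN and FIN together.
    pkts = [
        IPHeader(1, 17, True, 0, 24),
        IPHeader(1, 17, False, 2, 24),
        IPHeader(2, 150, False, 0, 0),
        IPHeader(3, 6, False, 0, 0, frozenset({"SYN", "FIN"})),
    ]
    return [malformed_check(p, tracker, counts, 1, "10.0.0.7") for p in pkts]


if __name__ == "__main__":
    print(demo())
```

The fragment tracker keeps the byte ranges of fragments seen per identification value and flags any new fragment that intersects an earlier one, which is exactly the condition that makes a Teardrop datagram unreassemblable; the rest of the flag checks are stateless and run before it.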
A hash table for identifying flooding attack packets is built in the anomalous-packet detection module, and the IDS policy server builds, for a unit time interval, a third hash table counting flooding attacks and sets a third threshold in it. The anomalous-packet detection module judges, against the threshold set in the hash table, whether the packet carries an attack. If not, the packet is forwarded; if so, it is passed to the IDS policy server, which discards it and at the same time counts the attack; when the count exceeds the third threshold, the program sending the packet and/or the attacking host is shielded.
Specifically, the anomalous-packet detection module makes the third judgement on a packet, i.e. whether the packet is a flooding attack packet.
The specific steps are: the corresponding record in the hash table built for identifying flooding attack packets is incremented, and it is checked whether the threshold is exceeded, to judge whether the packet is a flooding attack packet.
After filtering by the spoofed-packet detection module and the malformed-packet detection module, the packets handled by the subsequent module are essentially packets seen under normal conditions. Yet DDoS attacks can also arise under normal conditions; the prior art normally performs only spoofed-packet detection and malformed-packet detection, whereas this technical solution aims to avoid DDoS attacks as far as possible.
The following example shows how, after filtering by the spoofed-packet detection module and the malformed-packet detection module, the anomalous-packet detection module shields DDoS attacks. The example uses UDP Flooding and ICMP Flooding.
UDP Flooding exploits the fact that the UDP protocol establishes no connection, sending a large number of UDP packets to the target machine. The target machine spends a great deal of time processing UDP packets; the attack packets can not only overflow the buffer storing UDP packets but also consume a large amount of network bandwidth, so that the target machine cannot (or can barely) receive legitimate UDP packets.
Because many different hosts send a large number of UDP packets to a single host, UDP ports are certainly occupied, so in this technical solution ICMP port-unreachable packets are received.
This technical solution therefore maintains a hash table for all hosts, specifically storing the number of ICMP port-unreachable packets received within the unit time interval. If it exceeds the set threshold, the corresponding attacker is shielded directly.
For ICMP Flooding, counting within the unit time interval is performed directly. If the corresponding threshold is exceeded, the corresponding host is shielded accordingly; the method is simple but direct and effective.
Therefore, if the packet type detected by the anomalous-packet detection module is one of the anomalous-packet types, the corresponding counter checks whether the threshold is exceeded; if not, the packet can also be forwarded via the optimal routing policy. If the threshold is exceeded, the corresponding attacker is shielded, or the corresponding host is shielded directly.
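The two flooding checks just described (ICMP port-unreachable messages counted per host that receives them, as the UDP Flooding symptom, and ICMP echo requests counted per sending host) share one per-unit-interval hash table in the following added example. It is not code from the patent: the parsed-packet dictionary layout, the ICMP type/code mapping to the two cases, the threshold and the sample traffic are constructed assumptions.

```python
# Added example, not part of the patent text: the anomalous-packet stage for
# UDP Flooding (ICMP type 3 code 3, port unreachable, counted against the
# host receiving it, i.e. the UDP sender) and ICMP Flooding (echo requests,
# counted against the sender). A count above the third threshold inside one
# unit interval shields that host. Packet layout, threshold and sample
# traffic are constructed.


class FloodTable:
    """(kind, host) -> count within the current unit interval."""

    def __init__(self, threshold, unit_interval=1.0):
        self.threshold = threshold
        self.unit = unit_interval
        self._window = {}                     # key -> (window_start, count)

    def observe(self, kind, host, now):
        key = (kind, host)
        start, count = self._window.get(key, (now, 0))
        if now - start >= self.unit:
            start, count = now, 0             # new unit interval
        count += 1
        self._window[key] = (start, count)
        return count

    def count(self, kind, host):
        return self._window.get((kind, host), (0, 0))[1]


def classify(pkt):
    """Map a parsed ICMP packet to (kind, host-to-count), or None if irrelevant."""
    if pkt.get("proto") != "icmp":
        return None
    if pkt["type"] == 3 and pkt["code"] == 3:  # destination unreachable, port unreachable
        return ("udp-flood", pkt["dst"])       # receiver of the reply is the UDP sender
    if pkt["type"] == 8:                       # echo request
        return ("icmp-flood", pkt["src"])
    return None


def anomaly_check(pkt, table, now):
    """('forward', None) hands the packet to the routing policy; ('shield', host) names the host."""
    hit = classify(pkt)
    if hit is None:
        return ("forward", None)
    kind, host = hit
    if table.observe(kind, host, now) > table.threshold:
        return ("shield", host)
    return ("forward", None)


def demo():
    table = FloodTable(threshold=3)
    # Constructed traffic: six port-unreachable replies to 10.0.0.7 within one
    # second (UDP Flooding symptom), then echo requests from 10.0.0.9 spread
    # over two unit intervals, which never accumulate past the threshold.
    stream = [({"proto": "icmp", "type": 3, "code": 3, "src": "10.0.0.1", "dst": "10.0.0.7"},
               0.1 * i) for i in range(6)]
    stream += [({"proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": "10.0.0.1"},
                1.0 + 0.4 * i) for i in range(6)]
    return [anomaly_check(p, table, t) for p, t in stream]


if __name__ == "__main__":
    print(demo())
```

Because the window restarts once a unit interval has elapsed, a host that sends echo requests steadily but slowly is forwarded, while a burst of port-unreachable replies converging on one host trips the threshold within the interval; the unit interval and threshold are the two values an operator tunes against legitimate traffic.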
When any of the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module judges a packet to be one of the above attack packets, the attack packet is passed to the IDS policy server, which discards the packet and shields the program sending the packet and/or the attacking host.
When the spoofed-packet detection module, the malformed-packet detection module or the anomalous-packet detection module needs to discard a packet or shield a threatening host, it directly calls the IDS policy server to perform the corresponding threat handling operation.
The specific implementation steps of the IDS policy server include:
The step of discarding the packet, i.e. packet discard, is as follows:
when no corresponding flow entry is matched, the OpenFlow (OF) switch encapsulates the packet in a Packet-In message; at the same time the OF switch may hold the packet in its local buffer under a buffer ID, which is also carried in the buffer_id of the Packet-In message. The packet is discarded by means of a Packet-Out message whose buffer_id is filled with that buffer ID (the buffer_id of the Packet-In message corresponding to the packet to be discarded).
The step of shielding the attacking host is as follows:
The OpenFlow flow table structure is:
Header fields | Counters | Actions
The structure of the header fields is:
The step by which the IDS policy server shields an application program is as follows:
Step 1: fill the corresponding match fields into the header-field domain of the flow entry, and set the wildcards mask field, so as to obtain the information for shielding the attacker or the attacking host. To shield an attacker, the following match fields are filled in: IP, MAC, VLAN, Switch DPID, Switch Port, protocol type and its port number, etc. To shield an attacking host, the match fields IP, MAC, VLAN, Switch DPID and Switch Port are filled in.
Step 2: the action list of the flow entry is left empty, which drops the packets of the attacker/host.
Step 3: the record values in each hash table are read to compute the flow entry timeout and automatic deletion time.
Step 4: the flow entry shielding the program or the attacking host is issued.
Preferably, a shield timing module and a shield counter are provided in the SDN controller. The shield timing module holds a shield time, which bounds how long an attacking host is shielded; the shield counter holds a shield threshold, and when the number of times an attacking host has been shielded exceeds that threshold, the attacking host is shielded permanently.
The network of this technical solution can therefore effectively identify and filter out attack packets.
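Steps 1 to 4 of the shielding procedure and the host "reference mechanism" (shield time plus shield counter with permanent shielding) can be put together as follows. This is an added example, not code from the patent or from any controller: the OpenFlow 1.0-style match field names, the rule that derives the timeout from the hash-table record value (the text only says the record values are used), the flow-entry dictionary and all sample values are constructed assumptions; the one real fact relied on is that a hard_timeout of 0 means the entry never expires.

```python
# Added example, not part of the patent text: the shielding flow entry the
# IDS policy server asks the SDN controller to install (steps 1-4) and the
# host "reference mechanism" (shield timer + shield counter). Field names
# follow OpenFlow 1.0 match fields; the timeout rule and samples are constructed.

HOST_FIELDS = ("nw_src", "dl_src", "dl_vlan", "dpid", "in_port")          # shield a host
PROGRAM_FIELDS = HOST_FIELDS + ("nw_proto", "tp_src")                     # shield a program


def shield_timeout(record_value, shield_time, base_seconds=10):
    """Step 3 (assumed rule): the timeout grows with the hash-table record
    value and is capped by the shield time held in the timing module."""
    return min(base_seconds * max(record_value, 1), shield_time)


def build_shield_entry(match, hard_timeout, program=False):
    """Steps 1 and 2: fill the match fields, wildcard the rest, empty action list = drop."""
    fields = PROGRAM_FIELDS if program else HOST_FIELDS
    missing = [f for f in fields if f not in match]
    if missing:
        raise ValueError(f"match lacks fields: {missing}")
    return {
        "match": {f: match[f] for f in fields},
        "wildcards": [f for f in ("dl_dst", "nw_dst", "tp_dst") if f not in match],
        "actions": [],                          # no action -> matching packets dropped
        "hard_timeout": hard_timeout,           # 0 = never expires (permanent shield)
    }


class ReferenceMechanism:
    """Shield timing module and shield counter kept by the SDN controller."""

    def __init__(self, shield_time, shield_threshold):
        self.shield_time = shield_time
        self.shield_threshold = shield_threshold
        self._count = {}        # host -> number of times shielded
        self._until = {}        # host -> expiry time, None = permanent

    def shield(self, host, match, record_value, now, program=False):
        """Step 4 input: returns the entry to issue for this shielding decision."""
        self._count[host] = self._count.get(host, 0) + 1
        if self._count[host] > self.shield_threshold:
            self._until[host] = None            # shielded permanently
            timeout = 0
        else:
            timeout = shield_timeout(record_value, self.shield_time)
            self._until[host] = now + timeout
        return build_shield_entry(match, timeout, program)

    def is_shielded(self, host, now):
        if host not in self._until:
            return False
        until = self._until[host]
        return until is None or now < until


def demo():
    """Constructed: the same host shielded three times with a threshold of 2."""
    mech = ReferenceMechanism(shield_time=30, shield_threshold=2)
    match = {"nw_src": "10.0.0.7", "dl_src": "aa:bb:cc:00:00:07", "dl_vlan": 10,
             "dpid": "00:00:00:00:00:00:00:01", "in_port": 3}
    timeline = []
    for now in (0, 40, 80):
        entry = mech.shield("10.0.0.7", match, record_value=5, now=now)
        timeline.append((now, entry["hard_timeout"], mech.is_shielded("10.0.0.7", now + 31)))
    return timeline


if __name__ == "__main__":
    print(demo())
```

The first two decisions produce entries bounded by the shield time and are no longer in force 31 seconds later; the third pushes the counter past the threshold, so the entry is issued with no timeout and the host stays shielded.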
Optionally, after the above modules, a real-time optimal routing policy is issued for normal packets.
The steps of the optimal routing policy are as follows:
First, a request is submitted to the topology interface (API) of the SDN controller to obtain the whole-network topology; then the whole-network link remaining bandwidth is computed from the whole-network link states obtained.
The optimal path is computed in real time with the classical Dijkstra algorithm, with the weight of each link changed to the reciprocal of the link remaining bandwidth obtained in the previous step, to ensure that the computed path is the least congested and has the lowest propagation delay. The specific implementation steps of the optimal path are described in detail in Embodiment 2.
Finally, the computed optimal path is converted into a real-time optimal path policy made up of flow entries and issued.
Step S1: the topology interface, an API interface provided by the SDN controller, discovers links using LLDP (Link Layer Discovery Protocol) and broadcast packets; the SDN controller then computes the network topology automatically.
Step S2: the topology interface of the SDN controller feeds back the result of the topology acquisition request to the "full network topology acquisition module" of the "real-time optimal path computation module".
Step S3: the "whole-network link state acquisition module" files a request to the "OF switch query interface module" and obtains the link state of the whole network. The "OF switch query interface module" is an extension of the "OF switch feature query module" and the "OF switch status query module" provided by the SDN controller, and implements the calculation and query function for link remaining bandwidth.
Then, in step S4, the "OF switch query interface module" sends a broadcast packet carrying an OF switch feature request to all OF switches in the network. In step S5 it receives the OF switch feature messages fed back from the network, parses the curr field in those packets, and obtains the current bandwidth B of each OF switch port.
Next, in step S6, the module sends a broadcast packet carrying an OF switch status request to all OF switches in the network, covering port statistics such as packets sent, bytes sent, bytes received and packets received. Then, in step S7, the module receives the OF switch status messages fed back from the network, parses the tx_bytes field to obtain the number of sent bytes N1, and records the current time t1.
Next, in step S8, the module again sends a broadcast packet carrying an OF switch status request to all OF switches in the network; in step S9 the module receives the OF switch status messages fed back from the network, stops timing, records the current time t2, and parses the tx_bytes field to obtain the number of sent bytes N2.
The current remaining bandwidth of the port can then be calculated as: B-(N2-N1)/(t2-t1), with B and the byte rate expressed in the same unit.
The acquired network topology is then used to calculate the remaining bandwidth of each link:
If the link connects two OF switches, the remaining bandwidths of the OF switch ports at both ends of the link are obtained, and the remaining bandwidth of the link is the smaller of the two port remaining bandwidths.
If the link connects a host and an OF switch, the remaining bandwidth of the OF switch port connected to the host is obtained, and the remaining bandwidth of the link is the remaining bandwidth of that OF switch port.
Step S4: the SDN controller sends a Feature Request message in broadcast form to all OF switches of the whole network.
Step S5: the SDN controller receives the Feature Reply messages fed back to it by the OF switches in the network.
Step S6: the SDN controller sends a Stats Request message in broadcast form to all OF switches of the whole network.
Step S7: the SDN controller receives the Stats Reply messages fed back to it by the OF switches in the network.
Step S8: the SDN controller sends a Stats Request message in broadcast form to all OF switches of the whole network.
Step S9: the SDN controller receives the Stats Reply messages fed back to it by the OF switches in the network.
Step S10: the OF switch query interface feeds the computed link remaining bandwidth information back to the "whole-network link state acquisition module".
Step S11: the routing policy issuing module receives the computed real-time optimal routing policy and, through step S12, hands the computed flow table down to the relevant OF switches.
Step S12: this interface is an API interface provided by the SDN controller, used to issue the computed optimal routing policy.
Through the optimal path policy, the average transmission delay of the network does not increase sharply while DDoS attacks are being defended against.
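The following is an added example, not code from the patent, showing steps S3 to S12 end to end: the remaining bandwidth of each port from two tx_bytes samples, the per-link rule (minimum of the two port values for a switch-switch link, the switch port's value for a host link), Dijkstra with the weight set to the inverse of the remaining bandwidth, and the conversion of the path into per-switch forwarding entries. The topology, the port speeds B and the tx_bytes counters are constructed sample values, and the flow entries are plain dicts standing in for the controller's northbound API, which the patent does not specify. The example also handles the edge case the text leaves open: a link whose remaining bandwidth is zero is treated as unusable rather than dividing by zero.

```python
"""Added example, not code from the patent: steps S3 to S12 of the real-time
optimal routing policy run over constructed data."""
import heapq
import math

# Constructed Feature Reply data: port bandwidth B in bytes/s, keyed by (dpid, port_no).
PORT_BANDWIDTH = {
    (1, 1): 125e6, (1, 2): 125e6, (1, 3): 12.5e6,  # s1: host port, link to s2, 100 Mbit link to s3
    (2, 1): 125e6, (2, 2): 125e6,                  # s2: links to s1 and s3
    (3, 1): 125e6, (3, 2): 12.5e6, (3, 3): 125e6,  # s3: link to s2, 100 Mbit link to s1, host port
}
# Constructed Stats Reply samples: tx_bytes at t1 and at t2 (seconds).
T1, T2 = 100.0, 101.0
TX_BYTES_T1 = {p: 0 for p in PORT_BANDWIDTH}
TX_BYTES_T2 = {
    (1, 1): 5e6, (1, 2): 100e6, (1, 3): 2.5e6,
    (2, 1): 100e6, (2, 2): 5e6,
    (3, 1): 5e6, (3, 2): 2.5e6, (3, 3): 5e6,
}
# Constructed topology: (node_a, port_a, node_b, port_b); a host end has no switch port.
LINKS = [
    ("h1", None, "s1", (1, 1)),
    ("s1", (1, 2), "s2", (2, 1)),
    ("s2", (2, 2), "s3", (3, 1)),
    ("s1", (1, 3), "s3", (3, 2)),
    ("s3", (3, 3), "h2", None),
]


def port_remaining_bandwidth(bw, n1, n2, t1, t2):
    """The specification's formula B - (N2 - N1) / (t2 - t1), in bytes/s.
    A zero-length window is rejected and the result is clamped at zero so a
    saturated or counter-wrapped port cannot yield a negative bandwidth."""
    if t2 <= t1:
        raise ValueError("second sample must be taken after the first")
    return max(bw - (n2 - n1) / (t2 - t1), 0.0)


def build_link_table(links, port_remaining):
    """Link rules from the specification: a switch-switch link gets the smaller
    of its two port remaining bandwidths, a host-switch link gets the switch
    port's value. Returns {(a, b): (remaining, out_port_at_a)} for both directions."""
    table = {}
    for a, pa, b, pb in links:
        rem = min(port_remaining[p] for p in (pa, pb) if p is not None)
        table[(a, b)] = (rem, pa)
        table[(b, a)] = (rem, pb)
    return table


def dijkstra(link_table, src, dst):
    """Classical Dijkstra with edge weight 1 / remaining bandwidth; a link with
    no remaining bandwidth is left out instead of dividing by zero."""
    adj = {}
    for (a, b), (rem, _) in link_table.items():
        if rem > 0:
            adj.setdefault(a, []).append((b, 1.0 / rem))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, math.inf):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None, math.inf
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def path_to_flow_entries(path, link_table, dst_ip):
    """One forwarding entry per switch on the path: match the destination IP,
    output on the port toward the next hop (illustrative dict form)."""
    entries = []
    for u, v in zip(path, path[1:]):
        _, out_port = link_table[(u, v)]
        if out_port is not None:  # host ends have no switch port
            dpid, port_no = out_port
            entries.append({"dpid": dpid, "match": {"ipv4_dst": dst_ip},
                            "actions": [("output", port_no)]})
    return entries


def compute_optimal_route(src, dst, dst_ip):
    """Remaining bandwidth per port, per link, Dijkstra, then flow entries."""
    rem = {p: port_remaining_bandwidth(PORT_BANDWIDTH[p], TX_BYTES_T1[p], TX_BYTES_T2[p], T1, T2)
           for p in PORT_BANDWIDTH}
    table = build_link_table(LINKS, rem)
    path, cost = dijkstra(table, src, dst)
    return path, cost, path_to_flow_entries(path, table, dst_ip)


if __name__ == "__main__":
    print(compute_optimal_route("h1", "h2", "10.0.0.2"))
```

With these sample counters the direct s1-s3 link has 10 MB/s left while the two-hop route through s2 has 25 MB/s and 120 MB/s left, so the bandwidth-weighted Dijkstra prefers the longer route that a hop-count metric would reject.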
Embodiment 2
A method of work of a network security protection system, on the basis of Embodiment 1, separates sampling inspection from threat handling, effectively relieving the workload of the SDN controller and improving detection efficiency and data transmission rate.
Fig. 3 shows the flow chart of the method of work of the network security protection system of the present invention.
As shown in Fig. 3, the method of work of the network security protection system of the present invention comprises the following steps:
Step S100, initial configuration; step S200, having the IDS equipment carry out sampling inspection for DDoS threats according to a preset interval time; and step S300, formulating the corresponding handling policy according to the threat detection result and issuing it to the SDN controller so that the threat is handled.
The present invention realizes the inspection of DDoS threats by sampling, which greatly reduces the burden on the SDN controller.
For the preset interval time, reference may be made to the related discussion in Embodiment 1, which is not repeated here.
Further, the steps of the initial configuration in step S100 are as follows:
Step S101, a dedicated SSL communication channel is established between the IDS policy server and the IDS equipment of the network security protection system; step S102, the SDN controller builds a network device information binding table and updates it in real time into the IDS equipment; step S104, the SDN controller issues the flow table of the mirroring policy, i.e. the traffic of all ports of the OF switches in the domain that carry hosts is mirrored and forwarded to the corresponding IDS equipment; and step S105, the SDN controller issues DDoS threat identification rules to the corresponding IDS equipment in each domain.
The method by which the IDS equipment carries out sampling inspection for DDoS threats according to the preset interval time in step S200 includes:
within the preset interval time, successively sampling for spoofing behaviour on link-layer and internet-layer addresses, for abnormal behaviour in the flag bits set at the internet layer and transport layer, and for flooding attacks on the application layer and transport layer; if any detection in the above process judges that the packet exhibits the corresponding behaviour, the packet is transferred to step S300.
Fig. 4 shows the flow block diagram of the method of DDoS threat detection at the preset interval time.
As shown in Fig. 4, the specific implementation steps include: step S210, detecting spoofing behaviour on link-layer and internet-layer addresses; step S220, detecting abnormal behaviour in the flag bits set at the internet layer and transport layer; step S230, sampling for flooding attacks on the application layer and transport layer; step S240, after passing the packet through steps S210, S220 and S230 in sequence, if any step judges that the packet exhibits spoofing, abnormality or attack, transferring the packet to step S300.
The method of detecting spoofing behaviour on link-layer and internet-layer addresses in step S210 includes the following steps: step S211, the spoofed packet detection module calls the network device information binding table; step S212, the spoofed packet detection module parses the type of packet encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the OF switch that uploaded this Packet-In message, and compares each of the above items with the corresponding information in the network device information binding table; if the above information in the packet matches, the packet is transferred to step S220; if the above information in the packet does not match, the packet is transferred to step S300.
The method of detecting abnormal behaviour in the flag bits set at the internet layer and transport layer in step S220 includes: inspecting each flag bit of the packet to judge whether each flag bit conforms to the TCP/IP protocol specification; if every flag bit of the packet conforms, the packet is transferred to S230; if the flag bits of the packet do not conform, the packet is transferred to step S300.
The method of sampling for flooding attacks on the application layer and transport layer in step S230 includes the following steps: step S231, the abnormal packet detection module builds a hash table for identifying flooding attack packets; step S232, the abnormal packet detection module judges whether the packet is a flooding attack packet according to the threshold set in the hash table and transfers the judgement result to step S300; if there is no attack, the data is forwarded normally or issued through the above optimal path policy; if there is an attack, the corresponding shielding measure is taken.
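The following is an added example, not code from the patent, running the three sampling checks of steps S210, S220 and S230 in sequence over constructed Packet-In records: the binding-table comparison of step S212, a flag-bit conformance check for TCP, and a hash table counting packets per source within the sampling interval against a threshold. The binding table, the addresses, the particular flag combinations rejected, the `(src_ip, dst_ip)` hash key and the threshold are sample choices; the patent names none of them.

```python
"""Added example, not code from the patent: the sampling checks of steps
S210, S220 and S230 over constructed Packet-In records."""
from collections import defaultdict

# Constructed network device information binding table (step S102): which host
# is expected behind each (dpid, in_port) of an access switch.
BINDING_TABLE = {
    (1, 1): {"mac": "00:00:00:00:00:01", "ip": "10.0.0.1"},
    (1, 2): {"mac": "00:00:00:00:00:02", "ip": "10.0.0.2"},
}

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def check_spoof(pkt):
    """Step S212: source MAC, source IP and the uploading switch port must all
    agree with the binding table; an unknown port counts as a mismatch."""
    expected = BINDING_TABLE.get((pkt["dpid"], pkt["in_port"]))
    if expected is None:
        return False
    return expected["mac"] == pkt["src_mac"] and expected["ip"] == pkt["src_ip"]


def check_flags(pkt):
    """Step S220: reject TCP flag combinations a conforming stack never sends."""
    if pkt["proto"] != "tcp":
        return True
    f = pkt["flags"]
    if f == 0:                        # no flag at all
        return False
    if f & SYN and f & (FIN | RST):   # SYN never combines with FIN or RST
        return False
    if f & FIN and not f & ACK:       # every segment after the SYN carries ACK
        return False
    return True


class FloodTable:
    """Steps S231/S232: hash table keyed by (src, dst) counting packets in the
    current sampling interval; a count above the threshold means flooding."""

    def __init__(self, threshold, interval):
        self.threshold, self.interval = threshold, interval
        self.counts = defaultdict(int)
        self.window_start = None

    def observe(self, pkt):
        if self.window_start is None or pkt["ts"] - self.window_start >= self.interval:
            self.counts.clear()           # new sampling interval, start counting afresh
            self.window_start = pkt["ts"]
        key = (pkt["src_ip"], pkt["dst_ip"])
        self.counts[key] += 1
        return self.counts[key] > self.threshold


def inspect(pkt, table):
    """Steps S210 to S240 in order; anything flagged is handed to step S300."""
    if not check_spoof(pkt):
        return "S300", "spoof"
    if not check_flags(pkt):
        return "S300", "abnormal"
    if table.observe(pkt):
        return "S300", "flood"
    return "normal", None


def run_sample():
    """Constructed Packet-In records: one clean packet, a spoofed source,
    an impossible flag combination, then a SYN burst from one source."""
    table = FloodTable(threshold=5, interval=1.0)
    base = dict(dpid=1, in_port=1, src_mac="00:00:00:00:00:01", src_ip="10.0.0.1",
                dst_ip="10.0.0.2", proto="tcp", flags=SYN | ACK, ts=0.0)
    pkts = [dict(base), dict(base, src_ip="10.0.0.9"), dict(base, flags=SYN | FIN)]
    pkts += [dict(base, flags=SYN, ts=0.1 * i) for i in range(7)]
    return [inspect(p, table)[1] for p in pkts]
```

Note that the spoofed and malformed packets never reach the flood table: each stage only sees packets that passed the previous one, which is why the flood count for the legitimate source starts from the first clean packet.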
The method of threat handling and/or routing optimisation in step S300 includes: if the packet exhibits spoofing behaviour and the attack threat is inside the OpenFlow domain, the IDS policy server shields the attacking host via the SDN controller; and when the attack threat is outside the OpenFlow domain, the SDN controller redirects the traffic of the OF switch access port corresponding to the packet to the traffic cleaning centre for filtering. If the packet exhibits abnormal behaviour, the IDS policy server shields the traffic of the attacker or attacking host via the SDN controller. The specific implementation steps include: for a destruction packet attack, the packet currently being processed by the IDS equipment has already passed spoofed packet detection, so the packet's address is genuine. The IDS policy server need only issue, through the northbound interface of the SDN controller, a flow table entry whose action is Drop in order to shield the traffic of the attacker or attacking host. However, this is a coarse-grained decision and is applicable only to attacks that involve a small number of destruction packets. If the packet exhibits flooding attack behaviour, the IDS policy server redirects, via the SDN controller, the traffic of the OF switch access port corresponding to the packet to the traffic cleaning centre for filtering. Optionally, the security devices of the traffic cleaning centre can also feed the protection result back to the SDN controller so that the network policy is adjusted, realising multi-dimensional protection in the case where SDN is mixed with a legacy network. After the attacking host has been shielded, a shielding time and a shielding threshold are set; the shielding time limits how long the attacking host is shielded; and when the number of times the attacking host has been shielded exceeds the shielding threshold, the attacking host is shielded permanently.
As another preferred embodiment of sampling inspection, after a host has been judged to be an attacking host and the shielding time has elapsed, data transmission of that attacking host is restored, but the sampling interval for that host's data is tightened, i.e. intensified sampling.
Further, the optimised path is computed according to the link load coefficient: the link remaining bandwidth between two adjacent nodes is detected to obtain the load coefficient of the link; the optimal path between any two points is obtained according to the load coefficients and the initialised network topology diagram; and the SDN controller derives the corresponding forwarding flow tables from the optimal path and issues them to each OF switch.
The specific algorithm flow of path optimisation is as follows:
The method by which the IDS policy server shields the program sending the packet and/or the attacking host includes:
First, the corresponding counting hash tables are built and the corresponding thresholds are set, i.e.
within a unit time, a first hash table counting spoofing behaviour, a second hash table counting flag-bit abnormal behaviour, and a third hash table counting flooding attacks are built in the IDS policy server;
and a first, second and third threshold are set in the first, second and third hash tables respectively. Secondly, the program sending the packet and/or the attacking host is shielded, i.e. for the behaviour of each packet transferred to the IDS policy server, counting is done in the corresponding hash table, and when the count exceeds the corresponding threshold, the program sending the packet and/or the attacking host is shielded.
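The following is an added example, not code from the patent, of the bookkeeping an IDS policy server needs for step S300 and for the counting method just described: three per-source hash tables with their own thresholds cleared every unit time, the decision between a Drop flow entry and redirection to the cleaning centre, a shielding time, a shielding threshold beyond which the shield becomes permanent, and the intensified-sampling variant that tightens a host's sampling interval when its shield expires. The dicts returned stand in for the northbound API calls toward the SDN controller; the thresholds, times, hosts, the halving of the sampling interval and the reset of a counter once it has triggered an action are assumptions made for the example.

```python
"""Added example, not code from the patent: IDS policy server bookkeeping for
step S300 and the three counting hash tables."""
import math


class PolicyServer:
    def __init__(self, thresholds, unit_time, shield_time, shield_threshold,
                 base_interval, tighten_factor=0.5):
        self.thresholds = thresholds              # {"spoof": n1, "abnormal": n2, "flood": n3}
        self.unit_time = unit_time                # counting window of the hash tables
        self.shield_time = shield_time            # how long one shield lasts
        self.shield_threshold = shield_threshold  # shields beyond this become permanent
        self.base_interval = base_interval        # IDS sampling interval before any incident
        self.tighten_factor = tighten_factor      # assumption: halve the interval per restore
        self.tables = {k: {} for k in thresholds}  # first, second and third hash tables
        self.window_start = None
        self.shield_until = {}                    # host -> expiry time, math.inf = permanent
        self.shield_count = {}
        self.sample_interval = {}

    def _roll_window(self, now):
        """Counts are per unit time: clear all three tables when the window elapses."""
        if self.window_start is None or now - self.window_start >= self.unit_time:
            for t in self.tables.values():
                t.clear()
            self.window_start = now

    def report(self, host, behaviour, now, in_domain=True):
        """One packet handed to S300 by the IDS. Returns the action issued, or None."""
        self._roll_window(now)
        table = self.tables[behaviour]
        table[host] = table.get(host, 0) + 1
        if table[host] <= self.thresholds[behaviour]:
            return None
        table[host] = 0  # assumption: one burst over the threshold yields one action
        # Flag-bit abnormality, or spoofing from inside the OpenFlow domain: Drop
        # entry for the host. Flooding, or spoofing from outside the domain:
        # redirect the access port's traffic to the cleaning centre.
        if behaviour == "abnormal" or (behaviour == "spoof" and in_domain):
            return self._shield(host, now)
        return {"action": "redirect_to_cleaning_center", "host": host}

    def _shield(self, host, now):
        n = self.shield_count.get(host, 0) + 1
        self.shield_count[host] = n
        if n > self.shield_threshold:
            self.shield_until[host] = math.inf
            return {"action": "drop", "host": host, "permanent": True}
        self.shield_until[host] = now + self.shield_time
        return {"action": "drop", "host": host, "until": now + self.shield_time}

    def is_shielded(self, host, now):
        return self.shield_until.get(host, -math.inf) > now

    def tick(self, now):
        """Expire timed shields: restore forwarding for the host but tighten its
        sampling interval (the intensified-sampling variant)."""
        restored = []
        for host, until in list(self.shield_until.items()):
            if not math.isinf(until) and until <= now:
                del self.shield_until[host]
                cur = self.sample_interval.get(host, self.base_interval)
                self.sample_interval[host] = cur * self.tighten_factor
                restored.append(host)
        return restored


def run_sample():
    """Constructed scenario: one in-domain host that is repeatedly abnormal,
    and one external source that floods."""
    ps = PolicyServer(thresholds={"spoof": 3, "abnormal": 3, "flood": 10},
                      unit_time=10.0, shield_time=30.0, shield_threshold=2,
                      base_interval=10.0)
    host, out = "10.0.0.5", {"actions": [], "restored": []}
    for t in (0.0, 40.0, 80.0):
        acts = [ps.report(host, "abnormal", t + i) for i in range(4)]
        out["actions"].append(acts[-1])
        out["restored"].append(ps.tick(t + 35.0))
    out["interval"] = ps.sample_interval[host]
    out["still_shielded"] = ps.is_shielded(host, 1e9)
    flood = [ps.report("203.0.113.7", "flood", 200.0 + 0.5 * i, in_domain=False)
             for i in range(11)]
    out["flood"] = flood[-1]
    return out
```

In the scenario the host is shielded twice for the shielding time, has its sampling interval tightened after each restoration, and is shielded permanently on the third incident because the shielding threshold of two has been exceeded; the external flooder is redirected rather than dropped.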
It should be understood that the above embodiments of the present invention serve only to exemplarily illustrate or explain the principle of the present invention and are not to be construed as limiting the present invention. Therefore, any modification, equivalent substitution, improvement and the like made without departing from the spirit and scope of the present invention shall be included in the scope of protection of the present invention. In addition, the appended claims of the present invention are intended to cover all changes and modifications that fall within the scope and boundary of the claims, or within equivalents of that scope and boundary.
Taking the above description of the preferred embodiment of the present invention as guidance, those skilled in the art can make various changes and amendments entirely without departing from the scope of the technical idea of the present invention. The technical scope of the present invention is not limited to the content of the specification and must be determined according to the claims.