CN106060015A - IP source address verification method based on SDN - Google Patents

Publication number: CN106060015A
Authority: CN (China)
Prior art keywords: node, sdn, packet, sdn controller, rule
Legal status: Granted
Application number: CN201610332912.8A
Other languages: Chinese (zh)
Other versions: CN106060015B (en)
Inventors: 胡光武, 陈国龙, 张平安, 孔令晶, 李清, 肖喜
Current Assignee: Shenzhen Institute of Information Technology
Original Assignee: Shenzhen Institute of Information Technology
Application filed by: Shenzhen Institute of Information Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Abstract

The invention discloses an SDN-based IP source address verification method comprising the following steps: A1, an SDN controller converts the intra-domain network topology into a packet forwarding view tree with a border gateway device as the root node; A2, the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, with SDN switches replacing the conventional switches at the deployment nodes; A3, the SDN controller computes forwarding rules and deploys them on the SDN switches; and A4, the SDN switches match arriving packets against the forwarding rules. With this method, a small number of SDN devices deployed in the intra-domain network achieve the maximum IP source address verification effect, incremental deployment of the system is facilitated, and early-stage investment is effectively reduced.

Description

An IP source address verification method based on SDN
Technical field
The present invention relates to the field of network security, specifically IP source address verification, and in particular to a method of IP source address verification based on software-defined networking (SDN).
Background
Because the current Internet forwards and addresses packets only by their destination address and pays no attention to the sending user or the IP source address of the sending host, and because the Internet architecture itself lacks a mechanism for authenticating a packet's IP source address, packet IP source address spoofing and the attacks that rely on it have arisen, and with only the packet's IP source address as evidence it is difficult to locate or trace the source of an attack. Many attacks (such as denial-of-service attacks) exploit exactly this weakness to attack victims without bearing responsibility, which greatly damages the credibility and accountability of the Internet and creates a contradiction between the openness of the Internet and Internet users' demand for a trustworthy Internet. A genuine packet IP source address is a necessary condition for a trustworthy Internet, and ensuring the reliability of packet IP source addresses is an important means of effectively reducing attacks and increasing trust in network security.
Research has mainly proceeded along the lines of source address encryption, protocol redesign, host protocol stack/router software modification, packet filtering, and SDN device deployment schemes. Source address encryption schemes encrypt the packet's source address with a symmetric or asymmetric encryption algorithm so that the receiving host can verify the legitimacy of the packet's source address; but this mechanism affects applications that use the source address as a decision condition (such as flow classification), and key negotiation and distribution add a certain amount of system overhead. Protocol redesign uses rarely used fields in the IP header, inserting custom marks that the receiver identifies to judge whether the source address is genuine; but this mechanism may affect other protocols or services, including quality of service (QoS) guarantees, and a malicious user can forge the marks to impersonate other hosts. Host protocol stack/router software modification achieves IP source address verification by modifying the host's TCP/IP protocol stack or the router operating system. For example, the Host Identity Protocol (HIP) scheme sets up a "host identity" layer between the IP layer and the transport layer and uses encryption and mapping mechanisms to ensure the association and reliability of the mapping between host identity and IP address; the drawback of this mechanism is that implementation and deployment costs are high. Packet filtering schemes set rules in advance on the devices along a packet's forwarding path (such as layer 2 switches, routers and firewalls) to filter invalid packets; but this mechanism has shortcomings in filtering accuracy, in the form of false positives (misjudgments) or false negatives (missed detections). Finally, general SDN deployment schemes deploy SDN devices, such as OpenRouter routers and OpenFlow switches, throughout the whole subnet and use the controller to centrally compute forwarding rules and push them to the SDN devices, thereby verifying packet IP source addresses. This method demands a high deployment rate: SDN devices must be deployed across the whole subnet to reach a 100% filtering effect.
Summary of the invention
The object of the invention is to provide an SDN-based IP source address verification method and system which, by deploying a small number of SDN devices in the intra-domain network, maximize the IP source address verification effect while also adapting well to changes in network topology.
The invention provides an SDN-based IP source address verification method comprising the following steps:
A1. The SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node;
A2. The SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches at the deployment nodes with SDN switches;
A3. The SDN controller computes forwarding rules and deploys them on the SDN switches;
A4. The SDN switches match arriving packets against the forwarding rules.
Preferably, in step A1, if the network has only one border gateway device, that device is the root node; if the network has multiple border gateway devices, their common and nearest device is found and used as the root node, and multiple links between a pair of devices are treated as a single link.
Preferably, step A1 comprises: the SDN controller converts the intra-domain network topology into a packet forwarding view tree rooted at the border gateway device, according to the intra-domain routing table or a single-source shortest path algorithm.
More preferably, in step A1 the single-source shortest path algorithm is Dijkstra's algorithm.
Preferably, step A2 comprises: the SDN controller computes the utility value of each node on the packet forwarding view tree according to a utility function and sorts the nodes by utility value from high to low; following the sorted order, nodes are chosen one by one and the SDN nodes are found according to a heuristic algorithm.
More preferably, the utility function uses formula (1) (the formula given in claim 6) to compute the utility value u_i of each node on the packet forwarding view tree, and the nodes are sorted by utility value from high to low.
Where pc_i: integer, the number of IP prefixes covered by node i (including the number of all prefix pairs in the subtree of node i and the number of prefix pairs of node i itself); u_i: integer, the utility value of detectable spoofed prefixes when node i is an SDN node, i.e. the number of IP prefix pairs that cannot be forged; Child[i]: integer array, the numbers of all child nodes of node i.
For any node, its utility value is the size of the set of all prefix pairs that pass through that node.
Following the descending order of node utility values, nodes are selected one by one according to the heuristic algorithm and their utility values are accumulated, while duplicated utility is removed: the intersection of the prefix-pair set covered by the current node and the prefix-pair set covered by the already selected nodes is discarded. Selection continues until the accumulated utility value of the selected nodes meets the filtering requirement set by the user.
At this point, the nodes selected above are deployed as SDN nodes, the order in which the nodes were selected is the SDN node deployment order, and SDN switches replace the conventional switches at the deployment nodes.
More preferably, the heuristic algorithm in step A2 is formula (2) (the formula given in claim 7),
where λ: fraction, the minimum ratio of unspoofable IP prefixes required by the network or user; N: integer, the total number of nodes, equal to |V|; distinct(): function that eliminates the utility counted repeatedly when multiple nodes are deployed at the same time.
Preferably, step A3 comprises: based on the packet forwarding view tree generated in step A1, the positions of the SDN nodes from step A2 and the set of subnet prefixes covered by each SDN node, the SDN controller generates a legal forwarding rule set whose action is forward and an illegal forwarding rule set whose action is drop, and pushes both to the corresponding SDN nodes.
Preferably, step A4 comprises: after a packet arrives at an SDN switch, the switch matches it against the forwarding rules pushed in step A3; if a rule matches, the forward or drop action defined in the matching rule is performed. When a forwarding rule update is delayed, or policy routing causes the match to fail, the packet is handed to the SDN controller, which analyzes its legitimacy and pushes a forwarding rule.
When the network topology changes, the SDN controller re-issues forwarding rules using a combination of precomputation and real-time computation, adapting to the topology change. Precomputation means that the system computes in advance the forwarding rules for each SDN node under a single-node or single-link failure, saving computation time when the topology changes; real-time computation means that when the topology change goes beyond the precomputed cases, the forwarding rules on the SDN nodes are computed in real time from the topology.
The invention also provides an SDN-based IP source address verification system comprising a conversion module, an SDN node deployment module, a forwarding rule computation module and a packet matching module. The conversion module is used so that the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node. The SDN node deployment module is used so that the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches at the deployment nodes with SDN switches. The forwarding rule computation module is used so that the SDN controller computes forwarding rules and deploys them on the SDN switches. The packet matching module is used so that the SDN switches match arriving packets against the forwarding rules.
Beneficial effects of the invention: the method converts the network topology in step A1, finds the key nodes in step A2 and deploys them as SDN nodes, and then, through the forwarding rules and packet matching of steps A3 and A4, achieves the maximum filtering effect with fewer deployed SDN nodes, thereby meeting the goal of verifying intra-domain IP source addresses.
Compared with other existing source address validation methods and systems, the invention detects packet source addresses within the domain without modifying host protocol stacks or existing Internet protocols, while effectively reducing deployment cost; it is highly implementable, adapts well to network changes, optimizes the trade-off between deployment cost and source address validation effect, and favors incremental deployment. The invention can effectively reduce Internet source address spoofing and the attacks that depend on it, and contributes positively to building a secure and trustworthy Internet.
Brief description of the drawings
Fig. 1a is a schematic diagram of the overall mechanism before SDN devices are deployed, and Fig. 1b is a schematic diagram of the overall mechanism after SDN devices are deployed.
Fig. 2 is the flow chart of the SDN node selection algorithm.
Detailed description of the invention
The invention is described in detail below with reference to the drawings and a specific embodiment.
In Fig. 1a and Fig. 1b, H1 and H2 are legitimate hosts, H1' is a spoofing host, A, B and C are conventional switches, A' is an SDN switch, and D is the SDN controller.
The spoofing host H1' forges the IP address of legitimate host H1 to send spoofed packets. Before SDN devices are deployed, the network cannot detect and filter these spoofed packets; after an SDN device is deployed at domain topology node A, the flow rules pushed by the SDN controller let the network detect and filter them.
The invention provides an SDN-based IP source address verification method which specifically comprises the following steps:
A1. The domain network has multiple border gateway devices; the common and nearest device of these border gateway devices is found and used as the root node, and multiple links between a pair of devices are treated as a single link.
Based on the network topology connection matrix information G(V, E) (V is the set of all layer 3 forwarding nodes in the domain, and E is the link metrics between those layer 3 nodes), the SDN controller uses Dijkstra's algorithm to convert the network topology into a packet forwarding view tree.
A2. The utility value u_i of each node is computed according to formula (1), that is, it includes the number of all prefix pairs in the subtree of node i and the number of prefix pairs of node i itself, and the nodes are sorted by utility value from high to low.
Where pc_i: integer, the number of IP prefixes covered by node i (including the number of all prefix pairs in the subtree of node i and the number of prefix pairs of node i itself); u_i: integer, the utility value of detectable spoofed prefixes when node i is an SDN node, i.e. the number of IP prefix pairs that cannot be forged; Child[i]: integer array, the numbers of all child nodes of node i.
Following the descending order of node utility values, nodes are selected one by one and their utility values are accumulated according to formula (2), while duplicated utility is removed: the intersection of the prefix-pair set covered by the current node and the prefix-pair set covered by the already selected nodes is discarded. Selection continues until the accumulated utility value of the selected nodes meets the filtering requirement set by the user.
Where λ: fraction, the minimum ratio of unspoofable IP prefixes required by the network or user; N: integer, the total number of nodes, equal to |V|; distinct(): function that eliminates the utility counted repeatedly when multiple nodes are deployed at the same time.
At this point, the nodes selected above are deployed as SDN nodes, the order in which the nodes were selected is the SDN node deployment order, and SDN switches replace the conventional switches at those nodes.
The SDN node selection algorithm is given below; its flow chart is shown in Fig. 2.
Algorithm 1: SDN node selection algorithm
Input:
AM: the N*N topology adjacency matrix;
Output:
α: the ratio of SDN nodes to all nodes;
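The selection procedure of steps A1 and A2, written out as an added example (this is not code from the patent). It assumes the textual definition above, that a node's utility is the set of prefix pairs whose forwarding path crosses it, and treats λ as the covered share of all prefix pairs; the topology, link weights and prefixes are constructed, and all function names are hypothetical.

```python
import heapq
from itertools import combinations


def forwarding_tree(adj, root):
    """Step A1: Dijkstra over the adjacency matrix (0 = no link).
    Returns parent[], the packet forwarding view tree rooted at `root`."""
    n = len(adj)
    dist = [float("inf")] * n
    parent = [None] * n
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in enumerate(adj[u]):
            if w and d + w < dist[v]:
                dist[v], parent[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return parent


def tree_path(parent, a, b):
    """Nodes on the tree path between a and b, endpoints included."""
    def to_root(n):
        path = []
        while n is not None:
            path.append(n)
            n = parent[n]
        return path
    pa, pb = to_root(a), to_root(b)
    common = set(pb)
    meet = next(x for x in pa if x in common)  # lowest common ancestor
    return set(pa[:pa.index(meet) + 1]) | set(pb[:pb.index(meet) + 1])


def pairs_through(parent, prefixes):
    """node -> set of prefix pairs whose forwarding path crosses that node
    (assumed reading of the utility value u_i)."""
    owner = {p: node for node, plist in prefixes.items() for p in plist}
    through = {node: set() for node in range(len(parent))}
    for p, q in combinations(sorted(owner), 2):
        for node in tree_path(parent, owner[p], owner[q]):
            through[node].add((p, q))
    return through


def select_sdn_nodes(adj, root, prefixes, lam):
    """Step A2: walk nodes in descending utility, count only prefix pairs not
    already covered (the distinct() step), stop once the covered share >= lam.
    Returns (deployment order, covered share, alpha = SDN nodes / all nodes)."""
    parent = forwarding_tree(adj, root)
    through = pairs_through(parent, prefixes)
    n_prefixes = sum(len(p) for p in prefixes.values())
    total = n_prefixes * (n_prefixes - 1) // 2
    if total == 0:
        return [], 1.0, 0.0  # fewer than two prefixes: nothing to verify
    order = sorted(through, key=lambda node: (-len(through[node]), node))
    covered, chosen = set(), []
    for node in order:
        if len(covered) / total >= lam:
            break
        gain = through[node] - covered
        if gain:  # skip nodes that add no new prefix pairs
            chosen.append(node)
            covered |= gain
    return chosen, len(covered) / total, len(chosen) / len(adj)


# Constructed input: node 0 is the border gateway; the 2-4 link (weight 3)
# is redundant and does not end up in the forwarding tree.
AM = [
    [0, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0],
    [1, 0, 0, 0, 3, 1],
    [0, 1, 0, 0, 0, 0],
    [0, 1, 3, 0, 0, 0],
    [0, 0, 1, 0, 0, 0],
]
PREFIXES = {  # constructed: node -> directly attached subnets
    2: ["10.0.2.0/24"],
    3: ["10.0.3.0/24"],
    4: ["10.0.4.0/24"],
    5: ["10.0.5.0/24", "10.0.6.0/24"],
}

if __name__ == "__main__":
    for lam in (0.8, 0.9, 1.0):
        print(lam, select_sdn_nodes(AM, 0, PREFIXES, lam))
```

On this topology two SDN nodes out of six already cover 90% of the prefix pairs, and the last 10% costs a third node, which is the deployment-cost trade-off the method is built around.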
A3. The administrator modifies or confirms the deployment nodes through the SDN controller.
For each deployment node position, the SDN controller computes the prefix pairs allowed on every port of that node, permitting only communication between legal prefix pairs (source IP = source IP prefix/subnet mask, destination IP = destination IP prefix/subnet mask, Output(port)) and blocking communication between all other, illegal prefix pairs.
The SDN controller merges the above rules and pushes them to the SDN nodes.
A4. When a packet arrives at an SDN device port, the SDN device matches it against the forwarding rules; if the match succeeds, the action defined in the matching rule is executed; otherwise the packet is handed to the controller for processing. The other, conventional nodes keep their function unchanged: they forward packets according to their routing tables, are not controlled or affected by the SDN controller, and take no part in packet filtering.
The system based on the above IP source address verification method comprises a conversion module, an SDN node deployment module, a forwarding rule computation module and a packet matching module. The conversion module is used so that the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node. The SDN node deployment module is used so that the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches at the deployment nodes with SDN switches. The forwarding rule computation module is used so that the SDN controller computes forwarding rules and deploys them on the SDN switches. The packet matching module is used so that the SDN switches match arriving packets against the forwarding rules.
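Steps A3 and A4 for a single SDN node, as an added example (not code from the patent): the controller side builds the legal (forward) and illegal (drop) rule sets from a port-to-prefix map, and the switch side classifies packets, handing table misses to the controller. The port map loosely follows Fig. 1b and is constructed; keying rules on the ingress port is a modeling assumption, and the function names are hypothetical.

```python
import ipaddress
from itertools import permutations

# Constructed port map for one SDN node (A' in Fig. 1b):
# port -> prefixes legitimately reachable behind that port.
PORT_PREFIXES = {
    1: ["10.0.1.0/24"],                 # subnet of legitimate host H1
    2: ["10.0.2.0/24"],                 # subnet of H2; spoofing host H1' attaches here
    3: ["10.0.3.0/24", "10.0.4.0/24"],  # rest of the domain, via the parent node
}


def build_rules(port_prefixes):
    """Step A3 (controller side). Returns (allow, drop):
    allow: (in_port, src_net, dst_net, out_port) for every legal prefix pair
    drop:  (in_port, src_net) for source prefixes that live behind another port
    """
    nets = {
        port: [ipaddress.ip_network(p) for p in plist]
        for port, plist in port_prefixes.items()
    }
    allow, drop = [], []
    for in_port, out_port in permutations(nets, 2):
        for src in nets[in_port]:
            for dst in nets[out_port]:
                allow.append((in_port, src, dst, out_port))
        # A source prefix that belongs behind out_port must never
        # arrive on in_port: that is a forged source address.
        for src in nets[out_port]:
            drop.append((in_port, src))
    return allow, drop


def classify(rules, in_port, src_ip, dst_ip):
    """Step A4 (switch side). Returns ("forward", out_port), ("drop", None)
    or ("controller", None) when no rule matches."""
    allow, drop = rules
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for port, src_net in drop:
        if port == in_port and src in src_net:
            return ("drop", None)
    for port, src_net, dst_net, out_port in allow:
        if port == in_port and src in src_net and dst in dst_net:
            return ("forward", out_port)
    return ("controller", None)


def demo():
    """Constructed packets: (label, in_port, src, dst) -> verdict."""
    rules = build_rules(PORT_PREFIXES)
    packets = [
        ("H1 genuine", 1, "10.0.1.10", "10.0.3.5"),
        ("H1' forging H1's address", 2, "10.0.1.10", "10.0.3.5"),
        ("H1 to unknown destination", 1, "10.0.1.10", "198.51.100.7"),
        ("unknown source on uplink", 3, "203.0.113.9", "10.0.1.10"),
    ]
    return {label: classify(rules, p, s, d) for label, p, s, d in packets}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:28s} -> {verdict}")
```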

Claims (10)

1. An IP source address verification method based on SDN, characterized in that it comprises the following steps:
A1. The SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node;
A2. The SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches at the deployment nodes with SDN switches;
A3. The SDN controller computes forwarding rules and deploys them on the SDN switches;
A4. The SDN switches match arriving packets against the forwarding rules.
2. The method of claim 1, characterized in that step A1 comprises: if the network has only one border gateway device, that device is the root node; if the network has multiple border gateway devices, their common and nearest device is found and used as the root node, and multiple links between a pair of devices are treated as a single link.
3. The method of claim 1, characterized in that step A1 comprises: the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node, according to the intra-domain routing table or a single-source shortest path algorithm.
4. The method of claim 3, characterized in that the single-source shortest path algorithm is Dijkstra's algorithm.
5. The method of claim 1, characterized in that step A2 comprises: the SDN controller computes the utility value of each node on the packet forwarding view tree according to a utility function and sorts the nodes by utility value from high to low; following the sorted order, nodes are chosen one by one and the SDN nodes are found according to a heuristic algorithm.
6. The method of claim 4, characterized in that the utility function in step A2 is the following formula:
$\forall\, pc_s, pc_t \in Child[i],\ s \neq t:\ u_i = pc_s \cdot pc_t + pc_i \cdot \overline{pc_i}$;
where pc_i: the number of IP prefixes covered by node i; u_i: the utility value of detectable spoofed prefixes when node i is an SDN node, i.e. the number of IP prefix pairs that cannot be forged; Child[i]: the numbers of all child nodes of node i.
7. The method of claim 4, characterized in that the heuristic algorithm in step A2 is:
$\forall\, pc_s, pc_t \in V,\ s \neq t:\ \lambda = \dfrac{\sum_{i=1}^{N} distinct(u_i \cdot \sigma_i)}{pc_s \cdot pc_t}$;
where λ: the minimum ratio of unspoofable IP prefixes required by the network or user; N: the total number of nodes; distinct(): eliminates the utility counted repeatedly when multiple nodes are deployed at the same time.
8. The method of claim 1, characterized in that step A3 comprises: the SDN controller generates a legal forwarding rule set whose action is forward and an illegal forwarding rule set whose action is drop.
9. The method of claim 1, characterized in that step A4 comprises: the SDN switch matches packets against the forwarding rules pushed in step A3; if the match succeeds, the forward or drop action defined in the matching rule is performed; if the match fails, the packet is handed to the SDN controller, which analyzes its legitimacy and pushes a forwarding rule.
10. A system for the method of claim 1, characterized in that the system comprises a conversion module, an SDN node deployment module, a forwarding rule computation module and a packet matching module;
wherein the conversion module is used so that the SDN controller converts the intra-domain network topology into a packet forwarding view tree with the border gateway device as the root node;
the SDN node deployment module is used so that the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switches at the deployment nodes with SDN switches;
the forwarding rule computation module is used so that the SDN controller computes forwarding rules and deploys them on the SDN switches;
the packet matching module is used so that the SDN switches match arriving packets against the forwarding rules.
CN201610332912.8A 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN Active CN106060015B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610332912.8A CN106060015B (en) 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN

Publications (2)

Publication Number Publication Date
CN106060015A true CN106060015A (en) 2016-10-26
CN106060015B CN106060015B (en) 2019-11-01

Family

ID=57177817

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610332912.8A Active CN106060015B (en) 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN

Country Status (1)

Country Link
CN (1) CN106060015B (en)

Also Published As

Publication number Publication date
CN106060015B (en) 2019-11-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant