CN106060015B - A kind of IP source address verification method based on SDN - Google Patents


Publication number
CN106060015B
Authority
CN
China
Prior art keywords
node
sdn
data packet
prefix
deployment
Legal status
Active
Application number
CN201610332912.8A
Other languages
Chinese (zh)
Other versions
CN106060015A (en
Inventor
胡光武
陈国龙
张平安
孔令晶
李清
肖喜
Current Assignee
Shenzhen Institute of Information Technology
Original Assignee
Shenzhen Institute of Information Technology

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an SDN-based IP source address verification method and system. The method comprises the following steps: A1, the SDN controller converts the intra-domain network topology into a packet forwarding view tree whose root node is the border gateway device; A2, the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switch on each deployment node with an SDN switch; A3, the SDN controller computes forwarding rules and deploys them on the SDN switches; A4, the SDN switch matches arriving packets against the forwarding rules. By deploying a small number of SDN devices in the intra-domain network, the method maximizes IP source address verification, which favors incremental deployment of the system and effectively reduces up-front investment.

Description

A kind of IP source address verification method based on SDN
Technical field
The present invention relates to the field of network security, specifically IP source address verification, and in particular to a method of IP source address verification based on software-defined networking (SDN).
Background art
Because the current Internet forwards and addresses packets only by their destination address, it pays no attention to the sending user or to the IP source address of the sending host, and the Internet architecture itself lacks a mechanism for authenticating a packet's IP source address. This gives rise to IP source address spoofing and to the attacks that build on it, and afterwards, with only the packet's IP source address as evidence, the source of an attack is hard to locate or is traced to the wrong origin. Many attacks (such as denial-of-service attacks) exploit exactly this weakness to attack a victim without bearing responsibility, which greatly damages the credibility and accountability of the Internet and has become a contradiction between the openness of the Internet and its users' demand for a trustworthy Internet. A genuine packet IP source address is a necessary condition for a trustworthy Internet, and ensuring the reliability of packet IP source addresses is an important means of effectively reducing attacks and increasing network security and trust.
Existing research mainly follows these approaches: source address encryption, protocol redesign, modification of the host protocol stack or router software, packet filtering, and deployment of SDN equipment. Source address encryption schemes encrypt the packet's source address with a symmetric or asymmetric encryption algorithm so that the receiving host can verify the legitimacy of the packet's source address, but the mechanism interferes with applications that use the source address as a decision condition (such as flow classification), and the key negotiation and distribution mechanisms add some system overhead. Protocol redesign schemes insert custom labels into rarely used fields of the IP header and check these labels at the receiver to judge whether the source address is genuine, but this mechanism may affect other protocols or services, including quality of service (QoS) guarantees, and a malicious user can also impersonate other hosts by forging labels. Host protocol stack or router software modification achieves IP source address verification by modifying the host TCP/IP protocol stack or the router operating system. For example, the Host Identity Protocol (HIP) scheme establishes a "host identity" layer between the IP layer and the transport layer and uses encryption and a mapping mechanism to guarantee the association between the host identity and the IP address and the reliability of that mapping. The drawback of this mechanism is its high implementation and deployment cost. Packet filtering schemes pre-set rules on devices along the packet's forwarding path (such as layer-2 switches, routers and firewalls) to filter out illegitimate packets, but the filtering accuracy of this mechanism suffers from false positives (misjudgments) or false negatives (missed detections). Finally, general SDN deployment schemes deploy SDN equipment, such as OpenRouter routers and OpenFlow switches, throughout the whole subnet, and a controller centrally computes forwarding rules and issues them to the SDN equipment in order to verify packet IP source addresses. This method demands a high deployment rate: SDN equipment must be deployed across the whole subnet to achieve a 100% filtering effect.
Summary of the invention
The purpose of the present invention is to provide an SDN-based IP source address verification method and system that, by deploying a small number of SDN devices in the intra-domain network, maximizes the effect of IP source address verification while also adapting well to changes in network topology.
The present invention provides an IP source address verification method based on SDN, comprising the following steps:
A1. The SDN controller converts the intra-domain network topology into a packet forwarding view tree whose root node is the border gateway device;
A2. The SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switch on each deployment node with an SDN switch;
A3. The SDN controller computes forwarding rules and deploys them on the SDN switches;
A4. The SDN switch matches arriving packets against the forwarding rules.
Preferably, in step A1, if the network has only one border gateway device, that device is taken as the root node; if the network has multiple border gateway devices, their common and nearest device is found and taken as the root node, and multiple links between two devices are treated as a single link.
Preferably, step A1 includes: the SDN controller converts the intra-domain network topology into a packet forwarding view tree rooted at the border gateway device, according to the intra-domain routing table or a single-source shortest path algorithm.
Further preferably, the single-source shortest path algorithm in step A1 is Dijkstra's algorithm.
Preferably, step A2 includes: the SDN controller computes the utility value of each node on the packet forwarding view tree according to a utility function and sorts the nodes by utility value from high to low; then, following the sorted order, it selects nodes one by one and finds the SDN nodes according to a heuristic algorithm.
Further preferably, the utility function uses the following formula (1) to compute the utility value u_i of each node on the packet forwarding view tree, and the nodes are sorted by utility value from high to low.
Where: pc_i: integer, the number of IP prefixes covered by node i (including the number of all prefix pairs in the subtree of node i and the number of prefix pairs of node i itself); u_i: integer, the utility value of spoofed prefixes detectable when node i is an SDN node, that is, the number of IP prefix pairs that cannot be forged; child[i]: integer array, the numbers of all child nodes of node i; pc_t: the number of IP prefixes covered by node t; pc_s: the number of IP prefixes covered by node s; nodes t and s are child nodes of node i; the number of IP prefixes, among all IP prefixes of the SDN-administered topology, that node i cannot cover, i.e., the difference between the set of all IP prefixes of the topology and the set of prefixes node i can cover.
For any node, the utility value is the size of the set of all prefix pairs that pass through the node.
Following the descending order of node utility values, nodes are selected one by one according to the heuristic algorithm and their utility values are accumulated, with duplicated utility removed; that is, the intersection of the prefix-pair set covered by the current node and the prefix-pair set covered by the already selected nodes is discarded, until the accumulated utility value meets the filtering requirement set by the user.
At this point, the nodes selected above are the SDN deployment nodes, and the order in which they were selected is the order of SDN node deployment; the conventional switch on each deployment node is replaced with an SDN switch.
Further preferably, the heuristic algorithm in step A2 is:
Where: λ: fraction, the minimum ratio of unforgeable IP prefixes required by the network or user; n: integer, the total number of nodes, equal to |V|; distinct(): function that eliminates the utility counted repeatedly when multiple nodes are deployed at the same time; σ_i: indicates whether node i is a deployment node for SDN source address detection, with value 1 if so and 0 otherwise; pc_t: the number of IP prefixes covered by node t; pc_s: the number of IP prefixes covered by node s; V: the set of all nodes in the topology.
Preferably, step A3 includes: based on the packet forwarding view tree generated in step A1, the SDN node positions from step A2 and the set of subnet prefixes covered by each SDN node, the SDN controller generates a legal forwarding rule set whose action is forward and an illegal forwarding rule set whose action is drop, and issues both to the corresponding SDN node.
Preferably, step A4 includes: after a packet reaches the SDN switch, the SDN switch matches it against the forwarding rules issued in step A3; if a match succeeds, the forward or drop operation defined in the matched forwarding rule is executed. When a forwarding rule update is delayed, or policy-based routing causes the match to fail, the packet is handed to the SDN controller, which analyzes its legitimacy and issues a forwarding rule.
When the network topology changes, the SDN controller reissues forwarding rules using a combination of precomputation and real-time computation, thereby adapting to topology changes. Precomputation means that the system computes in advance, for the case of a single node or single link failure, the corresponding forwarding rules on each SDN node, saving computation time when the topology changes; real-time computation means that, when the topology change goes beyond the precomputed cases, the forwarding rules on the SDN nodes are computed in real time from the topology.
The present invention also provides an SDN-based IP source address verification system comprising a conversion module, an SDN node deployment module, a forwarding rule calculation module and a packet matching module. The conversion module is used for: the SDN controller converts the intra-domain network topology into a packet forwarding view tree whose root node is the border gateway device. The SDN node deployment module is used for: the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys SDN nodes, replacing the conventional switch on each deployment node with an SDN switch. The forwarding rule calculation module is used for: the SDN controller computes forwarding rules and deploys them on the SDN switches. The packet matching module is used for: the SDN switch matches arriving packets against the forwarding rules.
Beneficial effects of the present invention: the method converts the network topology in step A1, finds the key nodes in step A2 and deploys SDN nodes on them, and then, through the forwarding rules and packet matching of steps A3 and A4, achieves the maximum filtering effect with few deployed SDN nodes, thereby realizing the goal of verifying intra-domain Internet Protocol (IP) source addresses.
Compared with other existing source address validation methods and systems, the present invention detects packet source addresses within the domain without modifying the host protocol stack or existing Internet protocols, while effectively reducing deployment overhead. It is highly practicable, adapts well to network changes, optimizes the balance between deployment cost and source address validation effect, and favors incremental deployment. The present invention can effectively reduce Internet source address spoofing and related attacks, and contributes positively to building a secure and trustworthy Internet.
Description of the drawings
Fig. 1a is a schematic diagram of the overall mechanism before SDN devices are deployed, and Fig. 1b is a schematic diagram of the overall mechanism after SDN devices are deployed.
Fig. 2 is a flow chart of the SDN node selection algorithm.
Specific embodiments
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1a is a schematic diagram of the overall mechanism before SDN devices are deployed, and Fig. 1b is a schematic diagram of the overall mechanism after SDN devices are deployed. H1 and H2 are legitimate hosts, H1' is a spoofing host, A, B and C are conventional switches, A' is an SDN switch, and D is the SDN controller.
The spoofing host H1' forges the IP address of the legitimate host H1 and sends spoofed packets. Before SDN devices are deployed, the network cannot detect or filter these spoofed packets; after an SDN device is deployed on intra-domain topology node A and the SDN controller issues flow control rules, the network can detect and filter them.
The present invention provides an IP source address verification method based on SDN, specifically comprising the following steps:
A1. There are multiple border gateway devices in the intra-domain network; the device that is common to and nearest the multiple border gateways in the network is found and taken as the root node, and multiple links between two devices are treated as a single link.
According to the network topology connection matrix information G(V, E) (V is the set of all layer-3 forwarding nodes in the domain, and E is the link metric between those layer-3 nodes), the SDN controller uses Dijkstra's algorithm to convert the topology into a packet forwarding view tree.
A2. The utility value u_i of each node is computed according to formula (1), that is, it includes the number of all prefix pairs in the subtree of node i and the number of prefix pairs of node i itself, and the nodes are sorted by utility value from high to low.
Where: pc_i: integer, the number of IP prefixes covered by node i (including the number of all prefix pairs in the subtree of node i and the number of prefix pairs of node i itself); u_i: integer, the utility value of spoofed prefixes detectable when node i is an SDN node, that is, the number of IP prefix pairs that cannot be forged; child[i]: integer array, the numbers of all child nodes of node i; pc_t: the number of IP prefixes covered by node t; pc_s: the number of IP prefixes covered by node s; nodes t and s are child nodes of node i; the number of IP prefixes, among all IP prefixes of the SDN-administered topology, that node i cannot cover, i.e., the difference between the set of all IP prefixes of the topology and the set of prefixes node i can cover.
Following the descending order of node utility values, nodes are selected one by one according to formula (2) and their utility values are accumulated, with duplicated utility removed; that is, the intersection of the prefix-pair set covered by the current node and the prefix-pair set covered by the already selected nodes is discarded, until the accumulated utility value meets the filtering requirement set by the user.
Where: λ: fraction, the minimum ratio of unforgeable IP prefixes required by the network or user; n: integer, the total number of nodes, equal to |V|; distinct(): function that eliminates the utility counted repeatedly when multiple nodes are deployed at the same time; σ_i: indicates whether node i is a deployment node for SDN source address detection, with value 1 if so and 0 otherwise; pc_t: the number of IP prefixes covered by node t; pc_s: the number of IP prefixes covered by node s; V: the set of all nodes in the topology.
At this point, the nodes selected above are the SDN deployment nodes, and the order in which they were selected is the order of SDN node deployment; the conventional switch on each such node is replaced with an SDN switch.
The SDN node selection algorithm is as follows, and its flow chart is shown in Fig. 2.
Algorithm 1: SDN node selection algorithm
Input:
AM, the N*N topology adjacency matrix;
Output:
α, the ratio of SDN nodes to all nodes;
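The selection procedure of steps A1 and A2, as an added example that is not the patent's own code. Because formula (1) and the body of Algorithm 1 do not survive on this page, the utility of a node is taken here to be the set of ordered prefix pairs whose path on the forwarding view tree crosses it, which is an assumption; the adjacency matrix, prefixes and function names are constructed for illustration.

```python
import heapq
from itertools import permutations

# Constructed sample input: N*N adjacency matrix AM (0 = no link, else link metric).
# Node 0 is the border gateway device and therefore the root of the view tree.
AM = [
    [0, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0],
    [1, 0, 0, 0, 0, 1],
    [0, 1, 0, 0, 5, 0],
    [0, 1, 0, 5, 0, 3],
    [0, 0, 1, 0, 3, 0],
]
# Constructed sample input: IP prefixes attached directly to each node.
PREFIXES = {2: ["10.0.2.0/24"], 3: ["10.0.3.0/24"],
            4: ["10.0.4.0/24"], 5: ["10.0.5.0/24"]}


def forwarding_tree(am, root):
    """Step A1: Dijkstra from the root; returns {node: parent} for the view tree."""
    dist = [float("inf")] * len(am)
    dist[root] = 0
    parent = {root: None}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in enumerate(am[u]):
            if w and d + w < dist[v]:
                dist[v] = d + w
                parent[v] = u
                heapq.heappush(heap, (dist[v], v))
    return parent


def tree_path(parent, a, b):
    """Nodes on the unique tree path from a to b (through their common ancestor)."""
    up_a, x = [], a
    while x is not None:
        up_a.append(x)
        x = parent[x]
    up_b, x = [], b
    while x not in up_a:  # climb from b until reaching a's ancestor chain
        up_b.append(x)
        x = parent[x]
    return up_a[:up_a.index(x) + 1] + up_b[::-1]


def pair_sets(parent, prefixes):
    """Assumed utility: per node, the ordered (src, dst) prefix pairs crossing it."""
    owner = {p: n for n, ps in prefixes.items() for p in ps}
    crossing = {n: set() for n in parent}
    for src, dst in permutations(owner, 2):
        for n in tree_path(parent, owner[src], owner[dst]):
            crossing[n].add((src, dst))
    return crossing


def select_sdn_nodes(crossing, lam):
    """Step A2: take nodes in descending utility order, count each prefix pair
    once, and stop when the covered fraction reaches lam.
    Returns (deployment order, covered fraction, alpha = SDN nodes / all nodes)."""
    total = len(set().union(*crossing.values()))
    order = sorted(crossing, key=lambda n: (-len(crossing[n]), n))
    chosen, covered = [], set()
    for n in order:
        if len(covered) >= lam * total:
            break
        gain = crossing[n] - covered  # drop pairs already covered by chosen nodes
        if gain:
            chosen.append(n)
            covered |= gain
    return chosen, len(covered) / total, len(chosen) / len(crossing)


if __name__ == "__main__":
    tree = forwarding_tree(AM, 0)
    sets = pair_sets(tree, PREFIXES)
    for lam in (0.8, 0.9):
        nodes, cov, alpha = select_sdn_nodes(sets, lam)
        print(f"lambda={lam}: deploy {nodes}, coverage={cov:.2f}, alpha={alpha:.2f}")
```

On this constructed topology one SDN node out of six already covers ten of the twelve prefix pairs, and a second node covers the rest.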
A3. The administrator modifies or confirms the deployment nodes through the SDN controller.
For each deployment node position, the SDN controller computes the prefix pairs permitted on all ports under that node; that is, it permits forwarding of communication between legal prefix pairs (source IP = source IP prefix/subnet mask, destination IP = destination IP prefix/subnet mask, Output(port)) and blocks communication between all other, illegal prefix pairs.
The SDN controller merges the above rules and issues them to the SDN nodes.
A4. When a packet reaches an SDN device port, the SDN device matches the packet against the forwarding rules; if the match succeeds, the action defined in the matching rule is executed; otherwise the packet is handed to the controller for processing. The functions of the other, conventional nodes are unchanged: they forward packets according to the routing table, are neither controlled nor affected by the SDN controller, and take no part in packet filtering.
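Rule generation and matching for steps A3 and A4 on a single SDN node, as an added example that is not the patent's own code. Matching on the ingress port in addition to the source and destination prefixes is an assumption, as are the port numbers, prefixes and function names, which are constructed for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed sample input: prefixes legitimately reachable behind each port
# of one SDN switch (port 3 is the uplink towards the rest of the domain).
PORT_PREFIXES = {
    1: ["10.0.3.0/24"],
    2: ["10.0.4.0/24"],
    3: ["10.0.5.0/24", "10.0.2.0/24"],
}

# Constructed sample packets: (ingress port, source IP, destination IP).
SAMPLE_PACKETS = [
    (1, "10.0.3.7", "10.0.4.9"),    # legal prefix pair
    (2, "10.0.3.7", "10.0.5.1"),    # source prefix belongs behind port 1: spoofed
    (1, "192.0.2.9", "10.0.4.9"),   # source prefix unknown to the rule table
    (3, "10.0.2.5", "10.0.3.7"),    # legal prefix pair arriving on the uplink
]


def build_rules(port_prefixes):
    """Step A3: legal rules (forward) followed by illegal rules (drop).

    A rule is (in_port, src_net, dst_net or None, action), where action is
    ("forward", out_port) or ("drop", None). dst_net None matches any destination.
    """
    nets = {port: [ipaddress.ip_network(p) for p in ps]
            for port, ps in port_prefixes.items()}
    legal, illegal = [], []
    for in_port, out_port in permutations(nets, 2):
        # Legal prefix pair: source behind in_port, destination behind out_port.
        for src in nets[in_port]:
            for dst in nets[out_port]:
                legal.append((in_port, src, dst, ("forward", out_port)))
        # Illegal: a source prefix that lives behind out_port shows up on in_port.
        for src in nets[out_port]:
            illegal.append((in_port, src, None, ("drop", None)))
    return legal + illegal


def match(rules, in_port, src_ip, dst_ip):
    """Step A4: first matching rule decides; a table miss goes to the controller."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r_port, r_src, r_dst, action in rules:
        if r_port == in_port and src in r_src and (r_dst is None or dst in r_dst):
            return action
    return ("to_controller", None)


def classify(rules, packets):
    """Apply match() to every packet and return the list of actions."""
    return [match(rules, port, src, dst) for port, src, dst in packets]


if __name__ == "__main__":
    table = build_rules(PORT_PREFIXES)
    for pkt, action in zip(SAMPLE_PACKETS, classify(table, SAMPLE_PACKETS)):
        print(pkt, "->", action)
```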
The system based on the above IP source address verification method comprises a conversion module, an SDN node deployment module, a forwarding rule calculation module and a packet matching module. The conversion module is used for: the SDN controller converts the intra-domain network topology into a packet forwarding view tree whose root node is the border gateway device. The SDN node deployment module is used for: the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys SDN nodes, replacing the conventional switch on each deployment node with an SDN switch. The forwarding rule calculation module is used for: the SDN controller computes forwarding rules and deploys them on the SDN switches. The packet matching module is used for: the SDN switch matches arriving packets against the forwarding rules.

Claims (10)

1. An IP source address verification method based on SDN, characterized by comprising the following steps:
A1. The SDN controller converts the intra-domain network topology into a packet forwarding view tree whose root node is the border gateway device;
A2. The SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys them as SDN nodes, replacing the conventional switch on each deployment node with an SDN switch; the SDN controller computes the utility value of each node on the packet forwarding view tree and sorts the nodes by utility value from high to low; following the sorted order, nodes are selected one by one as SDN nodes;
A3. The SDN controller computes forwarding rules and deploys them on the SDN switches;
A4. The SDN switch matches arriving packets against the forwarding rules.
2. The method of claim 1, characterized in that step A1 includes: if the network has only one border gateway device, that device is taken as the root node; if the network has multiple border gateway devices, their common and nearest device is found and taken as the root node, and multiple links between two devices are treated as a single link.
3. The method of claim 1, characterized in that step A1 includes: the SDN controller converts the intra-domain network topology into a packet forwarding view tree rooted at the border gateway device, according to the intra-domain routing table or a single-source shortest path algorithm.
4. The method of claim 3, characterized in that the single-source shortest path algorithm is Dijkstra's algorithm.
5. The method of claim 1, characterized in that step A2 includes: the SDN controller computes the utility value of each node on the packet forwarding view tree according to a utility function and sorts the nodes by utility value from high to low; following the sorted order, it selects nodes one by one and finds the SDN nodes according to a heuristic algorithm.
6. The method of claim 5, characterized in that the utility function in step A2 is the following formula:
Where: pc_i: the number of IP prefixes covered by node i; u_i: the utility value of spoofed prefixes detectable when node i is an SDN node, i.e., the number of IP prefix pairs that cannot be forged; child[i]: the numbers of all child nodes of node i; pc_t: the number of IP prefixes covered by node t; pc_s: the number of IP prefixes covered by node s; nodes t and s are child nodes of node i; the number of IP prefixes, among all IP prefixes of the SDN-administered topology, that node i cannot cover, i.e., the difference between the set of all IP prefixes of the topology and the set of prefixes node i can cover.
7. The method of claim 5, characterized in that the heuristic algorithm in step A2 is:
Where: λ: the minimum ratio of unforgeable IP prefixes required by the network or user; n: the total number of nodes; u_i: the utility value of spoofed prefixes detectable when node i is an SDN node, i.e., the number of IP prefix pairs that cannot be forged; σ_i: indicates whether node i is a deployment node for SDN source address detection, with value 1 if so and 0 otherwise; distinct(uii): the utility value of all SDN deployment nodes in the domain after repeated counting has been eliminated; pc_t: the number of IP prefixes covered by node t; pc_s: the number of IP prefixes covered by node s; V: the set of all nodes in the topology.
8. The method of claim 1, characterized in that step A3 includes: the SDN controller generates a legal forwarding rule set whose action is forward and an illegal forwarding rule set whose action is drop.
9. The method of claim 1, characterized in that step A4 includes: the SDN switch matches packets against the forwarding rules issued in step A3; if the match succeeds, the forward or drop operation defined in the matched forwarding rule is executed; if the match fails, the packet is handed to the SDN controller, which analyzes its legitimacy and issues a forwarding rule.
10. A system using the method of claim 1, characterized in that the system comprises a conversion module, an SDN node deployment module, a forwarding rule calculation module and a packet matching module;
wherein the conversion module is used for: the SDN controller converts the intra-domain network topology into a packet forwarding view tree whose root node is the border gateway device;
the SDN node deployment module is used for: the SDN controller analyzes each node on the packet forwarding view tree, finds the deployment nodes and deploys SDN nodes, replacing the conventional switch on each deployment node with an SDN switch; the SDN controller computes the utility value of each node on the packet forwarding view tree and sorts the nodes by utility value from high to low; following the sorted order, nodes are selected one by one as SDN nodes;
the forwarding rule calculation module is used for: the SDN controller computes forwarding rules and deploys them on the SDN switches;
the packet matching module is used for: the SDN switch matches arriving packets against the forwarding rules.
CN201610332912.8A 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN Active CN106060015B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610332912.8A CN106060015B (en) 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610332912.8A CN106060015B (en) 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN

Publications (2)

Publication Number Publication Date
CN106060015A CN106060015A (en) 2016-10-26
CN106060015B true CN106060015B (en) 2019-11-01

Family

ID=57177817

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610332912.8A Active CN106060015B (en) 2016-05-18 2016-05-18 A kind of IP source address verification method based on SDN

Country Status (1)

Country Link
CN (1) CN106060015B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106534197A (en) * 2016-12-22 2017-03-22 国家电网公司 Method and system for filtering malicious traffic in autonomous domain
CN108600158B (en) * 2018-03-08 2020-05-22 清华大学 Source address verification system based on software defined network
CN108881241B (en) * 2018-06-26 2020-02-14 华中科技大学 Dynamic source address verification method for software defined network
CN109150895A (en) * 2018-09-13 2019-01-04 清华大学 A kind of verification method of the intra-domain source addresses of software defined network
CN110417576B (en) * 2019-06-17 2021-10-12 平安科技(深圳)有限公司 Deployment method, device, equipment and storage medium of hybrid software custom network
CN111200611B (en) * 2020-01-06 2021-02-23 清华大学 Method and device for verifying intra-domain source address based on boundary interface equivalence class
CN111475290B (en) * 2020-03-27 2023-02-14 华南理工大学 SDN network packet classification method and system based on GPU

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103929379A (en) * 2014-04-15 2014-07-16 浙江工商大学 SDN resource distribution method based on two-sided market multihoming structure
CN104243270A (en) * 2014-09-25 2014-12-24 杭州华三通信技术有限公司 Tunnel setup method and tunnel setup device
CN104348727A (en) * 2013-08-05 2015-02-11 杭州华三通信技术有限公司 Method and equipment for processing flow table item in OpenFlow network
CN104980355A (en) * 2015-05-14 2015-10-14 华中科技大学 Source controllable multicast data transmission method and system thereof under SDN Environment
CN105516184A (en) * 2015-12-31 2016-04-20 清华大学深圳研究生院 Increment deployment SDN network-based method for defending link flooding attack

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7873985B2 (en) * 2002-01-08 2011-01-18 Verizon Services Corp. IP based security applications using location, port and/or device identifier information
US9203748B2 (en) * 2012-12-24 2015-12-01 Huawei Technologies Co., Ltd. Software defined network-based data processing method, node, and system

Also Published As

Publication number Publication date
CN106060015A (en) 2016-10-26


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant