CN107612937B - Method for detecting and defending against DHCP flood attacks in an SDN network


Info

Publication number
CN107612937B
Authority
CN
China
Prior art keywords
dhcp
port
packet
flow table
flood attack
Prior art date
Legal status
Active
Application number
CN201711012757.2A
Other languages
Chinese (zh)
Other versions
CN107612937A (en)
Inventor
邹承明
刘攀文
Current Assignee
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT
Priority date
Filing date
Publication date
Abstract

The invention discloses a method for detecting and defending against DHCP flood attacks in an SDN network. The detection method sets the switch's DHCP flood detection threshold dynamically and in real time, and locates the attacked port precisely. The defence method exploits the SDN network's own characteristics to block the attack effectively and uses the ARP protocol to clean the IP pool. The patent thus achieves effective detection and prevention of DHCP flood attacks.

Description

Method for detecting and defending against DHCP flood attacks in an SDN network
Technical field
The invention belongs to the technical field of network communication security and relates to a countermeasure against attacks, specifically to a method for detecting and defending against DHCP flood attacks in an SDN network.
Technical background
Software-defined networking (SDN) is a new network architecture: it is programmable, allows application services to enter the control layer of the abstracted network data flow in real time, and can virtualize the infrastructure. Compared with a traditional network, SDN separates the control plane from the data plane, so the control plane can exercise centralized control over the network, which greatly facilitates network operators' control and management of the network. The SDN controller controls the switches through the OpenFlow protocol on its southbound interface, while its northbound interface provides open interfaces and an abstraction of the underlying network, which makes centralized programmable network control possible.
Dynamic Host Configuration Protocol (DHCP) is a local area network protocol for dynamically configuring the IP information of network devices so that they can communicate in an IP network. This IP information includes the IP address, gateway address, DNS server address and so on. When a host needs to join the network it broadcasts a DHCP Discover message; after the DHCP server receives it, it returns a DHCP Offer message to the host, the host then sends a DHCP Request message, and after the DHCP server confirms it returns a DHCP ACK to the host, at which point allocation is complete. When the lease of the IP address expires, the host can send a DHCP Release to the DHCP server to release the IP address it occupies. This is the basic process of interaction between DHCP and a host.
The DHCP protocol in a traditional network provides a limited means of centralized network control, and the way this protocol works fits the thinking of the SDN architecture very well. Therefore in an SDN network it is natural to deploy the DHCP service in software inside the SDN controller, and this has many benefits. For example, it prevents intrusion by rogue DHCP servers and DHCP man-in-the-middle attacks very effectively, and it greatly reduces the link load and broadcast storms caused by broadcast DHCP Discover messages. Although there are many benefits, deploying the DHCP service in the SDN controller still carries some risks:
(1) the DHCP IP pool can be maliciously exhausted;
(2) a large number of malicious DHCP messages can consume the bandwidth of the link between the OpenFlow switch and the controller.
Both attacks belong to the class of DHCP flood attacks. The first problem is also very common in traditional networks and is similar to a SYN flood attack; it usually causes trouble, for example once the IP pool is exhausted the DHCP service refuses to assign IP addresses to newly joining hosts. The second problem is brought about by the structure of SDN: especially in proactive mode, DHCP becomes one of the few protocol message types that still reach the controller through reactive mode, which makes DHCP messages an easy source of attacks that consume the link between the controller and the OpenFlow switch.
In an SDN network, monitoring DHCP traffic and preventing DHCP flood attacks is very necessary. The traditional method is usually to enable DHCP snooping on the switch to filter the DHCP requests of untrusted hosts and thereby prevent DHCP flood attacks, but it cannot reject a DHCP flood attack launched by a legitimate host. Other methods judge whether the server is under DHCP flood attack by measuring the DHCP request rate, but a statically set rate threshold cannot adapt dynamically to changes in the normal DHCP rate of the network and is prone to misjudgement. There are also more complex approaches that are very effective, but their calculation is too complicated, which hinders maintenance of the model and also burdens the server.
Summary of the invention
In order to overcome the defects of the prior art and address the impact of DHCP flood attacks on the network under the new SDN architecture, the present invention monitors DHCP traffic in real time and, according to the characteristics of DHCP flood attacks and in combination with the advantages of the SDN network itself, proposes a method for detecting and defending against them.
The detection method for DHCP flood attacks in an SDN network provided by the invention is characterized by the following steps:
Step A1: initialize the DHCP rate threshold D;
Step A2: judge whether the current period has ended; if so, execute step A3; if not, return to step A2;
Step A3: judge whether the network is under attack; if so, update D and execute step A4; if not, update D and return to step A2;
Step A4: locate the attacked port and push the port into message queue Q.
The defence method for DHCP flood attacks in an SDN network provided by the invention is characterized by the following steps:
Step B1: scan message queue Q;
Step B2: judge whether the queue is non-empty; if it is not empty, take out the head-of-queue entry r|(0/1) (port number and flag) and execute step B3; otherwise terminate;
Step B3: judge whether the IP pool is being maliciously consumed;
If so, execute step B4;
If not, execute step B5;
Step B4: intercept DHCP Discover messages;
Step B5: judge whether link resources are being maliciously occupied; if so, intercept all DHCP messages;
Step B6: the controller issues an OpenFlow flow table entry for the port with a validity time of v, causing the switch to send the ARP packets received on that port to the controller;
Step B7: clean the IP pool.
The present invention uses a dynamically set threshold for detecting DHCP flood attacks, which adapts very well to the traffic changes of an SDN network, effectively overcomes the various drawbacks of earlier fixed rate thresholds and reduces misjudgement of attacks. In the defence module the invention exploits the centralized control of SDN, so measures can be taken against the attack source very quickly and effectively, relieving in time the pressure the attack puts on the network. The attack detection and defence modules are implemented in software logic without third-party intermediate hardware, which greatly reduces the hardware cost of attack defence. Logically the detection and defence modules are independent and can even work separately, which extends the range of usage scenarios of the modules.
Detailed description of the invention
Fig. 1 is the detection flow chart of the embodiment of the present invention;
Fig. 2 is the defence flow chart of the embodiment of the present invention.
Specific embodiment
To help those of ordinary skill in the art understand and implement the present invention, it is described in further detail below with reference to the drawings and embodiments. It should be understood that the embodiments described here serve only to illustrate and explain the present invention and not to limit it.
Referring to Fig. 1 and Fig. 2, the method for detecting and defending against DHCP flood attacks in an SDN network provided by the invention comprises the following steps:
Step 01: take t as one period, with t set to 1 minute, and count the number n_k of DHCP packets on all ports of the switch in the current period; go to the next step;
Step 02: save the DHCP packet counts n_{k-m}, n_{k-m+1}, ..., n_{k-1} of the latest m periods (m lies between 5 and 30; in this embodiment m is set to 10), compute the mean rate A (packets/min) of all DHCP packets over the time T = m·t, and jump to step 04;
Step 03: if the current period is judged to have ended, count the number n_k of DHCP packets in the current period; if the current period has not ended, jump to step 03;
Step 04: calculate each port's share of the n_k DHCP packets in the current period, choose the port number r with the largest share and count its remaining IP pool size S; go to the next step;
Step 05: from the above quantities obtain the general threshold D = A + S(2e^(-A/r) - 1)/u for the number of DHCP packets per detection period in DHCP flood detection (here r and u are constants related to the network size and the average IP address lease time respectively, and this constant r is distinct from the port number r of step 04; r may range from 50 to 1000 and u from 2 to 30; in this example r = 100 and u = 15); go to the next step;
Step 06: if n_k < D, the network is normal and not under DHCP flood attack; jump to step 07. If n_k ≥ D, the network is under DHCP flood attack; jump to step 08;
Step 07: update A' = (Am + n_k - n_{k-m})/m (so that the retained data are always those of the latest m periods); jump to step 03;
Step 08: update the value of A with probability (2D - n_k)/(nD), the update being A' = (Am + n_k - n_{k-m})/m; n may be 2, 3 or 4, and in this embodiment n is 2, so as to adapt to variation in the DHCP packet rate; recount S, then update D' = A' + S(2e^(-A'/r) - 1)/u; go to the next step;
Step 09: calculate each port's share of the n_k DHCP packets in the current period, select the port number r with the largest share, start a new thread to perform the next step in it, and jump to step 03;
Step 10: if 2D > n_k ≥ D, judge it a malicious IP pool consumption attack and push r|0 into message queue Q; if n_k ≥ 2D, judge it a malicious link consumption attack and push r|1 into message queue Q; go to the next step;
Step 11: scan the message queue; if it is non-empty, take out the head-of-queue entry r|(0/1) (port number and flag) and go to the next step; if it is empty, terminate the thread;
Step 12: if the head of the queue is r|0, execute step 13; if it is r|1, jump to step 14;
Step 13: the controller issues an OpenFlow flow table entry for the port with a validity time of v (v is set between 1 and 5 minutes), causing the switch to discard the DHCP Discover packets received on that port, which prevents the DHCP IP pool from being maliciously consumed; jump to step 15;
Step 14: the controller issues an OpenFlow flow table entry for the port with a validity time of v (v is set between 1 and 5 minutes), causing the switch to discard all DHCP packets received on that port, which prevents DHCP messages from maliciously occupying link resources; jump to step 15;
Step 15: the controller issues an OpenFlow flow table entry for the port with a validity time of v (v is set between 1 and 5 minutes), causing the switch to send the ARP packets received on that port to the controller; go to the next step;
Step 16: the controller sends ARP packets in its own name to the hosts that hold IP addresses on that port, asking for their MAC addresses; the link-layer destination address of the ARP packets sent is the broadcast address. Start a timer with timing variable ot; go to the next step;
Step 17: if ot ≤ v (v is set between 1 and 5 minutes), wait for ARP replies and jump to step 18; if ot > v, clean up all IP addresses other than those marked as legitimate (IP addresses held by hosts that did not reply and IP addresses whose ARP reply carried a mismatched MAC address), return them to the IP pool and jump to step 11;
Step 18: if an ARP reply is received, go to the next step; if no ARP reply is received, jump to step 17;
Step 19: if the destination address of the ARP reply is not the controller's address, forward the ARP reply according to the destination address in the topology and jump to step 17; if the destination address is the controller's address, go to the next step;
Step 20: if the MAC address returned in the ARP reply matches the MAC address recorded in the IP pool for that host's IP address, mark the IP held by that host as legitimate and jump to step 17; if the returned MAC address does not match the MAC address recorded in the IP pool for that host's IP address, jump to step 17.
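The detection loop of steps 01-10 (and claims 1-3) worked through in Python as an added example; it is not code from the patent. The constants m = 10, r = 100, u = 15 and n = 2 come from the embodiment above; the per-port pool counter, the random-draw hook and the three periods of traffic are constructed assumptions, and D is refreshed in both branches as claim 2 (step A3.4) states.

```python
import math
import random
from collections import deque

# Constants of the patent's embodiment: window of m = 10 periods, r = 100,
# u = 15, n = 2, and one period t = 1 minute, so n_k is DHCP packets/minute.
M, R, U, N_PROB = 10, 100, 15, 2
POOL_CONSUMPTION, LINK_CONSUMPTION = 0, 1   # flag pushed into queue Q as r|0 or r|1


def threshold(A, S, r=R, u=U):
    """Dynamic threshold of step 05: D = A + S*(2*e^(-A/r) - 1)/u."""
    return A + S * (2 * math.exp(-A / r) - 1) / u


def busiest_port(per_port):
    """Port with the largest share of this period's DHCP packets (steps 04 and 09)."""
    return max(per_port, key=per_port.get)


class DhcpFloodDetector:
    def __init__(self, history, pool_free, rng=random.random):
        # history: DHCP packet counts of exactly the last m periods; A is their mean (step 02)
        self.window = deque(history, maxlen=M)
        self.A = sum(self.window) / M
        self.pool_free = pool_free   # assumed callable: port -> remaining addresses S
        self.rng = rng               # uniform [0, 1) draws for the step 08 coin flip
        self.queue = deque()         # message queue Q of (port, flag)
        self.D = None                # initialized from the first finished period (step 05)

    def _slide(self, nk):
        # A' = (A*m + n_k - n_{k-m})/m: the bounded deque evicts n_{k-m} for us
        self.window.append(nk)
        self.A = sum(self.window) / M

    def end_of_period(self, per_port):
        """Steps 04-10 for one finished period; returns (n_k, D used, attacked)."""
        nk = sum(per_port.values())
        port = busiest_port(per_port)
        if self.D is None:
            self.D = threshold(self.A, self.pool_free(port))
        D = self.D
        attacked = nk >= D                                  # step 06
        if not attacked:
            self._slide(nk)                                 # step 07
        else:
            # step 08: take the sample into the baseline only with probability
            # (2D - n_k)/(n*D), which is at most 1/n and is zero once n_k >= 2D,
            # so a flood cannot drag the mean A (and hence D) up behind itself
            if self.rng() < (2 * D - nk) / (N_PROB * D):
                self._slide(nk)
            # step 10: severity decides which defence the queue entry requests
            flag = LINK_CONSUMPTION if nk >= 2 * D else POOL_CONSUMPTION
            self.queue.append((port, flag))
        # claim 2, step A3.4: D' = A' + S*(2e^(-A'/r) - 1)/u with S recounted
        self.D = threshold(self.A, self.pool_free(port))
        return nk, D, attacked


def demo():
    """Constructed scenario: ten quiet minutes, then a flood growing on port 3.
    rng always returns 1.0 so the probabilistic update never fires and the run
    is deterministic; a deployment would keep the default random.random."""
    quiet = [20] * M                                  # constructed history, 20 pkt/min
    det = DhcpFloodDetector(quiet, pool_free=lambda port: 200, rng=lambda: 1.0)
    periods = [
        {1: 8, 2: 7, 3: 6},     # n_k = 21 < D (about 28.5): normal
        {1: 8, 2: 7, 3: 30},    # n_k = 45, D <= n_k < 2D: IP pool consumption
        {1: 8, 2: 7, 3: 80},    # n_k = 95 >= 2D: link consumption
    ]
    for counts in periods:
        det.end_of_period(counts)
    return list(det.queue)      # [(3, 0), (3, 1)]


if __name__ == "__main__":
    print(demo())
```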
It should be understood that the parts not elaborated in this specification belong to the prior art.
It should be understood that the above description of the preferred embodiment is relatively detailed and must not therefore be regarded as limiting the scope of patent protection of the invention; those skilled in the art may, under the inspiration of the present invention and without departing from the scope protected by the claims, make substitutions or modifications, which all fall within the protection scope of the present invention. The scope of protection claimed by the present invention shall be determined by the appended claims.

Claims (7)

1. A method for detecting DHCP flood attacks in an SDN network, characterized by comprising the following steps:
Step A1: initialize the DHCP rate threshold D;
The specific implementation of step A1 comprises the following sub-steps:
Step A1.1: taking t as one period, count the number n_k of DHCP packets on all ports of the switch in the current period;
Step A1.2: save the DHCP packet counts n_{k-m}, n_{k-m+1}, ..., n_{k-1} of the latest m periods; find the mean rate A of all DHCP packets over the time T = m·t;
Step A1.3: calculate each port's share of the n_k DHCP packets in the current period, choose the port number r with the largest share and count its remaining IP pool size S;
Step A1.4: obtain the threshold D = A + S(2e^(-A/r) - 1)/u for the number of DHCP packets per flood detection period, where r and u are constants related to the network size and the average IP address lease time respectively;
Step A2: judge whether the current period has ended; if so, execute step A3; if not, return to step A2;
Step A3: judge whether the network is under attack; if so, update D and execute step A4; if not, update D and return to step A2;
Step A4: locate the attacked port and push it into message queue Q.
2. The method for detecting DHCP flood attacks in an SDN network according to claim 1, characterized in that the updating of D in step A3 comprises the following sub-steps:
Step A3.1: count the number n_k of DHCP packets in the current period;
Step A3.2: calculate each port's share of the n_k DHCP packets in the current period, choose the port number r with the largest share and count its remaining IP pool size S;
Step A3.3: judge:
if n_k < D, update A' = (Am + n_k - n_{k-m})/m;
if n_k ≥ D, update the value of A with probability (2D - n_k)/(nD), the update being A' = (Am + n_k - n_{k-m})/m; n may be 2, 3 or 4, so as to adapt to variation in the DHCP packet rate;
Step A3.4: update D' = A' + S(2e^(-A'/r) - 1)/u.
3. The method for detecting DHCP flood attacks in an SDN network according to claim 2, characterized in that step A4 is implemented as follows: the total number of DHCP messages on all ports in the current period is n_k; calculate the proportion of that total accounted for by each port's DHCP messages, select the port number r with the largest share and push r|(0/1) into message queue Q, where 0 and 1 respectively denote the two states 2D > n_k ≥ D and n_k ≥ 2D; start attack defence and return to step A2.
4. A method for defending against DHCP flood attacks in an SDN network, characterized by comprising the following steps:
Step B1: scan message queue Q;
Step B2: judge whether the queue is non-empty; if it is not empty, take out the head-of-queue entry r|(0/1) (port number and flag) and execute step B3; otherwise terminate;
Step B3: judge whether the IP pool is being maliciously consumed;
If so, execute step B4;
If not, execute step B5;
Step B4: intercept DHCP Discover messages;
Step B5: judge whether link resources are being maliciously occupied; if so, intercept all DHCP messages;
Step B6: the controller issues an OpenFlow flow table entry for the port with a validity time of v, causing the switch to send the ARP packets received on that port to the controller;
Step B7: clean the IP pool.
5. The method for defending against DHCP flood attacks in an SDN network according to claim 4, characterized in that step B4 is implemented as follows: if the head of the queue is r|0, the controller issues an OpenFlow flow table entry for the port with a validity time of v, causing the switch to discard the DHCP Discover packets received on that port, which prevents the DHCP IP pool from being maliciously consumed; the controller issues an OpenFlow flow table entry for the port with a validity time of v, causing the switch to send the ARP packets received on that port to the controller; wherein the value of v is set between 1 and 5 minutes.
6. The method for defending against DHCP flood attacks in an SDN network according to claim 4, characterized in that step B5 is implemented as follows: if the head of the queue is r|1, the controller issues an OpenFlow flow table entry for the port with a validity time of v, causing the switch to discard all DHCP packets received on that port, which prevents DHCP attack messages from maliciously occupying link resources; the controller issues an OpenFlow flow table entry for the port with a validity time of v, causing the switch to send the ARP packets received on that port to the controller.
7. The method for defending against DHCP flood attacks in an SDN network according to claim 4, characterized in that step B6 is implemented as follows: the controller keeps time; if the time exceeds v, it cleans up the IP addresses of hosts whose replies were wrong or that did not reply and stops receiving ARP replies; otherwise it continues to receive and process ARP replies. When an ARP reply is obtained, if its destination address is not the controller, the ARP reply is forwarded according to the destination address in the topology; if the destination address is the controller's address, judge whether the MAC it returns is identical to the MAC corresponding to that IP in the DHCP records; if identical, the IP is regarded as legitimate, otherwise the IP is regarded as illegitimate and is cleaned up after time v.
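The ARP-based IP pool cleanup of steps 16-20 and claim 7, as an added example in Python that is not the patent's code: it builds the broadcast ARP requests of step 16, parses the replies, and keeps only the leases whose reply reached the controller within v carrying the MAC recorded for that IP. The controller addresses, lease table and captured replies are constructed, and the topology forwarding of step 19 is represented by returning the frames that would be forwarded.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ETH_ARP_LEN = 14 + 28          # Ethernet header plus an Ethernet/IPv4 ARP body


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, src_mac, src_ip, dst_mac, dst_ip, eth_dst=None):
    """Ethernet + ARP frame (RFC 826 layout). Step 16 sends requests to the broadcast address."""
    eth = (eth_dst or mac_bytes(dst_mac)) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6-byte MAC, 4-byte IP
    arp += mac_bytes(src_mac) + IPv4Address(src_ip).packed
    arp += mac_bytes(dst_mac) + IPv4Address(dst_ip).packed
    return eth + arp


def arp_request(controller_mac, controller_ip, target_ip):
    """The controller asks, in its own name, who holds target_ip (step 16)."""
    return build_arp(ARP_REQUEST, controller_mac, controller_ip,
                     "00:00:00:00:00:00", target_ip, eth_dst=BROADCAST)


def parse_arp(frame):
    """(op, sender_mac, sender_ip, target_mac, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_ARP_LEN or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), str(IPv4Address(frame[28:32])),
            mac_str(frame[32:38]), str(IPv4Address(frame[38:42])))


def clean_pool(leases, controller_ip, replies, v):
    """Steps 17-20 / claim 7 over the (arrival_time, frame) replies gathered on the
    port: an IP stays legitimate only if, within v seconds, a reply addressed to the
    controller carries the MAC the DHCP lease table holds for that IP."""
    legal, forward = set(), []
    for t, frame in sorted(replies, key=lambda x: x[0]):
        if t > v:                                   # step 17: stop waiting after v
            break
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sender_mac, sender_ip, _, target_ip = parsed
        if target_ip != controller_ip:              # step 19: not ours, forward in the topology
            forward.append(frame)
            continue
        if leases.get(sender_ip) == sender_mac:     # step 20: binding matches the lease
            legal.add(sender_ip)
    reclaimed = sorted(ip for ip in leases if ip not in legal)   # silent host or wrong MAC
    return sorted(legal), reclaimed, forward


def demo():
    """Constructed port with four leases: one honest reply, one spoofed MAC, one
    silent host, one reply that arrives after v, and one reply meant for another host."""
    ctrl_mac, ctrl_ip, v = "02:00:00:00:00:01", "10.0.0.1", 60
    leases = {"10.0.0.11": "aa:bb:cc:00:00:11", "10.0.0.12": "aa:bb:cc:00:00:12",
              "10.0.0.13": "aa:bb:cc:00:00:13", "10.0.0.14": "aa:bb:cc:00:00:14"}

    def reply(mac, ip, dst_mac=ctrl_mac, dst_ip=ctrl_ip):
        return build_arp(ARP_REPLY, mac, ip, dst_mac, dst_ip)

    replies = [
        (0.5, reply("aa:bb:cc:00:00:11", "10.0.0.11")),                  # legitimate
        (1.0, reply("de:ad:be:ef:00:12", "10.0.0.12")),                  # MAC mismatch
        (75.0, reply("aa:bb:cc:00:00:14", "10.0.0.14")),                 # after v: treated as silent
        (2.0, reply("aa:bb:cc:00:00:99", "10.0.0.99",
                    "aa:bb:cc:00:00:50", "10.0.0.50")),                  # for another host
    ]
    return clean_pool(leases, ctrl_ip, replies, v)
```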

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711012757.2A CN107612937B (en) 2017-10-26 2017-10-26 Method for detecting and defending against DHCP flood attacks in an SDN network

Publications (2)

Publication Number Publication Date
CN107612937A CN107612937A (en) 2018-01-19
CN107612937B true CN107612937B (en) 2019-11-26