CN107888619A - Working method of an SDN system integrating threat processing and route optimization - Google Patents
Working method of an SDN system integrating threat processing and route optimization
- Publication number
- CN107888619A (application CN201711302100.XA)
- Authority
- CN
- China
- Prior art keywords
- message
- attack
- ids
- plane
- ddos
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L45/123: Evaluation of link metrics
- H04L45/125: Shortest path evaluation based on throughput or bandwidth
- H04L49/208: Port mirroring
- H04L63/0227: Filtering policies
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1458: Denial of Service
- H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general
Abstract
The invention discloses a working method for an SDN system that integrates threat processing with route optimization. The SDN architecture comprises an application plane, a data plane and a control plane. In the data plane, when any IDS device detects a message carrying DDoS attack features, the message is reported to the application plane over an SSL channel. The application plane analyses the attack type and formulates a corresponding threat-processing strategy for that type. The control plane provides an attack-threat processing interface to the application plane, and provides optimal-path computation and/or attack-threat identification interfaces to the data plane. When the network is under a large-scale DDoS threat, the invention forwards traffic along routes optimized from the real-time state of the links while identifying and responding to the DDoS threat quickly and accurately, thereby protecting network communication quality across the board.
Description
Technical field
The present invention relates to the field of network security, and in particular to a working method of an SDN system that integrates threat processing with route optimization.
Background technology
The high-speed, widely connected network has become important infrastructure of modern society. However, as the scale of the Internet grows, the defects of traditional network architectures become increasingly apparent.
The latest report of the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) shows that hacker activity is increasing and that attacks such as website backdoors, phishing and web-based trojans are rising sharply; the Internet security of countries and enterprises faces severe challenges.
Among these, distributed denial of service (DDoS) attacks remain one of the most significant threats to the safe operation of the Internet. In the past few years the number, size and variety of DDoS attacks have all risen markedly.
Software defined networking (SDN) can update routing policies and rules in real time and supports deep packet analysis, so it can provide faster and more accurate monitoring and defence against DDoS threats in complex network environments.
Summary of the invention
The object of the invention is to provide an SDN architecture and working method that integrate threat processing with route optimization, in order to solve the network security problems caused by large numbers of DDoS attacks in existing networks and to identify and defend against DDoS attacks quickly, efficiently and comprehensively.
To solve the above technical problem, the invention provides an SDN architecture comprising an application plane, a data plane and a control plane, wherein:
in the data plane, when any IDS device detects a message with DDoS attack features, it reports the message to the application plane over an SSL channel;
the application plane analyses the attack type and formulates a corresponding attack-threat processing strategy according to that type;
the control plane provides an attack-threat processing interface to the application plane, and provides optimal-path computation and/or attack-threat identification interfaces to the data plane.
Preferably, to perform DDoS detection in the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses; a malformed-packet detection module, which detects abnormal flag-bit settings at the Internet layer and transport layer; and an abnormal-message detection module, which detects flooding attacks at the application layer and transport layer. A message is examined by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-message detection module in turn; if any module finds the corresponding behaviour in the message, the message is handed to the application plane.
Preferably, when a message exhibits spoofing and the attack threat lies inside the OpenFlow domain, the application plane blocks the host through the controller in the control plane; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the message to a traffic-cleaning centre for filtering. When a message exhibits abnormal behaviour, the application plane blocks the traffic of the attacker or attacking host through the controller. When a message exhibits a flooding attack, the application plane, through the controller, redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering.
Beneficial effects of the invention: the business function modules for DDoS threat monitoring, threat protection and route optimization are deployed in the data plane, control plane and application plane respectively. When the network is under a large-scale DDoS threat it can forward traffic along routes optimized from the real-time state of the links while identifying and responding to DDoS threats quickly and accurately, protecting network communication quality across the board.
In another aspect, the invention also provides a working method for a DDoS threat filtering SDN system, to solve the technical problem of defending against DDoS attacks.
To solve this problem, the working method of the DDoS threat filtering SDN system comprises: when any IDS device detects a message with DDoS attack features, it reports the message to the IDS decision server over an SSL channel; the IDS decision server formulates, according to the reported information, a processing strategy corresponding to the message with DDoS attack features, and then either blocks the message through the controller or redirects the traffic of the switch access port corresponding to the message to a traffic-cleaning centre for filtering.
Preferably, to perform DDoS detection in the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses; a malformed-packet detection module, which detects abnormal flag-bit settings at the Internet layer and transport layer; and an abnormal-message detection module, which detects flooding attacks at the application layer and transport layer. A message is examined by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-message detection module in turn; if any module finds the corresponding behaviour in the message, the message is handed to the IDS decision server.
Preferably, when a message exhibits spoofing and the attack threat lies inside the OpenFlow domain, the IDS decision server blocks the host through the controller; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering. When a message exhibits abnormal behaviour, the IDS decision server blocks the traffic of the attacker or attacking host through the controller. When a message exhibits a flooding attack, the IDS decision server, through the controller, redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering.
In a third aspect, the invention also provides a working method for an SDN system that integrates threat processing with route optimization, to solve the technical problems of monitoring DDoS attacks in a distributed manner and formulating the corresponding threat-processing strategy.
To solve these problems, the working method of the SDN system integrating threat processing with route optimization comprises the following steps:
step S100, network initialization; step S200, distributed DDoS threat monitoring; and step S300, threat processing and/or route optimization.
Preferably, to configure the network, the devices involved in network initialization in step S100 comprise a controller, an IDS decision server and distributed IDS devices.
Network initialization proceeds as follows:
the controller builds the network device information binding table and pushes its updates in real time to each IDS device;
the controller issues flow entries implementing a mirroring policy, i.e. the traffic of every host-connected port of every OF switch in a domain is mirrored to the IDS device of that domain; and
the controller issues DDoS threat identification rules to the IDS device of each domain.
In step S200, distributed DDoS threat monitoring comprises:
detecting in turn spoofing of link-layer and Internet-layer addresses, abnormal flag-bit settings at the Internet layer and transport layer, and flooding attacks at the application layer and transport layer;
if any of these detections finds the corresponding behaviour in a message, the message is passed to step S300.
Preferably, spoofing of link-layer and Internet-layer addresses is detected as follows. The spoofed-packet detection module first loads the network device information binding table. It then parses the message type of the message encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that sent this Packet-In, and compares each of these with the corresponding entry in the binding table. If the information in the message matches, the message is passed to the next detection; if it does not match, the message is passed to step S300. Abnormal flag-bit settings at the Internet layer and transport layer are detected by the malformed-packet detection module, which examines each flag bit of the message to judge whether it conforms to the TCP/IP protocol specification; if all flag bits conform, the message is passed to the next detection, otherwise it is passed to step S300. Flooding attacks at the application layer and transport layer are detected by the abnormal-message detection module, which builds a hash table for identifying flooding messages, decides according to the threshold set in that hash table whether the message belongs to a flooding attack, and passes the result to step S300.
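The detection chain of step S200 as working code, added here as an illustration and not code from the patent: the spoofed-packet check compares the source addresses in a Packet-In record with the binding-table entry for its attachment point (switch DPID, ingress port), the malformed-packet check rejects TCP flag combinations the specification does not allow, and the flooding check counts SYN-only, UDP and ICMP messages per source against a threshold. The binding-table layout, the record field names, the flag combinations treated as malformed and the threshold value are assumptions; the records in the usage are constructed.

```python
"""IDS device detection chain: spoof check, flag-bit check, flood count.

Added example, not code from the patent. The binding-table layout, the
field names of the Packet-In record, the flag combinations treated as
malformed and the flood threshold are assumptions.
"""
from collections import defaultdict

# Assumed binding table built by the controller in step S100:
# attachment point (switch DPID, ingress port) -> the host expected there.
BINDING_TABLE = {
    ("00:00:00:00:00:00:00:01", 1): {"ip": "10.0.0.1", "mac": "00:00:00:00:00:01"},
    ("00:00:00:00:00:00:00:01", 2): {"ip": "10.0.0.2", "mac": "00:00:00:00:00:02"},
}

# TCP flag bits in their RFC 793 positions.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLOOD_THRESHOLD = 3  # assumed: flood candidates per source allowed in one time slice


def check_spoof(pkt):
    """Spoofed-packet module: the source addresses carried in the Packet-In
    must be the ones bound to the switch port that received the message."""
    if pkt.get("eth_type") not in ("ip", "arp", "rarp"):
        return True  # only address-bearing message types are compared
    entry = BINDING_TABLE.get((pkt["dpid"], pkt["in_port"]))
    if entry is None:
        return False  # no host is bound to this attachment point
    return entry["ip"] == pkt["src_ip"] and entry["mac"] == pkt["src_mac"]


def check_flags(pkt):
    """Malformed-packet module: reject TCP flag settings the specification
    does not allow (no flags, SYN with FIN or RST, FIN/PSH/URG without ACK)."""
    if pkt.get("proto") != "tcp":
        return True
    f = pkt["tcp_flags"]
    if f == 0:
        return False
    if f & SYN and f & (FIN | RST):
        return False
    if f & (FIN | PSH | URG) and not f & (ACK | SYN):
        return False
    return True


class FloodCounter:
    """Abnormal-message module: hash table keyed by source, counting SYN-only,
    UDP and ICMP messages within the current time slice."""

    def __init__(self, threshold=FLOOD_THRESHOLD):
        self.threshold = threshold
        self.table = defaultdict(int)

    def check(self, pkt):
        proto = pkt.get("proto")
        syn_only = proto == "tcp" and pkt["tcp_flags"] & SYN and not pkt["tcp_flags"] & ACK
        if not (syn_only or proto in ("udp", "icmp")):
            return True
        self.table[pkt["src_ip"]] += 1
        return self.table[pkt["src_ip"]] <= self.threshold


def inspect(pkt, flood):
    """Run the three modules in the order the patent prescribes; return None
    for a clean message, otherwise the name of the module that flagged it."""
    if not check_spoof(pkt):
        return "spoof"
    if not check_flags(pkt):
        return "flags"
    if not flood.check(pkt):
        return "flood"
    return None


if __name__ == "__main__":
    # Constructed Packet-In records: a normal ACK, the same host seen from
    # another port (spoofed), then four SYN-only messages from the real host.
    flood = FloodCounter()
    base = {"eth_type": "ip", "proto": "tcp", "dpid": "00:00:00:00:00:00:00:01",
            "in_port": 1, "src_ip": "10.0.0.1", "src_mac": "00:00:00:00:00:01",
            "tcp_flags": ACK}
    print(inspect(base, flood))                    # None
    print(inspect(dict(base, in_port=2), flood))   # spoof
    for _ in range(4):
        print(inspect(dict(base, tcp_flags=SYN), flood))   # None x3, then flood
```

The order matters for cost: the binding-table lookup is a dictionary probe, the flag check is a few bit tests, and only messages that survive both touch the per-source counter, so the cheap checks discard spoofed traffic before it can inflate the flood tables.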
Preferably, threat processing and/or route optimization in step S300 comprises: if the message exhibits spoofing and the attack threat lies inside the OpenFlow domain, the IDS decision server blocks the host through the controller, and when the attack threat lies outside the OpenFlow domain the controller redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering; if the message exhibits abnormal behaviour, the IDS decision server blocks the traffic of the attacker or attacking host through the controller; if the message exhibits a flooding attack, the IDS decision server, through the controller, redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering; and/or the optimized path is computed from the link load coefficient, i.e. the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load coefficient of that link, the optimal path between any two points is obtained from the load coefficients and the initialized network topology, and the controller derives the corresponding forwarding flow entries from the optimal path and issues them to each switch.
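The route-optimization half of step S300, added as an example rather than the patent's own code: each link's load coefficient is derived from its remaining bandwidth, a shortest path is computed over the initialized topology with load-weighted links, and the per-switch forwarding entries the controller would issue are derived from that path. The topology, link capacities, the formula load = 1 - remaining/capacity and the edge weight 1 + load are assumptions; the patent only states that the coefficient comes from the measured remaining bandwidth.

```python
"""Route optimization from link load coefficients (step S300).

Added example, not the patent's code. The topology, capacities, remaining
bandwidths and the load-coefficient formula are assumptions chosen to
illustrate the method.
"""
import heapq

# Constructed topology: (switch_a, port_a, switch_b, port_b, capacity_mbps).
# Two equal-length paths s1-s2-s4 and s1-s3-s4 so that load decides the route.
LINKS = [
    ("s1", 1, "s2", 1, 100),
    ("s2", 2, "s4", 1, 100),
    ("s1", 2, "s3", 1, 100),
    ("s3", 2, "s4", 2, 100),
]
# Host attachment points: host -> (switch, port)
HOSTS = {"h1": ("s1", 3), "h2": ("s4", 3)}


def load_coefficient(capacity, remaining):
    """Assumed metric: fraction of the link in use; 1.0 means saturated."""
    remaining = min(max(remaining, 0), capacity)
    return 1.0 - remaining / capacity


def build_graph(remaining):
    """remaining: {(a, b): remaining_mbps} from link measurement; links not
    listed are treated as idle. Weight = 1 + load, so an idle link costs one
    hop and a saturated one costs two; a link with nothing left is pruned."""
    graph = {}
    for a, pa, b, pb, cap in LINKS:
        rem = remaining.get((a, b), remaining.get((b, a), cap))
        if rem <= 0:
            continue
        w = 1.0 + load_coefficient(cap, rem)
        graph.setdefault(a, []).append((b, pa, w))
        graph.setdefault(b, []).append((a, pb, w))
    return graph


def optimal_path(graph, src, dst):
    """Dijkstra over load-weighted links; returns [(switch, out_port), ...]
    for every switch on the way to dst, or None if dst is unreachable."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        if u == dst:
            break
        for v, out_port, w in graph.get(u, []):
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = (u, out_port)
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    hops, node = [], dst
    while node != src:
        u, out_port = prev[node]
        hops.append((u, out_port))
        node = u
    return list(reversed(hops))


def flow_entries(remaining, src_host, dst_host):
    """The (switch, match, out_port) entries the controller would push for
    traffic from src_host to dst_host, including the last hop to the host."""
    graph = build_graph(remaining)
    s_src, _ = HOSTS[src_host]
    s_dst, dst_port = HOSTS[dst_host]
    path = optimal_path(graph, s_src, s_dst)
    if path is None:
        return None
    match = {"dst_host": dst_host}
    entries = [(sw, match, out_port) for sw, out_port in path]
    entries.append((s_dst, match, dst_port))
    return entries


if __name__ == "__main__":
    print(flow_entries({}, "h1", "h2"))                  # idle network: via s2
    print(flow_entries({("s1", "s2"): 10}, "h1", "h2"))  # s1-s2 90% loaded: via s3
```

A flood that saturates s1-s2 therefore moves legitimate h1-to-h2 traffic onto s1-s3-s4 automatically, which is the "normal traffic is routed around the attack" effect the patent claims; once the cleaning centre absorbs the flood and the remaining bandwidth recovers, the next computation returns to the shorter-weighted path.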
Preferably, the IDS decision server blocks the program and/or host that sends a message as follows. First, the corresponding counting hash tables and thresholds are built in the IDS decision server: within a unit time, a first hash table counting spoofing behaviour, a second hash table counting abnormal flag-bit settings, and a third hash table counting flooding attacks, with first, second and third thresholds set in them respectively. Second, the behaviour of each message passed to the IDS decision server is counted in the corresponding hash table, and when a count exceeds its threshold the program and/or host that sends the message is blocked.
Beneficial effects of the invention: (1) the invention combines DDoS threat filtering with route optimization, so that monitoring and blocking DDoS attacks does not cause data congestion, and by separating monitoring from threat processing it effectively relieves the load on the control plane, making the network safer and more efficient to operate; (2) it allows the problem that DDoS attacks with forged addresses cannot be identified or traced under the traditional network architecture to be fundamentally resolved, and whether the network is experiencing a DDoS attack or legitimate high-volume traffic, the controller can optimize the routing of normal traffic based on real-time awareness of network parameters such as remaining link bandwidth, substantially improving the user experience; (3) the processing architecture uses an open, extensible modular design, giving efficient detection and flexible processing of DDoS threats; (4) each module obtains packet information through an independent interface, reducing coupling between modules; (5) each module uses optimized program data structures and splits each processing sub-flow carefully, improving the cohesion of the modules.
Brief description of the drawings
In order that the content of the invention may be more clearly understood, the invention is described in further detail below according to specific embodiments and with reference to the accompanying drawings, in which:
Fig. 1 shows the schematic diagram of the data layer in a software defined network;
Fig. 2 shows the schematic diagram of the DDoS attack identification and protection system based on the SDN architecture;
Fig. 3 shows the workflow of the spoofed-packet detection module;
Fig. 4 shows the workflow of the malformed-packet detection module;
Fig. 5 shows the UDP flooding detection flowchart;
Fig. 6 shows the ICMP flooding detection flowchart.
Detailed description
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in more detail below with reference to embodiments and the accompanying drawings. These descriptions are illustrative only and are not intended to limit the scope of the invention. In addition, descriptions of well-known structures and techniques are omitted to avoid unnecessarily obscuring the concept of the invention.
Fig. 1 shows the schematic diagram of the data layer in a software defined network.
As shown in Fig. 1, in the software defined network (SDN) architecture, when a message (packet) arrives at a switch it is first matched against the flow table held by the switch. If the match succeeds, the forwarding rule specified by the action of the matching flow entry is executed. If the match fails, the switch encapsulates the message in a Packet-In message, sends it to the controller, and keeps a copy of the message in its local cache while it waits for the controller to decide how the message is to be handled.
There are many hosts in the network, so a hash table keyed by every host in the network is needed, called the "violation count hash table group". It comprises a first hash table counting spoofed messages, a second hash table counting malformed messages, and a third hash table counting flooding attacks. It records the number of violations of each host, i.e. the credibility of the host.
Packets in the network arrive in real time, so a hash table counting threat packets within a unit time is also needed. Each host corresponds to one key in this hash table, and the value is the number of threat packets that host sent within the recorded unit time. At the start of each unit-time "time slice" the values of all keys in such a hash table must be reset to 0, and every kind of detection needs a table of this sort: if 100 kinds of message are detected, 100 such hash tables are required.
Moreover, each hash table must have a corresponding threshold. Whenever a host's value in a hash table is incremented, the value is checked against the configured threshold. If it exceeds the threshold, the corresponding record in the violation count hash table is incremented.
Parameters such as the threshold and time-slice length of each hash table can be adjusted through an interface.
For example, the per-host hash tables are:
Unit-time spoofed-packet count hash table
Host1 | Host2 | Host3 | Host4 | Host5 | Host6 | Host7 | Host8 | …… | Host n |
1 | 2 | 2 | 1 | 100 | 2 | 0 | 0 | …… | 0 |
Unit-time malformed-packet count hash table
Host1 | Host2 | Host3 | Host4 | Host5 | Host6 | Host7 | Host8 | …… | Host n |
1 | 2 | 2 | 1 | 100 | 2 | 0 | 0 | …… | 0 |
Unit-time SYN count hash table
Host1 | Host2 | Host3 | Host4 | Host5 | Host6 | Host7 | Host8 | …… | Host n |
1 | 1 | 0 | 1 | 100 | 2 | 0 | 0 | …… | 0 |
Unit-time UDP Flood count hash table
Host1 | Host2 | Host3 | Host4 | Host5 | Host6 | Host7 | Host8 | …… | Host n |
1 | 1 | 0 | 1 | 10 | 2 | 0 | 0 | …… | 0 |
Unit-time ICMP Flood count hash table
Host1 | Host2 | Host3 | Host4 | Host5 | Host6 | Host7 | Host8 | …… | Host n |
1 | 1 | 0 | 1 | 100 | 2 | 0 | 0 | …… | 0 |
……
All of the above hash tables are unit-time count tables; at the start of each time slice all of their values are reset to 0.
Violation count hash table
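The unit-time count tables, their thresholds and the violation count table described above, together with the threshold-triggered blocking by the IDS decision server and the strategy for choosing between blocking a host and redirecting its access port to the cleaning centre, as one added example (not code from the patent): each detection kind has a count table whose keys are cleared at the start of every time slice, a count that exceeds its threshold increments the host's violation record and yields the action the controller should execute. The slice length, thresholds, the names of the detection kinds and actions, and the constructed event stream in the usage are assumptions.

```python
"""IDS decision server: unit-time count tables, thresholds, violation table.

Added example, not code from the patent. Slice length, thresholds, the
names of the detection kinds and actions, and the constructed event stream
in the usage are assumptions.
"""
from collections import defaultdict


class CountTable:
    """One unit-time count table: host -> number of threat messages in the
    current time slice. All values are cleared when a new slice begins."""

    def __init__(self, threshold, slice_len):
        self.threshold = threshold
        self.slice_len = slice_len
        self.slice_start = None
        self.counts = defaultdict(int)

    def add(self, host, now):
        """Count one event for host at time now (seconds, non-decreasing);
        return True when the host's count exceeds the threshold."""
        if self.slice_start is None or now - self.slice_start >= self.slice_len:
            self.slice_start = now
            self.counts.clear()
        self.counts[host] += 1
        return self.counts[host] > self.threshold


class DecisionServer:
    """One count table per detection kind plus the violation-count table
    that records how often each host has crossed a threshold."""

    def __init__(self, thresholds, slice_len=1.0):
        self.tables = {kind: CountTable(t, slice_len) for kind, t in thresholds.items()}
        self.violations = defaultdict(int)

    def set_threshold(self, kind, threshold):
        """Thresholds and slice lengths are adjustable at run time."""
        self.tables[kind].threshold = threshold

    def set_slice_len(self, kind, slice_len):
        self.tables[kind].slice_len = slice_len

    def report(self, kind, host, now, in_openflow_domain=True):
        """Handle one message reported by an IDS device. Returns the action the
        controller should take, or None while the host is within threshold."""
        if not self.tables[kind].add(host, now):
            return None
        self.violations[host] += 1
        # Action per the strategy in the summary: spoofing inside the OpenFlow
        # domain and malformed packets block the host; spoofing from outside
        # the domain and flooding send the access-port traffic to the cleaning centre.
        if kind == "spoof":
            return "block_host" if in_openflow_domain else "redirect_to_cleaning"
        if kind == "flags":
            return "block_host"
        if kind == "flood":
            return "redirect_to_cleaning"
        raise ValueError(f"unknown detection kind {kind!r}")


if __name__ == "__main__":
    # Constructed event stream: Host5 floods (threshold 3) within one slice.
    srv = DecisionServer({"spoof": 2, "flags": 2, "flood": 3}, slice_len=1.0)
    for t in (0.0, 0.3, 0.6, 0.9):
        print(t, srv.report("flood", "Host5", t))   # None x3, then redirect_to_cleaning
    print(srv.violations["Host5"])                   # 1
    print(srv.report("flood", "Host5", 1.2))         # None: new slice, counts cleared
```

Note that the reset is per table, not global: each table opens its own slice at the time of its first event, so a table that sees no events simply keeps its zeros, and the violation table is never reset, since it is the host's credibility history rather than a rate.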
On the basis of the above principles, the specific implementation of this embodiment is as follows.
Embodiment 1
Fig. 2 shows the SDN architecture diagram of the invention.
As shown in Fig. 2, an SDN architecture comprises an application plane, a data plane and a control plane, wherein: in the data plane, when any IDS (intrusion detection system) device detects a message with DDoS attack features, it reports the message to the application plane over an SSL channel; the application plane analyses the attack type and formulates a corresponding attack-threat processing strategy for that type; and the control plane provides an attack-threat processing interface to the application plane and provides optimal-path computation and/or attack-threat identification interfaces to the data plane.
Here the DDoS attack features are defined as: spoofing of link-layer and Internet-layer addresses, abnormal flag-bit settings at the Internet layer and transport layer, and flooding attacks at the application layer and transport layer.
The IDS device comprises:
a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses; a malformed-packet detection module, which detects abnormal flag-bit settings at the Internet layer and transport layer; and an abnormal-message detection module, which detects flooding attacks at the application layer and transport layer. A message is examined by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-message detection module in turn, and if any module finds the corresponding behaviour in the message, the message is handed to the application plane.
When a message exhibits spoofing and the attack threat lies inside the OpenFlow domain, the application plane blocks the host through the controller in the control plane; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering. When a message exhibits abnormal behaviour, the application plane blocks the traffic of the attacker or attacking host through the controller. When a message exhibits a flooding attack, the application plane, through the controller, redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering.
The processing strategy, attack-type analysis, attack-threat monitoring, attack-threat blocking and route optimization of the application plane in Fig. 2, the attack-threat monitoring of the data plane, and the attack-threat processing, attack-threat identification and optimal-path computation of the control plane are set out in the following embodiments.
The application plane may be implemented by the IDS decision server and the control plane by the controller; see the following embodiments for details.
Embodiment 2
Fig. 3 shows the structural block diagram of the SDN system of the invention.
As shown in Fig. 3, a working method based on the DDoS threat filtering SDN system comprises: when any IDS device detects a message with DDoS attack features, it reports the message to the IDS decision server over an SSL channel; the IDS decision server formulates, according to the reported information, a processing strategy corresponding to the message with DDoS attack features, and then either blocks the message through the controller or redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering.
Fig. 4 shows the schematic diagram of the SDN system.
As shown in Fig. 4, the IDS device further comprises:
a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses;
a malformed-packet detection module, which detects abnormal flag-bit settings at the Internet layer and transport layer;
an abnormal-message detection module, which detects flooding attacks at the application layer and transport layer;
the message is examined by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-message detection module in turn;
and if any module finds the corresponding behaviour in the message, the message is handed to the IDS decision server.
Further, when a message exhibits spoofing and the attack threat lies inside the OpenFlow domain, the IDS decision server blocks the host through the controller; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering. When a message exhibits abnormal behaviour, the IDS decision server blocks the traffic of the attacker or attacking host through the controller. When a message exhibits a flooding attack, the IDS decision server, through the controller, redirects the traffic of the switch access port corresponding to the message to the traffic-cleaning centre for filtering.
The invention inspects messages in the order spoofed-packet detection module, then malformed-packet detection module, then abnormal-message detection module. Each module obtains packet information through an independent interface, which reduces coupling between modules, and each module uses optimized program data structures and splits each processing sub-flow carefully, which improves cohesion. This detection order improves the efficiency of message inspection and reduces overhead.
Fig. 5 shows the workflow of the spoofed-packet detection module.
As shown in Fig. 5, the spoofed-packet detection module loads the network device information binding table, and a first hash table counting packet-spoofing behaviour within a unit time is built in the IDS decision server with a first threshold set for it. The spoofed-packet detection module parses the message type of the message encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that sent the Packet-In, and compares each with the corresponding entry in the binding table. If the information matches, the message is passed to the malformed-packet detection module; if it does not match, the message is handed to the IDS decision server, which discards it and at the same time increments the spoofing count, and when the count exceeds the first threshold the program and/or host that sends the message is blocked.
Specifically, the spoofed-packet detection module performs the first judgement on a message, i.e. whether it is an IP spoofing, port spoofing or MAC spoofing attack message.
The specific steps are: first parse the source and destination MAC addresses in the Ethernet frame and the switch ingress port, then parse the message according to its type. When the message type is IP, ARP or RARP, the corresponding source and destination IP addresses are parsed and looked up in the network device information binding table. If the corresponding entries match, the message is handed to the malformed-packet detection module. If they do not match, the message is handed to the IDS decision server for processing, and the spoofing count is accumulated; when the count exceeds the first threshold, the program and/or host sending the message is blocked.
Floodlight has a device manager module, DeviceManagerImpl, which tracks a device as it moves through the network and redefines the device from newly seen flows.
The device manager learns devices from Packet-In requests, obtains the device's network parameters (source and destination IP, MAC, VLAN and so on) from the Packet-In message, and an entity classifier distinguishes whether the device is a switch or a host.
By default the entity classifier identifies a device by MAC address and/or VLAN; these two attributes uniquely identify a device. Another important piece of information is the device's attachment point (the switch DPID and port number). Within one OpenFlow domain a device can have only one attachment point; here an OpenFlow domain means the set of switches connected to the same Floodlight instance. The device manager also keeps expiry times for IP addresses, attachment points and devices, using the last-seen timestamp to judge whether they have expired.
Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module and register an IDeviceListener with that service.
The interfaces involved with the IDeviceListener are:
ISP: IFloodlightProviderService, IDeviceService
Dependency interfaces: IFloodlightModule, IDeviceListener
The records in the binding table are refreshed in real time according to the switch's level-triggered port events (unplugging a network cable triggers a PortDown low level, plugging it in triggers a PortUp high level).
A conventional DDoS attack cannot touch or alter the switch DPID and switch port information; using this advantage, spoofing attacks can be detected more flexibly.
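The first-stage check described above, as an added example that is not the patent's or Floodlight's own code. It assumes a binding table already populated from the controller's device manager (MAC to IP and attachment point) and a Packet-In summary dict with the fields the module parses; the `SpoofDetector` class, the sample table and the sample packets are constructed for illustration. Counting is keyed by attachment point (DPID, port) because, as the text notes, that is the part of the packet's identity an attacker cannot alter.

```python
from collections import defaultdict

# Constructed binding table (hypothetical values): MAC -> learned IP and
# attachment point (switch DPID, port), as the device manager would report it.
BINDING_TABLE = {
    "00:00:00:00:00:01": {"ip": "10.0.0.1", "dpid": "00:00:00:00:00:00:00:01", "port": 1},
    "00:00:00:00:00:02": {"ip": "10.0.0.2", "dpid": "00:00:00:00:00:00:00:01", "port": 2},
}

IP_TYPES = {"ip", "arp", "rarp"}  # packet types whose source IP is also checked


class SpoofDetector:
    """First-stage check: does the packet's claimed identity match the binding table?"""

    def __init__(self, binding_table, threshold, interval):
        self.binding_table = binding_table
        self.threshold = threshold      # the "first threshold"
        self.interval = interval        # unit time interval in seconds
        self.counts = defaultdict(int)  # the "first hash table": attachment point -> spoof count
        self.window_start = None
        self.blocked = set()            # attachment points already blocked

    def check(self, pkt, now):
        """Return 'pass', 'drop' (spoofed and counted) or 'block' (threshold exceeded)."""
        if self.window_start is None or now - self.window_start >= self.interval:
            self.window_start = now     # new unit interval: counts restart, blocks persist
            self.counts.clear()
        key = (pkt["dpid"], pkt["in_port"])
        if key in self.blocked:
            return "block"
        entry = self.binding_table.get(pkt["eth_src"])
        matches = (
            entry is not None
            and entry["dpid"] == pkt["dpid"]
            and entry["port"] == pkt["in_port"]
            and (pkt["eth_type"] not in IP_TYPES or entry["ip"] == pkt.get("ipv4_src"))
        )
        if matches:
            return "pass"
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.blocked.add(key)
            return "block"
        return "drop"


DPID = "00:00:00:00:00:00:00:01"

# Constructed Packet-In summaries (what the module would parse out of each frame).
SAMPLE_PACKETS = [
    {"eth_src": "00:00:00:00:00:01", "eth_type": "arp", "ipv4_src": "10.0.0.1", "dpid": DPID, "in_port": 1},
    {"eth_src": "00:00:00:00:00:02", "eth_type": "ip", "ipv4_src": "10.0.0.1", "dpid": DPID, "in_port": 2},  # IP spoof
    {"eth_src": "00:00:00:00:00:01", "eth_type": "ip", "ipv4_src": "10.0.0.1", "dpid": DPID, "in_port": 2},  # MAC spoof
    {"eth_src": "00:00:00:00:00:02", "eth_type": "ip", "ipv4_src": "10.0.0.1", "dpid": DPID, "in_port": 2},  # IP spoof again
    {"eth_src": "00:00:00:00:00:02", "eth_type": "ip", "ipv4_src": "10.0.0.2", "dpid": DPID, "in_port": 2},  # genuine, but port 2 is blocked
]


def run_sample(threshold=2, interval=1.0):
    """Feed the constructed packets through one detector, 0.1 s apart; return the verdicts."""
    det = SpoofDetector(BINDING_TABLE, threshold, interval)
    return [det.check(p, now=0.1 * i) for i, p in enumerate(SAMPLE_PACKETS)]


if __name__ == "__main__":
    print(run_sample())  # ['pass', 'drop', 'drop', 'block', 'block']
```

Note that the last packet is genuine yet still blocked: once the attachment point has tripped the threshold, the block applies to the host behind that port, which is what the text means by blocking the host rather than the individual packet.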
Fig. 6 shows the workflow diagram of the malformed-packet detection module.
As shown in Fig. 6, a second hash table, suitable for counting abnormal flag-bit settings within a unit time interval, is built in the IDS policy server, and a second threshold is set for that table. The malformed-packet detection module inspects each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet is handed to the abnormal-packet detection module; if not, the packet is handed to the IDS policy server, which discards it and at the same time counts the abnormal flag-bit behaviour; when the count exceeds the second threshold, the program and/or host that sent the packet is blocked.
Specifically, the malformed-packet detection module performs the second judgement on a packet: whether it is an attack packet with malicious flag-bit features. Such attack packets include, but are not limited to, IP attack packets and TCP attack packets. The implementation inspects the flag bits of each IP, TCP and UDP packet, i.e. it checks whether each flag bit conforms to the TCP/IP protocol specification. If it conforms, the packet is passed directly to the abnormal-packet detection module; if not, the packet is judged to be an attack packet and handed to the IDS policy server.
Taking a typical attack such as Teardrop as an example: the IP header contains a fragment offset field and a More Fragments (MF) flag. If an attacker sets the offset field to an incorrect value, the IP fragments overlap or leave gaps, and the target system crashes.
The IP header also contains a protocol field, which specifies which protocol the IP packet carries. The value of this field is less than 100; if an attacker sends the target a large number of IP packets whose protocol field exceeds 100, the protocol stack of the target system is damaged, forming an attack.
Therefore, in the malformed-packet detection module, each flag bit of the packet is extracted first and then checked for normality.
If normal, the packet is passed to the subsequent module.
If abnormal, the packet is discarded and the counter in the corresponding hash table is incremented. If the count within the unit time interval exceeds the set second threshold, the IDS policy server is called to block the corresponding program and/or directly block the corresponding host.
After packets have been filtered by the spoofed-packet detection module, the addresses in the packets subsequently handled by the malformed-packet detection module are all genuine. This effectively prevents the target from receiving malformed packets, which could directly crash the target's protocol stack or even the target itself.
The processing flow of the malformed-packet detection module is basically similar to that of the spoofed-packet detection module; the difference is that the malformed-packet detection module parses the flag bits of each packet and then checks whether each flag bit is normal.
If normal, the packet is handed directly to the subsequent abnormal-packet detection module.
If abnormal, the packet is discarded and the counter in the hash table for the host's application is incremented. If the set threshold is exceeded, the corresponding attacker program is blocked, or the attacking host is blocked directly.
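The second-stage checks described above, as an added example that is not the patent's code. It works on a constructed IPv4 header summary (`IPv4Header`) rather than raw bytes, applies the page's protocol-field rule (value must be below 100, which is the patent's bound, not the IANA range), checks the fragment rules from the Teardrop discussion (overlapping fragment byte ranges within one datagram, and non-final fragments whose length is not a multiple of 8), and adds the TCP flag combinations that the specification never produces (no flags at all, SYN with FIN, SYN with RST); the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as they appear in the flags byte.
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04
IP_PROTO_TCP = 6
PROTOCOL_FIELD_MAX = 100  # the patent's rule: values of 100 or more are treated as attack packets


@dataclass
class IPv4Header:
    """Constructed summary of the fields the module inspects (not a full header)."""
    protocol: int
    ident: int            # identification field, shared by fragments of one datagram
    more_fragments: bool  # MF flag
    frag_offset: int      # fragment offset in 8-byte units, as carried on the wire
    payload_len: int      # bytes of data in this fragment
    tcp_flags: Optional[int] = None  # TCP flags byte when the packet carries a TCP header


def tcp_flags_valid(flags):
    """Reject flag combinations that no conforming TCP stack sends."""
    if flags is None:
        return True
    if flags == 0:                       # "null" segment
        return False
    if flags & TCP_SYN and flags & (TCP_FIN | TCP_RST):
        return False
    return True


class MalformedDetector:
    """Second-stage check: do the packet's flag bits conform to the TCP/IP specification?"""

    def __init__(self):
        # per-datagram list of (start, end) byte ranges seen so far, keyed by (src, ident)
        self.fragments = {}

    def check(self, src, hdr):
        """Return 'pass' or a short reason why the packet violates the specification."""
        if hdr.protocol >= PROTOCOL_FIELD_MAX:
            return "protocol-field"
        if hdr.more_fragments and hdr.payload_len % 8:
            return "fragment-length"  # RFC 791: non-final fragments carry multiples of 8 bytes
        if hdr.more_fragments or hdr.frag_offset:
            key = (src, hdr.ident)
            start = hdr.frag_offset * 8
            end = start + hdr.payload_len
            ranges = self.fragments.setdefault(key, [])
            for s, e in ranges:
                if start < e and s < end:    # byte ranges overlap: the Teardrop pattern
                    self.fragments.pop(key, None)
                    return "fragment-overlap"
            ranges.append((start, end))
            if not hdr.more_fragments:       # final fragment seen: forget the datagram
                self.fragments.pop(key, None)
        if hdr.protocol == IP_PROTO_TCP and not tcp_flags_valid(hdr.tcp_flags):
            return "tcp-flags"
        return "pass"


# Constructed sample: one well-formed fragmented datagram, one Teardrop-style pair,
# one packet with an out-of-range protocol field, one TCP SYN+FIN segment.
SAMPLE = [
    ("10.0.0.5", IPv4Header(protocol=17, ident=1, more_fragments=True, frag_offset=0, payload_len=24)),
    ("10.0.0.5", IPv4Header(protocol=17, ident=1, more_fragments=False, frag_offset=3, payload_len=16)),
    ("10.0.0.6", IPv4Header(protocol=17, ident=2, more_fragments=True, frag_offset=0, payload_len=32)),
    ("10.0.0.6", IPv4Header(protocol=17, ident=2, more_fragments=False, frag_offset=2, payload_len=16)),
    ("10.0.0.7", IPv4Header(protocol=200, ident=3, more_fragments=False, frag_offset=0, payload_len=40)),
    ("10.0.0.8", IPv4Header(protocol=6, ident=4, more_fragments=False, frag_offset=0, payload_len=0,
                            tcp_flags=TCP_SYN | TCP_FIN)),
]


def run_sample():
    det = MalformedDetector()
    return [det.check(src, hdr) for src, hdr in SAMPLE]


if __name__ == "__main__":
    print(run_sample())
    # ['pass', 'pass', 'pass', 'fragment-overlap', 'protocol-field', 'tcp-flags']
```

Only overlap is decided per packet; a gap can only be judged once the final fragment has arrived, and since fragments may legitimately arrive out of order, a per-packet module should not flag a missing range as an attack.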
A hash table for identifying flood attack packets is built in the abnormal-packet detection module: a third hash table, suitable for counting flood attacks within a unit time interval, is built in the IDS policy server, and a third threshold is set for that table. The abnormal-packet detection module judges, according to the threshold set in the hash table, whether the packet carries an attack. If it does not, the data is forwarded; if it does, the packet is handed to the IDS policy server, which discards it and at the same time counts the attack; when the count exceeds the third threshold, the program and/or host that sent the packet is blocked.
Specifically, the abnormal-packet detection module performs the third judgement on a packet: whether it is a flood attack packet.
The steps are: the corresponding record in the flood-identification hash table is incremented and compared with the threshold, to judge whether the packet is a flood attack packet.
After filtering by the spoofed-packet and malformed-packet detection modules, the packets handled by subsequent modules are basically normal packets. However, DDoS attacks also occur under apparently normal conditions. In the prior art, normally only spoofed-packet detection and malformed-packet detection are performed; this technical solution aims to avoid DDoS attacks as far as possible.
The following embodiment shows how, after filtering by the spoofed-packet and malformed-packet detection modules, the abnormal-packet detection module blocks DDoS attacks, taking UDP flooding and ICMP flooding as examples.
UDP flooding exploits the connectionless nature of UDP by sending the target a large number of UDP packets. The target spends a great deal of time processing them; these UDP attack packets not only overflow the buffer that stores UDP packets but also consume a substantial amount of network bandwidth, so the target cannot (or can only rarely) receive legitimate UDP packets.
Because many different hosts send large numbers of UDP packets to a single host, some ports will certainly be occupied, so this technical solution will receive an ICMP port unreachable packet for such ports.
The solution therefore builds a hash table for all hosts, used specifically to store the number of ICMP port unreachable packets received within the unit time interval. If it exceeds the set threshold, the corresponding attacker is blocked directly.
For ICMP flooding, counts are taken directly within the unit time interval. If the corresponding threshold is exceeded, the corresponding host is blocked; although simple, this method is direct and effective.
Therefore, if the packet type detected by the abnormal-packet detection module is one of the abnormal-packet detection types, the corresponding counter is incremented and compared with the threshold; if the threshold is not exceeded, the packet can also be forwarded via the optimal routing policy. If the threshold is exceeded, the corresponding attacker program is blocked, or the corresponding host is blocked directly.
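The third-stage counters for the two flood cases above, as an added example that is not the patent's code. It assumes the IDS sees mirrored traffic in both directions, so that an ICMP port unreachable (type 3, code 3) going back to the UDP sender identifies that sender, and keys the UDP counter by the unreachable message's destination address; ICMP echo requests (type 8) are counted by source. The packet summaries, thresholds and the `FloodDetector` name are constructed for the example.

```python
from collections import defaultdict

ICMP_DEST_UNREACHABLE, ICMP_PORT_UNREACHABLE_CODE = 3, 3
ICMP_ECHO_REQUEST = 8


def classify(pkt):
    """Map a packet summary to (indicator, host) or None if it is not a flood indicator.

    udp  -> ICMP port unreachable sent back to a UDP sender; the host is that sender
    icmp -> ICMP echo request; the host is its source
    """
    if pkt["proto"] != "icmp":
        return None
    if pkt["icmp_type"] == ICMP_DEST_UNREACHABLE and pkt["icmp_code"] == ICMP_PORT_UNREACHABLE_CODE:
        return ("udp", pkt["ipv4_dst"])
    if pkt["icmp_type"] == ICMP_ECHO_REQUEST:
        return ("icmp", pkt["ipv4_src"])
    return None


class FloodDetector:
    """Third-stage check: per-host flood indicator counts within a unit time interval."""

    def __init__(self, interval, udp_threshold, icmp_threshold):
        self.interval = interval
        self.thresholds = {"udp": udp_threshold, "icmp": icmp_threshold}
        self.counts = defaultdict(int)  # the "third hash table": (indicator, host) -> count
        self.window_start = 0.0
        self.blocked = set()            # hosts handed to the policy server for blocking

    def observe(self, pkt, now):
        """Return 'forward' (normal or under threshold) or 'block' (threshold exceeded)."""
        if now - self.window_start >= self.interval:
            self.window_start = now     # new interval: counts restart, blocks persist
            self.counts.clear()
        key = classify(pkt)
        if key is None:
            return "forward"
        indicator, host = key
        if host in self.blocked:
            return "block"
        self.counts[key] += 1
        if self.counts[key] > self.thresholds[indicator]:
            self.blocked.add(host)
            return "block"
        return "forward"                # under threshold: still issued via the optimal routing policy


# Constructed packet summaries, observed 0.1 s apart except the last one.
SAMPLE = [
    (0.0, {"proto": "tcp", "ipv4_src": "10.0.0.3", "ipv4_dst": "10.0.0.1"}),
    (0.1, {"proto": "icmp", "icmp_type": 8, "icmp_code": 0, "ipv4_src": "10.0.0.9", "ipv4_dst": "10.0.0.1"}),
    (0.2, {"proto": "icmp", "icmp_type": 8, "icmp_code": 0, "ipv4_src": "10.0.0.9", "ipv4_dst": "10.0.0.1"}),
    (0.3, {"proto": "icmp", "icmp_type": 8, "icmp_code": 0, "ipv4_src": "10.0.0.9", "ipv4_dst": "10.0.0.1"}),
    (0.4, {"proto": "icmp", "icmp_type": 3, "icmp_code": 3, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.7"}),
    (0.5, {"proto": "icmp", "icmp_type": 3, "icmp_code": 3, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.7"}),
    (5.0, {"proto": "icmp", "icmp_type": 3, "icmp_code": 3, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.8"}),
]


def run_sample(interval=1.0, udp_threshold=1, icmp_threshold=2):
    det = FloodDetector(interval, udp_threshold, icmp_threshold)
    return [det.observe(pkt, now) for now, pkt in SAMPLE]


if __name__ == "__main__":
    print(run_sample())
    # ['forward', 'forward', 'forward', 'block', 'forward', 'block', 'forward']
```

The thresholds here are deliberately tiny so the sample trips them; in a deployment they are tuned per unit interval to the normal ICMP rate of the protected segment, since a threshold that is too low turns a single busy host into a false positive.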
When any of the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module judges a packet to be one of the attack packets described above, the attack packet is handed to the IDS policy server, i.e. the packet is discarded and the program and/or host that sent it is blocked.
Whenever the spoofed-packet detection module, the malformed-packet detection module or the abnormal-packet detection module needs to discard a packet or block a threatening host, it directly calls the IDS policy server to carry out the corresponding threat-handling operation.
The specific implementation steps of the IDS policy server are as follows.
Discarding a packet proceeds as follows: when no flow entry matches, an OpenFlow switch encapsulates the packet in a Packet-In message; at the same time the switch may keep the packet in a local buffer, in which case the packet is stored with a buffer ID that is also carried in the buffer_id field of the Packet-In message. The packet is discarded by means of a Packet-Out message whose buffer_id is set to the buffer ID of the packet to be discarded (the buffer_id of the corresponding Packet-In message).
Blocking a host proceeds as follows.
The OpenFlow flow entry structure is:
Header fields | Counters | Actions |
The structure of the header fields is:
The steps by which the IDS policy server blocks an application program are as follows:
Step 1: fill in the corresponding match fields in the header-field part of the flow entry and set the wildcard mask fields, so that the attacker program or host to be blocked is identified. To block an attacker program, the following match fields are filled in: IP, MAC, VLAN, switch DPID, switch port, protocol type and its port number, etc. To block a host, the match fields IP, MAC, VLAN, switch DPID and switch port are filled in.
Step 2: the flow entry's action list is left empty, which drops the packets of the attacker program/host.
Step 3: the record values in each hash table are read, and the flow entry's timeout and automatic deletion time are calculated.
Step 4: the flow entry blocking the program or host is issued.
Therefore the network of this technical solution can effectively identify and filter out attack packets.
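Steps 1 to 4 above, as an added example that is not the patent's code. It builds the two kinds of drop entry (program-level and host-level) as JSON bodies in the Floodlight Static Flow Pusher format; the field names (`switch`, `in_port`, `eth_src`, `eth_vlan_vid`, `eth_type`, `ipv4_src`, `ip_proto`, `tcp_src`/`udp_src`, `hard_timeout`, `actions`) are assumed from Floodlight v1.x and should be checked against the controller version in use. The timeout policy in `block_timeout` is hypothetical, since the page only says the timeout is derived from the hash-table record values; the attacker details are constructed.

```python
import json

OF_MAX_TIMEOUT = 65535          # OpenFlow hard/idle timeouts are 16-bit fields
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def block_timeout(count, threshold, base_seconds=60):
    """Hypothetical Step 3 policy (not given by the patent): scale the block duration
    with how far the hash-table count exceeded its threshold, capped at the OpenFlow max."""
    factor = max(1, count // threshold)
    return min(OF_MAX_TIMEOUT, base_seconds * factor)


def block_entry(name, dpid, target, hard_timeout, program=False):
    """Build a drop entry (Steps 1 and 2) in assumed Static Flow Pusher JSON form.

    target: constructed dict with ip, mac, vlan, in_port and, for a program,
    ip_proto and l4_port. An empty 'actions' string means matching packets are dropped.
    """
    entry = {
        "switch": dpid,
        "name": name,
        "priority": "32768",
        "active": "true",
        "hard_timeout": str(hard_timeout),  # automatic deletion time (Step 3)
        "in_port": str(target["in_port"]),  # switch port: the part a spoofer cannot forge
        "eth_src": target["mac"],
        "eth_vlan_vid": str(target["vlan"]),
        "eth_type": "0x0800",               # OXM prerequisite for matching ipv4_src
        "ipv4_src": target["ip"],
        "actions": "",                      # empty action list = drop (Step 2)
    }
    if program:                             # narrow the match to one program: protocol + L4 port
        entry["ip_proto"] = str(target["ip_proto"])
        l4_field = "tcp_src" if target["ip_proto"] == IP_PROTO_TCP else "udp_src"
        entry[l4_field] = str(target["l4_port"])
    return entry


# Constructed attacker details as the hash tables and binding table would supply them.
ATTACKER = {"ip": "10.0.0.7", "mac": "00:00:00:00:00:07", "vlan": 10,
            "in_port": 3, "ip_proto": IP_PROTO_UDP, "l4_port": 40000}
DPID = "00:00:00:00:00:00:00:01"


def sample_entries(count=7, threshold=3):
    """Return (host entry, program entry) for the constructed attacker."""
    timeout = block_timeout(count, threshold)
    host = block_entry("block-host-10.0.0.7", DPID, ATTACKER, timeout)
    prog = block_entry("block-prog-10.0.0.7-udp-40000", DPID, ATTACKER, timeout, program=True)
    return host, prog


if __name__ == "__main__":
    for entry in sample_entries():
        print(json.dumps(entry, indent=2))
```

Because a more specific entry must win over the ordinary forwarding entries, the drop entries are pushed at a priority at least as high as the routing entries the controller installs; a drop entry that loses on priority silently does nothing.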
Optionally, after passing through the above modules, normal packets are forwarded according to a real-time optimal routing policy. The steps are as follows:
First, in step S1, a request is submitted to the controller's topology interface (API), and in step S2 the full network topology is obtained.
Next, the link state of the whole network is acquired: step S3 is entered, then the whole-network link state is obtained in step S10, and the remaining bandwidth of every link is calculated.
Then the real-time optimal path is calculated using a modified classical Dijkstra algorithm whose edge weights are the reciprocals of the link remaining bandwidths obtained in the previous step; this ensures that the calculated path is the least congested path with the lowest propagation delay. (For the specific optimal-path algorithm see the related content in Embodiment 3.)
Finally, the calculated optimal path is converted into a real-time optimal path policy consisting of flow entries and issued in step S11.
The topology interface used in step S1 is an API provided by the controller; it discovers links using LLDP (Link Layer Discovery Protocol) and broadcast packets, after which the controller calculates the network topology automatically.
In step S2, the controller's topology interface returns the topology to the "full topology acquisition module" of the "real-time optimal path calculation module" in response to its request.
In step S3, the "whole-network link state acquisition module" sends a request to the "switch query interface module" to obtain the whole-network link state. The "switch query interface module" is extended from the controller's built-in "switch feature query module" and "switch status query module" and implements the calculation and querying of link remaining bandwidth.
Then, " switch query module " by step S4, all interchangers into network send interchanger property requests
Broadcast packet.The message fed back come interchanger characteristic in automatic network is received by step S5 again, parsed inside outgoing packet
Curr fields, obtain each switch ports themselves current bandwidth B.
Next, the module is by step S6, all interchangers into network send the broadcast packet that switch status is asked,
Bag number is sent including port, port sends byte number, port receives the message status such as byte number, port receiver packet number.Then,
The module receives the message fed back come switch status in automatic network by step S7, parses tx_bytes fields, is sent out
Byte number N1 is sent, obtains current time t1.
Next, the module is by step S8, all interchangers into network send the broadcast packet that switch status is asked,
Then, the message that the module is fed back by S9 receptions come switch status in automatic network, timing stop, and obtain current time t2.
Tx_bytes fields are parsed, obtain sending byte number N2.
Present port remaining bandwidth, which can then be calculated, is:B-(N2-N1)/(t2-t1).
The acquired network topology is then used to calculate the remaining bandwidth of each link:
For a link between two switches, the remaining bandwidth of the switch ports at both ends is obtained, and the link's remaining bandwidth is the smaller of the two port values.
For a link between a host and a switch, the remaining bandwidth of the switch port connecting the host is obtained, and the link's remaining bandwidth is that port's remaining bandwidth.
In step S4 the controller broadcasts a Feature Request message to all switches in the network.
In step S5 the controller receives the Feature Reply messages that the switches feed back to it.
In step S6 the controller broadcasts a Stats Request message to all switches in the network.
In step S7 the controller receives the Stats Reply messages that the switches feed back to it.
In step S8 the controller broadcasts a Stats Request message to all switches in the network.
In step S9 the controller receives the Stats Reply messages that the switches feed back to it.
In step S10 the switch query interface feeds the calculated link remaining bandwidth information back to the "whole-network link state acquisition module".
In step S11 the routing policy issuing module takes the calculated real-time optimal routing policy and issues the calculated flow entries to the relevant switches through step S12.
The step S12 interface is an API provided by the controller for issuing the calculated optimal routing policy.
Through the optimal path policy, the average transmission delay of the network does not increase sharply while the DDoS attack is being defended against.
Embodiment 3
On the basis of Embodiments 1 and 2, a working method of an SDN system integrating threat handling and routing optimisation uses distributed detection and centralised handling to effectively relieve the controller's workload and improve detection efficiency and data transmission rate.
The working method of the SDN system integrating threat handling and routing optimisation of the present invention comprises the following steps: step S100, network initialisation; step S200, distributed DDoS threat monitoring; and step S300, threat handling and/or routing optimisation.
Further, the devices involved in the network initialisation of step S100 include the controller, the IDS policy server and the distributed IDS devices.
Network initialisation proceeds as follows: step S101, the IDS policy server establishes a dedicated SSL communication channel with each IDS device (step S101 is an optional embodiment); step S102, the controller builds the network device information binding table and updates it in real time to each IDS device; step S104, the controller issues mirroring flow entries so that, in each domain, the OF switches mirror the traffic of every port with a host attached to the corresponding IDS device; and step S105, the controller issues DDoS threat identification rules to the corresponding IDS devices in each domain.
The distributed DDoS threat monitoring method of step S200 includes: detecting, in turn, spoofing of link-layer and internet-layer addresses, abnormal settings of internet-layer and transport-layer flag bits, and flood attacks at the application and transport layers; if any detection in this process judges the packet to exhibit the corresponding behaviour, the packet is handed to step S300.
The specific implementation steps are:
Step S210, detect spoofing of link-layer and internet-layer addresses.
Step S220, detect abnormal settings of internet-layer and transport-layer flag bits.
Step S230, detect flood attacks at the application and transport layers.
Step S240, if, as the packet passes in turn through steps S210, S220 and S230, any step judges the packet to be spoofed, abnormal or an attack, the packet is handed to step S300.
The method of step S210 for detecting spoofing of link-layer and internet-layer addresses comprises the following steps: step S211, the spoofed-packet detection module looks up the network device information binding table; step S212, the spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that uploaded the Packet-In message, and compares each of these with the corresponding entry in the network device information binding table; if the information in the packet matches, the packet is handed to step S220; if it does not match, the packet is handed to step S300.
The method of step S220 for detecting abnormal settings of internet-layer and transport-layer flag bits includes: inspecting each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the packet is handed to step S230; if not, the packet is handed to step S300.
The method of step S230 for detecting flood attacks at the application and transport layers comprises the following steps: step S231, the abnormal-packet detection module builds a hash table for identifying flood attack packets; step S232, the abnormal-packet detection module judges, according to the threshold set in the hash table, whether the packet is a flood attack packet and hands the result to step S300; if there is no attack, the data is forwarded normally or according to the optimal path policy described above; if there is an attack, the corresponding blocking measure is taken.
The threat handling and/or routing optimisation method of step S300 includes:
If the packet exhibits spoofing and the attack threat is within the OpenFlow domain, the IDS policy server blocks the host through the controller; if the attack threat is not within the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering.
If the packet exhibits abnormal flag-bit behaviour, the IDS policy server blocks the traffic of the attacker program or attacking host through the controller. Specifically, for malformed-packet attacks, the packet currently handled by the IDS device has already passed spoofed-packet detection, so its address is genuine. The IDS policy server therefore only needs to issue, through the controller's northbound interface, a flow entry whose action is Drop to block the traffic of the attacker program or attacking host. This is, however, a coarse-grained decision, and is only suitable for attacks consisting of a small number of malformed packets.
If the packet exhibits a flood attack, the IDS policy server, through the controller, redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering. Optionally, the security devices of the traffic scrubbing centre can also feed the protection results back to the controller so that the network policy is adjusted, achieving multi-dimensional protection where SDN is mixed with a legacy network.
Further, the optimised path is calculated from the link load coefficient: the remaining bandwidth of the link between two adjacent nodes is measured to obtain the link's load coefficient; the optimal path between any two points is obtained from the load coefficients and the initial network topology graph; and the controller derives the corresponding forwarding flow entries from the optimal path and issues them to each switch.
The specific algorithm flow of the optimised path is as follows:
Let r_{n,n+1} be the remaining bandwidth of the link between two adjacent nodes; then its link load coefficient is:
/* the link load coefficient is calculated by the controller */ The load factor U(a, b) between any two points is the sum:
Given the initial network topology graph G*, the optimal path between any two points is calculated,
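The remaining-bandwidth calculation of steps S4 to S10 and the modified Dijkstra search of this embodiment, as an added example that is not the patent's code. It applies the page's port formula B - (N2 - N1)/(t2 - t1) with B and the result expressed in bytes per second (an assumption; the patent does not state units), derives link remaining bandwidth by the page's two rules (minimum of both switch ports, or the single switch port for a host link), and runs Dijkstra with edge weight 1 / remaining bandwidth. The topology, port names (`s1:2` meaning switch s1 port 2), statistics samples and function names are constructed for the example; links whose remaining bandwidth is zero are treated as unusable, which the page does not spell out.

```python
import heapq
from math import inf


def port_remaining_bandwidth(B, n1, t1, n2, t2):
    """Page formula B - (N2 - N1)/(t2 - t1): capacity minus the sent-byte rate
    measured between two Stats Reply samples. Clamped at zero (assumption)."""
    return max(0.0, B - (n2 - n1) / (t2 - t1))


def node_of(endpoint):
    """'s1:2' (switch port) -> 's1'; 'h1' (host) -> 'h1'."""
    return endpoint.split(":")[0]


def build_graph(links, port_rem):
    """links: iterable of (end_a, end_b); port_rem: {switch port: remaining bandwidth}.

    Switch-switch link: the smaller of the two port values.
    Host-switch link: the value of the one switch port.
    Returns {node: {neighbour: link remaining bandwidth}} (undirected).
    """
    graph = {}
    for a, b in links:
        switch_ports = [e for e in (a, b) if ":" in e]
        rem = min(port_rem[e] for e in switch_ports)
        na, nb = node_of(a), node_of(b)
        graph.setdefault(na, {})[nb] = rem
        graph.setdefault(nb, {})[na] = rem
    return graph


def optimal_path(graph, src, dst):
    """Dijkstra with weight 1 / remaining bandwidth, so the least loaded route wins.
    Returns (cost, path); (inf, []) if dst is unreachable over links with capacity left."""
    dist, prev, done = {src: 0.0}, {}, set()
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == dst:
            break
        for v, rem in graph.get(u, {}).items():
            if rem <= 0:                     # no capacity left: do not route over it
                continue
            nd = d + 1.0 / rem
            if nd < dist.get(v, inf):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return inf, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


# Constructed topology: h1 - s1 - s2 - s3 - h2, plus a direct but congested s1 - s3 link.
SAMPLE_LINKS = [("h1", "s1:1"), ("s1:2", "s2:1"), ("s2:2", "s3:2"), ("s1:3", "s3:3"), ("s3:1", "h2")]

# Constructed port figures (bytes/s). Two of them come from the two-sample formula:
# s1:2 sent 200 bytes in 10 s on a 100 B/s port, s1:3 sent 900 bytes in 10 s.
SAMPLE_PORT_REM = {
    "s1:1": 100.0,
    "s1:2": port_remaining_bandwidth(100.0, 0, 0.0, 200, 10.0),      # 80.0
    "s2:1": 100.0,
    "s2:2": 90.0,
    "s3:2": 90.0,
    "s1:3": port_remaining_bandwidth(100.0, 1000, 0.0, 1900, 10.0),  # 10.0
    "s3:3": 10.0,
    "s3:1": 100.0,
}


def sample_path():
    return optimal_path(build_graph(SAMPLE_LINKS, SAMPLE_PORT_REM), "h1", "h2")


if __name__ == "__main__":
    cost, path = sample_path()
    print(path, round(cost, 4))  # ['h1', 's1', 's2', 's3', 'h2'] 0.0436
```

Hop count alone would pick the direct s1 to s3 link; with reciprocal remaining bandwidth as the weight, the three-hop route through s2 costs about 0.044 against 0.12 for the direct route, which is the effect the text describes as choosing the least congested path.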
The method by which the IDS policy server blocks the program and/or host that sent a packet includes:
First, building the hash tables for counting and setting the corresponding thresholds, i.e. building in the IDS policy server, for a unit time interval, a first hash table counting spoofing behaviour, a second hash table counting abnormal flag-bit settings and a third hash table counting flood attacks, and setting the first, second and third thresholds in the first, second and third hash tables respectively;
Second, blocking the program and/or host that sent the packet, i.e. counting the behaviour of packets handed to the IDS policy server in the corresponding hash table and, when the count exceeds the corresponding threshold, blocking the program and/or host that sent the packet.
Embodiment 4
The SDN framework and system of the present invention define SDNQA (SDN Communication Quality Assurance Strategy), an SDN communication quality assurance strategy.
The target design and scenario deployment rely on testing. The present invention has been deployed and tested; the main test environment and test contents are as follows:
(1) Based on the OpenFlow 1.3 protocol, test the communication between the Floodlight controller equipped with the DDoS threat filtering and communication quality assurance components, the OF switches, the IDS devices and the IDS policy server.
(2) Test whether the IDS devices can monitor abnormal attack traffic in the network in real time and report it to the IDS policy server over the SSL communication channel.
(3) Test whether the IDS policy server can, according to the information reported by the IDS devices, formulate the corresponding strategy for handling the attack threat and issue it through the controller's northbound interface.
(4) Test whether the controller can generate and issue real-time optimised forwarding paths according to the real-time network state, improving user experience.
Specific deployment of the experimental scenario: a central network area contains two virtual networks. Virtual network A has the SDNQA system deployed, virtual network B does not, and each virtual network contains some DDoS zombie hosts. On the right is the experimental effect comparison area, containing one Web server and two user hosts; the Web server runs Tomcat to provide Web services, and user hosts A and B access virtual networks A and B respectively. On the left is the attack simulation area, containing one DDoS attacker machine that acts as the master and controls the zombie hosts in virtual networks A and B to launch a hybrid DDoS attack against the Web server.
Based on this experimental environment, the performance of the SDNQA framework is verified in two respects: (1) comparing the attack frequency borne by the Web server under the hybrid DDoS attack; (2) comparing the average network transmission delay caused by the flood attack.
First, the traffic flowing into the Web server is analysed. The zombie hosts in each virtual network, controlled by the attacker machine, simultaneously launch the hybrid DDoS attack against the Web server; its peak frequency is 55 Hz and the attack lasts 100 seconds. All packet sequences at the Web server are captured, the request sequence from each virtual network is separated, and the request sequences flowing into the server from virtual networks A and B are obtained, giving a comparison of the attack frequency borne by the Web server.
It can be seen that the SDNQA system quickly identifies the typical DDoS attack within the 0 s to 5 s period and applies filtering protection within the 0 s to 40 s period. After 40 s, network traffic returns to normal, and test user host A can always obtain normal responses to its web requests. In virtual network B, where the SDNQA system is not deployed, a large amount of attack traffic keeps flowing in, and test user host B cannot obtain responses to its web requests.
Second, the request sequences of test user hosts A and B are extracted from the previously captured packet sequences, and the average transmission delay of packets is computed from each request sequence, giving a comparison of the average transmission delay of the two virtual networks.
It can be seen that, thanks to routing optimisation, the average transmission delay of virtual network A does not increase sharply as the data volume increases.
Thus the SDNQA framework can optimise traffic forwarding paths based on its perception of the real-time network state, ensuring optimal user experience when a DDoS attack or normal high-volume traffic is present in the network.
It should be understood that the above embodiments of the present invention are used only for exemplary illustration or explanation of the principles of the present invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent substitution, improvement, etc. made without departing from the spirit and scope of the present invention shall be included within the scope of protection. In addition, the appended claims of the present invention are intended to cover all changes and modifications that fall within the scope and boundary of the claims, or equivalents of that scope and boundary.
Claims (3)
1. A working method of a DDoS threat filtering SDN system, comprising:
when any IDS device detects a packet with DDoS attack features, reporting it to the IDS policy server over the SSL communication channel;
the IDS policy server formulating, according to the reported information, a handling strategy corresponding to the packet with DDoS attack features, and then blocking the packet through the controller or redirecting the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering.
2. The working method of the DDoS threat filtering SDN system according to claim 1, wherein the IDS device includes:
detecting the packet in turn by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module; and if any detection module detects that the packet exhibits the corresponding behaviour described above, handing the packet to the IDS policy server.
3. The working method of the DDoS threat filtering SDN system according to claim 2, characterised in that
the IDS policy server is adapted, when a packet exhibits spoofing and the attack threat is within the OpenFlow domain, to block the host through the controller; or, when the attack threat is not within the OpenFlow domain, to redirect, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering;
the IDS policy server is further adapted, when a packet exhibits abnormal behaviour, to block the traffic of the attacker program or attacking host through the controller; and
when a packet exhibits a flood attack, the IDS policy server is adapted to redirect, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711302100.XA CN107888619A (en) | 2014-12-17 | 2014-12-17 | Integrate the method for work for the SDN systems for threatening processing and routing optimality |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410788069.5A CN104539595B (en) | 2014-12-17 | 2014-12-17 | It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality |
CN201711302100.XA CN107888619A (en) | 2014-12-17 | 2014-12-17 | Integrate the method for work for the SDN systems for threatening processing and routing optimality |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410788069.5A Division CN104539595B (en) | 2014-12-17 | 2014-12-17 | It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107888619A true CN107888619A (en) | 2018-04-06 |
Family
ID=52855064
Family Applications (4)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711302100.XA Withdrawn CN107888619A (en) | 2014-12-17 | 2014-12-17 | Integrate the method for work for the SDN systems for threatening processing and routing optimality |
CN201410788069.5A Expired - Fee Related CN104539595B (en) | 2014-12-17 | 2014-12-17 | It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality |
CN201711302098.6A Withdrawn CN107888618A (en) | 2014-12-17 | 2014-12-17 | The DDoS for solving network security threatens the method for work of filtering SDN systems |
CN201711302091.4A Withdrawn CN107786578A (en) | 2014-12-17 | 2014-12-17 | Suitable for solving the SDN frameworks and method of work of network security problem |
Family Applications After (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410788069.5A Expired - Fee Related CN104539595B (en) | 2014-12-17 | 2014-12-17 | It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality |
CN201711302098.6A Withdrawn CN107888618A (en) | 2014-12-17 | 2014-12-17 | The DDoS for solving network security threatens the method for work of filtering SDN systems |
CN201711302091.4A Withdrawn CN107786578A (en) | 2014-12-17 | 2014-12-17 | Suitable for solving the SDN frameworks and method of work of network security problem |
Country Status (1)
Country | Link |
---|---|
CN (4) | CN107888619A (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108028828B (en) * | 2015-08-29 | 2020-10-27 | 华为技术有限公司 | Distributed denial of service (DDoS) attack detection method and related equipment |
CN105610854B (en) * | 2016-01-18 | 2019-08-06 | 上海交通大学 | A kind of network cooperating system of defense |
CN105897750A (en) * | 2016-06-03 | 2016-08-24 | 中国电子科技集团公司第三十研究所 | Method and system for defending Dos attacks of SDN controller |
JP6898846B2 (en) * | 2017-12-28 | 2021-07-07 | 株式会社日立製作所 | Abnormal cause identification support system and abnormal cause identification support method |
CN108289104B (en) * | 2018-02-05 | 2020-07-17 | 重庆邮电大学 | Industrial SDN network DDoS attack detection and mitigation method |
US10659484B2 (en) | 2018-02-19 | 2020-05-19 | Cisco Technology, Inc. | Hierarchical activation of behavioral modules on a data plane for behavioral analytics |
CN109508435A (en) * | 2018-10-26 | 2019-03-22 | 张派瑞 | A kind of anti-network bullying and humiliation method |
CN109922048B (en) * | 2019-01-31 | 2022-04-19 | 国网山西省电力公司长治供电公司 | Method and system for detecting serial scattered hidden threat intrusion attacks |
CN111181910B (en) * | 2019-08-12 | 2021-10-08 | 腾讯科技(深圳)有限公司 | Protection method and related device for distributed denial of service attack |
CN111885092A (en) * | 2020-09-10 | 2020-11-03 | 中国联合网络通信集团有限公司 | DDoS attack detection method and processing method for edge nodes and SDN |
CN114726602A (en) * | 2022-03-29 | 2022-07-08 | 中国工程物理研究院计算机应用研究所 | Self-adaptive threat blocking method for enterprise intranet under network zero change condition |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102487339B (en) * | 2010-12-01 | 2015-06-03 | 中兴通讯股份有限公司 | Attack preventing method for network equipment and device |
US9392010B2 (en) * | 2011-11-07 | 2016-07-12 | Netflow Logic Corporation | Streaming method and system for processing network metadata |
CN103561011B (en) * | 2013-10-28 | 2016-09-07 | 中国科学院信息工程研究所 | A kind of SDN controller method and system for preventing blind DDoS attacks on |
CN104023034B (en) * | 2014-06-25 | 2017-05-10 | 武汉大学 | Security defensive system and defensive method based on software-defined network |
2014
- 2014-12-17 CN CN201711302100.XA patent/CN107888619A/en not_active Withdrawn
- 2014-12-17 CN CN201410788069.5A patent/CN104539595B/en not_active Expired - Fee Related
- 2014-12-17 CN CN201711302098.6A patent/CN107888618A/en not_active Withdrawn
- 2014-12-17 CN CN201711302091.4A patent/CN107786578A/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
CN104539595A (en) | 2015-04-22 |
CN104539595B (en) | 2018-04-10 |
CN107888618A (en) | 2018-04-06 |
CN107786578A (en) | 2018-03-09 |
Similar Documents
Publication | Title |
---|---|
CN104539594B (en) | Merge DDoS and threaten filtering and SDN frameworks, system and the method for work of routing optimality |
CN104660582B (en) | The network architecture of the software definition of DDoS identifications, protection and path optimization |
CN104539625B (en) | A kind of network security protection system and its method of work based on software definition |
CN104539595B (en) | It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality |
CN104378380A (en) | System and method for identifying and preventing DDoS attacks on basis of SDN framework |
CN104468636A (en) | SDN structure for DDoS threatening filtering and link reallocating and working method |
US9258323B1 (en) | Distributed filtering for networks |
CN102263788B (en) | Method and equipment for defending against denial of service (DDoS) attack to multi-service system |
US20030145232A1 (en) | Denial of service attacks characterization |
CN103428224B (en) | A kind of method and apparatus of intelligence defending DDoS (Distributed Denial of Service) attacks |
US20070248084A1 (en) | Symmetric connection detection |
WO2002021278A1 (en) | Coordinated thwarting of denial of service attacks |
WO2002021296A1 (en) | Statistics collection for network traffic |
CN105871773A (en) | DDoS filtering method based on SDN network architecture |
WO2002021302A1 (en) | Monitoring network traffic denial of service attacks |
WO2002021279A1 (en) | Thwarting source address spoofing-based denial of service attacks |
WO2002021297A1 (en) | Architecture to thwart denial of service attacks |
Rengaraju et al. | Detection and prevention of DoS attacks in Software-Defined Cloud networks |
WO2002021771A1 (en) | Device to protect victim sites during denial of service attacks |
CN109327426A (en) | A kind of firewall attack defense method |
TW201124876A (en) | System and method for guarding against dispersive blocking attacks |
CN108833430A (en) | A kind of topological guard method of software defined network |
Jiang et al. | Bsd-guard: a collaborative blockchain-based approach for detection and mitigation of sdn-targeted ddos attacks |
CN105871771A (en) | SDN network architecture aimed at DDoS network attack |
CN105871772A (en) | Working method of SDN network architecture aimed at network attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20180406 |