CN107888619A - Method of operation for an SDN system integrating threat handling and route optimization - Google Patents


Info

Publication number: CN107888619A
Authority: CN (China)
Prior art keywords: message, attack, ids, plane, ddos
Legal status: Withdrawn
Application number: CN201711302100.XA
Other languages: Chinese (zh)
Inventor: not disclosed
Current assignee: Cai Liufeng
Original assignee: Cai Liufeng
Application filed by Cai Liufeng; priority to CN201711302100.XA; published as CN107888619A.

Classifications (CPC, all under H04L, Transmission of digital information)

    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L45/123 Shortest path evaluation: evaluation of link metrics
    • H04L45/125 Shortest path evaluation based on throughput or bandwidth
    • H04L49/208 Packet switching elements, support for services: port mirroring
    • H04L63/0227 Firewalls: filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1458 Countermeasures against malicious traffic: Denial of Service
    • H04L63/20 Managing network security; network security policies in general

Abstract

The invention discloses a method of operation for an SDN system that integrates threat handling with route optimization. The SDN architecture comprises an application plane, a data plane and a control plane. In the data plane, whenever any IDS device detects a packet carrying DDoS attack characteristics, i.e. an attack threat, it reports the packet to the application plane over an SSL communication channel. The application plane analyses the attack type and formulates a corresponding attack threat handling strategy according to that type. The control plane provides the application plane with an attack threat handling interface and provides the data plane with an optimal path computation interface and/or an attack threat identification interface. When the network is under a large-scale DDoS threat, the invention can forward traffic over optimized routes according to the real-time state of the links while rapidly and accurately identifying and responding to the DDoS threat, thereby safeguarding network communication quality across the whole network.

Description

Method of operation for an SDN system integrating threat handling and route optimization
Technical field
The present invention relates to the field of network security, and more particularly to a method of operation for an SDN system that integrates threat handling with route optimization.
Background technology
At present, high-speed, widely connected networks have become important infrastructure of modern society. However, as the scale of the Internet expands, the defects of the traditional network architecture become increasingly apparent.
The latest report issued by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) shows that hacker activity is increasing, and that attacks such as website backdoors, phishing and web-page trojan injection are rising sharply; the information security of countries and enterprises faces severe challenges.
Among these, distributed denial of service (DDoS) attacks remain one of the most important threats to the safe operation of the Internet. In the past few years the number, size and types of DDoS attacks have all risen significantly.
Software defined networking (SDN) can update routing policies and rules in real time and supports deep packet analysis, so it can provide faster and more accurate network monitoring and defence against DDoS threats in complex network environments.
Content of the invention
The object of the invention is to provide an SDN architecture and method of operation integrating threat handling and route optimization, in order to solve the network security problems caused by large numbers of DDoS attacks in existing networks and to achieve fast, efficient and comprehensive identification of and defence against DDoS attacks.
To solve the above technical problem, the invention provides an SDN architecture comprising an application plane, a data plane and a control plane, wherein:
the data plane, when any IDS device in the data plane detects a packet with DDoS attack characteristics, reports it to the application plane over an SSL communication channel;
the application plane analyses the attack type and formulates a corresponding attack threat handling strategy according to the attack type;
the control plane provides the application plane with an attack threat handling interface and provides the data plane with an optimal path computation and/or attack threat identification interface.
Preferably, to implement DDoS detection in the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects address spoofing at the link layer and the internet layer; a malformed-packet detection module, which detects abnormal flag-bit settings at the internet layer and the transport layer; and an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer. A packet is inspected by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module in turn; if any module detects one of the above behaviours in the packet, the packet is handed to the application plane.
Preferably, when a packet shows spoofing and the attack threat lies within the OpenFlow domain, the application plane blocks the host through the controller in the control plane; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the packet to a traffic scrubbing center for filtering;
the application plane is further adapted, when a packet shows abnormal behaviour, to block the traffic of the attacker or attacking host through the controller; and
when a packet shows a flooding attack, the application plane redirects, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
Beneficial effects of the invention: the business function modules for DDoS threat monitoring, threat protection and route optimization are deployed in the data plane, control plane and application plane respectively. When the network is under a large-scale DDoS threat, traffic can be forwarded over optimized routes according to the real-time state of the links while the DDoS threat is rapidly and accurately identified and responded to, safeguarding network communication quality across the whole network.
In another aspect, the invention also provides a method of operation for a DDoS threat filtering SDN system, to solve the technical problem of defending against DDoS attacks.
To solve this problem, the method of operation of the DDoS threat filtering SDN system comprises: when any IDS device detects a packet with DDoS attack characteristics, it reports the packet to the IDS decision server over an SSL communication channel; the IDS decision server formulates, according to the reported information, a handling strategy corresponding to the packet with DDoS attack characteristics, and then blocks the packet through the controller or redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
Preferably, to implement DDoS detection in the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects address spoofing at the link layer and the internet layer; a malformed-packet detection module, which detects abnormal flag-bit settings at the internet layer and the transport layer; and an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer. A packet is inspected by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module in turn; if any module detects one of the above behaviours in the packet, the packet is handed to the IDS decision server.
Preferably, when a packet shows spoofing and the attack threat lies within the OpenFlow domain, the IDS decision server blocks the host through the controller; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering. The IDS decision server is further adapted, when a packet shows abnormal behaviour, to block the traffic of the attacker or attacking host through the controller; and when a packet shows a flooding attack, the IDS decision server redirects, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
In a third aspect, the invention also provides a method of operation for an SDN system integrating threat handling and route optimization, to solve the technical problems of monitoring DDoS attacks in a distributed way and of formulating corresponding threat handling strategies.
To solve this problem, the method of operation of the SDN system integrating threat handling and route optimization comprises the following steps:
step S100, network initialization; step S200, distributed DDoS threat monitoring; and step S300, threat handling and/or route optimization.
Preferably, to carry out the network configuration, the devices involved in network initialization in step S100 include a controller, an IDS decision server and distributed IDS devices;
the network initialization steps are as follows:
the controller builds a network device information binding table and updates it in real time to each IDS device;
the controller issues a flow table implementing a mirroring policy, i.e. the traffic of every host-facing port of all OpenFlow switches in a domain is mirrored to the IDS device of that domain; and
the controller issues DDoS threat identification rules to the IDS devices of each domain;
in step S200, the method of distributed DDoS threat monitoring comprises:
detecting, in turn, address spoofing at the link layer and internet layer, abnormal flag-bit settings at the internet layer and transport layer, and flooding attacks at the application layer and transport layer;
if any detection in the above process finds that a packet shows the corresponding behaviour, the packet is passed to step S300.
Preferably, the method of detecting address spoofing at the link layer and internet layer comprises:
the spoofed-packet detection module detects spoofing as follows: first, it looks up the network device information binding table; second, it parses the type of the packet encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses, MAC addresses, and the DPID and port number of the switch that uploaded the Packet-In message, and compares each of these with the corresponding entry in the binding table. If the information in the packet matches, the packet proceeds to the next detection; if it does not match, the packet is passed to step S300. The method of detecting abnormal flag-bit settings at the internet layer and transport layer comprises: the malformed-packet detection module inspects each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification; if all flag bits conform, the packet proceeds to the next detection, otherwise the packet is passed to step S300. The method of detecting flooding attacks at the application layer and transport layer comprises: the anomalous-packet detection module builds a hash table for identifying flooding attack packets, judges according to the threshold set for that hash table whether the packet belongs to a flooding attack, and passes the result to step S300.
Preferably, in step S300 the method of threat handling and/or route optimization comprises: if a packet shows spoofing and the attack threat lies within the OpenFlow domain, the IDS decision server blocks the host through the controller, and when the attack threat lies outside the OpenFlow domain the controller redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering; if a packet shows abnormal behaviour, the IDS decision server blocks the traffic of the attacker or attacking host through the controller; if a packet shows a flooding attack, the IDS decision server redirects, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering; and/or the optimized path is computed according to the link load factor, i.e. the remaining bandwidth of the link between two adjacent nodes is measured to obtain the load factor of that link, the optimal path between any two points is obtained from the load factors and the initialized network topology, and the controller derives the corresponding forwarding flow tables from the optimal path and issues them to each switch.
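The load-factor route selection and flow-table derivation of step S300, as an added Python example that is not the patent's own code: the topology, port numbers and remaining-bandwidth snapshots are constructed, and both the load factor definition (share of capacity in use) and the additive per-hop cost of 1 + load factor are assumptions, since the page does not define them.

```python
import heapq

# Initialized topology as the controller would hold it (constructed):
# (switch A, port on A, switch B, port on B, link capacity in Mbit/s)
TOPOLOGY = [
    ("s1", 1, "s2", 1, 1000),
    ("s2", 2, "s4", 1, 1000),
    ("s1", 2, "s3", 1, 1000),
    ("s3", 2, "s4", 2, 1000),
]


def load_factor(remaining, capacity):
    """Assumed definition: the share of the link's capacity already in use."""
    return max(0.0, min(1.0, 1.0 - remaining / capacity))


def build_graph(topology, remaining):
    """node -> {neighbour: (cost, out_port)}.  Assumed cost = 1 + load factor, so
    every hop costs at least 1 and a saturated link costs twice an idle one."""
    graph = {}
    for a, pa, b, pb, capacity in topology:
        cost = 1.0 + load_factor(remaining[(a, b)], capacity)
        graph.setdefault(a, {})[b] = (cost, pa)
        graph.setdefault(b, {})[a] = (cost, pb)
    return graph


def optimal_path(graph, src, dst):
    """Dijkstra over the load-weighted graph; returns the node list or None."""
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue  # stale heap entry
        for v, (cost, _) in graph[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v], prev[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def flow_entries(graph, path, dst_ip):
    """One forwarding entry per switch on the path: match the destination,
    output on the port that leads to the next hop (OpenFlow-style fields)."""
    return [(u, {"ipv4_dst": dst_ip}, {"output": graph[u][v][1]})
            for u, v in zip(path, path[1:])]


def demo():
    """Two constructed remaining-bandwidth snapshots; the chosen path follows the load."""
    busy_s2 = {("s1", "s2"): 900, ("s2", "s4"): 100, ("s1", "s3"): 600, ("s3", "s4"): 500}
    busy_s3 = {("s1", "s2"): 900, ("s2", "s4"): 800, ("s1", "s3"): 600, ("s3", "s4"): 50}
    path1 = optimal_path(build_graph(TOPOLOGY, busy_s2), "s1", "s4")
    g2 = build_graph(TOPOLOGY, busy_s3)
    path2 = optimal_path(g2, "s1", "s4")
    return path1, path2, flow_entries(g2, path2, "10.0.4.1")
```

Both candidate paths have two hops, so only the measured load decides between them; as the s2 branch fills up the path moves to s3, and back when s3 saturates.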
Preferably, the method by which the IDS decision server blocks the program and/or host sending a packet comprises: first, building the corresponding counting hash tables in the IDS decision server and setting the corresponding thresholds, i.e. per unit time, a first hash table counting spoofing behaviour, a second hash table counting abnormal flag-bit settings and a third hash table counting flooding attacks, with first, second and third thresholds set for the first, second and third hash tables respectively; second, blocking the program and/or host sending the packet, i.e. the behaviour of each packet passed to the IDS decision server is counted in the corresponding hash table, and when the count exceeds the corresponding threshold the program and/or host sending the packet is blocked.
Beneficial effects of the invention: (1) the invention combines DDoS threat filtering with route optimization, so that monitoring and blocking DDoS attacks does not cause data congestion, and by separating monitoring from threat handling it effectively relieves the load on the control plane and ensures safer, more efficient network operation; (2) the invention fundamentally resolves the problem that, under a traditional network architecture, DDoS attacks using forged addresses cannot be identified and traced to their source. Whether the network carries DDoS attacks or legitimate high-volume traffic, the controller can optimize the routing of normal traffic based on real-time awareness of network parameters such as remaining link bandwidth, substantially improving the user experience; (3) the processing framework uses an open, modular design, achieving efficient detection and flexible handling of DDoS threats; (4) each module obtains packet information through an independent interface, reducing coupling between modules; (5) each module uses optimized program data structures and splits each processing sub-flow finely, improving module cohesion.
Brief description of the drawings
In order that the content of the present disclosure may be more clearly understood, the invention is described in further detail below according to specific embodiments and with reference to the accompanying drawings, in which
Fig. 1 shows the schematic block diagram of the data layer in a software defined network;
Fig. 2 shows the schematic block diagram of a DDoS attack identification and protection system based on the SDN architecture;
Fig. 3 shows the workflow of the spoofed-packet detection module;
Fig. 4 shows the workflow of the malformed-packet detection module;
Fig. 5 shows the UDP flooding detection flow chart;
Fig. 6 shows the ICMP flooding detection flow chart.
Embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in more detail below in conjunction with embodiments and with reference to the drawings. It should be understood that these descriptions are merely illustrative and are not intended to limit the scope of the invention. In addition, descriptions of known structures and technologies are omitted below so as not to obscure the concept of the invention unnecessarily.
Fig. 1 shows the schematic block diagram of the data layer in a software defined network.
As shown in Fig. 1, in the software defined network (SDN) architecture, when a packet reaches a switch it is first matched against the flow table held by the switch. If the match succeeds, the forwarding rule is executed according to the action specified in the flow table. If the match fails, the switch encapsulates the packet in a Packet-In message and sends it to the controller, keeping a copy of the packet in its local cache while it waits for the controller's decision on how to handle it.
There are many hosts in the network, so a hash table keyed on every host in the network must be established, referred to as the "violation-count hash table group". It comprises a first hash table for counting spoofed packets, a second hash table for counting malformed packets and a third hash table for counting flooding attacks, and records the number of violations of each host, that is, the credibility of the host.
Packets in the network arrive in real time, so a hash table counting threat packets per unit time is also needed, in which each host corresponds to one key and the value is the number of threat packets sent by that host within the recorded unit time. At the beginning of each unit time ("time slice") the values of all keys in such a hash table must be reset to 0; and every kind of detection needs such a table, so if 100 kinds of packet are detected, 100 such hash tables are required.
Moreover, each hash table must have a corresponding threshold. Whenever a host's value in a hash table is incremented, the value is checked against the set threshold; if it exceeds the threshold, the corresponding record in the violation-count hash table is incremented.
Also, the parameters of each hash table, such as the threshold and the time-slice length, can be adjusted through an interface.
For example, the hash tables for the hosts are:
Unit-time spoofed-packet count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ......  Host n
1      2      2      1      100    2      0      0      ......  0
Unit-time malformed-packet count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ......  Host n
1      2      2      1      100    2      0      0      ......  0
Unit-time SYN count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ......  Host n
1      1      0      1      100    2      0      0      ......  0
Unit-time UDP Flood count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ......  Host n
1      1      0      1      10     2      0      0      ......  0
Unit-time ICMP Flood count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ......  Host n
1      1      0      1      100    2      0      0      ......  0
......
All of the above hash tables are unit-time count tables; at the start of each time slice all corresponding values are reset to 0.
Violation-count hash table
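The detection chain of step S200 together with the unit-time count tables and violation-count table described above, as an added Python example that is not the patent's own code: the binding table, thresholds, time-slice length and packets are constructed, and the particular TCP flag combinations treated as malformed are an assumption, since the page only says the flags must conform to the TCP/IP specification.

```python
from collections import Counter
from dataclasses import dataclass

# Network device information binding table as the controller would build it:
# (switch DPID, ingress port) -> (host MAC, host IP).  Constructed sample data.
BINDING_TABLE = {
    ("00:00:00:00:00:00:00:01", 1): ("02:00:00:00:00:01", "10.0.0.1"),
    ("00:00:00:00:00:00:00:01", 2): ("02:00:00:00:00:02", "10.0.0.2"),
}
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits


@dataclass
class PacketIn:
    dpid: str           # switch that uploaded the Packet-In
    in_port: int        # its ingress port
    src_mac: str
    src_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    tcp_flags: int = 0  # flags byte, meaningful for TCP only


def is_spoofed(pkt, table=BINDING_TABLE):
    """Spoofed-packet module: source MAC/IP must match the binding for (DPID, port)."""
    return table.get((pkt.dpid, pkt.in_port)) != (pkt.src_mac, pkt.src_ip)


def is_malformed(pkt):
    """Malformed-packet module: no TCP flags, SYN with FIN/RST, or FIN/PSH/URG without ACK."""
    if pkt.proto != "tcp":
        return False
    f = pkt.tcp_flags & 0x3F
    return (f == 0 or bool(f & SYN and f & (FIN | RST))
            or bool(f & (FIN | PSH | URG) and not f & ACK))


class SliceCounter:
    """Unit-time count hash table: host -> count; every key is reset to 0 each slice."""
    def __init__(self, threshold, slice_len=1.0):
        self.threshold, self.slice_len = threshold, slice_len
        self.slice_start, self.counts = None, Counter()

    def hit(self, host, now):
        """Count one event for host; True once the slice threshold is exceeded."""
        if self.slice_start is None or now - self.slice_start >= self.slice_len:
            self.slice_start, self.counts = now, Counter()
        self.counts[host] += 1
        return self.counts[host] > self.threshold


class IdsDecisionServer:
    """Runs the modules in order, counts per kind, keeps the violation-count table."""
    def __init__(self, thresholds):
        self.tables = {k: SliceCounter(t) for k, t in thresholds.items()}
        self.violations = Counter()  # violation-count table: the host's credibility

    def inspect(self, pkt, now):
        """(kind, over_threshold) for a suspicious packet, else None; floods must exceed first."""
        if is_spoofed(pkt):
            kind = "spoof"
        elif is_malformed(pkt):
            kind = "malformed"
        elif pkt.proto == "tcp" and pkt.tcp_flags == SYN:
            kind = "syn_flood"
        elif pkt.proto in ("udp", "icmp"):
            kind = pkt.proto + "_flood"
        else:
            return None
        over = self.tables[kind].hit(pkt.src_ip, now)
        if over:
            self.violations[pkt.src_ip] += 1
        if kind.endswith("_flood") and not over:
            return None
        return kind, over


def decide(kind, over, in_openflow_domain=True):
    """Step S300 action names from the page; below threshold the packet is only counted."""
    if not over:
        return "count"
    if kind == "spoof":
        return "block_host" if in_openflow_domain else "redirect_to_scrubbing"
    if kind == "malformed":
        return "block_attacker_flow"
    return "redirect_to_scrubbing"  # every flooding kind


def demo():
    """Replay constructed traffic: a UDP flood, a spoofed source, a null-flag segment."""
    ids = IdsDecisionServer({"spoof": 2, "malformed": 2, "syn_flood": 5,
                             "udp_flood": 5, "icmp_flood": 5})
    dpid, findings = "00:00:00:00:00:00:00:01", []
    for i in range(8):  # 8 UDP packets inside one slice; the 6th exceeds the threshold of 5
        f = ids.inspect(PacketIn(dpid, 1, "02:00:00:00:00:01", "10.0.0.1", "udp"), i * 0.05)
        if f:
            findings.append(f)
    # host on port 2 claiming port 1's IP, then a correctly bound host sending no TCP flags
    findings.append(ids.inspect(PacketIn(dpid, 2, "02:00:00:00:00:02", "10.0.0.1", "tcp", SYN | ACK), 0.5))
    findings.append(ids.inspect(PacketIn(dpid, 2, "02:00:00:00:00:02", "10.0.0.2", "tcp", 0), 0.6))
    return findings, dict(ids.violations)
```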
On the basis of the foregoing principle, the specific implementation of the present embodiment is as follows.
Embodiment 1
Fig. 2 shows the SDN architecture diagram of the invention.
As shown in Fig. 2, an SDN architecture comprises an application plane, a data plane and a control plane. In the data plane, when any IDS (intrusion detection system) device detects a packet with DDoS attack characteristics, it reports the packet to the application plane over an SSL communication channel. The application plane analyses the attack type and formulates a corresponding attack threat handling strategy according to that type. The control plane provides the application plane with an attack threat handling interface and provides the data plane with an optimal path computation and/or attack threat identification interface.
Here the DDoS attack characteristics are defined as: address spoofing at the link layer and internet layer, abnormal flag-bit settings at the internet layer and transport layer, and flooding attacks at the application layer and transport layer.
The IDS device comprises:
a spoofed-packet detection module, which detects address spoofing at the link layer and the internet layer; a malformed-packet detection module, which detects abnormal flag-bit settings at the internet layer and the transport layer; and an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer. A packet is inspected by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module in turn; if any module detects one of the above behaviours in the packet, the packet is handed to the application plane.
When a packet shows spoofing and the attack threat lies within the OpenFlow domain, the application plane blocks the host through the controller in the control plane; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering. The application plane is further adapted, when a packet shows abnormal behaviour, to block the traffic of the attacker or attacking host through the controller; and when a packet shows a flooding attack, the application plane redirects, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
In Fig. 2, the attack type analysis and attack threat handling strategy of the application plane, the attack threat monitoring, attack threat blocking and route optimization of the data plane, and the attack threat handling, attack threat identification and optimal path computation of the control plane are elaborated in the following embodiments.
The application plane can be implemented by the IDS decision server and the control plane by the controller; see the following embodiments for details.
Embodiment 2
Fig. 3 shows the structural block diagram of the SDN system of the invention.
As shown in Fig. 3, a method of operation based on the DDoS threat filtering SDN system comprises: when any IDS device detects a packet with DDoS attack characteristics, it reports the packet to the IDS decision server over an SSL communication channel; the IDS decision server formulates, according to the reported information, a handling strategy corresponding to the packet with DDoS attack characteristics, and then blocks the packet through the controller or redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
Fig. 4 shows the schematic block diagram of the SDN system.
As shown in Fig. 4, the IDS device further comprises:
a spoofed-packet detection module, which detects address spoofing at the link layer and the internet layer;
a malformed-packet detection module, which detects abnormal flag-bit settings at the internet layer and the transport layer;
an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer;
a packet is inspected by the spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module in turn;
and if any module detects one of the above behaviours in the packet, the packet is handed to the IDS decision server.
Further, when a packet shows spoofing and the attack threat lies within the OpenFlow domain, the IDS decision server blocks the host through the controller; when the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering. The IDS decision server is further adapted, when a packet shows abnormal behaviour, to block the traffic of the attacker or attacking host through the controller; and when a packet shows a flooding attack, the IDS decision server redirects, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
The invention inspects packets in the order spoofed-packet detection module, then malformed-packet detection module, then anomalous-packet detection module. Each module obtains packet information through an independent interface, which reduces coupling between modules, and each module uses optimized program data structures and finely splits each processing sub-flow, which improves module cohesion. This detection order improves the efficiency of packet inspection and reduces loss.
Fig. 5 shows the workflow diagram of deception packet check module.
As shown in figure 5, network equipment information binding table is called by the deception packet check module, and in the IDS The first Hash table that is counted to packet cheating behavior of being suitable in the unit interval is built in policy server, and is set The first threshold values in first Hash table;The deception packet check module, will be encapsulated in the message in Packet-In message Type parsed, with obtain corresponding source, purpose IP address, MAC Address and upload Packet- In message exchange Machine DPID and port number information, and each information is compared with the corresponding information in network equipment information binding table respectively; If the above- mentioned information matching in message, message is transferred to and destroys packet check module;If above- mentioned information in message is not Match somebody with somebody, be then transferred to the IDS policy servers, message is abandoned, and deceptive practices are counted simultaneously, when the counting When value is more than the first threshold values, shielding sends the program and/or main frame of the message.
Specifically, the deception packet check module is used to carry out first time judgement to message, that is, judge message whether be IP spoofing attack message, port spoofing attack message or MAC spoofing attack messages.
Specific steps include:Parse source, target MAC (Media Access Control) address and interchanger entrance, Ran Hougen in ethernet frames first Different messages is parsed according to different type of messages.When type of message is IP, ARP, RARP, then parse corresponding source, Then these information are carried out matching of tabling look-up by purpose IP address to the information in network equipment information binding table, if matched Corresponding information, then give and destroy packet check resume module.If mismatching, the message is transferred at IDS policy servers Reason;And accumulated counts are carried out to deceptive practices simultaneously, when the count value is more than the first threshold values, shielding sends the journey of the message Sequence and/or main frame.
Floodlight has a device manager module, DeviceManagerImpl, which tracks a device as it moves in the network and redefines the device according to new flows.
The device manager learns devices from Packet-In messages, extracting the device's network parameters (source and destination IP, MAC, VLAN and so on) from the Packet-In, and an entity classifier distinguishes switches from hosts. By default the entity classifier identifies a device by its MAC address and/or VLAN, two attributes that uniquely identify a device. Another important item is the device's attachment point (switch DPID and port number): within one OpenFlow domain a device can have only one attachment point, where an OpenFlow domain means the set of switches connected to the same Floodlight instance. The device manager also keeps an expiry time for IP addresses, attachment points and devices, using the last-seen timestamp to decide whether they have expired.
Therefore the network-device information binding table module only needs to call the IDeviceService provided by DeviceManagerImpl and register an IDeviceListener with that service.
The declaration of the binding table module as a Floodlight module is:
Services depended on: IFloodlightProviderService, IDeviceService
Interfaces implemented: IFloodlightModule, IDeviceListener
Records in the binding table are refreshed in real time by the switch's port status trigger mechanism (unplugging the network cable triggers PortDown, plugging it in triggers PortUp).
A conventional DDoS attack cannot touch or alter the switch DPID and switch port information; this advantage allows spoofing attacks to be detected more flexibly. The check is only as good as the binding table, however: hosts sharing one access port (for example behind an unmanaged switch) cannot be told apart by DPID and port alone, and a host that has legitimately moved must be re-learned before its traffic passes.
Fig. 6 shows the workflow of the malformed-packet detection module.
As shown in Fig. 6, a second hash table, adapted to count abnormal flag-bit settings in packets within a unit time interval, is built in the IDS decision server, and a second threshold is set on it. The malformed-packet detection module checks each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet is passed to the abnormal-packet detection module. If not, the packet is passed to the IDS decision server, which drops it and at the same time counts the abnormal flag-bit setting; when the count exceeds the second threshold, the program and/or host that sent the packet is blocked.
Specifically, the malformed-packet detection module makes the second judgement on a packet: whether it is an attack packet with malicious flag-bit features. Such packets include, but are not limited to, IP attack packets and TCP attack packets. The implementation checks the flag bits of each IP and TCP/UDP packet, i.e. whether each flag bit conforms to the TCP/IP protocol specification. If so, the packet is handed directly to the abnormal-packet detection module; if not, it is judged an attack packet and handed to the IDS decision server.
Take a typical attack such as Teardrop as an example. The IP header carries a fragment offset field and a More Fragments (MF) flag; if the attacker sets the offset field to incorrect values, the IP fragments overlap or leave gaps, and a vulnerable target crashes when it reassembles them.
The IP header also carries a protocol field that states which protocol the IP packet carries. The values in use are small (the scheme treats values above 100 as abnormal; note that IANA assigns numbers above 100, for example 132 for SCTP and 136 for UDP-Lite, reserves 253 and 254 for experimentation and 255 altogether, so a fixed cut-off at 100 misclassifies legitimate protocols and a registry-based check is preferable). If an attacker sends a large number of IP packets whose protocol field lies outside the assigned range, the protocol stack of a vulnerable target can be disrupted, which constitutes an attack.
Therefore the malformed-packet detection module first extracts each flag bit of the packet and checks whether it is normal.
If normal, the packet is handed to the subsequent module.
If abnormal, the packet is dropped and the counter in the corresponding hash table is incremented. If within the unit time interval the counter exceeds the set second threshold, the IDS decision server is called to block the corresponding program and/or directly block the corresponding host.
Because packets have already been filtered by the spoofed-packet detection module, the addresses in the packets subsequently handled by the malformed-packet detection module are genuine. This effectively prevents the target from receiving malformed packets, which could directly crash its protocol stack or even the machine itself.
The processing of the malformed-packet detection module is largely similar to that of the spoofed-packet detection module; the difference is that the malformed-packet detection module parses the flag bits of each packet and then checks whether each flag bit is normal.
If normal, the packet is handed directly to the subsequent abnormal-packet detection module.
If abnormal, the packet is dropped and the counter in the hash table, referenced by host and application, is incremented. If the set threshold is exceeded, the corresponding attacking program is blocked or the attacking host is blocked directly.
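The flag-bit checks described above (fragment offset and MF consistency for Teardrop, the protocol field, and TCP flag combinations), as an added Python example that is not the patent's code and not Floodlight code. It parses raw Ethernet/IPv4 frames; the frames built with it are constructed test input, the IP checksum is left at zero because the checker does not verify it, and the set of unassigned protocol numbers is a snapshot of the IANA registry that must be refreshed in deployment.

```python
"""Flag-bit checks of the malformed-packet stage over raw Ethernet/IPv4 frames.
Added example; the frames used with it are constructed, not captured."""
import socket
import struct

ETH_HLEN, ETHERTYPE_IPV4 = 14, 0x0800
PROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
# Assumption: snapshot of the IANA protocol-number registry (146-252 unassigned,
# 255 reserved); refresh it from the registry rather than using a fixed ">100" cut-off.
BAD_PROTOCOLS = set(range(146, 253)) | {255}


class FragmentTracker:
    """Byte ranges already seen per datagram, so an overlapping fragment (Teardrop) is caught."""

    def __init__(self):
        self.seen = {}                   # (src, dst, id, proto) -> [(start, end), ...]

    def overlaps(self, key, start, end) -> bool:
        ranges = self.seen.setdefault(key, [])
        hit = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return hit


def check_frame(frame: bytes, tracker: FragmentTracker):
    """None when every flag bit is specification-conformant, otherwise the reason."""
    if len(frame) < ETH_HLEN + 20:
        return "frame too short"
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None                      # only IPv4 is checked here
    ip = frame[ETH_HLEN:]
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto = struct.unpack_from("!BBHHHBB", ip)
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        return "ip: bad version, IHL or total length"
    reserved, df, mf = (flags_off >> 15) & 1, (flags_off >> 14) & 1, (flags_off >> 13) & 1
    frag_off = (flags_off & 0x1FFF) * 8
    if reserved:
        return "ip: reserved flag bit set"
    if df and mf:
        return "ip: DF and MF both set"
    if proto in BAD_PROTOCOLS:
        return f"ip: unassigned/reserved protocol {proto}"
    payload_len = total_len - ihl
    if frag_off + payload_len > 65535:
        return "ip: fragment exceeds maximum datagram size"
    if mf or frag_off:
        key = (ip[12:16], ip[16:20], ident, proto)
        if tracker.overlaps(key, frag_off, frag_off + payload_len):
            return "ip: overlapping fragment (Teardrop)"
        if frag_off:
            return None                  # transport header lives only in the first fragment
    if proto == PROTO_TCP:
        return check_tcp_flags(ip[ihl:total_len])
    return None


def check_tcp_flags(seg: bytes):
    """Flag combinations that never occur in a conformant TCP segment."""
    if len(seg) < 20:
        return "tcp: truncated header"
    if (seg[12] >> 4) * 4 < 20:
        return "tcp: data offset below 20 bytes"
    flags = seg[13] & 0x3F
    if flags == 0:
        return "tcp: no flags set (null scan)"
    if flags & TCP_SYN and flags & TCP_FIN:
        return "tcp: SYN and FIN both set"
    if flags & TCP_SYN and flags & TCP_RST:
        return "tcp: SYN and RST both set"
    if not flags & (TCP_ACK | TCP_SYN | TCP_RST) and flags & (TCP_FIN | TCP_PSH | TCP_URG):
        return "tcp: FIN/PSH/URG without ACK (FIN/Xmas scan)"
    return None


def build_frame(src, dst, proto, payload, ident=1, df=0, mf=0, frag_off=0) -> bytes:
    """Constructed test frame; the IP checksum stays zero because check_frame does not verify it."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         (df << 14) | (mf << 13) | (frag_off // 8), 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def tcp_segment(flags) -> bytes:
    """Minimal 20-byte TCP header carrying the given flag bits (constructed)."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)
```

The tracker keeps one entry per (source, destination, identification, protocol) tuple; in a long-running detector those entries need an expiry of their own, otherwise a flood of distinct fragment IDs exhausts memory, which is itself a classic reassembly attack.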
A hash table for identifying flooding attack packets is built in the abnormal-packet detection module, and a third hash table, adapted to count flooding attacks within a unit time interval, is built in the IDS decision server with a third threshold set on it. The abnormal-packet detection module judges from the threshold set in the hash table whether the packet carries an attack. If not, the data is forwarded. If so, the packet is passed to the IDS decision server, which drops it and at the same time counts the attack; when the count exceeds the third threshold, the program and/or host that sent the packet is blocked.
Specifically, the abnormal-packet detection module makes the third judgement on a packet: whether it is a flooding attack packet.
The steps are: increment the corresponding record in the hash table built for identifying flooding attack packets and check whether it exceeds the threshold, to judge whether the packet is a flooding attack packet.
After filtering by the spoofed-packet and malformed-packet detection modules, the packets handled by the subsequent module are essentially normal packets. DDoS attacks, however, also occur with otherwise normal packets. The prior art usually performs only spoofed-packet and malformed-packet detection; this scheme adds the third stage in order to avoid DDoS attacks as far as possible.
The following embodiment shows how DDoS attacks are blocked by the abnormal-packet detection module after filtering by the spoofed-packet and malformed-packet detection modules, taking UDP flooding and ICMP flooding as examples.
UDP flooding exploits the fact that UDP establishes no connection: a large number of UDP packets are sent to the target. The target spends a great deal of time processing them; the attack packets not only overflow the buffer that holds UDP packets but also consume a large share of the network bandwidth, so the target cannot (or can rarely) receive legitimate UDP packets.
Because many different hosts send large numbers of UDP packets to one host, some packets inevitably hit UDP ports that are not in use, so the scheme can observe the ICMP port-unreachable packets that the target returns.
The scheme therefore builds a hash table covering all hosts, used specifically to store the number of ICMP port-unreachable packets each host receives within the unit time interval (the host receiving them is the sender of the UDP packets). If the set threshold is exceeded, the corresponding attacking program is blocked directly. Note that most operating systems rate-limit the ICMP errors they generate, so this count understates the true packet rate and the threshold has to be chosen accordingly.
For ICMP flooding, ICMP packets are simply counted per unit time interval; if the corresponding threshold is exceeded, the corresponding host is blocked. Although simple, this method is direct and effective.
Thus, when the abnormal-packet detection module finds that the packet type is one it monitors, it checks the corresponding counter against the threshold. If the threshold is not exceeded, the packet may also be forwarded under the optimal routing policy; if it is exceeded, the corresponding attacking program is blocked, or the corresponding host is blocked directly.
When any of the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module judges a packet to be one of the above attack packets, the attack packet is passed to the IDS decision server, i.e. the packet is dropped and the program and/or host that sent it is blocked.
Whenever the spoofed-packet detection module, the malformed-packet detection module or the abnormal-packet detection module needs to drop a packet or block a threatening host, it directly invokes the IDS decision server to carry out the corresponding threat-handling operation.
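The binding-table comparison of the spoofed-packet module (Fig. 5) and the per-unit-time counting that the flooding checks of the abnormal-packet module and the IDS decision server rely on, as an added Python example that is not part of the patent and not Floodlight code. It assumes the Packet-In has already been parsed into a dict holding the source IP, source MAC, switch DPID and ingress port (plus protocol and ICMP type/code for stage 3), a constructed binding table, and arbitrary thresholds. The spoofing counter is keyed on the switch DPID and port rather than on the forgeable addresses, which is the advantage the text describes; the `Binding` layout and the verdict strings are this example's own.

```python
"""Stage 1 (spoofed-packet) and stage 3 (flooding) detection with per-window hash tables.
Added example; thresholds, bindings and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the network-device information binding table (assumed layout)."""
    ip: str
    mac: str
    dpid: int     # switch datapath ID the host is attached to
    port: int     # ingress port on that switch


class WindowCounter:
    """Hash table of counts that restart at every `interval`-second boundary.
    bump() returns True once the count in the current window exceeds `threshold`."""

    def __init__(self, interval: float, threshold: int):
        self.interval, self.threshold = interval, threshold
        self.table = {}                       # key -> (window index, count)

    def bump(self, key, now: float) -> bool:
        window = int(now // self.interval)
        prev_window, count = self.table.get(key, (window, 0))
        count = count + 1 if prev_window == window else 1
        self.table[key] = (window, count)
        return count > self.threshold


class SpoofDetector:
    """Compares the Packet-In's addresses with the binding table and counts mismatches
    per (DPID, port), which the sender cannot forge, rather than per claimed address."""

    def __init__(self, bindings, interval=1.0, threshold=5):
        self.by_ip = {b.ip: b for b in bindings}
        self.counter = WindowCounter(interval, threshold)

    def check(self, pkt: dict, now: float) -> str:
        """'pass' (hand to stage 2), 'drop' (discard) or 'block' (drop and shield the sender)."""
        b = self.by_ip.get(pkt["src_ip"])
        if b is not None and (b.mac, b.dpid, b.port) == (pkt["src_mac"], pkt["dpid"], pkt["in_port"]):
            return "pass"
        exceeded = self.counter.bump((pkt["dpid"], pkt["in_port"]), now)
        return "block" if exceeded else "drop"


class FloodDetector:
    """UDP flood: count ICMP port-unreachable replies per host that receives them
    (the UDP sender). ICMP flood: count echo requests per source host."""

    ICMP, UNREACHABLE, PORT_UNREACHABLE, ECHO_REQUEST = 1, 3, 3, 8

    def __init__(self, interval=1.0, unreachable_threshold=20, echo_threshold=100):
        self.unreach = WindowCounter(interval, unreachable_threshold)
        self.echo = WindowCounter(interval, echo_threshold)

    def check(self, pkt: dict, now: float) -> str:
        if pkt["proto"] != self.ICMP:
            return "pass"
        if (pkt["icmp_type"], pkt["icmp_code"]) == (self.UNREACHABLE, self.PORT_UNREACHABLE):
            return "block" if self.unreach.bump(pkt["dst_ip"], now) else "pass"
        if pkt["icmp_type"] == self.ECHO_REQUEST:
            return "block" if self.echo.bump(pkt["src_ip"], now) else "pass"
        return "pass"


if __name__ == "__main__":
    # Constructed inputs: one bound host on switch 1 port 3, then a burst of Packet-Ins
    # from that same port claiming another host's IP address.
    spoof = SpoofDetector([Binding("10.0.0.5", "00:00:00:00:00:05", 1, 3)], threshold=2)
    forged = {"src_ip": "10.0.0.9", "src_mac": "00:00:00:00:00:05", "dpid": 1, "in_port": 3}
    print([spoof.check(forged, 0.1 * i) for i in range(1, 4)])   # ['drop', 'drop', 'block']
```

A window that resets on a fixed boundary lets a sender exceed the threshold across two adjacent windows without tripping it; a sliding window or a token bucket closes that gap at the cost of keeping timestamps per key.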
The implementation steps of the IDS decision server are as follows.
Dropping the packet, i.e. discarding the data packet, proceeds as follows:
When a packet matches no flow entry, the OpenFl switch encapsulates it in a Packet-In message and may at the same time keep a copy of the packet in its local buffer; the buffered packet has a buffer ID, which is also carried in the buffer_id field of the Packet-In message. The packet is discarded by sending a Packet-Out message whose buffer_id is set to the buffer ID of the packet to be dropped (the buffer_id from the corresponding Packet-In) and whose action list is empty, so the switch releases the buffered packet without forwarding it. If the Packet-In carried no buffer ID (the switch sent the whole packet instead of buffering it), there is nothing to release; the controller simply does not reinject the packet.
Blocking a host proceeds as follows.
The OpenFlow flow entry is structured as:
Header fields | Counters | Actions
The header fields are the match fields (ingress port, Ethernet addresses and type, VLAN, IP addresses and protocol, transport ports) that are filled in step 1 below.
The IDS decision server blocks an application program (or a host) as follows:
Step 1: fill in the corresponding match fields in the header fields of the flow entry and set the Wildcards mask so that the entry targets the attacking program or host. To block an attacking program, fill in the match fields IP, MAC, VLAN, switch DPID, switch port, protocol type and its port number(s); to block a host, fill in the match fields IP, MAC, VLAN, switch DPID and switch port.
Step 2: leave the action list of the flow entry empty, so that packets from the attacking program/host are dropped.
Step 3: read the record values in each hash table and compute the flow entry's timeout, i.e. the time after which it is deleted automatically.
Step 4: issue the flow entry to block the program or host.
Thus the network of this scheme can effectively identify and filter out attack packets.
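The Packet-Out drop and the four flow-entry steps above, as an added Python example (not the patent's code and not Floodlight's) that encodes the raw messages with `struct`. The wildcard-mask layout of step 1 is the OpenFlow 1.0 one, which is what the example follows; OpenFlow 1.3, used in Embodiment 4, carries matches as OXM TLVs instead. The switch DPID is not a match field: it selects the switch connection on which the message is sent. The timeout policy in `timeout_from_count` and the priority value are assumptions of this example.

```python
"""OpenFlow 1.0 encoders for the IDS decision server's drop actions.
Added example; message layouts follow the OpenFlow 1.0 specification, the timeout policy is assumed."""
import socket
import struct

OFP_VERSION_1_0 = 0x01
OFPT_PACKET_OUT, OFPT_FLOW_MOD = 13, 14
OFPFC_ADD = 0
OFP_NO_BUFFER = 0xFFFFFFFF          # buffer_id meaning "packet was not buffered on the switch"
OFPP_NONE = 0xFFFF
OFP_VLAN_NONE = 0xFFFF

# ofp_flow_wildcards bits (OpenFlow 1.0): a set bit means "ignore this field".
OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, OFPFW_DL_DST = 1 << 0, 1 << 1, 1 << 2, 1 << 3
OFPFW_DL_TYPE, OFPFW_NW_PROTO, OFPFW_TP_SRC, OFPFW_TP_DST = 1 << 4, 1 << 5, 1 << 6, 1 << 7
OFPFW_NW_SRC_ALL, OFPFW_NW_DST_ALL = 32 << 8, 32 << 14
OFPFW_DL_VLAN_PCP, OFPFW_NW_TOS = 1 << 20, 1 << 21

MATCH_FMT = "!IH6s6sHBxHBBxxIIHH"     # struct ofp_match, 40 bytes
FLOW_MOD_TAIL_FMT = "!QHHHHIHH"        # cookie, command, idle/hard timeout, priority, buffer_id, out_port, flags
FLOW_MOD_LEN = 8 + 40 + 24             # header + match + tail, with no actions


def _header(msg_type, body_len, xid):
    return struct.pack("!BBHI", OFP_VERSION_1_0, msg_type, 8 + body_len, xid)


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ipv4(text):
    return struct.unpack("!I", socket.inet_aton(text))[0]


def timeout_from_count(count, threshold, base=30, cap=3600):
    """Step 3 (assumed policy): idle_timeout grows with how far the hash-table count exceeds the threshold."""
    return min(cap, base * max(1, count // threshold))


def drop_flow_mod(xid, src_ip, src_mac, in_port, vlan=OFP_VLAN_NONE,
                  proto=None, tp_src=None, tp_dst=None, idle_timeout=60, priority=1000):
    """Flow entry with an empty action list, which is how OpenFlow 1.0 expresses 'drop'.
    proto given: block one program (source addresses, protocol, ports and attachment point).
    proto None:  block the whole host (protocol and port fields wildcarded).
    The switch DPID is not matched here; it picks the connection this message is sent on."""
    wildcards = OFPFW_DL_DST | OFPFW_NW_DST_ALL | OFPFW_DL_VLAN_PCP | OFPFW_NW_TOS
    if proto is None:
        wildcards |= OFPFW_NW_PROTO | OFPFW_TP_SRC | OFPFW_TP_DST
    else:
        wildcards |= (OFPFW_TP_SRC if tp_src is None else 0) | (OFPFW_TP_DST if tp_dst is None else 0)
    match = struct.pack(MATCH_FMT, wildcards, in_port, _mac(src_mac), b"\x00" * 6, vlan, 0,
                        0x0800, 0, proto or 0, _ipv4(src_ip), 0, tp_src or 0, tp_dst or 0)
    tail = struct.pack(FLOW_MOD_TAIL_FMT, 0, OFPFC_ADD, idle_timeout, 0, priority,
                       OFP_NO_BUFFER, OFPP_NONE, 0)
    return _header(OFPT_FLOW_MOD, len(match) + len(tail), xid) + match + tail


def drop_packet_out(xid, buffer_id, in_port):
    """Packet-Out with actions_len 0: the switch frees the buffered packet without forwarding it."""
    if buffer_id == OFP_NO_BUFFER:
        raise ValueError("packet was not buffered on the switch; nothing to release")
    body = struct.pack("!IHH", buffer_id, in_port, 0)
    return _header(OFPT_PACKET_OUT, len(body), xid) + body


def decode_flow_mod(msg):
    """Read back the fields that matter for a drop rule, to check what is about to be sent."""
    _ver, msg_type, length, _xid = struct.unpack_from("!BBHI", msg, 0)
    m = struct.unpack_from(MATCH_FMT, msg, 8)
    t = struct.unpack_from(FLOW_MOD_TAIL_FMT, msg, 48)
    return {"type": msg_type, "length": length, "wildcards": m[0], "in_port": m[1],
            "dl_src": m[2].hex(":"), "nw_proto": m[8],
            "nw_src": socket.inet_ntoa(struct.pack("!I", m[9])),
            "idle_timeout": t[2], "priority": t[4], "actions_len": len(msg) - FLOW_MOD_LEN}
```

The mirroring entries of step S104 in Embodiment 3 use the same layout with an action list (two output actions, the normal next hop and the port towards the IDS device) appended after the tail and the header length increased to match. The priority must exceed that of the forwarding entries issued by the routing module, otherwise the drop entry never matches.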
Optionally, after a normal packet has passed all the above modules, a real-time optimal routing policy is issued for it.
The steps are as follows.
First, in step S1 an acquisition request is submitted to the controller's topology interface (API), and in step S2 the whole-network topology is obtained.
Then the whole-network link state is acquired: step S3 is entered, step S10 obtains the whole-network link state, and the residual bandwidth of every link in the network is computed.
Then the real-time optimal path is computed using the classic Dijkstra algorithm, modified so that the edge weight is the reciprocal of the link residual bandwidth obtained in the previous step. This makes the computed path the least congested one (the text also describes it as the path of lowest transmission delay; note that residual bandwidth measures queueing headroom, not propagation delay). The specific algorithm of the optimal path is described in Embodiment 3.
Finally the computed optimal path is converted into a real-time optimal path policy consisting of flow entries, which is issued in step S11.
Step S1 uses the topology interface, an API that comes with the controller; the controller discovers links with LLDP (Link Layer Discovery Protocol) and broadcast packets and then computes the network topology automatically.
Step S2: the controller's topology interface returns the result of the topology acquisition request to the "whole-network topology acquisition module" of the "real-time optimal path computation module".
In step S3 the "whole-network link state acquisition module" sends a request to the "switch query interface module" to obtain the whole-network link state. The "switch query interface module" is extended from the "switch features query module" and the "switch statistics query module" that come with the controller, and implements the computation and query of link residual bandwidth.
Then, in step S4, the "switch query module" sends a switch features request to all switches in the network. In step S5 it receives the features reply messages fed back by the switches and parses the curr field of each port to obtain the port's current bandwidth B. (In OpenFlow 1.0 the curr field is a bitmap of port feature flags such as 1GB_FD, which must be decoded into a rate; OpenFlow 1.3 port descriptions carry an explicit curr_speed in kbit/s.)
Next, in step S6 the module sends a switch statistics request to all switches in the network, covering port statistics such as packets sent, bytes sent, bytes received and packets received. In step S7 the module receives the statistics reply messages from the switches, parses the tx_bytes field to obtain the sent byte count N1, and records the current time t1.
Next, in step S8 the module again sends a switch statistics request to all switches in the network. In step S9 it receives the statistics reply messages, stops timing and records the current time t2, then parses tx_bytes to obtain the sent byte count N2.
The current residual bandwidth of the port is then B - (N2 - N1)/(t2 - t1), where (N2 - N1) must be converted from bytes to bits so that both terms are in the same unit as B.
The acquired network topology is then used to compute the residual bandwidth of each link:
For a link between two switches, the residual bandwidth of the switch ports at both ends is obtained, and the link's residual bandwidth is the smaller of the two.
For a link between a host and a switch, the residual bandwidth of the switch port connected to the host is obtained, and that is the link's residual bandwidth.
Step S4: the controller sends a Features Request message to all switches in the network.
Step S5: the controller receives the Features Reply messages fed back by the switches.
Step S6: the controller sends a Stats Request message to all switches in the network.
Step S7: the controller receives the Stats Reply messages fed back by the switches.
Step S8: the controller again sends a Stats Request message to all switches in the network.
Step S9: the controller receives the Stats Reply messages fed back by the switches.
Step S10: the switch query interface returns the computed link residual bandwidth information to the "whole-network link state acquisition module".
Step S11: the routing policy issuing module turns the computed real-time optimal routing policy into flow entries and issues them, in step S12, to the switches concerned.
Step S12: this interface is the controller's own API for issuing the computed optimal routing policy.
Thus, while the DDoS attack is being defended against, the optimal path policy keeps the network's average transmission delay from surging.
Embodiment 3
On the basis of Embodiments 1 and 2, a method of operating an SDN system integrating threat handling and routing optimisation, which uses distributed detection and centralised handling to relieve the controller's workload and to improve detection efficiency and data transmission rate.
The method of operating the SDN system integrating threat handling and routing optimisation of the present invention comprises the following steps:
Step S100, network initialisation; step S200, distributed DDoS threat monitoring; and step S300, threat handling and/or routing optimisation.
Further, the devices involved in network initialisation in step S100 include the controller, the IDS decision server and the distributed IDS devices.
The network initialisation steps are as follows:
Step S101, the IDS decision server establishes a dedicated SSL communication channel with each IDS device (step S101 is optional); step S102, the controller builds the network-device information binding table and updates it in real time into each IDS device; step S104, the controller issues flow entries implementing a mirroring policy, which mirror the traffic of every host-facing port of all OF switches in the domain to the corresponding IDS device; and step S105, the controller issues DDoS threat identification rules to the corresponding IDS devices in each domain.
The distributed DDoS threat monitoring method of step S200 comprises detecting, in turn, address spoofing at the link layer and internet layer, abnormal flag-bit settings at the internet layer and transport layer, and flooding attacks at the application layer and transport layer. If any of these detections judges the packet to show the corresponding behaviour, the packet is passed to step S300.
The specific steps are:
Step S210, detect address spoofing at the link layer and internet layer.
Step S220, detect abnormal flag-bit settings at the internet layer and transport layer.
Step S230, detect flooding attacks at the application layer and transport layer.
Step S240, after the packet has passed in turn through steps S210, S220 and S230, if any step has judged the packet to show spoofing, abnormal flag bits or a flooding attack, pass the packet to step S300.
The detection of address spoofing at the link layer and internet layer in step S210 comprises: step S211, the spoofed-packet detection module calls the network-device information binding table; step S212, the spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the corresponding source and destination IP addresses and MAC addresses together with the DPID and port number of the switch that sent the Packet-In, and compares each item with the corresponding entry in the network-device information binding table; if all items match, the packet is passed to step S220; if any item does not match, the packet is passed to step S300.
The detection of abnormal flag-bit settings at the internet layer and transport layer in step S220 comprises: checking each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification; if every flag bit conforms, the packet is passed to step S230; if not, the packet is passed to step S300.
The detection of flooding attacks at the application layer and transport layer in step S230 comprises: step S231, building in the abnormal-packet detection module the hash table for identifying flooding attack packets; step S232, the abnormal-packet detection module judges from the threshold set in the hash table whether the packet is a flooding attack packet and passes the result to step S300; if there is no attack, the data is forwarded normally or under the optimal path policy described above; if there is an attack, the corresponding blocking measure is taken.
The threat handling and/or routing optimisation of step S300 comprises:
If the packet shows spoofing behaviour and the attack threat lies inside the OpenFlow domain, the IDS decision server blocks the host through the controller; if the attack threat lies outside the OpenFlow domain, the controller redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering.
If the packet shows abnormal behaviour, the IDS decision server blocks the traffic of the attacking program or attacking host through the controller. Specifically, for malformed-packet attacks, the packet currently handled by the IDS device has already passed spoofed-packet detection, so its addresses are genuine; the IDS decision server only needs to issue, through the controller's northbound interface, a flow entry whose action is Drop to block the traffic of the attacking program or host. This is, however, a coarse-grained decision, suited only to attacks consisting of a small number of malformed packets.
If the packet carries a flooding attack, the IDS decision server redirects, through the controller, the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering. Optionally, the security equipment of the traffic scrubbing centre can also feed the protection result back to the controller so that the network policy is adjusted, achieving multi-dimensional protection where SDN and legacy networks are mixed.
Further, the optimal path is computed from link load coefficients: the residual bandwidth of the link between two adjacent nodes is measured to obtain the link's load coefficient, the optimal path between any two points is obtained from the load coefficients and the initialised network topology, and the controller derives the corresponding forwarding flow entries from the optimal path and issues them to each switch.
The specific algorithm flow of the optimal path is as follows:
Let r_{n,(n+1)} be the residual bandwidth of the link between two adjacent nodes n and n+1; its link load coefficient is the reciprocal of that residual bandwidth, as in Embodiment 2, and from these coefficients the controller computes the load U(a, b) between any two points a and b.
Let the initial network topology graph be G*; the optimal path between any two points is then computed on G* as the path of least accumulated load coefficient.
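The residual-bandwidth estimate of Embodiment 2 (B - (N2 - N1)/(t2 - t1), the per-link minimum) and the Dijkstra search with 1/residual weights described there and above, as an added Python example that is not the patent's algorithm text. The topology, port speeds and byte counters are constructed; `curr_speed` is taken in bit/s, so a caller must first decode the OpenFlow 1.0 port feature bitmap (or scale the OpenFlow 1.3 curr_speed from kbit/s) before using it.

```python
"""Residual bandwidth from two port-statistics samples and a 1/residual-weighted Dijkstra.
Added example with constructed topology and counters."""
import heapq
from collections import defaultdict


def port_residual_bps(curr_speed_bps, tx_bytes_1, t1, tx_bytes_2, t2):
    """B - (N2 - N1)/(t2 - t1), with tx_bytes turned into bits so both terms are bit/s.
    None when the sample pair is unusable (no time elapsed, or the counter wrapped)."""
    if t2 <= t1 or tx_bytes_2 < tx_bytes_1:
        return None
    used_bps = (tx_bytes_2 - tx_bytes_1) * 8 / (t2 - t1)
    return max(0.0, curr_speed_bps - used_bps)


def link_residuals(topology, port_residual):
    """topology: (a, b, port_a, port_b) tuples; a port is (dpid, port_no) or None for a host end.
    Switch-switch link: the smaller of both ends. Host-switch link: the single switch port."""
    links = {}
    for a, b, pa, pb in topology:
        r = min(port_residual[p] for p in (pa, pb) if p is not None)
        links[(a, b)] = links[(b, a)] = r
    return links


def best_path(links, src, dst):
    """Dijkstra where each link costs 1/residual; links with no residual are unusable."""
    adj = defaultdict(list)
    for (x, y), r in links.items():
        if r > 0:
            adj[x].append((y, 1.0 / r))
    dist, prev = {src: 0.0}, {}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue                      # stale heap entry
        if u == dst:
            break
        for v, w in adj[u]:
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


# Constructed sample: hosts h1, h2; switches s1, s2, s3; all ports 1 Gbit/s.
SAMPLE_TOPOLOGY = [
    ("h1", "s1", None, (1, 1)),
    ("s1", "s2", (1, 2), (2, 1)),
    ("s2", "s3", (2, 2), (3, 1)),
    ("s1", "s3", (1, 3), (3, 2)),
    ("s3", "h2", (3, 3), None),
]
# Per port: (curr_speed in bit/s, tx_bytes at t1 = 0 s, tx_bytes at t2 = 1 s), constructed.
SAMPLE_COUNTERS = {
    (1, 1): (1e9, 0, 12_500_000), (1, 2): (1e9, 0, 112_500_000), (1, 3): (1e9, 0, 62_500_000),
    (2, 1): (1e9, 0, 25_000_000), (2, 2): (1e9, 0, 12_500_000),
    (3, 1): (1e9, 0, 12_500_000), (3, 2): (1e9, 0, 37_500_000), (3, 3): (1e9, 0, 12_500_000),
}


def sample_path():
    """Least-load path from h1 to h2 over the constructed sample (s1-s2 is nearly saturated)."""
    residual = {p: port_residual_bps(b, n1, 0.0, n2, 1.0) for p, (b, n1, n2) in SAMPLE_COUNTERS.items()}
    return best_path(link_residuals(SAMPLE_TOPOLOGY, residual), "h1", "h2")


if __name__ == "__main__":
    print(sample_path())   # ['h1', 's1', 's3', 'h2']
```

Because the cost is a sum of reciprocals, a longer path over lightly loaded links can lose to a shorter path containing one moderately loaded link; where that matters, a widest-path variant (maximise the minimum residual along the path) is the usual alternative.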
The method by which the IDS decision server blocks the program and/or host that sent a packet comprises:
First, building the hash tables for counting and setting the corresponding thresholds, i.e.
building in the IDS decision server, for a unit time interval, a first hash table that counts spoofing behaviour, a second hash table that counts abnormal flag-bit settings, and a third hash table that counts flooding attacks;
and setting the first, second and third thresholds on the first, second and third hash tables respectively;
Second, blocking the program and/or host that sent the packet, i.e.
for the behaviour of each packet passed to the IDS decision server, counting it in the corresponding hash table and, when the count exceeds the corresponding threshold, blocking the program and/or host that sent the packet.
Embodiment 4
The SDN architecture and system of the present invention may be named SDNQA (SDN Communication Quality Assurance Strategy), an SDN communication quality assurance strategy.
The target design and scenario deployment rely on testing.
The present invention has been deployed and tested; the main test environment and test contents are as follows:
(1) Based on the OpenFlow 1.3 protocol, test the communication between the Floodlight controller equipped with the DDoS threat filtering and communication quality assurance components, the OF switches, the IDS devices and the IDS decision server.
(2) Test whether the IDS devices can monitor abnormal attack traffic in the network in real time and report it to the IDS decision server over the SSL communication channel.
(3) Test whether the IDS decision server can formulate the strategy for handling the corresponding attack threat from the information reported by the IDS devices and issue it through the controller's northbound interface.
(4) Test whether the controller can generate and issue real-time optimised forwarding paths according to the real-time state of the network, improving user experience.
Deployment of the experimental scenario. The central network area contains two virtual networks: virtual network A has the SDNQA system deployed, virtual network B does not, and each contains some DDoS zombie hosts. On the right is the comparison area for the experimental results, containing one Web server and two user hosts; the Web server runs Tomcat to provide a Web service, and user hosts A and B are the access hosts of virtual networks A and B respectively. On the left is the attack simulation area, containing a DDoS attack machine that acts as the master and controls the zombies in virtual networks A and B to launch a hybrid DDoS attack on the Web server.
In this experimental environment the performance of the SDNQA architecture is verified in two respects: (1) comparing the attack frequency borne by the Web server under the hybrid DDoS attack; (2) comparing the average network transmission delay caused by the flooding attack.
First, the traffic flowing into the Web server is analysed. The zombies in the two virtual networks, controlled by the attack machine, launch the hybrid DDoS attack on the Web server at the same time, at a peak frequency of 55 Hz and for a duration of 100 seconds. All packet sequences at the Web server are captured and the request sequence of each virtual network is separated out, giving the request sequences flowing into the server from virtual networks A and B, i.e. a comparison of the attack frequency borne by the Web server.
It can be seen that the SDNQA system identifies the typical DDoS attack within the 0 s to 5 s period and applies filtering protection during the 0 s to 40 s period. After 40 s the network traffic returns to normal, and test user host A is able to obtain normal responses to its web-page requests throughout. In virtual network B, where SDNQA is not deployed, a large volume of attack traffic keeps flowing in and test user host B cannot obtain responses to its web-page requests.
Second, the request sequences of test user host A and test user host B are extracted from the packet sequences captured earlier, and the average transmission delay of the packets is computed from each request sequence, giving a comparison of the average transmission delay of the two virtual networks.
It can be seen that, with routing optimisation, the average transmission delay of virtual network A does not surge as the data volume increases. The SDNQA architecture can therefore optimise flow forwarding paths from its perception of the real-time network state, ensuring the best user experience when a DDoS attack or normal high-volume traffic is present in the network.
It should be understood that the above embodiments of the present invention serve only to illustrate or explain its principles and are not to be construed as limiting it. Any modification, equivalent substitution, improvement and the like made without departing from the spirit and scope of the present invention shall fall within its scope of protection. In addition, the appended claims are intended to cover all changes and modifications that fall within the scope and boundary of the claims, or the equivalents of that scope and boundary.

Claims (3)

1. A method of operating a DDoS threat filtering SDN system, comprising:
when any IDS device detects a packet with DDoS attack features, reporting it to the IDS decision server over the SSL communication channel;
the IDS decision server formulating, according to the reported information, the handling strategy corresponding to the packet with DDoS attack features, and then blocking the packet through the controller or redirecting the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering.
2. The method of operating a DDoS threat filtering SDN system according to claim 1, wherein the IDS device:
detects the packet successively with the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module; and, if any detection module detects that the packet shows the corresponding behaviour, passes the packet to the IDS decision server.
3. The method of operating a DDoS threat filtering SDN system according to claim 2, characterised in that
the IDS decision server is adapted, when the packet shows spoofing behaviour and the attack threat lies inside the OpenFlow domain, to block the host through the controller, or, when the attack threat lies outside the OpenFlow domain, to redirect through the controller the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering;
the IDS decision server is further adapted, when the packet shows abnormal behaviour, to block the traffic of the attacking program or attacking host through the controller; and
when the packet carries a flooding attack, the IDS decision server is adapted to redirect through the controller the traffic of the switch access port corresponding to the packet to the traffic scrubbing centre for filtering.
CN201711302100.XA 2014-12-17 2014-12-17 Method of operating an SDN system integrating threat handling and routing optimisation Withdrawn CN107888619A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711302100.XA CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410788069.5A CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN201711302100.XA CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201410788069.5A Division CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality

Publications (1)

Publication Number Publication Date
CN107888619A true CN107888619A (en) 2018-04-06

Family

ID=52855064

Family Applications (4)

Application Number Title Priority Date Filing Date
CN201711302100.XA Withdrawn CN107888619A (en) 2014-12-17 2014-12-17 Integrate the method for work for the SDN systems for threatening processing and routing optimality
CN201410788069.5A Expired - Fee Related CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN201711302098.6A Withdrawn CN107888618A (en) 2014-12-17 2014-12-17 The DDoS for solving network security threatens the method for work of filtering SDN systems
CN201711302091.4A Withdrawn CN107786578A (en) 2014-12-17 2014-12-17 Suitable for solving the SDN frameworks and method of work of network security problem

Family Applications After (3)

Application Number Title Priority Date Filing Date
CN201410788069.5A Expired - Fee Related CN104539595B (en) 2014-12-17 2014-12-17 It is a kind of to integrate the SDN frameworks and method of work for threatening processing and routing optimality
CN201711302098.6A Withdrawn CN107888618A (en) 2014-12-17 2014-12-17 The DDoS for solving network security threatens the method for work of filtering SDN systems
CN201711302091.4A Withdrawn CN107786578A (en) 2014-12-17 2014-12-17 Suitable for solving the SDN frameworks and method of work of network security problem

Country Status (1)

Country Link
CN (4) CN107888619A (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108028828B (en) * 2015-08-29 2020-10-27 华为技术有限公司 Distributed denial of service (DDoS) attack detection method and related equipment
CN105610854B (en) * 2016-01-18 2019-08-06 上海交通大学 Network cooperative defence system
CN105897750A (en) * 2016-06-03 2016-08-24 中国电子科技集团公司第三十研究所 Method and system for defending an SDN controller against DoS attacks
JP6898846B2 (en) * 2017-12-28 2021-07-07 株式会社日立製作所 Abnormal cause identification support system and abnormal cause identification support method
CN108289104B (en) * 2018-02-05 2020-07-17 重庆邮电大学 Industrial SDN network DDoS attack detection and mitigation method
US10659484B2 (en) 2018-02-19 2020-05-19 Cisco Technology, Inc. Hierarchical activation of behavioral modules on a data plane for behavioral analytics
CN109508435A (en) * 2018-10-26 2019-03-22 张派瑞 Anti-cyberbullying method
CN109922048B (en) * 2019-01-31 2022-04-19 国网山西省电力公司长治供电公司 Method and system for detecting serial scattered hidden threat intrusion attacks
CN111181910B (en) * 2019-08-12 2021-10-08 腾讯科技(深圳)有限公司 Protection method and related device for distributed denial of service attack
CN111885092A (en) * 2020-09-10 2020-11-03 中国联合网络通信集团有限公司 DDoS attack detection method and processing method for edge nodes and SDN
CN114726602A (en) * 2022-03-29 2022-07-08 中国工程物理研究院计算机应用研究所 Self-adaptive threat blocking method for enterprise intranet under network zero change condition

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102487339B (en) * 2010-12-01 2015-06-03 中兴通讯股份有限公司 Attack preventing method for network equipment and device
US9392010B2 (en) * 2011-11-07 2016-07-12 Netflow Logic Corporation Streaming method and system for processing network metadata
CN103561011B (en) * 2013-10-28 2016-09-07 中国科学院信息工程研究所 Method and system for preventing blind DDoS attacks on an SDN controller
CN104023034B (en) * 2014-06-25 2017-05-10 武汉大学 Security defensive system and defensive method based on software-defined network

Also Published As

Publication number Publication date
CN104539595A (en) 2015-04-22
CN104539595B (en) 2018-04-10
CN107888618A (en) 2018-04-06
CN107786578A (en) 2018-03-09

Similar Documents

Publication Publication Date Title
CN104539594B (en) SDN architecture, system and working method combining DDoS threat filtering and route optimization
CN104660582B (en) Software-defined network architecture for DDoS identification, protection and path optimization
CN104539625B (en) Software-defined network security protection system and its working method
CN104539595B (en) SDN architecture and working method integrating threat handling and route optimization
CN104378380A (en) System and method for identifying and preventing DDoS attacks on basis of SDN framework
CN104468636A (en) SDN architecture for DDoS threat filtering and link reallocation, and working method
US9258323B1 (en) Distributed filtering for networks
CN102263788B (en) Method and equipment for defending a multi-service system against distributed denial of service (DDoS) attacks
US20030145232A1 (en) Denial of service attacks characterization
CN103428224B (en) Method and apparatus for intelligent defence against distributed denial of service (DDoS) attacks
US20070248084A1 (en) Symmetric connection detection
WO2002021278A1 (en) Coordinated thwarting of denial of service attacks
WO2002021296A1 (en) Statistics collection for network traffic
CN105871773A (en) DDoS filtering method based on SDN network architecture
WO2002021302A1 (en) Monitoring network traffic denial of service attacks
WO2002021279A1 (en) Thwarting source address spoofing-based denial of service attacks
WO2002021297A1 (en) Architecture to thwart denial of service attacks
Rengaraju et al. Detection and prevention of DoS attacks in Software-Defined Cloud networks
WO2002021771A1 (en) Device to protect victim sites during denial of service attacks
CN109327426A (en) Firewall attack defence method
TW201124876A (en) System and method for guarding against dispersive blocking attacks
CN108833430A (en) Topology protection method for a software-defined network
Jiang et al. BSD-Guard: a collaborative blockchain-based approach for detection and mitigation of SDN-targeted DDoS attacks
CN105871771A (en) SDN network architecture aimed at DDoS network attack
CN105871772A (en) Working method of SDN network architecture aimed at network attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20180406