CN108632270B - Low-rate TCP DoS attack prevention method based on software defined network - Google Patents


Info

Publication number
CN108632270B
Authority
CN
China
Prior art keywords
loss rate
low
flow
rate
traffic
Prior art date
Legal status
Active
Application number
CN201810413887.5A
Other languages
Chinese (zh)
Other versions
CN108632270A (en)
Inventor
曹元�
刘皖熠
徐佳宝
高巧丽
Current Assignee
Changzhou Campus of Hohai University
Original Assignee
Changzhou Campus of Hohai University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a low-rate TCP DoS attack prevention method based on a software defined network, comprising the following steps: a centralized controller detects the uniform loss rate of each flow; when the uniform loss rate exceeds a preset value, the flow is identified as an attack flow, and the centralized controller blocks the flow; the centralized controller discards, with a certain probability, the packets of the flows responsible for congestion. The invention monitors all flows through the centralized controller, analyzes them, and then instructs the router to apply different routing and forwarding policies to different flows, discarding the packets of the flows responsible for congestion according to their loss rates. It causes no performance reduction for benign flows, yet effectively resists low-rate TCP DoS attacks and general DoS attacks.

Description

Low-rate TCP DoS attack prevention method based on software defined network
Technical Field
The invention relates to a low-rate TCP DoS attack prevention method based on a software defined network, belonging to the field of communication.
Background
In a low-rate TCP DoS attack, the attacker exploits the TCP retransmission timeout mechanism. The attacker sends a periodically switched "square wave" stream whose peak transmission rate is large enough to exhaust the network bandwidth. Under attack, legitimate TCP flows suffer severe packet loss and enter retransmission timeout. If the period of the attack traffic is close to the retransmission timeout, legitimate TCP flows meet another peak while trying to recover from the timeout, again suffer severe packet loss, and are forced into a longer retransmission timeout. The cycle repeats and legitimate TCP traffic is throttled to almost zero throughput. In an ordinary DoS attack, a malicious user sends a continuous high-rate stream so that legitimate users are denied service; compared with an ordinary DoS attack, the time-averaged bandwidth usage of low-rate TCP DoS attack traffic is very low, even far below the total available bandwidth.
Another feature of low-rate TCP DoS attack traffic is that its periodic pattern resembles that of legitimate periodic TCP traffic, e.g., video traffic using the DASH standard. Despite the similar traffic patterns, the fundamental difference between benign periodic TCP traffic and low-rate TCP DoS attack traffic is that, when packets are lost, the former backs off by entering a retransmission timeout while the latter does not. Although the low-rate TCP DoS attack was proposed nearly a decade ago, the problem has not been fully solved.
Sun et al. use signal processing (autocorrelation of traffic) to detect periodic burst attacks (H. Sun, J. C. S. Lui, and D. K. Y. Yau, "Defending against low-rate TCP attacks: Dynamic detection and protection," in IEEE ICNP, 2004). Whenever an attack is detected, a router traces back to its upstream routers to find the source of the attack. If the congested router has multiple upstream routers, this solution may fail: the burst it detects is the aggregate of traffic from those upstream routers, so an individual upstream router may not observe a burst of attack traffic, which stops the trace-back.
Chang et al. assign high priority to packets of TCP application ports with a high packet loss rate (C.-W. Chang, S. Lee, B. Lin, and J. Wang, "The taming of the shrew: Mitigating low-rate TCP-targeted attack," IEEE/ACM TON, 2010). However, if an attacker sends a large amount of traffic to a particular protected port, producing a high loss rate on that port, this defense is broken.
Both solutions target only an ideal low-rate TCP DoS attack, so an attacker can split the attack traffic into multiple flows (i.e., a distributed attack) to defeat the defense, turning it into a distributed denial of service attack. A new method of preventing low-rate TCP DoS attacks is therefore needed.
Disclosure of Invention
In order to solve this technical problem, the invention provides a low-rate TCP DoS attack prevention method based on a software defined network.
In order to achieve the purpose, the invention adopts the technical scheme that:
the method for preventing low-rate TCP DoS attacks based on a software defined network comprises the following steps:
the centralized controller detects the uniform loss rate of each flow; when the uniform loss rate exceeds a preset value, the flow is identified as an attack flow, and the centralized controller blocks the flow;
the centralized controller discards, with a certain probability, the packets of the flows responsible for congestion.
The uniform loss rate is the product of the loss rate and the usage rate of the flow.
The process by which the centralized controller drops the traffic responsible for congestion is as follows:
in each period, the centralized controller divides all flows into two groups, a high loss rate group and a low loss rate group: flows whose ratio of previous-period loss rate to previous-period total loss rate is greater than a set threshold are placed in the high loss rate group, and flows whose ratio is not greater than the threshold are placed in the low loss rate group;
the centralized controller discards packets of flows in the high loss rate group with a certain probability;
when the number of packets queued in the router exceeds a set threshold, the centralized controller discards packets of flows in the low loss rate group.
In the high loss rate group, the higher a flow's previous-period loss rate, the greater its responsibility for the congestion and the greater the probability that its packets are dropped.
Flows whose previous-period loss rate is more than half of the previous-period total loss rate are placed in the high loss rate group, and flows whose previous-period loss rate is not more than half of the previous-period total loss rate are placed in the low loss rate group.
When the current period is the first period, the previous-period loss rate and the previous-period total loss rate are both 0, and the flows are not divided.
The invention achieves the following beneficial effects: it monitors all flows through the centralized controller, analyzes them, and then instructs the router to apply different routing and forwarding policies to different flows, discarding the packets of the flows responsible for congestion according to their loss rates. It causes no performance reduction for benign flows, yet effectively resists low-rate TCP DoS attacks and general DoS attacks.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 illustrates the effectiveness of the present invention;
FIG. 3 is a graph of the convergence time of the present invention;
FIG. 4(a) is a graph illustrating the effectiveness of the present invention in defending against common DoS or DDoS attacks;
FIG. 4(b) is a graph of the effectiveness of the present invention in resisting SSTF attacks.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
As shown in FIG. 1, the method for preventing low-rate TCP DoS attacks based on a software defined network includes the following steps:
1) The centralized controller detects the uniform loss rate of each flow; when the uniform loss rate exceeds a preset value, the flow is identified as an attack flow, and the centralized controller blocks the flow.
A direct way to distinguish legitimate flows from attack flows is to rely on the fact that attack flows always have high loss rates; however, in some detection periods some legitimate flows have even higher loss rates. Relying purely on the loss rate to detect attack flows may therefore produce false detections. Hence a uniform loss rate, i.e. the product of a flow's loss rate and its usage rate, is used here to distinguish attack flows from legitimate flows. When the uniform loss rate of a flow is detected to exceed a preset value A (A must be set according to actual conditions and requirements and is generally greater than 0.01) while the uniform loss rates of the other flows are close to 0 (i.e. not greater than a threshold B, which must also be set according to actual conditions and requirements and is generally less than 0.005), the centralized controller identifies that flow as an attack flow and blocks it completely.
2) The centralized controller discards, with a certain probability, the packets of the flows responsible for congestion.
Step 1 defends against an ideal low-rate TCP DoS attack simply and accurately, but it requires a large enough gap in uniform loss rate to separate attack flows from legitimate flows, and finding a reasonable preset value A is difficult.
The specific process is as follows:
A) In one period, the centralized controller divides all flows into two groups, a high loss rate group and a low loss rate group: flows whose ratio of previous-period loss rate to previous-period total loss rate is greater than a set threshold are placed in the high loss rate group, and flows whose ratio is not greater than the threshold are placed in the low loss rate group.
Specifically, flows whose previous-period loss rate is more than half of the previous-period total loss rate are placed in the high loss rate group, and flows whose previous-period loss rate is not more than half of the previous-period total loss rate are placed in the low loss rate group.
B) The centralized controller discards packets of flows in the high loss rate group with a certain probability; within the high loss rate group, the higher a flow's previous-period loss rate, the greater its responsibility for the congestion and the greater the probability that its packets are dropped.
C) When the number of packets queued in the router exceeds a set threshold, the centralized controller discards packets of flows in the low loss rate group.
When the current period is the first period, the previous-period loss rate and the previous-period total loss rate are both 0, and the flows are not divided.
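To make steps 1 and 2 concrete, the following Python simulates the controller's per-period decisions over constructed per-flow counters. It is an added example, not code from the patent: the per-flow "usage" field (taken here as the flow's share of link capacity), the queue limit, and the linear mapping from loss share to drop probability are assumptions, while A=0.01 and B=0.005 are the indicative values given in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowStats:
    """Per-flow counters the controller collects for one period
    (constructed sample data; 'usage' is assumed to be the flow's
    share of link capacity, 0..1)."""
    name: str
    sent: int
    lost: int
    usage: float

    @property
    def loss_rate(self) -> float:
        return self.lost / self.sent if self.sent else 0.0

    @property
    def uniform_loss_rate(self) -> float:
        # Step 1 metric: uniform loss rate = loss rate x usage rate
        return self.loss_rate * self.usage


def detect_attack_flows(flows: List[FlowStats], a: float = 0.01,
                        b: float = 0.005) -> List[str]:
    """Step 1: a flow is an attack flow when its uniform loss rate exceeds A
    while every other flow's uniform loss rate is 'close to 0' (at most B).
    If several flows are lossy at once, nothing is flagged: that is the
    false-positive guard the text describes, and also why step 2 exists."""
    attackers = []
    for f in flows:
        others_quiet = all(g.uniform_loss_rate <= b for g in flows if g is not f)
        if f.uniform_loss_rate > a and others_quiet:
            attackers.append(f.name)
    return attackers


def group_by_previous_loss(prev: List[FlowStats]
                           ) -> Tuple[List[str], List[str], Dict[str, float]]:
    """Step 2A: split flows on the previous period's loss rates. A flow whose
    previous-period loss rate exceeds half of the previous-period total goes
    to the high-loss group, the rest to the low-loss group. In the first
    period there are no previous stats and no division is made."""
    if not prev:
        return [], [], {}
    total = sum(f.loss_rate for f in prev)
    if total == 0.0:  # nothing was lost last period: nobody is responsible
        return [], [f.name for f in prev], {}
    high, low, drop_prob = [], [], {}
    for f in prev:
        if f.loss_rate > total / 2:
            high.append(f.name)
            # Step 2B: higher previous-period loss -> higher drop probability.
            # Using the flow's share of the total loss is an assumption; the
            # text only requires the probability to grow with the loss rate.
            drop_prob[f.name] = f.loss_rate / total
        else:
            low.append(f.name)
    return high, low, drop_prob


def should_drop(name: str, high: List[str], low: List[str],
                drop_prob: Dict[str, float], queue_len: int,
                queue_limit: int, rnd: float) -> bool:
    """Steps 2B/2C for one arriving packet. rnd is a uniform draw in [0, 1)
    passed in so the decision is deterministic and testable."""
    if name in high:
        return rnd < drop_prob[name]
    if name in low:  # low-loss flows are dropped only under queue pressure
        return queue_len > queue_limit
    return False     # first period: flows not divided, nothing dropped


if __name__ == "__main__":
    prev = [FlowStats("legit1", 100, 5, 0.3), FlowStats("legit2", 100, 5, 0.2),
            FlowStats("attack", 100, 50, 0.5)]
    print(group_by_previous_loss(prev))
    print(detect_attack_flows(prev))
```

Note that with the "more than half of the total" rule at most one flow can land in the high loss rate group in any period, so the probabilistic drop of step 2B always targets a single flow.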
To further illustrate the above approach, the three attacks in Table 1 were simulated.
Table 1: three kinds of attacks (the table is an image in the original and is not reproduced here)
The effectiveness of the method is shown in FIG. 2: it causes no performance degradation for benign traffic, yet effectively resists low-rate TCP DoS attacks and general DoS attacks. Under all three settings, the method protects legitimate TCP traffic from the attack. The throughput achieved by each legitimate flow is almost the same as its original transmission rate, and the convergence times for the three settings are shown in FIG. 3. The effectiveness of the method in defending against common DoS (DDoS) attacks and against SSTF attacks is shown in FIG. 4(a) and FIG. 4(b), respectively.
The centralized controller monitors all flows, analyzes them, and then instructs the router to apply different routing and forwarding policies to different flows, discarding the packets of the flows responsible for congestion according to their loss rates. It causes no performance degradation for benign flows, yet effectively resists low-rate TCP DoS attacks and general DoS attacks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (5)

1. The method for preventing low-rate TCP DoS attacks based on a software defined network, characterized in that it comprises the following steps:
the centralized controller detects the uniform loss rate of each flow; when the uniform loss rate exceeds a preset value, the flow is identified as an attack flow, and the centralized controller blocks the flow;
the centralized controller discards, with a certain probability, the packets of the flows responsible for congestion;
the process by which the centralized controller drops the traffic responsible for congestion is as follows:
in each period, the centralized controller divides all flows into two groups, a high loss rate group and a low loss rate group: flows whose ratio of previous-period loss rate to previous-period total loss rate is greater than a set threshold are placed in the high loss rate group, and flows whose ratio is not greater than the threshold are placed in the low loss rate group;
the centralized controller discards packets of flows in the high loss rate group with a certain probability;
when the number of packets queued in the router exceeds a set threshold, the centralized controller discards packets of flows in the low loss rate group.
2. The method for preventing low-rate TCP DoS attacks based on a software defined network as claimed in claim 1, wherein: the uniform loss rate is the product of the loss rate and the usage rate of the flow.
3. The method for preventing low-rate TCP DoS attacks based on a software defined network as claimed in claim 1, wherein: in the high loss rate group, the higher a flow's previous-period loss rate, the greater its responsibility for the congestion and the greater the probability that its packets are dropped.
4. The method for preventing low-rate TCP DoS attacks based on a software defined network as claimed in claim 1, wherein: flows whose previous-period loss rate is more than half of the previous-period total loss rate are placed in the high loss rate group, and flows whose previous-period loss rate is not more than half of the previous-period total loss rate are placed in the low loss rate group.
5. The method for preventing low-rate TCP DoS attacks based on a software defined network as claimed in claim 1, wherein: when the current period is the first period, the previous-period loss rate and the previous-period total loss rate are both 0, and the flows are not divided.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810413887.5A CN108632270B (en) 2018-05-03 2018-05-03 Low-rate TCP DoS attack prevention method based on software defined network

Publications (2)

Publication Number Publication Date
CN108632270A CN108632270A (en) 2018-10-09
CN108632270B true CN108632270B (en) 2020-07-24

Family

ID=63695289

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810413887.5A Active CN108632270B (en) 2018-05-03 2018-05-03 Low-rate TCP DoS attack prevention method based on software defined network

Country Status (1)

Country Link
CN (1) CN108632270B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102323A (en) * 2007-08-09 2008-01-09 华为技术有限公司 Method and device for preventing DOS attack
CN101383832A (en) * 2008-10-07 2009-03-11 成都市华为赛门铁克科技有限公司 Challenging black hole attack defense method and device
CN101958833A (en) * 2010-09-20 2011-01-26 云南省科学技术情报研究院 RED-based network congestion control algorithm
CN102025640A (en) * 2010-12-24 2011-04-20 北京星网锐捷网络技术有限公司 Flow control method, device and network device
CN102436400A (en) * 2011-12-06 2012-05-02 曙光信息产业股份有限公司 Method and device for implementing zero copy drive
CN104158823A (en) * 2014-09-01 2014-11-19 江南大学 Simulation method oriented to LDoS (Low-rate Denial of Service) and LDDoS (Low-rate Distributed Denial of Service)
CN105100017A (en) * 2014-05-12 2015-11-25 中国民航大学 LDoS attack detection method based on signal cross correlation
CN105517047A (en) * 2015-11-26 2016-04-20 京信通信技术(广州)有限公司 Base station traffic shaping method and system
CN107959690A (en) * 2018-01-16 2018-04-24 中国人民解放军国防科技大学 DDoS attack cross-layer cooperative defense method based on software defined network

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7426520B2 (en) * 2003-09-10 2008-09-16 Exeros, Inc. Method and apparatus for semantic discovery and mapping between data sources

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
A Low-rate DoS Detection Based on Rate Anomalies; Libing Wu et al.; IEEE 2010 3rd International Conference on Computational Intelligence and Industrial Application (PACIIA); 2010-12-31; pp. 89-92 *
Survey of research and progress on low-rate denial-of-service attacks; 文坤 et al.; 《软件学报》 (Journal of Software); 2015-03-31; Vol. 25, No. 3; pp. 591-605 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant