CN110351286A - Link flood attack detection and response mechanism in a software defined network - Google Patents


Info

Publication number
CN110351286A
Authority
CN
China
Prior art keywords
link
network
switch
controller
congestion
Prior art date
Legal status
Granted
Application number
CN201910643617.8A
Other languages
Chinese (zh)
Other versions
CN110351286B (en)
Inventor
于尧
张召
刘树美
高宵佳
Current Assignee
Northeastern University China
Original Assignee
Northeastern University China
Priority date
Filing date
Publication date
Application filed by Northeastern University China
Priority to CN201910643617.8A
Publication of CN110351286A
Application granted
Publication of CN110351286B
Legal status: Active
Anticipated expiration


Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1458: Denial of Service
    • H04L2463/00: Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146: Tracing the source of attacks
    • H04L43/00: Arrangements for monitoring or testing data switching networks
    • H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876: Network utilisation, e.g. volume of load or congestion level
    • H04L43/0882: Utilisation of link capacity
    • H04L43/10: Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L47/00: Traffic control in data switching networks
    • H04L47/10: Flow control; Congestion control

Abstract

The present invention provides a link flood attack detection and response mechanism in a software defined network. It comprises a potential target link identification module, a link congestion monitoring module, a traffic engineering module and a malicious host identification module, and includes the following steps: the potential target link identification module uses the SDN controller to obtain the flow paths in the network topology by header space analysis and, by analysing them, identifies the attacker's target links in the topology; the link congestion monitoring module monitors the identified target links in real time; once the traffic engineering module learns of a congested link, it collects and analyses the link topology information and load distribution information of the network and relieves the congested link by rerouting several times, while the malicious host identification module analyses the recorded source host information to identify malicious hosts among the source hosts. The link flood attack detection and response system proposed by the present invention is suitable for network scenarios of various scales.

Description

Link flood attack detection and response mechanism in a software defined network
Technical field
The present invention relates to the technical field of link flood attack detection and response, and in particular to a link flood attack detection and response mechanism in a software defined network.
Background technique
SDN (Software-Defined Networking) originated from the Clean Slate project of Professor Nick McKeown at Stanford University. In order to test large-scale real traffic and applications in a network, Professor McKeown and his colleagues proposed the concept of a software defined network architecture and, on that basis, studied how to separate logical control from data forwarding and how to improve the flexibility, reliability, efficiency and security of the network. The SDN concept gave research institutions, enterprises and vendors a concrete direction for next-generation network research. Because each of them developed independently and had different requirements, each research institution added its own requirements and interpretation to the SDN architecture, so implementations varied widely and were even irregular; this gave SDN diversity and many possibilities, but also made a unified standard hard to reach. At the SIGCOMM conference in 2008, Professor McKeown and his team published OpenFlow: Enabling Innovation in Campus Networks [1], which formally brought the OpenFlow protocol into public view, and in December 2009 the milestone OpenFlow 1.0 version was released. A centralized controller makes it easy to define security control policies based on network flows and apply them to the network devices, so that communication across the whole network can be controlled and managed securely.
The original idea behind SDN was to liberate the underlying devices and make network equipment more economical and easier to manage and plan. Seen more broadly, any network architecture in which the control layer is separated from the forwarding layer, in which a controller at the core of the control layer exercises centralized control over the data plane through a communication interface, and in which the application layer uses the corresponding API to write applications that meet its own requirements can be called an SDN.
At present, many SDN researchers, device manufacturers and enterprises combine their requirements for and understanding of the SDN architecture with their own perceptions, so implementations vary, but the basic framework of SDN is consistent. In 2012 the Open Networking Foundation (ONF) [2] proposed the three-layer SDN model, which was widely accepted by industry and adopted as the standard. The ONF is a non-profit organization founded to innovate on the network architecture and thereby advance network technology. The SDN architecture comprises three layers, the data layer (infrastructure layer), the control layer and the application layer, and two communication interfaces, the southbound interface and the northbound interface. The whole architecture consists mainly of a logically centralized controller and distributed forwarding devices; the applications in the application layer can formulate policies through the controller according to the business requirements of the network administrator, and the controller issues control instructions to and interacts with the forwarding devices of the data layer. The northbound interface protocol handles communication between the controller and the application layer, and the southbound interface protocol handles management and configuration between the data layer and the control layer.
The application layer is made up of several SDN applications that communicate with the controller through the northbound interface. An SDN application manages network services by programmable logic and hands the result down to the controller; the controller receives the policies defined by the application layer, converts them into its own logic, generates control information and issues it to the data layer, and the switches carry out the control commands issued by the controller. Through this process the network administrator of an SDN manages the network by means of the programmable features of the application layer.
Summary of the invention
In view of the technical problem set out above, a link flood attack detection and response mechanism in a software defined network is provided. The present invention uses a link flood attack detection and response mechanism in a software defined network comprising a potential target link identification module, a link congestion monitoring module, a traffic engineering module and a malicious host identification module, characterized in that it includes at least the following steps:
Step S1: the potential target link identification module uses the SDN controller to obtain the flow paths in the network topology by header space analysis, and identifies the attacker's target links in the network topology by analysing them;
Step S2: the link congestion monitoring module monitors the identified target links in real time and judges whether a link is congested by checking whether the utilization of the potential target link reaches a preset threshold;
Step S3: once the traffic engineering module learns of a congested link, it collects and analyses the link topology information and load distribution information of the network, sorts the flows on the congested link from small to large, then schedules the high-rate flows with priority, reducing the network congestion to 75% or below;
Step S4: the source host information of the flows on the congested link is recorded over the multiple reroutes; the malicious host identification module combines the source host information recorded over the multiple reroutes with the behaviour of sending the traceroute probing command after a reroute to identify potential malicious hosts, and restricts the identified malicious hosts by dropping their packets.
Further, the potential target link identification module constructs the set of network links, the Link Map, from the topology information of the acquired network, and the attack is then planned according to the Link Map; the potential target links are identified and selected by computing the intersection of the flow paths in the network, combined with the global network view held by the controller and the network topology perception obtained by header space analysis; a flow path denotes the path a flow has taken.
Further, the network topology perception is obtained as follows: first, according to the OpenFlow protocol, the controller and the switches send hello packets to each other and establish a communication connection.
Further, after the connection has been established, the controller sends a features_request packet to the switch to obtain the switch's basic information, including the switch number dpid and each port number port_no of the switch, where the switch number dpid is the unique identifier of the switch in the network; the controller sends an LLDP packet carrying the dpid and port_no information to the corresponding switch port via a packet_out message; when a switch receives the LLDP packet it sends a packet_in message to the controller asking how to handle it; finally, the controller combines the switch number dpid in the packet_in message header, the switch ingress port in_port, and the dpid and port_no carried in the LLDP message to obtain one link.
Further, once the controller has communicated with all the forwarding devices it controls and obtained their information, the network topology graph formed by the switches and the corresponding terminal devices obtained by the controller is stored as a graph with NetworkX, ready to be called by the link congestion judgment module and the traffic engineering module.
Further, the link congestion monitoring module uses the whole-network view held by the Ryu controller and periodically obtains the network link status to judge whether a potential target link is congested.
Further, the traffic engineering module introduces the third-party package NetworkX to store the network topology view and compute the best forwarding path; the flows on the congested link need to be sorted from large to small so that the congestion can be relieved efficiently.
Further, the process by which the controller obtains the topology view of the whole network is as follows:
To obtain the set of potential target links in the network, the present invention uses header space analysis (HSA) to obtain the flow paths in the network.
In header space analysis the header of a packet is regarded as a sequence of 0s and 1s, and the header space is denoted {0,1}^L, where L is the length of the packet header in bits. A forwarding device in the network is represented by T, the transfer function of the switch;
When a packet with header h arrives and is forwarded to port p of the switch, this is written as:
T(h,p) → {(h_1,p_1), (h_2,p_2), ...};
The flow path between a pair of nodes is built as a sequence of {switch, rule} pairs, where rule denotes the packet processing rule in the switch, so a flow path can be written as:
FP_i = (s_1,r_1) → ... → (s_{n-1},r_{n-1}) → (s_n,r_n);
The detailed steps for obtaining a flow path in an SDN network are described here. First the starting point of the flow path is found: using the complete network topology controlled by the OpenFlow controller, the routing information of the network is obtained, and switch s_1 is assumed to be the head node;
The header information of the packets in the flow table is read and converted into binary vectors, and the intersection of the destination IP address IP_Dst(h) of the head node and the source IP address IP_Src(s_1) of s_1 is computed, where x denotes a wildcard bit and z denotes an empty bit-wise intersection; the intersection of two headers is taken bit by bit, and if any bit returns z the intersection of the whole header is empty. If the intersection of the head node's destination IP address and the source IP address of s_1 is not empty, s_1 is added to the flow path; the next-hop switch of s_1 is then obtained from the network topology, and the destination IP address of s_1 is intersected with the source IP of its next hop, switch s_2; if that is not empty either, s_2 is added to the flow path.
Further, the controller combines the information of the previous period and obtains the number of bytes each switch received and forwarded in one period T; together with the network topology graph held by the controller, this gives the state of the potential target links. The current load of a link is obtained as the ratio of the number of bytes of traffic forwarded over the link to the period T, as follows:
where b_t is the number of bytes the link has forwarded at time t and b_{t-T} is the number of bytes it had forwarded at time t-T; the link utilization is then obtained as the ratio of the current load of the link to the link bandwidth, as follows:
where B is the link bandwidth.
Compared with the prior art, the invention has the following advantages: as the network scale grows, the average attack mitigation time of the detection and response system of the present invention stays essentially unchanged, with the increase kept within 0.5 seconds. An increase in network scale has little effect on the proposed detection and response system, and the link flood attack detection and response system proposed by the present invention is suitable for network scenarios of various scales.
Detailed description of the invention
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the attack model of the present invention.
Fig. 2 is a schematic diagram of the flow path acquisition process of the present invention.
Fig. 3 is a flow diagram of the link flood attack mitigation scheme of the present invention.
Fig. 4 is a schematic structural diagram of the link flood attack detection and response system of the present invention.
Fig. 5 is a schematic diagram comparing the link utilization variation in an embodiment of the present invention.
Fig. 6 is a schematic diagram of the variation in the number of active malicious hosts in the present invention.
Fig. 7 is a schematic diagram of the variation in the number of flow entries in the present invention.
Fig. 8 is a schematic diagram comparing the average attack mitigation time under different network scales in the present invention.
Specific embodiment
In order to enable those skilled in the art to better understand the solution of the present invention, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the terms "first", "second" and so on in the description, the claims and the drawings above are used to distinguish similar objects and not to describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described here. In addition, the terms "comprising" and "having" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
As shown in Figs. 1 to 8, the present invention includes a link flood attack detection and response mechanism in a software defined network comprising a potential target link identification module, a link congestion monitoring module, a traffic engineering module and a malicious host identification module, characterized in that it includes at least the following steps:
Step S1: the potential target link identification module uses the SDN controller to obtain the flow paths in the network topology by header space analysis, and identifies the attacker's target links in the network topology by analysing them; the leading σ share of the sorted link set is taken as the potential target links, where σ is a manually set ratio chosen according to the circumstances.
Step S2: the link congestion monitoring module monitors the identified target links in real time and judges whether a link is congested by checking whether the utilization of the potential target link reaches a preset threshold;
Step S3: once the traffic engineering module learns of a congested link, it collects and analyses the link topology information and load distribution information of the network, sorts the flows on the congested link from small to large, then schedules the high-rate flows with priority, reducing the network congestion to 75% or below. In this embodiment, the collection referred to means recording the information on the potential target links above together with the related link utilization information, and the analysis means finding the congested links from that information, that is, a link whose utilization exceeds 75% is a congested link.
Step S4: the source host information of the flows on the congested link is recorded over the multiple reroutes; the malicious host identification module combines the source host information recorded over the multiple reroutes with the behaviour of sending the traceroute probing command after a reroute to identify potential malicious hosts, and restricts the identified malicious hosts by dropping their packets.
As a preferred embodiment, the potential target link identification module constructs the set of network links, the Link Map, from the topology information of the acquired network, and the attack is then planned according to the Link Map; the potential target links are identified and selected by computing the intersection of the flow paths in the network, combined with the global network view held by the controller and the network topology perception obtained by header space analysis; a flow path denotes the path a flow has taken.
The simulated link flood attack parameters are as follows:
1. 20 of the 41 hosts are randomly selected as malicious hosts;
2. the average bandwidth of a normal link in the default network is 10 Mbps;
3. each malicious host sends an equal share of 0.5 Mbps of attack traffic;
4. three target links are randomly selected among the network links, labelled link A, link B and link C, and attacked.
Fig. 5 reflects the link utilization trend of links A, B and C while the proposed link flood attack detection and response system mitigates the link flood attack. Taking link A as an example, the utilization of the link stays at a low and stable level from 0 s to 140 s, then rises steeply to a peak of 75% before starting to fall, and finally stabilizes at about 38.0%. This is because the attacker attacks target link A at 200 s; the link congestion monitoring module proposed in this paper then detects an anomaly on the target link as its utilization rises steeply. When the link utilization reaches 75%, the traffic engineering module starts working and schedules the flows on the congested link to relieve the congestion and restore the link to normal. As the attacker switches target links, the link congestion monitoring module always accurately detects the anomaly on the target link, and the traffic engineering module always relieves the link congestion in time. The simulation results verify the validity of the traffic engineering module proposed in this paper, and show that the cooperation between the traffic engineering module and the link congestion monitoring module can effectively relieve the network link congestion caused by link flood attacks and so maintain normal communication over the network links.
To demonstrate the performance advantage of the system, the variation in the number of forwarding flow entries in the switches of the network is shown below, with the transmission time and the number of normal hosts kept unchanged during the experiment above. Fig. 7 reflects the trend in the number of forwarding flow entries in the switches of the network. The curve rises steeply from 0 s to 60 s, then keeps falling after 200 s and levels off after 600 s. This is because, as the malicious hosts attack the network, the number of useless flow entries in the network increases sharply; the malicious host identification module in the detection and response system then starts restricting the malicious hosts from sending data, and the forwarding flow entries in the switches are deleted one by one after reaching their hard timeout. The simulation results show that the link flood attack detection and response system proposed by the present invention can effectively reduce the junk traffic that malicious hosts inject into the network.
In this embodiment, the network topology perception is obtained as follows: first, according to the OpenFlow protocol, the controller and the switches send hello packets to each other and establish a communication connection.
As a preferred embodiment, after the connection has been established, the controller sends a features_request packet to the switch to obtain the switch's basic information, including the switch number dpid and each port number port_no of the switch, where the switch number dpid is the unique identifier of the switch in the network; the controller sends an LLDP packet carrying the dpid and port_no information to the corresponding switch port via a packet_out message; when a switch receives the LLDP packet it sends a packet_in message to the controller asking how to handle it; finally, the controller combines the switch number dpid in the packet_in message header, the switch ingress port in_port, and the dpid and port_no carried in the LLDP message to obtain one link;
once the controller has communicated with all the forwarding devices it controls and obtained their information, the network topology graph formed by the switches and the corresponding terminal devices obtained by the controller is stored as a graph with NetworkX, ready to be called by the link congestion judgment module and the traffic engineering module.
In this embodiment, the link congestion monitoring module uses the whole-network view held by the Ryu controller and periodically obtains the network link status to judge whether a potential target link is congested.
As a preferred embodiment, the traffic engineering module introduces the third-party package NetworkX to store the network topology view and compute the best forwarding path; the flows on the congested link need to be sorted from large to small so that the congestion can be relieved efficiently.
In this embodiment, the process by which the controller obtains the topology view of the whole network is as follows:
To obtain the set of potential target links in the network, the present invention uses header space analysis (HSA) to obtain the flow paths in the network.
In header space analysis the header of a packet is regarded as a sequence of 0s and 1s, and the header space is denoted {0,1}^L, where L is the length of the packet header in bits. A forwarding device in the network is represented by T, the transfer function of the switch;
When a packet with header h arrives and is forwarded to port p of the switch, this is written as:
T(h,p) → {(h_1,p_1), (h_2,p_2), ...};
The flow path between a pair of nodes is built as a sequence of {switch, rule} pairs, where rule denotes the packet processing rule in the switch, so a flow path can be written as:
FP_i = (s_1,r_1) → ... → (s_{n-1},r_{n-1}) → (s_n,r_n);
The detailed steps for obtaining a flow path in an SDN network are described here. First the starting point of the flow path is found: using the complete network topology controlled by the OpenFlow controller, the routing information of the network is obtained, and switch s_1 is assumed to be the head node;
The header information of the packets in the flow table is read and converted into binary vectors, and the intersection of the destination IP address IP_Dst(h) of the head node and the source IP address IP_Src(s_1) of s_1 is computed, where x denotes a wildcard bit and z denotes an empty bit-wise intersection; the intersection of two headers is taken bit by bit, and if any bit returns z the intersection of the whole header is empty. If the intersection of the head node's destination IP address and the source IP address of s_1 is not empty, s_1 is added to the flow path; the next-hop switch of s_1 is then obtained from the network topology, and the destination IP address of s_1 is intersected with the source IP of its next hop, switch s_2; if that is not empty either, s_2 is added to the flow path.
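As an added worked example (not part of the patent and not the inventors' code), the following Python script applies the header intersection described in the summary and in this embodiment to a constructed, hypothetical set of flow tables: ternary headers use the page's x for a wildcard bit and z for an empty result, the transfer function narrows the header at each switch, the flow path is the resulting (switch, rule) sequence, and the links crossed by the most flow paths are ranked so that the leading σ share can be taken as potential target links, as in Step S1. Switch names, addresses, rules and the σ value are assumptions for the demonstration.

```python
"""Flow path extraction by header space intersection (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

WILDCARD = "x"   # wildcard bit, the page's x
EMPTY = "z"      # empty intersection marker, the page's z

Header = Tuple[str, str]          # (source IP bits, destination IP bits)
Rule = Dict[str, str]             # one flow-table rule


def bit_intersect(a: str, b: str) -> str:
    """Bit-wise intersection of two ternary strings in {0,1,x}^L.

    Returns EMPTY as soon as one bit position has no common value, which is
    the rule the page states for IP_Dst(h) and IP_Src(s)."""
    if len(a) != len(b):
        raise ValueError("headers must have the same length L")
    out = []
    for p, q in zip(a, b):
        if p == WILDCARD:
            out.append(q)
        elif q == WILDCARD or p == q:
            out.append(p)
        else:
            return EMPTY
    return "".join(out)


def ip_to_bits(ip: str, prefix: int = 32) -> str:
    """Dotted IPv4 address plus prefix length to a 32-bit ternary string."""
    bits = "".join(f"{int(octet):08b}" for octet in ip.split("."))
    return bits[:prefix] + WILDCARD * (32 - prefix)


def rule(rid: str, src: str, dst: str, nxt: str) -> Rule:
    return {"id": rid, "src": src, "dst": dst, "next": nxt}


ANY = WILDCARD * 32
# Constructed flow tables for a hypothetical topology s1-s2-{s3,s4} with hosts h3/h4.
FLOW_TABLES: Dict[str, List[Rule]] = {
    "s1": [rule("r1", ip_to_bits("10.0.1.0", 24), ip_to_bits("10.0.3.0", 24), "s2"),
           rule("r2", ip_to_bits("10.0.1.0", 24), ip_to_bits("10.0.4.0", 24), "s2")],
    "s2": [rule("r1", ANY, ip_to_bits("10.0.3.0", 24), "s3"),
           rule("r2", ANY, ip_to_bits("10.0.4.0", 24), "s4")],
    "s3": [rule("r1", ANY, ip_to_bits("10.0.3.0", 24), "h3")],
    "s4": [rule("r1", ANY, ip_to_bits("10.0.4.0", 24), "h4")],
}


def transfer(header: Header, switch: str) -> Optional[Tuple[Header, Rule]]:
    """Transfer function T(h, p): the first rule whose match intersects h wins,
    and the header is narrowed to that intersection."""
    src, dst = header
    for r in FLOW_TABLES.get(switch, []):
        s, d = bit_intersect(src, r["src"]), bit_intersect(dst, r["dst"])
        if s != EMPTY and d != EMPTY:
            return (s, d), r
    return None


def flow_path(src_ip: str, dst_ip: str, head: str, max_hops: int = 16) -> List[Tuple[str, str]]:
    """FP = (s1,r1) -> ... -> (sn,rn) for a packet entering at the head switch."""
    header: Header = (ip_to_bits(src_ip), ip_to_bits(dst_ip))
    path: List[Tuple[str, str]] = []
    node = head
    while node in FLOW_TABLES and len(path) < max_hops:   # stop at a host or on the hop bound
        hit = transfer(header, node)
        if hit is None:                                    # no rule intersects: packet dropped
            break
        header, r = hit
        path.append((node, r["id"]))
        node = r["next"]
    return path


def potential_target_links(paths: List[List[Tuple[str, str]]], sigma: float) -> List[Tuple[str, str]]:
    """Rank switch-to-switch links by the number of flow paths crossing them
    (the intersection of flow paths) and keep the leading sigma share."""
    counts: Counter = Counter()
    for path in paths:
        hops = [sw for sw, _ in path]
        counts.update(zip(hops, hops[1:]))
    ranked = sorted(counts, key=lambda link: (-counts[link], link))
    keep = max(1, round(sigma * len(ranked))) if ranked else 0
    return ranked[:keep]


if __name__ == "__main__":
    paths = [flow_path("10.0.1.5", "10.0.3.7", "s1"), flow_path("10.0.1.6", "10.0.4.9", "s1")]
    print(paths, potential_target_links(paths, 0.34))
```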
As a preferred embodiment, the controller combines the information of the previous period and obtains the number of bytes each switch received and forwarded in one period T; together with the network topology graph held by the controller, this gives the state of the potential target links. The current load of a link is obtained as the ratio of the number of bytes of traffic forwarded over the link to the period T, as follows:
where b_t is the number of bytes the link has forwarded at time t and b_{t-T} is the number of bytes it had forwarded at time t-T; the link utilization is then obtained as the ratio of the current load of the link to the link bandwidth, as follows:
where B is the link bandwidth.
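As an added worked example (not the patent's own code), the following Python script computes the link load and utilization just described from two successive byte-counter samples, flags links above the 75% threshold used in Steps S2 and S3, and relieves the most congested link by moving its highest-rate flows first, as the traffic engineering module does; the spare capacity of each flow's alternative path stands in for the NetworkX path computation. Counter values, bandwidths, flow rates and spare capacities are constructed sample data.

```python
"""Link utilisation monitoring and largest-flow-first rerouting (added example)."""
from typing import Dict, List, Tuple

THRESHOLD = 0.75            # the page's congestion threshold: utilisation above 75%
Link = Tuple[str, str]      # (switch, switch), as learnt from dpid/port_no pairs


def link_load(b_t: int, b_t_minus_T: int, period_s: float) -> float:
    """Current load in bytes/s: bytes forwarded during the last period divided by T."""
    if period_s <= 0:
        raise ValueError("period T must be positive")
    if b_t < b_t_minus_T:   # counter wrapped or the switch restarted: ignore this sample
        return 0.0
    return (b_t - b_t_minus_T) / period_s


def link_utilisation(load_bytes_per_s: float, bandwidth_bps: float) -> float:
    """Utilisation = load / B, with the byte load converted to bits per second."""
    return load_bytes_per_s * 8 / bandwidth_bps


def congested_links(prev: Dict[Link, int], cur: Dict[Link, int],
                    bandwidth: Dict[Link, float], period_s: float) -> List[Tuple[Link, float]]:
    """Links whose utilisation exceeds THRESHOLD, most congested first."""
    found = []
    for link, b_t in cur.items():
        load = link_load(b_t, prev.get(link, b_t), period_s)   # first sample: no history yet
        util = link_utilisation(load, bandwidth[link])
        if util > THRESHOLD:
            found.append((link, util))
    return sorted(found, key=lambda item: -item[1])


def reroute_largest_first(flows: Dict[str, float], bandwidth_bps: float,
                          spare_on_alternative: Dict[str, float]) -> Tuple[List[str], float]:
    """Move the highest-rate flows off the congested link first until its
    utilisation is at or below THRESHOLD.

    flows maps flow id -> rate (bit/s) on the link; spare_on_alternative maps
    flow id -> spare capacity (bit/s) of the best alternative path (the page
    computes such paths with NetworkX; here the values are constructed).
    Returns the moved flow ids and the resulting utilisation."""
    remaining = dict(flows)
    moved: List[str] = []
    for fid, rate in sorted(flows.items(), key=lambda kv: -kv[1]):
        if sum(remaining.values()) / bandwidth_bps <= THRESHOLD:
            break
        if spare_on_alternative.get(fid, 0.0) >= rate:   # only move flows that fit elsewhere
            moved.append(fid)
            del remaining[fid]
    return moved, sum(remaining.values()) / bandwidth_bps


# Constructed sample: two 10 Mbps links sampled with period T = 5 s.
PERIOD_S = 5.0
BANDWIDTH: Dict[Link, float] = {("s1", "s2"): 10e6, ("s2", "s3"): 10e6}
BYTES_PREV: Dict[Link, int] = {("s1", "s2"): 1_000_000, ("s2", "s3"): 0}
BYTES_CUR: Dict[Link, int] = {("s1", "s2"): 6_000_000, ("s2", "s3"): 1_250_000}
# Constructed flows (bit/s) on link s1-s2 and the spare capacity of each flow's alternative path.
FLOWS_ON_S1_S2 = {"f1": 3.0e6, "f2": 2.5e6, "f3": 1.5e6, "f4": 1.0e6}
SPARE = {"f1": 2.0e6, "f2": 4.0e6, "f3": 4.0e6, "f4": 4.0e6}


def run_cycle() -> Tuple[List[Tuple[Link, float]], List[str], float]:
    """One monitoring cycle: find congested links, then relieve the worst one."""
    congested = congested_links(BYTES_PREV, BYTES_CUR, BANDWIDTH, PERIOD_S)
    if not congested:
        return congested, [], 0.0
    worst, _ = congested[0]
    moved, util_after = reroute_largest_first(FLOWS_ON_S1_S2, BANDWIDTH[worst], SPARE)
    return congested, moved, util_after


if __name__ == "__main__":
    print(run_cycle())
```

With the sample counters link s1-s2 runs at 80% and is relieved to 55% by moving only f2, because f1 is the largest flow but does not fit on its alternative path.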
The serial numbers of the above embodiments of the invention are for description only and do not represent the advantages or disadvantages of the embodiments.
In the above embodiments of the invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The apparatus embodiments described above are merely exemplary; for example, the division of the units may be a logical functional division, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling, direct coupling or communication connection between the units or modules shown or discussed may be through some interfaces, and the indirect coupling or communication connection between units or modules may be electrical or of another form.
The unit as illustrated by the separation member may or may not be physically separated, aobvious as unit The component shown may or may not be physical unit, it can and it is in one place, or may be distributed over multiple On unit.It can some or all of the units may be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
It, can also be in addition, the functional units in various embodiments of the present invention may be integrated into one processing unit It is that each unit physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated list Member both can take the form of hardware realization, can also realize in the form of software functional units.
If the integrated unit is realized in the form of SFU software functional unit and sells or use as independent product When, it can store in a computer readable storage medium.Based on this understanding, technical solution of the present invention is substantially The all or part of the part that contributes to existing technology or the technical solution can be in the form of software products in other words It embodies, which is stored in a storage medium, including some instructions are used so that a computer Equipment (can for personal computer, server or network equipment etc.) execute each embodiment the method for the present invention whole or Part steps.And storage medium above-mentioned includes: that USB flash disk, read-only memory (ROM, Read-Only Memory), arbitrary access are deposited Reservoir (RAM, Random Access Memory), mobile hard disk, magnetic or disk etc. be various to can store program code Medium.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention., rather than its limitations;To the greatest extent Pipe present invention has been described in detail with reference to the aforementioned embodiments, those skilled in the art should understand that: its according to So be possible to modify the technical solutions described in the foregoing embodiments, or to some or all of the technical features into Row equivalent replacement;And these are modified or replaceed, various embodiments of the present invention technology that it does not separate the essence of the corresponding technical solution The range of scheme.

Claims (7)

1. A link flooding attack detection and response mechanism in a software defined network, comprising: a potential target link identification module, a link congestion monitoring module, a traffic engineering module and a malicious host identification module, characterized in that it comprises at least the following steps:
S1: the potential target link identification module obtains the flow paths in the network topology through header space analysis performed by the SDN controller, and analyzes and identifies the attacker's target links in the network topology;
S2: the link congestion monitoring module monitors the identified attacker target links in real time, and judges whether a link is congested by monitoring whether the utilization rate of the potential target link reaches a preset threshold;
S3: after the traffic engineering module learns of the congested link, it collects and analyzes the link topology information and load distribution information of the network, sorts the flows on the congested link from small to large, and then carries out priority scheduling of high-rate flows, reducing the network congestion to 75% or less;
S4: the source host information of the flows on the congested link is recorded over multiple reroutings; the malicious host identification module combines the source host information recorded over the multiple reroutings with the traceroute behaviour of malicious hosts that send route-probing commands after rerouting in order to identify potential malicious hosts, and applies packet-loss limiting to the identified malicious hosts.
2. The link flooding attack detection and response mechanism in a software defined network according to claim 1, further characterized in that:
the network topology perception is obtained as follows: according to the OpenFlow protocol, the controller and the switches first send hello packets to each other to establish a communication connection;
after the connection is established, the controller issues a features_request packet to the switch to obtain the basic information of the switch, including the switch number dpid and each port number port_no of the switch, where the switch number dpid is the unique identifier of the switch in the network; the controller sends an LLDP packet carrying the dpid and port_no information to the port of the corresponding switch via a packet_out message; after receiving the LLDP packet, the switch sends a packet_in message to the controller asking how it should be handled; finally the controller combines the switch number dpid in the packet_in message header, the inbound port in_port of the switch, and the dpid and port_no in the LLDP message to obtain one piece of link information;
this continues until the controller has communicated with all the routers it controls and obtained their relevant information; the network topology graph composed of the switches and the corresponding terminal devices in the network obtained by the controller is stored as a graph by NetworkX, waiting to be called by the link congestion judgment module and the traffic engineering module.
3. The link flooding attack detection and response mechanism in a software defined network according to claim 1, further characterized in that:
the potential target link identification module constructs the set of network links, the link map, according to the topology information of the acquired network, and then plans the attack according to the link map; the identification and selection of potential target links is carried out by calculating the intersection of the flow paths in the network, combined with the global network view controlled by the controller and the network topology perception obtained by header space analysis; a flow path denotes the path traversed by a flow.
4. The link flooding attack detection and response mechanism in a software defined network according to claim 1, further characterized in that:
the link congestion monitoring module judges whether a potential target link is congested through the whole-network view held by the Ryu controller and by periodically acquiring the network link status.
5. The link flooding attack detection and response mechanism in a software defined network according to claim 1, further characterized in that:
the traffic engineering module introduces the third-party package NetworkX to store the network topology view and to compute the best forwarding path; the flows of the congested link need to be sorted from large to small in order to relieve the congestion efficiently.
6. The link flooding attack detection and response mechanism in a software defined network according to claim 3, further characterized in that:
the process by which the controller obtains the flow paths is as follows:
to obtain the set of potential target links in the network, the present invention uses header space analysis (HSA) to obtain the flow paths in the network;
when performing header space analysis, the header of a packet is regarded as a sequence of 0s and 1s, and the header space is expressed as {0,1}^L, where L denotes the length of the packet in bits; a forwarding device T in the network is modelled by T, which denotes the forwarding process of the switch;
when a header h arrives and is forwarded to port p of the switch, this is expressed as:
T(h,p) → {(h1,p1),(h2,p2),...};
the flow path between a pair of nodes is established according to a sequence of {switch, rule}, where rule denotes the processing rule for packets in the switch; the flow path can then be expressed as:
FP_i = (s1,r1) → ... → (s_{n-1},r_{n-1}) → (s_n,r_n);
the detailed steps for obtaining a flow path in the SDN network are described here. First the starting point of the flow path is found: using the full network topology controlled by the OpenFlow controller, the routing information of the network is obtained, and switch s1 is assumed to be the head node;
the header information of the packets in the flow table is read and converted into binary vectors, and the intersection of the destination IP address IP_Dst(h) of the head node and the source IP address IP_Src(s1) of s1 is calculated, where x denotes a wildcard and z denotes that the intersection at a bit position is empty; the intersection of two packet headers is computed bit by bit, and if any position returns z, the intersection over all positions is the empty set; if the intersection of the head node's destination IP address and the source IP address of s1 is not empty, s1 is added to the flow path, the next-hop switch of s1 is obtained from the network topology, and the intersection of the destination IP address of s1 and the source IP of its next hop, switch s2, is computed; if it is not empty, s2 is added to the flow path.
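The bit-by-bit header intersection and flow-path walk of claim 6 (and the same passage in the description), followed by the flow-path intersection of claim 3 that ranks the links most flow paths share, as an added Python illustration that is not the patent's code. The switch names, 8-bit toy match patterns and flow tables are constructed samples; real rules would match the IP fields mentioned on the page.

```python
from collections import Counter

WILDCARD = "x"  # x matches 0 and 1; an empty result plays the role of the page's z


def intersect(a: str, b: str):
    """Bit-by-bit intersection of two ternary header vectors.
    Returns the narrowed vector, or None when any position disagrees (z)."""
    assert len(a) == len(b), "header vectors must have equal length"
    out = []
    for p, q in zip(a, b):
        if p == WILDCARD:
            out.append(q)
        elif q == WILDCARD or p == q:
            out.append(p)
        else:
            return None  # one position is empty, so the whole intersection is empty
    return "".join(out)


# Constructed sample flow tables (hypothetical): switch -> list of
# (match pattern over 8 toy address bits, next-hop switch or None at egress).
RULES = {
    "s1": [("10xxxxxx", "s2"), ("01xxxxxx", "s4")],
    "s2": [("10xxxxxx", "s3")],
    "s3": [("1010xxxx", None), ("1011xxxx", "s5")],
    "s4": [("01xxxxxx", "s5")],
    "s5": [("xxxxxxxx", None)],
}


def flow_path(head_switch: str, header: str, rules=RULES):
    """Walk the (switch, rule) sequence FP = (s1,r1) -> ... -> (sn,rn):
    a switch is appended when header ∩ rule is not empty, and the walk
    continues at that rule's next hop with the narrowed header."""
    path, cur, h = [], head_switch, header
    while cur is not None:
        for pattern, nxt in rules[cur]:
            narrowed = intersect(h, pattern)
            if narrowed is not None:
                path.append(cur)
                cur, h = nxt, narrowed
                break
        else:
            break  # no rule matches: the packet is dropped at this switch
    return path


def potential_target_links(paths):
    """Rank links by how many flow paths share them; the links common to the
    most paths are the potential targets a link flooding attack would congest,
    and therefore the ones the congestion monitor should poll."""
    counts = Counter()
    for p in paths:
        for a, b in zip(p, p[1:]):
            counts[(a, b)] += 1
    return counts.most_common()


if __name__ == "__main__":
    paths = [flow_path("s1", h) for h in ("10100000", "10110000", "01000000")]
    print(paths)
    print(potential_target_links(paths))
```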
7. The link flooding attack detection and response mechanism in a software defined network according to claim 1, further characterized in that: the controller combines the information of the previous cycle to obtain, for each switch, the number of bytes received and the number of bytes forwarded within one cycle T, and combines this with the network topology graph held by the controller to obtain the state of the potential target links; the current load of a link is obtained as the ratio of the number of bytes forwarded over that link to the cycle T, as follows:
where b_t denotes the byte count of the link at time t and b_{t-T} denotes the byte count of the link at time t-T; link utilization is then obtained as the ratio of the link's current load (load) to the link bandwidth, as follows:
where B denotes the link bandwidth.
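The load and utilization computation of claim 7 (and the description above), the threshold check of step S2, and the selection of flows to move off a congested link until utilization falls to the page's 75% target (step S3, taking largest flows first as in claim 5), as an added Python illustration that is not the patent's code. The LinkSample type, the 0.90 detection threshold and all counter, bandwidth and flow-rate values are constructed; it also reports an unknown load when a switch counter went backwards between polls, which the page does not discuss.

```python
from dataclasses import dataclass

RELIEF_TARGET = 0.75       # the page's target: congestion reduced to 75 % or less
DETECT_THRESHOLD = 0.90    # preset congestion threshold; constructed sample value


@dataclass(frozen=True)
class LinkSample:
    """One polling cycle of a potential target link (hypothetical type)."""
    link: tuple           # (switch, next-hop switch)
    bytes_prev: int       # b_{t-T}: forwarded-bytes counter one cycle ago
    bytes_now: int        # b_t: forwarded-bytes counter now
    period_s: float       # T, the polling cycle in seconds
    bandwidth_bps: float  # B, link bandwidth in bytes per second


def link_load(s: LinkSample):
    """Current load = (b_t - b_{t-T}) / T, in bytes per second.
    A negative delta means the switch counter was reset or the switch
    restarted between polls; report None rather than a bogus load."""
    delta = s.bytes_now - s.bytes_prev
    if delta < 0 or s.period_s <= 0:
        return None
    return delta / s.period_s


def link_utilization(s: LinkSample):
    """Utilization = load / B; None when the load is unknown."""
    load = link_load(s)
    return None if load is None else load / s.bandwidth_bps


def congested_links(samples, threshold=DETECT_THRESHOLD):
    """Potential target links whose utilization reached the preset threshold."""
    hits = []
    for s in samples:
        u = link_utilization(s)
        if u is not None and u >= threshold:
            hits.append(s.link)
    return hits


def flows_to_reroute(flows, utilization, bandwidth_bps, target=RELIEF_TARGET):
    """flows: {flow_id: bytes/s carried on the congested link}. The largest
    flows are moved first (high-rate flow priority) until the load removed
    brings utilization down to the target; returns the flow ids to reroute."""
    excess = (utilization - target) * bandwidth_bps
    chosen = []
    for fid, rate in sorted(flows.items(), key=lambda kv: kv[1], reverse=True):
        if excess <= 0:
            break
        chosen.append(fid)
        excess -= rate
    return chosen
```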
CN201910643617.8A 2019-07-17 2019-07-17 Link flooding attack detection response mechanism in software defined network Active CN110351286B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910643617.8A CN110351286B (en) 2019-07-17 2019-07-17 Link flooding attack detection response mechanism in software defined network


Publications (2)

Publication Number Publication Date
CN110351286A true CN110351286A (en) 2019-10-18
CN110351286B CN110351286B (en) 2021-05-18

Family

ID=68175779



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant