CN110868392A - Blockchain security control method and device based on SDN, and blockchain network


Info

Publication number: CN110868392A
Authority: CN (China)
Prior art keywords: list, item, message, new item, packet
Legal status: Pending
Application number: CN201910899470.9A
Other languages: Chinese (zh)
Inventors: 高强, 郑泽鳞, 周雨涛, 曾凌烽, 徐琼, 黄哲
Current assignee: Shenzhen Power Supply Bureau Co Ltd
Original assignee: Shenzhen Power Supply Bureau Co Ltd

Classifications

All classifications fall under H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication.

    • H04L63/1458: Denial of Service (under H04L63/1441 Countermeasures against malicious traffic; H04L63/14 Detecting or protecting against malicious traffic; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L47/215: Flow control; congestion control using token-bucket (under H04L47/10 Flow control; congestion control; H04L47/00 Traffic control in data switching networks)
    • H04L63/101: Access control lists [ACL] (under H04L63/10 Controlling access to devices or network resources; H04L63/00 Network architectures or network communication protocols for network security)
    • H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408 Detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00)

Abstract

The patent provides a blockchain security control method, a blockchain security control device and a blockchain network based on a software defined network (SDN). Security threats in the SDN environment are controlled according to black, white and grey lists, and the SDN is used to protect blockchain nodes against DoS attacks and unauthorized access, so that the security of the nodes in the blockchain is ensured.

Description

Blockchain security control method and device based on SDN, and blockchain network
Technical Field
The invention relates to the technical field of blockchains, in particular to a blockchain security control method and device based on an SDN (software defined network), and to a blockchain network.
Background
Blockchains serve as a shared ledger, and many applications benefit from their properties in a variety of scenarios. However, the publicly downloadable nature of a blockchain makes it difficult to protect the privacy of applications. First, the entire blockchain can be downloaded at any time, so its data is available to the public. Second, anyone can deploy a node, join the blockchain network and take part in the consensus process. Private and consortium chains place stricter requirements on the entities that participate, which is why the number of nodes storing and extending these blockchains is relatively small. As a consequence, by attacking a particular node an attacker may influence the way consensus is reached and may even halt certain operations of the blockchain. There is therefore a need for a method that addresses attacks on specific nodes of a blockchain.
Since a public chain has many nodes, it is hard for an attacker to compromise more than half of them and so bring the blockchain down, and for that reason DoS (Denial of Service) defence and node protection receive little attention there. In private and consortium chains, however, such attacks cannot be ignored.
Currently, blockchain networks are composed of nodes with different roles that provide different services. For example, some blockchain networks use a distributed database system as storage and keep the blocks off-chain in a distributed store; newly generated blocks are then voted on by the distributed storage servers to reach consensus, and the majority vote decides whether a block is valid. The voting nodes may be distributed databases running in a cluster. A DoS attack can target these servers and prevent them from voting, and as the number of voting servers shrinks the network becomes less tolerant of failures and other misbehaviour, which eventually causes problems. For malicious attacks on blockchain nodes, therefore, a method is needed to detect malicious traffic and act on it, so that voting and accounting on the blockchain remain secure.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method, an apparatus and a blockchain network for controlling blockchain security based on Software Defined Networking (SDN), which protect blockchain nodes against DoS attacks and unauthorized access by means of the SDN, thereby ensuring the security of the nodes in the blockchain.
In order to solve the technical problem, the invention adopts the following technical scheme. The SDN-based blockchain security control method comprises the following steps:
step S11, the SDN controller monitors Packet-In messages from an OpenFlow switch and extracts the IP address, port and transport protocol of the remote node concerned from each Packet-In message;
step S12, determining whether the Packet-In message relates to any protected node in the blockchain; if it does not, forwarding the packet; otherwise, searching a preset white list, a preset black list and a preset grey list for a matching item;
step S13, if the search finds no matching item, generating a new item from the Packet-In message, appending the new item to the grey list, and forwarding the packet; if the search finds a matching item, processing the packet according to the type of list in which the matching item was found.
In step S13, processing the packet according to the type of list in which the matching item was found specifically comprises:
if the matching item is in the black list, instructing the OpenFlow switch to install a flow entry whose action is to drop the packet;
if the matching item is in the white list, ending processing of the message and forwarding the packet;
and if the matching item is in the grey list, adding the switch that sent the Packet-In message to the switch list of that item, and instructing the switch to install a flow entry corresponding to the packet.
In step S13, generating a new item from the Packet-In message and appending the new item to the grey list further comprises:
generating the new item from the Packet-In message, the switch that sent it and the protected node information, attaching a timeout duration, and adding the new item to the grey list;
when the blockchain network allows the remote node to connect, i.e. the remote node named in the Packet-In message appears as a peer of the protected node, moving the new item from the grey list to the white list, resetting its timeout duration, and deleting the item from the white list once that timeout expires;
and when the blockchain network does not allow the remote node to connect, if the time the new item has remained in the grey list exceeds its timeout duration, moving the item from the grey list to the black list and instructing the OpenFlow switch that received the packet to install a flow entry that drops the corresponding traffic; resetting its timeout duration and deleting the item from the black list once that timeout expires.
The method further comprises:
limiting the capacity of the grey list, the capacity being pre-configured; when the grey list is found to be full, adding no new item, and, when a Packet-In message that would have produced a new item arrives, having the SDN controller instruct the OpenFlow switch to generate and install a short-term flow entry that drops packets of the same kind.
The method further comprises:
setting up a token bucket, the bucket being initialised with a configurable number of tokens whenever the grey list is at its maximum free capacity (i.e. empty); removing one token each time a new item is added to the grey list; and, when the bucket is empty and a new Packet-In arrives, removing no token and adding no item to the grey list, the SDN controller instead instructing the OpenFlow switch to generate and install a short-term flow entry that drops the matching packets and is flagged so that the switch sends a Flow-Removed message when the entry is removed.
Accordingly, in another aspect of the present invention, there is also provided an SDN-based blockchain security control apparatus, comprising:
a monitoring unit, configured to monitor Packet-In messages from the OpenFlow switch, extract the IP address, port and transport protocol from each Packet-In message, and determine whether the message relates to any protected node in the blockchain;
a first processing unit, configured to determine whether the Packet-In message relates to any protected node in the blockchain and, if not, forward the packet; otherwise, to search a preset white list, a preset black list and a preset grey list for a matching item;
a second processing unit, configured to generate a new item from the Packet-In message, append it to the grey list and forward the packet when the search finds no matching item, and to process the packet according to the type of list in which the matching item was found when the search finds one;
and a list storage unit, configured to store the preset white list, black list and grey list.
The second processing unit further comprises a matching processing unit, configured to:
if the matching item is in the black list, instruct the OpenFlow switch to install a flow entry whose action is to drop the packet;
if the matching item is in the white list, end processing of the message and forward the packet;
and if the matching item is in the grey list, add the switch that sent the Packet-In message to the switch list of that item, and instruct the switch to install a flow entry corresponding to the packet.
The second processing unit further comprises a new item processing unit, which comprises:
a new item generation and appending unit, configured to generate a new item from the Packet-In message, the switch that sent it and the protected node information, attach a timeout duration, and add the new item to the grey list;
a forwarding processing unit, configured to, when the blockchain network allows the remote node to connect, treat the remote node named in the Packet-In message as a peer of the protected node, move the new item from the grey list to the white list, reset its timeout duration, and delete the item from the white list once that timeout expires;
and means for, when the blockchain network does not allow the remote node to connect and the time the new item has remained in the grey list exceeds its timeout duration, moving the item from the grey list to the black list and instructing the OpenFlow switch that received the packet to install a flow entry that drops the corresponding traffic; resetting its timeout duration and deleting the item from the black list once that timeout expires.
The apparatus further comprises:
a grey list capacity limiting unit, configured to limit the capacity of the grey list, the capacity being pre-configured; when the grey list is found to be full, no new item is added, and when a Packet-In message that would have produced a new item arrives, the SDN controller instructs the OpenFlow switch to generate and install a short-term flow entry that drops packets of the same kind.
The apparatus further comprises:
a token processing unit, configured to set up a token bucket that is initialised with a configurable number of tokens whenever the grey list is at its maximum free capacity (i.e. empty); to remove one token each time a new item is added to the grey list; and, when the bucket is empty and a new Packet-In arrives, to remove no token and add no item to the grey list, the SDN controller instead instructing the OpenFlow switch to generate and install a short-term flow entry that drops the matching packets and is flagged so that the switch sends a Flow-Removed message when the entry is removed.
Accordingly, in yet another aspect of the present invention, there is provided a blockchain network, which at least comprises:
an OpenFlow switch;
a plurality of blockchain nodes connected to the OpenFlow switch, the plurality of blockchain nodes including protected blockchain nodes;
an SDN control node connected to the OpenFlow switch;
wherein the SDN control node comprises the SDN-based blockchain security control apparatus described above.
Compared with the prior art, the invention has the following beneficial effects:
The invention discloses a blockchain security control method and device based on an SDN (software defined network), and a blockchain network.
A security control mechanism is integrated in the SDN controller, and malicious attacks on the blockchain are resisted through the grey list capacity limit and the token bucket.
In summary, the flow-entry based security protection method provided by the present invention is specific to the blockchain application and communicates periodically and directly with the protected blockchain nodes. By distinguishing legitimate from illegitimate traffic sent to a node, the proposed method filters malicious traffic close to its source.
Drawings
Fig. 1 is a main flow diagram of an embodiment of the SDN-based blockchain security control method according to the present invention;
Fig. 2 is a schematic diagram of the handling of new items in the grey list referred to in Fig. 1;
Fig. 3 is a schematic structural diagram of a blockchain network according to the present invention;
Fig. 4 is a schematic structural diagram of an embodiment of the SDN-based blockchain security control apparatus according to the present invention;
Fig. 5 is a schematic structural diagram of the second processing unit in Fig. 4.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings; obviously, the described embodiments are only some, and not all, of the embodiments of the present invention.
To facilitate understanding of the invention, the following description refers to several terms of art:
DoS attack: the main goal of a DoS attack is to make the target service unavailable to other users. A successful DoS attack leaves one or more nodes unable to transmit or receive any information, including transactions and blocks. For private and consortium chains, although such attacks do not directly threaten the data on the blockchain, the attacked node can no longer transmit transactions and blocks on the chain, and its computing power is wasted.
Access control: access to private or consortium chains is limited to the participating entities. The network devices therefore allow only those entities to reach the node and block every other connection as early as possible, directly at the network edge.
OpenFlow protocol: when a packet matches no flow entry on the switch, the switch encapsulates the relevant part of the packet in a Packet-In message and sends it to the controller, so that the controller learns of the miss. The controller responds with a Flow-Mod message that installs a new flow entry on the switch, telling it how to handle that packet and subsequent packets of the same flow. The entry remains valid until its idle timeout or hard timeout expires, which lets the switch eventually delete unused or stale entries; when it does so, the switch sends a Flow-Removed message to notify the controller that the entry has been deleted. Counters on the entry may be used to collect statistics or to determine how often packets matched it, and an entry that matched a significant number of packets may be reinstalled on that basis. This is particularly useful for short-term flow entries, from which the network and the protected systems both benefit. Because the SDN components filter the traffic, the blockchain nodes themselves are largely unaffected.
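The Packet-In / Flow-Mod exchange described above, shown on the wire as an added example; this code is not part of the patent. It frames OpenFlow 1.0 messages by hand (offsets follow the 1.0 specification: the Packet-In payload starts at byte 18, an ofp_match is 40 bytes, a Flow-Mod with no actions is 72 bytes), extracts the IP address, port and transport protocol that step S11 needs from the encapsulated frame, and builds the drop entry that a black-listed or flood-suspect remote node receives, with OFPFF_SEND_FLOW_REM set so the switch reports its removal. The frame builder, the addresses and the ports are constructed test data.

```python
"""OpenFlow 1.0 framing for the Packet-In -> Flow-Mod exchange (added example, not patent code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OFP_VERSION, OFPT_PACKET_IN, OFPT_FLOW_MOD = 0x01, 10, 14
OFPFC_ADD, OFPFF_SEND_FLOW_REM = 0, 1 << 0          # add an entry; ask for Flow-Removed when it goes away
OFP_NO_BUFFER, OFPP_NONE = 0xFFFFFFFF, 0xFFFF
# ofp_flow_wildcards: wildcard in_port, dl_vlan, dl_src, dl_dst, dl_vlan_pcp, nw_tos;
# dl_type, nw_proto, nw_src, nw_dst, tp_src, tp_dst stay exact (their bits are 0)
WILDCARDS_L3L4_EXACT = (1 << 0) | (1 << 1) | (1 << 2) | (1 << 3) | (1 << 20) | (1 << 21)

HEADER = struct.Struct("!BBHI")               # version, type, length, xid
PACKET_IN_BODY = struct.Struct("!IHHBx")      # buffer_id, total_len, in_port, reason, pad; data follows at offset 18
MATCH = struct.Struct("!IH6s6sHBxHBBxxIIHH")  # ofp_match, 40 bytes
FLOW_MOD_TAIL = struct.Struct("!QHHHHIHH")    # cookie, command, idle, hard, priority, buffer_id, out_port, flags
FLOW_MOD_LEN = HEADER.size + MATCH.size + FLOW_MOD_TAIL.size   # 72 bytes before any actions


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


def _ip2int(addr: str) -> int:
    return int.from_bytes(socket.inet_aton(addr), "big")


def parse_five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Step S11: IP addresses, ports and protocol from the encapsulated Ethernet frame.
    Returns None for anything that is not IPv4 carrying TCP (6) or UDP (17)."""
    if len(frame) < 14 + 20 + 4 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    l4 = 14 + (ver_ihl & 0x0F) * 4                      # IHL gives the IPv4 header length in 32-bit words
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return FiveTuple(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, sport, dport)


def build_packet_in(frame: bytes, in_port: int, xid: int = 1) -> bytes:
    """What the switch sends on a table miss (reason 0 = OFPR_NO_MATCH, packet not buffered)."""
    body = PACKET_IN_BODY.pack(OFP_NO_BUFFER, len(frame), in_port, 0)
    return HEADER.pack(OFP_VERSION, OFPT_PACKET_IN, HEADER.size + len(body) + len(frame), xid) + body + frame


def parse_packet_in(msg: bytes) -> Tuple[int, bytes]:
    version, mtype, length, _xid = HEADER.unpack_from(msg, 0)
    if version != OFP_VERSION or mtype != OFPT_PACKET_IN or length != len(msg):
        raise ValueError("not a well-formed OpenFlow 1.0 Packet-In")
    _buf, _total, in_port, _reason = PACKET_IN_BODY.unpack_from(msg, HEADER.size)
    return in_port, msg[HEADER.size + PACKET_IN_BODY.size:]


def build_drop_flow_mod(ft: FiveTuple, idle_timeout: int, hard_timeout: int, priority: int = 100, xid: int = 2) -> bytes:
    """Flow-Mod for a black-listed or flood-suspect 5-tuple. An empty action list means drop in OpenFlow 1.0;
    OFPFF_SEND_FLOW_REM makes the switch report the removal so a busy short-term entry can be reinstalled."""
    match = MATCH.pack(WILDCARDS_L3L4_EXACT, 0, b"\0" * 6, b"\0" * 6, 0, 0, 0x0800, 0, ft.proto,
                       _ip2int(ft.src_ip), _ip2int(ft.dst_ip), ft.src_port, ft.dst_port)
    tail = FLOW_MOD_TAIL.pack(0, OFPFC_ADD, idle_timeout, hard_timeout, priority,
                              OFP_NO_BUFFER, OFPP_NONE, OFPFF_SEND_FLOW_REM)
    return HEADER.pack(OFP_VERSION, OFPT_FLOW_MOD, FLOW_MOD_LEN, xid) + match + tail


def parse_flow_mod(msg: bytes) -> Dict[str, object]:
    version, mtype, length, _xid = HEADER.unpack_from(msg, 0)
    if version != OFP_VERSION or mtype != OFPT_FLOW_MOD or length != len(msg):
        raise ValueError("not a well-formed OpenFlow 1.0 Flow-Mod")
    m = MATCH.unpack_from(msg, HEADER.size)               # m[8]=nw_proto m[9]=nw_src m[10]=nw_dst m[11]=tp_src m[12]=tp_dst
    _cookie, command, idle, hard, _prio, _buf, _out, flags = FLOW_MOD_TAIL.unpack_from(msg, HEADER.size + MATCH.size)
    ft = FiveTuple(socket.inet_ntoa(m[9].to_bytes(4, "big")), socket.inet_ntoa(m[10].to_bytes(4, "big")),
                   m[8], m[11], m[12])
    return {"five_tuple": ft, "command": command, "idle_timeout": idle, "hard_timeout": hard,
            "flags": flags, "actions_len": len(msg) - FLOW_MOD_LEN}


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed test input: a TCP SYN from a remote node to a protected node (checksums left zero)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)   # 20-byte header, SYN
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ipv4 + tcp


if __name__ == "__main__":
    frame = build_tcp_frame("10.0.1.7", "10.0.0.5", 41234, 30303)       # constructed addresses and ports
    in_port, payload = parse_packet_in(build_packet_in(frame, in_port=3))
    ft = parse_five_tuple(payload)
    print(in_port, ft, parse_flow_mod(build_drop_flow_mod(ft, idle_timeout=5, hard_timeout=5)))
```

A real controller would hand these bytes to the switch over the OpenFlow channel; the point here is that the drop entry carries both timeouts and the Flow-Removed flag, which is what lets the controller age out short-term entries and still learn how much traffic they absorbed.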
Fig. 1 is a main flow chart of an embodiment of the SDN-based blockchain security control method according to the present invention; refer also to Fig. 2 and Fig. 3.
In this embodiment, the method is implemented in a blockchain network that includes an OpenFlow switch, a plurality of blockchain nodes connected to the OpenFlow switch, among which are protected blockchain nodes, and an SDN control node (SDN controller) connected to the OpenFlow switch. The invention mainly improves the SDN control node, and specifically the method comprises the following steps:
step S11, the SDN controller monitors Packet-In messages from an OpenFlow switch and extracts the IP address, port and transport protocol of the remote node concerned from each Packet-In message;
step S12, determining whether the Packet-In message relates to any protected node in the blockchain; if it does not, forwarding the packet; otherwise, searching a preset white list, a preset black list and a preset grey list for a matching item;
step S13, if the search finds no matching item, generating a new item from the Packet-In message, appending the new item to the grey list, and forwarding the packet; if the search finds a matching item, processing the packet according to the type of list in which the matching item was found.
It can be understood that the access control mechanism employed in the SDN controller of the present invention divides remote nodes into three states: legitimate nodes, illegitimate nodes and uncertain nodes. Legitimate nodes are blockchain nodes known to be allowed to connect to the blockchain; the SDN controller tracks these nodes and does not interfere with the forwarding of traffic originating from them. An uncertain node is one for which no corresponding flow entry has yet been installed on the switch, so that its traffic triggers a Packet-In message to the controller. That message, together with pre-configured information about the protected node, is used to determine whether the remote node is permitted to connect to the blockchain network. An illegitimate node is a blockchain node that is not permitted to connect to the blockchain network. The security control module also keeps track of these nodes, so that it can react quickly when a Packet-In message is received for one of them.
To determine the type of a remote node, the security control module periodically retrieves peer information from the API of the protected blockchain node. Only nodes allowed to connect to the blockchain can become its peers, and this is the access control information needed here. Once the type of the remote node is determined, the flow entry installed by the SDN controller decides whether the packet is forwarded or dropped.
The three node types, legitimate, illegitimate and uncertain, correspond respectively to the white list, the black list and the grey list. Items in these lists may further contain the Packet-In message of the connection attempt, the timeout time, and information about the protected node the connection is directed at. Items in the grey list additionally record the switch that generated the Packet-In message, which allows the security control module to install flow entries wherever they are needed.
More specifically, referring to Fig. 2, in step S13 generating a new item from the Packet-In message and appending the new item to the grey list further comprises:
generating the new item from the Packet-In message, the switch that sent it and the protected node information, attaching a timeout duration, and adding the new item to the grey list;
when the blockchain network allows the remote node to connect (i.e. an authorized connection), treating the remote node named in the Packet-In message as a peer of the protected node, moving the new item from the grey list to the white list, resetting its timeout duration, and deleting the item from the white list once that timeout expires;
and when the blockchain network does not allow the remote node to connect (i.e. no authorized connection), if the time the new item has remained in the grey list exceeds its timeout duration, moving the item from the grey list to the black list and instructing the OpenFlow switch that received the packet to install a flow entry that drops the corresponding traffic; resetting its timeout duration and deleting the item from the black list once that timeout expires.
It is to be understood that in particular examples the functionality described above may be implemented with a thread. The thread communicates with the protected blockchain nodes and retrieves peer information through their API, from which it extracts the IP address and port of each peer. It then scans the lists for expired items: expired items in the grey list are moved to the black list, while expired items in the other lists are deleted from the system, since they are no longer needed. Finally, the thread installs flow entries for the items that moved from the grey list to the black list; the IP address, port and transport protocol are taken from the item itself, and the action of the flow entry is to drop matching packets.
In step S13, processing the packet according to the type of list in which the matching item was found specifically comprises:
if the matching item is in the black list, instructing the OpenFlow switch to install a flow entry whose action is to drop the packet;
if the matching item is in the white list, ending processing of the message and forwarding the packet;
and if the matching item is in the grey list, adding the switch that sent the Packet-In message to the switch list of that item, and instructing the switch to install a flow entry corresponding to the packet.
In the present invention, the following steps are further adopted to mitigate attacks from multiple sources:
limiting the capacity of the grey list, the capacity being pre-configured. When the grey list is found to be full, no new item is added; since items leave the grey list at the latest when their timer expires, a full grey list indicates an unusually large number of packets being sent to a protected blockchain node. When a Packet-In message that would have produced a new item arrives, the SDN controller instructs the OpenFlow switch to generate and install a short-term flow entry that drops packets of the same kind. The match of that flow entry is built from the information extracted from the Packet-In message.
The method further comprises:
setting up a token bucket, the bucket being initialised with a configurable number of tokens whenever the grey list is at its maximum free capacity (i.e. empty); removing one token each time a new item is added to the grey list; and, when the bucket is empty and a new Packet-In arrives, removing no token and adding no item to the grey list, the SDN controller instead instructing the OpenFlow switch to generate and install a short-term flow entry that drops the matching packets and is flagged so that the switch sends a Flow-Removed message when the entry is removed.
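The three-list decision logic of steps S11 to S13, the grey-list transitions of Fig. 2 and the periodic thread, together with the capacity limit and the token bucket, as one runnable illustration. This is an added example, not the patent's implementation: the class and method names (BlockchainGuard, FlowRecorder, on_packet_in, maintain) are this example's own, the peer list that the patent reads from the protected node's API is passed in as a constructed set, the Flow-Mod channel is replaced by a recorder, and "maximum free capacity" is taken to mean an empty grey list. Time is injected so the behaviour is deterministic.

```python
"""White/grey/black-list Packet-In handling with grey-list capacity and token bucket (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Key = Tuple[str, int, int]          # (remote_ip, remote_port, ip_protocol), as extracted in step S11


@dataclass
class ListEntry:
    key: Key
    protected: str                   # protected node the remote side tried to reach
    expires_at: float
    switches: Set[str] = field(default_factory=set)   # switches that raised a Packet-In for this key


class FlowRecorder:
    """Stands in for the Flow-Mod channel: records (switch, key, action, hard_timeout, send_flow_rem)."""
    def __init__(self) -> None:
        self.installed: List[Tuple[str, Key, str, float, bool]] = []

    def install(self, switch: str, key: Key, action: str, hard_timeout: float, send_flow_rem: bool = False) -> None:
        self.installed.append((switch, key, action, hard_timeout, send_flow_rem))


class BlockchainGuard:
    def __init__(self, protected: Set[str], flows: FlowRecorder, *, grey_capacity: int = 4, tokens: int = 3,
                 grey_timeout: float = 30.0, white_timeout: float = 300.0, black_timeout: float = 600.0,
                 short_timeout: float = 5.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.protected, self.flows, self.clock = protected, flows, clock
        self.grey_capacity, self.max_tokens, self.tokens = grey_capacity, tokens, tokens
        self.timeouts = {"grey": grey_timeout, "white": white_timeout, "black": black_timeout}
        self.short_timeout = short_timeout
        self.white: Dict[Key, ListEntry] = {}
        self.grey: Dict[Key, ListEntry] = {}
        self.black: Dict[Key, ListEntry] = {}

    def on_packet_in(self, switch: str, src: Tuple[str, int], dst: Tuple[str, int], proto: int) -> str:
        """Steps S11-S13 for one Packet-In; returns the decision taken for the packet."""
        if dst[0] in self.protected:
            key, node = (src[0], src[1], proto), dst[0]
        elif src[0] in self.protected:
            key, node = (dst[0], dst[1], proto), src[0]
        else:
            return "forward"                                   # S12: not about a protected node
        if key in self.black:                                  # illegitimate node: drop flow
            self.flows.install(switch, key, "drop", self.timeouts["black"])
            return "drop"
        if key in self.white:                                  # legitimate node: leave its traffic alone
            return "forward"
        if key in self.grey:                                   # known uncertain node seen on another switch
            self.grey[key].switches.add(switch)
            self.flows.install(switch, key, "forward", self.timeouts["grey"])
            return "forward"
        if len(self.grey) >= self.grey_capacity or self.tokens == 0:
            # grey list full or bucket drained: likely a flood; short drop entry, report its removal
            self.flows.install(switch, key, "drop", self.short_timeout, send_flow_rem=True)
            return "drop-short"
        self.tokens -= 1                                       # one token per new grey item
        self.grey[key] = ListEntry(key, node, self.clock() + self.timeouts["grey"], {switch})
        return "forward"

    def maintain(self, peers: Set[Tuple[str, int]]) -> Dict[str, int]:
        """The periodic thread: reconcile against the protected node's peer list and age out entries."""
        now, moved = self.clock(), {"to_white": 0, "to_black": 0, "expired": 0}
        for key, entry in list(self.grey.items()):
            if (key[0], key[1]) in peers:                      # authorized connection -> white list
                entry.expires_at = now + self.timeouts["white"]
                self.white[key] = self.grey.pop(key)
                moved["to_white"] += 1
            elif entry.expires_at <= now:                      # never became a peer -> black list
                entry.expires_at = now + self.timeouts["black"]
                self.black[key] = self.grey.pop(key)
                for sw in entry.switches:                      # drop entry on every switch that saw it
                    self.flows.install(sw, key, "drop", self.timeouts["black"])
                moved["to_black"] += 1
        for lst in (self.white, self.black):                   # expired white/black items are simply dropped
            for key in [k for k, e in lst.items() if e.expires_at <= now]:
                del lst[key]
                moved["expired"] += 1
        if not self.grey:                                      # bucket refilled at maximum free capacity
            self.tokens = self.max_tokens
        return moved


if __name__ == "__main__":
    clock = [1000.0]
    guard = BlockchainGuard({"10.0.0.5"}, FlowRecorder(), grey_capacity=2, tokens=3, clock=lambda: clock[0])
    print(guard.on_packet_in("s1", ("10.0.1.1", 30303), ("10.0.0.5", 30303), 6))   # constructed addresses
    print(guard.maintain({("10.0.1.1", 30303)}), sorted(guard.white))
```

The capacity limit and the token bucket guard different things: the capacity bounds how many uncertain remotes the controller will track at once, while the bucket bounds how fast new ones may be admitted before the grey list has drained, so a burst that never fills the list still gets short drop entries once the tokens are gone.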
It is to be understood that in an embodiment of the invention all traffic to a protected node passes, at some point, through at least one OpenFlow switch managed by the SDN controller. This can be used to monitor for malicious activity and, moreover, prevents unauthorized users from connecting to the blockchain nodes. The method is transparent to the blockchain and can be used to protect many different types of blockchain without any modification to the nodes or the blockchain software.
In the present invention, a node of the blockchain network sends new transactions and blocks to all other nodes in the network and needs to synchronize as quickly as possible with the current state of the blockchain.
Thus, the primary goal in ensuring blockchain consistency is to keep the nodes reachable through the network at all times, while also preventing denial of service (DoS) attacks and unauthorized access.
It can be understood that the SDN-based blockchain security control method provided by the present invention runs as a module of the SDN controller and maintains a black list, a white list and a grey list. The mechanism works with a variety of blockchain technologies and does not rely on any modification of the blockchain software, nor on rebooting or updating the blockchain nodes, since SDN makes it possible to modify network behaviour easily, adapt it to the requirements of additional entities, and deploy the control module there.
As shown in fig. 4, which is a schematic structural diagram of a SDN-based blockchain security control device provided in the present invention, and is also shown in fig. 5, the SDN-based blockchain security control device 1 is implemented in an SDN control node in fig. 3, and includes:
a monitoring unit 10, configured to monitor a Packet-In message from an OpenFlow switch, extract an IP address, a port, and transport protocol information from the Packet-In message, and determine whether the message relates to any protected node In a block chain;
a first processing unit 11, configured to determine whether the Packet-In message relates to any protected node In a block chain, and if the Packet-In message does not relate to any protected node In the block chain, forward the Packet-In message; otherwise, searching whether a matching item exists in a preset white list, a preset black list and a preset grey list;
a second processing unit 12, configured to generate a new item according to the Packet-In message and attach the new item to a grey list if the search result indicates that there is no matching item, and forward the new item; if the retrieval result is that the matched item exists, processing the message according to the list type corresponding to the matched item;
and the list storage unit 13 is used for storing a preset white list, a preset black list and a preset grey list.
Wherein the second processing unit 12 further comprises a new item processing unit 120, comprising:
a new item generation additional unit, configured to generate a new item according to the Packet-In message, the switch, and the protected node information, add the timeout duration, and add the new item to the grey list;
a forwarding processing unit, configured to, when a blockchain network allows a remote node to connect, use a relevant remote node In the Packet-In message as a peer of a protected node, transfer the new item from the grey list to a white list, reset a timeout duration of the new item, and delete the new item from the white list after the timeout duration expires;
and means for moving the item from the grey list to the black list if the time that the new item remains in the grey list exceeds the corresponding timeout duration, instructing the OpenFlow receiving switch to discard the corresponding flow lattice entry, in the case that the blockchain network does not allow the remote node to connect; resetting its timeout duration and deleting said new item from the blacklist upon expiry of said timeout duration.
Wherein the second processing unit 12 further comprises a matching processing unit 121 for:
if the matching item exists in a blacklist, instructing the OpenFlow switch to install a flow entry with a delete operation;
if the matching item exists in the white list, stopping processing the message and forwarding the message;
and if the matching item exists in a grey list, instructing the OpenFlow switch to add the matching item to a switch list of the item, and installing a flow item corresponding to the message.
Wherein the SDN-based blockchain security control apparatus 1 further comprises:
the grey list capacity limiting unit is used for limiting the grey list capacity and pre-configuring the grey list capacity; when the gray list is checked to be filled, no new item is added, and when the new item exists, the SDN controller controls the OpenFlow switch to generate and install a short-term flow entry, wherein the short-term flow entry comprises a description of discarding similar data packets; and
the token processing unit is used for setting a token bucket and initializing the storage bucket by using a configurable number of tokens when the grey list is in the maximum free capacity; deleting a token each time a new item is added to the grey list; if the bucket is empty, if a new item exists, controlling that the token cannot be deleted or the new item is added to a grey list, and simultaneously controlling the OpenFlow switch to generate and install a short-term flow entry by the SDN controller, wherein the short-term flow entry contains a reaction to deletion operation and generates a flow deletion message when a new item data packet is deleted.
It is to be understood that the SDN-based blockchain security control apparatus 1 of the present invention may be regarded as implementing an OpenFlow-based blockchain firewall function. In some embodiments it is implemented as a module on a Software Defined Network (SDN) controller and applied in a network supporting SDN; in other embodiments it may also be deployed in a virtualized environment together with a virtual switch, for example Open vSwitch.
Accordingly, as shown in fig. 3, a further aspect of the present invention also provides a blockchain network, which at least includes:
an OpenFlow switch;
a plurality of blockchain nodes connected to the OpenFlow switch, the plurality of blockchain nodes including protected blockchain nodes;
an SDN control node connected with the OpenFlow switch;
wherein the SDN control node comprises the SDN-based blockchain security control device 1 described in fig. 4 and 5.
A protected blockchain node is a node of a private chain or consortium chain with built-in permission functions: the chain determines which remote nodes are allowed to establish a connection with the protected node, different nodes are given different authorities, and the operations of each node on the blockchain network can be precisely controlled. A protected blockchain is a blockchain that stores these permissions in the blockchain itself. The protected blockchain may be compatible with Bitcoin and provide a similar interface (API) that can be used to obtain information about the node's peers. This information includes, among other things, the IP address of each peer, its identity in hash form and the port used for the connection. The protected blockchain only allows a remote blockchain node to become a peer if the appropriate permissions have been granted.
For more details, reference may be made to the foregoing description of fig. 4 and fig. 5, which is not repeated herein.
The implementation of the invention has the following beneficial effects:
the invention discloses a block chain safety control method and device based on an SDN (software defined network) and a block chain network.
According to the method and the device, a safety control mechanism is integrated in the SDN controller, and malicious attacks in the block chain can be resisted through a grey list capacity limiting measure and a token bucket processing measure.
In summary, the flow-entry-based blockchain application security protection method provided by the present invention is specific to the blockchain application, and periodically and directly communicates with the blockchain nodes it protects. By distinguishing between legitimate and illegitimate traffic sent to a node, the proposed method can filter malicious traffic at its source.
The above description covers only preferred embodiments of the present invention, and the scope of the present invention is not limited thereto; any equivalent or modified technical solution that a person skilled in the art can readily derive from the technical solutions and inventive concepts of the present invention falls within the scope of the present invention.

Claims (11)

1. A block chain safety control method based on SDN is characterized by comprising the following steps:
step S11, the SDN controller monitors Packet-In messages from an OpenFlow switch and extracts the IP address, port and transport protocol information of the relevant remote node from each Packet-In message;
step S12, determining whether the Packet-In message relates to any protected node in the block chain; if the message does not relate to any protected node in the block chain, forwarding the message; otherwise, searching whether a matching item exists in a preset white list, a preset black list and a preset grey list;
step S13, if the search result is that no matching item exists, generating a new item according to the Packet-In message, attaching the new item to the grey list, and forwarding the message; and if the search result is that a matching item exists, processing the message according to the list type corresponding to the matching item.
2. The method according to claim 1, wherein in step S13, if the retrieval result is that there is a matching item, the processing the message according to the list type corresponding to the matching item specifically includes:
if the matching item exists in a blacklist, instructing the OpenFlow switch to install a flow entry with a delete operation;
if the matching item exists in the white list, stopping processing the message and forwarding the message;
and if the matching item exists in the grey list, adding the OpenFlow switch to the switch list of the matching item, and installing a flow entry corresponding to the message.
3. The method of claim 2, wherein the step of generating a new item from the Packet-In message and attaching it to the grey list in step S13 further comprises:
generating a new item according to the Packet-In message, the OpenFlow switch and the protected node information, adding the new item to the grey list, and setting its timeout duration;
in the case that the blockchain network allows the remote node to connect, taking the relevant remote node in the Packet-In message as a peer of the protected node, transferring the new item from the grey list to the white list, resetting the timeout duration of the new item, and deleting the new item from the white list after the timeout duration expires;
and in the case that the blockchain network does not allow the remote node to connect, if the time the new item has remained in the grey list exceeds the corresponding timeout duration, moving the item from the grey list to the black list and instructing the receiving OpenFlow switch to discard the corresponding flow table entry; resetting its timeout duration and deleting said new item from the black list upon expiry of said timeout duration.
4. The method of claim 3, further comprising:
limiting the capacity of the grey list, which is pre-configured; and when the grey list is found to be full, adding no new item, and when a new item arrives, the SDN controller instructing the OpenFlow switch to generate and install a short-term flow entry that discards similar data packets.
5. The method of claim 4, further comprising:
setting a token bucket, and initializing the bucket with a configurable number of tokens when the grey list is at its maximum free capacity; removing one token each time a new item is added to the grey list; and if the bucket is empty when a new item arrives, removing no token and not adding the new item to the grey list, while the SDN controller instructs the OpenFlow switch to generate and install a short-term flow entry that reacts to the delete operation and generates a flow deletion message when the new item's data packets are deleted.
6. An SDN-based blockchain security control device, comprising:
the monitoring unit is used for monitoring Packet-In messages from the OpenFlow switch, extracting IP address, port and transport protocol information from the Packet-In messages, and determining whether the messages relate to any protected node in a block chain;
the first processing unit is used for determining whether the Packet-In message relates to any protected node in the block chain, and forwarding the message if the Packet-In message does not relate to any protected node in the block chain; otherwise, searching whether a matching item exists in a preset white list, a preset black list and a preset grey list;
the second processing unit is used for generating a new item according to the Packet-In message, attaching the new item to the grey list and forwarding the message when the search result shows that no matching item exists; and, if the search result is that a matching item exists, processing the message according to the list type corresponding to the matching item;
and the list storage unit is used for storing a preset white list, a preset black list and a preset grey list.
7. The apparatus of claim 6, wherein the second processing unit further comprises a matching processing unit to:
if the matching item exists in a blacklist, instructing the OpenFlow switch to install a flow entry with a delete operation;
if the matching item exists in the white list, stopping processing the message and forwarding the message;
and if the matching item exists in the grey list, adding the OpenFlow switch to the switch list of the matching item, and installing a flow entry corresponding to the message.
8. The apparatus of claim 7, wherein the second processing unit further comprises a new item processing unit comprising:
a new item generation and attachment unit, configured to generate a new item according to the Packet-In message, the switch and the protected node information, set its timeout duration, and add the new item to the grey list;
a forwarding processing unit, configured to, when the blockchain network allows the remote node to connect, take the relevant remote node in the Packet-In message as a peer of the protected node, transfer the new item from the grey list to the white list, reset the timeout duration of the new item, and delete the new item from the white list after the timeout duration expires;
and means for, in the case that the blockchain network does not allow the remote node to connect, moving the new item from the grey list to the black list when the time it has remained in the grey list exceeds the corresponding timeout duration, and instructing the receiving OpenFlow switch to discard the corresponding flow table entry; the timeout duration of the item is reset and the new item is deleted from the black list upon expiry of that timeout duration.
9. The apparatus of claim 8, further comprising:
a grey list capacity limiting unit, used for limiting the grey list capacity, which is pre-configured; and when the grey list is found to be full, adding no new item, and when a new item arrives, the SDN controller instructing the OpenFlow switch to generate and install a short-term flow entry that discards similar data packets.
10. The apparatus of claim 9, further comprising:
a token processing unit, used for setting a token bucket and initializing the bucket with a configurable number of tokens when the grey list is at its maximum free capacity; removing one token each time a new item is added to the grey list; and, if the bucket is empty when a new item arrives, removing no token and not adding the new item to the grey list, while the SDN controller instructs the OpenFlow switch to generate and install a short-term flow entry that reacts to the delete operation and generates a flow deletion message when the new item's data packets are deleted.
11. A blockchain network, comprising:
an OpenFlow switch;
a plurality of blockchain nodes connected to the OpenFlow switch, the plurality of blockchain nodes including protected blockchain nodes;
an SDN control node connected with the OpenFlow switch;
characterized in that the SDN control node comprises an SDN based blockchain security control apparatus according to any of claims 6 to 10.
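The Packet-In handling of steps S11 to S13, the list timeouts of claim 3 and the grey-list capacity limit and token bucket of claims 4 and 5 (also described in the apparatus above), modelled as an added Python example that is not part of the patent. It assumes a flow key of (remote IP, remote port, protocol, protected IP), refills the bucket whenever the grey list is empty (one reading of "maximum free capacity"), and returns the controller action as a string instead of sending OpenFlow messages.

```python
from dataclasses import dataclass, field


@dataclass
class Item:
    expires: float                     # absolute time at which the item times out
    switches: set = field(default_factory=set)   # switches that have seen this flow


class ChainListFirewall:
    """Grey/white/black list state kept on the SDN controller (claims 1-5)."""

    def __init__(self, protected_ips, grey_capacity=4, bucket_size=2, timeout=30.0):
        self.protected = set(protected_ips)      # IPs of protected blockchain nodes
        self.white, self.black, self.grey = {}, {}, {}
        self.grey_capacity = grey_capacity       # pre-configured grey-list capacity
        self.bucket_size = bucket_size           # configurable number of tokens
        self.tokens = bucket_size                # bucket initialised while grey list is empty
        self.timeout = timeout

    def expire(self, now):
        """Apply the timeouts of claim 3; returns keys whose flows the switch must drop."""
        dropped = []
        for key in [k for k, it in self.grey.items() if it.expires <= now]:
            # remote never received peer permission: grey -> black, timeout reset
            self.black[key] = Item(now + self.timeout, self.grey.pop(key).switches)
            dropped.append(key)
        for lst in (self.white, self.black):
            for key in [k for k, it in lst.items() if it.expires <= now]:
                del lst[key]                     # white/black items simply expire
        if not self.grey:                        # grey list back at maximum free capacity
            self.tokens = self.bucket_size       # (assumption: refill the bucket here)
        return dropped

    def packet_in(self, switch, src_ip, src_port, proto, dst_ip, now):
        """Decide the controller action for one Packet-In message (steps S11-S13)."""
        self.expire(now)
        if dst_ip not in self.protected:
            return "forward"                     # message does not concern a protected node
        key = (src_ip, src_port, proto, dst_ip)
        if key in self.black:
            return "install_drop_flow"           # flow entry with a delete/drop action
        if key in self.white:
            return "forward"
        if key in self.grey:
            self.grey[key].switches.add(switch)  # add the switch to the item's switch list
            return "install_flow"
        # no match: new grey item, gated by grey-list capacity and the token bucket
        if len(self.grey) >= self.grey_capacity or self.tokens == 0:
            return "install_short_term_drop_flow"
        self.tokens -= 1
        self.grey[key] = Item(now + self.timeout, {switch})
        return "forward"

    def peer_decision(self, key, allowed, now):
        """Protected node answers whether the remote may peer: grey -> white or black."""
        item = self.grey.pop(key, None)
        if item is None:
            return False
        item.expires = now + self.timeout        # timeout is reset on the new list
        (self.white if allowed else self.black)[key] = item
        return True
```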
CN201910899470.9A 2019-09-23 2019-09-23 Block chain safety control method and device based on SDN and block chain network Pending CN110868392A (en)


Publications (1)

Publication Number Publication Date
CN110868392A true CN110868392A (en) 2020-03-06



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200306