CN111490989A - Network system, attack detection method and device and electronic equipment - Google Patents


Info

Publication number
CN111490989A
CN111490989A
Authority
CN
China
Prior art keywords
attack
message
port
switch
detection
Legal status
Pending
Application number
CN202010279853.9A
Other languages
Chinese (zh)
Inventor
刘世栋
卜宪德
喻强
刘川
姚继明
郭云飞
王炜
虞跃
陶静
李维
陆忞
王永刚
汪强
郑元兵
石琳姗
李洋
于佳
Current Assignee
Electric Power Research Institute of State Grid Chongqing Electric Power Co Ltd
State Grid Corp of China SGCC
Xuji Group Co Ltd
State Grid Jiangsu Electric Power Co Ltd
State Grid Chongqing Electric Power Co Ltd
Global Energy Interconnection Research Institute
State Grid Electric Power Research Institute
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
Electric Power Research Institute of State Grid Chongqing Electric Power Co Ltd
State Grid Corp of China SGCC
Xuji Group Co Ltd
State Grid Jiangsu Electric Power Co Ltd
State Grid Chongqing Electric Power Co Ltd
Global Energy Interconnection Research Institute
State Grid Electric Power Research Institute
Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Application filed by Electric Power Research Institute of State Grid Chongqing Electric Power Co Ltd, State Grid Corp of China SGCC, Xuji Group Co Ltd, State Grid Jiangsu Electric Power Co Ltd, State Grid Chongqing Electric Power Co Ltd, Global Energy Interconnection Research Institute, State Grid Electric Power Research Institute, Nanjing Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority to CN202010279853.9A
Publication of CN111490989A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Abstract

The invention relates to the field of network security, and in particular to a network system, an attack detection method, an attack detection device and electronic equipment. The network system comprises a controller and at least one switch; a first port of the attack handler is connected to the controller and a second port of the attack handler is connected to the switch; the attack handler performs attack detection on messages received on the second port. By adding the attack handler between the controller and the switch and using it to inspect and forward message data, the front-end processing done by the distributed attack handlers reduces the centralized processing load on the controller when a network attack is being handled, saves network bandwidth and protects the controller.

Description

Network system, attack detection method and device and electronic equipment
Technical Field
The invention relates to the technical field of network security, in particular to a network system, an attack detection method, an attack detection device and electronic equipment.
Background
Software Defined Networking (SDN) is a network architecture that separates the control and forwarding functions. Its centralized control model makes network management and application service configuration more flexible and convenient, and also makes it easier to deploy new network technologies and protocols and to drive network innovation. As SDN has developed, SDN security has drawn more and more attention; in particular, since the SDN controller is the core of the SDN, guaranteeing the security of the SDN controller has become a focus of research.
Distributed denial of service (DDoS) attacks are a highly damaging, distributed, large-scale coordinated form of network attack. A defense architecture commonly used in existing SDN networks is for the switch to collect network traffic, encapsulate new flows that match no current flow entry of the switch into packets and forward them to the SDN controller; the controller analyzes the forwarded messages, generates either normal forwarding routes or a corresponding attack rule base according to the result, and sends them to the switch as flow entries for execution, thereby completing either the forwarding of normal service flows or the defense against attack flows.
Because a DDoS attack works by occupying the processing resources of the attacked device within a short time, the existing defense architecture, in which the centralized SDN controller collects and analyzes data periodically and only then makes a defense decision, cannot achieve real-time defense. Meanwhile, the collected data must be uploaded directly to the SDN controller for storage and analysis; if that data is attack data, most of the controller's resources are already occupied by the time it analyzes the data, and the DDoS attack has succeeded. Besides bringing down the SDN controller and causing large-scale communication failures, the attack also wastes a great deal of communication bandwidth.
Disclosure of Invention
In view of this, embodiments of the present invention provide a network system, an attack detection method, an attack detection device and an electronic device, so as to solve the problem that a controller handling a network attack has a large amount of its data bandwidth occupied, so that its data processing load becomes high and the network is forced down.
According to a first aspect, an embodiment of the present invention provides a network system, including a controller and at least one switch;
the first port of the attack handler is connected to the controller, and the second port of the attack handler is connected to the switch; the attack handler performs attack detection on messages received on the second port.
By adding the attack handler between the controller and the switch and using it to detect attack messages and forward normal messages, the front-end processing done by the distributed attack handlers reduces the centralized processing load on the controller when a network attack is handled, saving network bandwidth while protecting the controller.
With reference to the first aspect, in a first implementation manner of the first aspect, the attack handlers correspond one to one with the switches.
Connecting an attack handler to each switch so that the message data received by the switch is analyzed there relieves the controller's processing load and improves network robustness.
According to a second aspect, an embodiment of the present invention provides an attack detection method, including:
receiving a message to be detected on the local second port, where the second port is connected to the switch, the message to be detected was sent from a preset port of the switch, and the local first port is connected to the controller;
analyzing the message to be detected to obtain its source IP address;
forming a detection message based on the source IP address and sending it to the switch;
and detecting whether, within a preset time interval, the second port receives a response message to the detection message from the preset port of the switch, so as to determine whether the message to be detected is an attack message.
The method receives the message to be detected, analyzes it to obtain its source IP address, generates a detection message from that address, sends the detection message to the switch and waits for the switch's corresponding reply in order to determine whether the message to be detected is an attack message.
That is, the second port receives the message to be detected from the switch; the received message is analyzed for its source IP address; a detection message is generated for that address and returned to the switch; and the handler waits for a response from the preset port of the switch to determine whether an attack message is present. The processing load on the back-end controller is thereby reduced while accurate identification is achieved.
With reference to the second aspect, in a first implementation manner of the first aspect, detecting whether the second port receives a response message to the detection message from the preset port of the switch within the preset time interval, so as to determine whether the message to be detected is an attack message, includes:
when the second port does not receive a response message from the preset port of the switch within the preset time interval, determining that the message to be detected is an attack message and discarding it;
and when the second port does receive a response message from the preset port of the switch within the preset time interval, sending the message to be detected to the controller through the first port.
Determining whether a message is an attack message from the response of the preset port of the switch improves the timeliness of message analysis and handling.
With reference to the second aspect, in a second implementation manner of the first aspect, detecting whether the second port receives a response message to the detection message from the preset port of the switch within the preset time interval, so as to determine whether the message to be detected is an attack message, further includes:
when the second port does not receive a response message from the preset port of the switch within the preset time interval, counting the number of attacks on that preset port of the switch;
and when the attack count of the preset port of the switch exceeds a preset value, sending a disabling instruction to the switch to disable that preset port.
Whether an attack message is present is determined from the response of the preset port of the switch; if so, the attacks on that port are counted against a preset value, and once the count exceeds the preset value the port is disabled. The attack is thereby confined to a specific port, the likelihood that the switch is compromised is reduced, and the switch's resistance to attack is improved.
According to a third aspect, an embodiment of the present invention provides an attack detection method, including: receiving a detection message sent from the second port of the attack handler, where the detection message was formed by the attack handler from the source IP address of a message to be detected that was sent from a preset port of the switch;
and determining, based on the IP address in the detection message (that is, the source IP address), whether to send a response message to the attack handler through the preset port.
Detecting whether a network attack is present by analyzing the source IP address reduces the likelihood that the switch is attacked, improves its resistance to attack and protects the network.
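To make the second and third aspects concrete, here is an added simulation of both sides of the exchange (example code written for this page, not code from the patent or its applicants): a stand-in switch that answers a detection message only when a real terminal holding the probed IP address is reachable on the probed port, and an attack handler that forwards the message on a timely reply, otherwise drops it, counts the miss against the switch port, and disables the port once the count exceeds the preset value. The timeout, threshold, port numbers, IP addresses and message shapes are all constructed for the example; a reply that arrives after the preset interval is treated the same as no reply, which is the edge case a real implementation has to get right.

```python
"""Added simulation of the probe-and-wait check on the attack handler and switch sides."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PacketIn:
    """Message to be detected, as handed up by the switch (constructed stand-in for a Packet_In)."""
    in_port: int   # the switch's preset port the message arrived on
    src_ip: str    # source IP address parsed from the message


@dataclass
class Reply:
    """Response message to a detection message (ARP-reply stand-in)."""
    ip: str
    latency: float  # seconds until the reply reached the handler's second port


class Switch:
    """Switch side (third aspect): answer the detection message only when a real
    terminal owning that IP address is reachable on the probed port."""

    def __init__(self, terminals: Dict[int, Dict[str, float]]) -> None:
        # constructed topology: port -> {terminal IP: time it takes to answer an ARP request}
        self.terminals = terminals
        self.disabled_ports: Set[int] = set()

    def handle_detection(self, port: int, ip: str) -> Optional[Reply]:
        if port in self.disabled_ports:
            return None
        latency = self.terminals.get(port, {}).get(ip)
        if latency is None:
            return None  # forged or dynamic source address: nobody answers for it
        return Reply(ip, latency)

    def disable_port(self, port: int) -> None:
        self.disabled_ports.add(port)


class AttackHandler:
    """Attack handler side (second aspect): probe, wait, forward or drop, count, disable."""

    def __init__(self, switch: Switch, timeout: float, threshold: int) -> None:
        self.switch = switch
        self.timeout = timeout        # preset time interval (assumed value, in seconds)
        self.threshold = threshold    # preset value for the per-port attack count
        self.attack_count: Dict[int, int] = {}
        self.to_controller: List[PacketIn] = []  # what leaves through the first port
        self.dropped: List[PacketIn] = []

    def process(self, pkt: PacketIn) -> str:
        reply = self.switch.handle_detection(pkt.in_port, pkt.src_ip)
        # A reply that arrives after the preset interval counts the same as no reply.
        if reply is not None and reply.ip == pkt.src_ip and reply.latency <= self.timeout:
            self.to_controller.append(pkt)
            return "forwarded"
        self.dropped.append(pkt)
        count = self.attack_count.get(pkt.in_port, 0) + 1
        self.attack_count[pkt.in_port] = count
        if count > self.threshold and pkt.in_port not in self.switch.disabled_ports:
            self.switch.disable_port(pkt.in_port)   # the "disabling instruction"
            return "dropped, port disabled"
        return "dropped"


def run_demo() -> dict:
    """Constructed scenario: one honest terminal, one terminal that answers too
    slowly, and one switch port emitting messages with forged source addresses."""
    switch = Switch({1: {"192.0.2.10": 0.05}, 2: {"192.0.2.20": 2.0}})
    handler = AttackHandler(switch, timeout=1.0, threshold=3)
    traffic = [
        PacketIn(1, "192.0.2.10"),
        PacketIn(3, "203.0.113.5"),
        PacketIn(3, "203.0.113.6"),
        PacketIn(3, "203.0.113.7"),
        PacketIn(3, "203.0.113.8"),   # fourth miss on port 3: exceeds threshold 3
        PacketIn(2, "192.0.2.20"),    # real terminal, but its reply is late
        PacketIn(1, "192.0.2.10"),
    ]
    results = [handler.process(p) for p in traffic]
    return {
        "results": results,
        "attack_count": handler.attack_count,
        "disabled_ports": switch.disabled_ports,
        "forwarded": len(handler.to_controller),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The slow terminal on port 2 is the case worth noticing: a legitimate host whose ARP reply arrives after the preset interval is dropped and counted exactly like a forged address, so the interval and the threshold have to be chosen with the real link latency in mind or honest ports will eventually be disabled.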
According to a fourth aspect, an embodiment of the present invention provides an attack detection apparatus, including:
a first receiving module configured to receive the message to be detected on the local second port, where the second port is connected to the switch, the message to be detected was sent from the preset port of the switch, and the local first port is connected to the controller;
an analysis module configured to analyze the message to be detected to obtain its source IP address;
a first module configured to form a detection message based on the source IP address and send it to the switch;
and a second module configured to detect whether, within a preset time interval, the second port receives a response message to the detection message from the preset port of the switch, so as to determine whether the message to be detected is an attack message.
According to a fifth aspect, an embodiment of the present invention provides an attack detection apparatus, including: a second receiving module configured to receive a detection message sent from the second port of the attack handler, where the detection message was formed by the attack handler from the source IP address of a message to be detected that was sent from the preset port of the switch;
and a judging module configured to determine, based on the IP address in the detection message (that is, the source IP address), whether to send a response message to the attack handler through the preset port.
Using the receiving modules, the analysis module, the first module, the second module and the judging module prevents the controller from having a large amount of its data bandwidth occupied, and hence a high data processing load, when handling a network attack, and ensures network security.
According to a sixth aspect, an embodiment of the present invention provides an electronic device, including a memory and a processor communicatively connected to each other, where the memory stores computer instructions and the processor executes those instructions to perform the attack detection method of any one of the second aspect and the third aspect.
According to a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions that cause a computer to execute the attack detection method of any implementation manner of the second aspect or the third aspect.
Drawings
The features and advantages of the present invention will be more clearly understood by reference to the accompanying drawings, which are illustrative and not to be construed as limiting the invention in any way, and in which:
Fig. 1 is a schematic diagram of an application scenario of an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a network system according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a network system according to embodiment 1 of the present invention;
Fig. 4 is a schematic structural diagram of a DDoS attack processing front-end processor provided in embodiment 1 of the present invention;
Fig. 5 is a schematic view of an application scenario of an attack detection system according to an embodiment of the present invention;
Fig. 6 is a flowchart of an attack detection method according to an embodiment of the present invention;
Fig. 7 is a flowchart of an attack detection method executed on an attack handler according to an embodiment of the present invention;
Fig. 8 is a flowchart of an attack detection method executed on an attack handler according to an embodiment of the present invention;
Fig. 9 is a flowchart of an attack detection method executed on a switch according to an embodiment of the present invention;
Fig. 10 is a flowchart of an attack detection method provided in embodiment 2 of the present invention;
Fig. 11 is a flowchart of an attack detection method provided in embodiment 3 of the present invention;
Fig. 12 is a block diagram of an attack detection apparatus relating to an attack handler according to an embodiment of the present invention;
Fig. 13 is a block diagram of an attack detection apparatus relating to a switch according to an embodiment of the present invention;
Fig. 14 is an electronic device according to an embodiment of the present invention.
Reference numerals
1-switch; 2-attack handler; 3-controller; 4-terminal; 21-physical port; 22-packet message transceiver module; 23-Packet_In message analysis processing module; 24-message storage unit; 30-first receiving module; 31-analysis module; 32-first module; 33-second module; 40-second receiving module; 41-judging module; 51-processor; 52-memory; 53-bus; 54-communication interface.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic view of an application scenario according to an embodiment of the present invention. In it, a switch receives data requests sent by various intelligent terminals; the switch exchanges information with the controller through the attack handler and transmits data over the data link. An intelligent terminal may be any electronic device with an IP address or MAC address, such as a mobile phone, computer or tablet, and may run application software or a protocol supporting the attack detection method. The intelligent terminal encapsulates its data and sends it to the controller through the switch and the attack handler; the controller stores and queries the data sent by the terminal to determine whether a flow table preset in the controller matches it, and executes the corresponding action.
Fig. 2 is a schematic structural diagram of a network system according to an embodiment of the present invention. The network system comprises a controller 3 and at least one switch 1; the first port of the attack handler 2 is connected to the controller and the second port of the attack handler 2 is connected to the switch 1; the attack handler 2 is configured to perform attack detection on messages received on the second port.
Further, the controller 3 may be a software-defined application responsible for flow control, ensuring proper use of the intelligent network. The attack handler 2 may be an independent device or module, or a module integrated in the switch 1, and is responsible for forwarding the data received by the switch 1 to the controller 3 or for assisting the switch 1 with data exchange. The switch 1 has a plurality of terminal connection ports and can transmit data between several ports at the same time.
In a conventional network attack, the attacker impersonates the target host or takes control of it, turning it into a puppet host, and launches an attack on the server or controller 3 that occupies data bandwidth, forcing the controller 3 to keep allocating resources, raising its data processing load and bringing the network down. Relative to the traditional defense system, the attack handler 2 is added between the original switch 1 and the controller 3, and the attack handler 2 inspects the data the switch 1 is about to forward, so as to secure the data path between the switch 1 and the controller 3 and thereby the whole network.
For example, among the plurality of terminals 4 there is a puppet terminal controlled by the attack initiator, and this terminal 4 sends packets to the controller 3 to carry out the network attack. With the attack handler 2 added between the controller 3 and the switch 1, attack detection can be performed by the attack handler 2 before the puppet terminal's attack data reaches the controller 3, so protecting the network. Specifically, the attack handler 2 parses from the received packet the forged IP address of the puppet host: the puppet host can transmit data but alters its source IP address to conceal the attack, so the forged address is a dynamic one that no host will respond for. As another example, the attack handler 2 sends a detection packet to the terminal 4 and waits for the response to it. If the attack handler 2 receives a response from the terminal, the terminal at the IP address in the detection packet is a real terminal in a normal state, and the packet sent by that terminal is forwarded to the controller 3. If the attack handler 2 receives no response from the IP address in the detection packet it sent, the unanswered packet is discarded: the IP address is determined to be forged, the packet sent by the terminal is illegitimate, and a network attack is in progress. The network system provided by the invention can thus monitor changes in network data in advance and reduce the data processing load on the controller.
By adding the attack handler 2 between the controller 3 and the switch 1 and using the attack handler 2 to inspect and forward message data, the controller 3 is prevented from having a large amount of its data bandwidth occupied, and hence a high data processing load, when dealing with a network attack, and network security is ensured.
Optionally, the attack handlers 2 correspond one to one with the switches 1. Connecting an attack handler to each switch so that the message data received by the switch is analyzed there relieves the controller's processing load and improves network robustness.
Example 1
Fig. 3 is a schematic structural diagram of a network system according to embodiment 1 of the present invention. The network system is suited to an SDN network dealing with a DDoS attack and specifically involves a plurality of terminals 4, a switch 1, an attack handler 2 and a controller 3.
The terminals 4 may be mobile phones, computers, tablets and other intelligent devices capable of network data transmission; they include normal service terminals as well as puppet terminals controlled by a DDoS attack initiator. A terminal 4 may be a sender or receiver of the service traffic carried by the SDN network, including abnormal traffic: it may send traffic into the SDN network or receive traffic sent by other devices through it. Service traffic includes both normal service access traffic and the DDoS attack traffic a terminal sends once it has been compromised.
Optionally, the terminal 4 may process the response traffic resulting from service requests it issued itself.
Optionally, the terminal 4 may respond to protocol request messages (e.g. ARP requests or ICMP requests) from other terminals or devices.
The switch 1 may be an OpenFlow switch; the data forwarding plane of the SDN network may be built from OpenFlow switches, specifically by networking a plurality of switches 1. The OpenFlow switch matches the data traffic generated by the terminal 4 against its flow entries and acts on the result: when the traffic matches a flow entry in the OpenFlow switch, it is processed according to the action that entry defines; when it matches no flow entry in the OpenFlow switch, a corresponding Packet_In message is generated and reported to the SDN controller. Meanwhile, the OpenFlow switch is managed centrally by the SDN controller, which maintains and updates its flow entries, and it processes the traffic generated by the terminal 4 according to the matched flow entries.
The attack handler 2 may be a DDoS attack processing front-end processor. The DDoS attack processing front-end processor has a first port and a second port, where the first port is connected to an OpenFlow switch and the second port is connected to an SDN controller, and it processes the messages exchanged between the switch 1 and the controller 3: for a Packet_In message from the switch, it makes the attack determination by sending an ARP message and checking whether an ARP response is received within a fixed time limit. When no ARP response is received within the time limit, the source IP address is judged to be forged, the network is under DDoS attack, and the Packet_In message from that source IP address must be discarded; when an ARP response is received within the time limit, the network is considered not to be under DDoS attack and the Packet_In message from the switch is forwarded to the SDN controller. The attack handler 2 may forward messages from the controller 3 directly to the connected switch 1 through the second port of the DDoS attack processing front-end processor.
Fig. 4 is a schematic structural diagram of the DDoS attack processing front-end processor provided in this embodiment. It may be composed of a physical port 21, a packet message transceiver module 22, a Packet_In message analysis processing module 23 and a message storage unit 24, specifically:
the physical port 21 performs the send and receive function for data streams at the data link layer and below; the physical ports 21 are divided into a first port and a second port, also called the uplink port and the downlink port: the physical port connected to the SDN controller is defined as the first port and the port connected to the OpenFlow switch as the second port;
the packet message transceiver module 22 performs network layer and data message encapsulation and decapsulation and interacts with the physical port 21 to send and receive messages;
the Packet_In message analysis processing module 23 analyzes and processes the messages transmitted between the OpenFlow switch and the SDN controller. Specifically, it analyzes and processes the Packet_In messages the switch 1 uploads to the controller 3, discarding all DDoS attack messages launched with forged source IP addresses and forwarding the other normal flows that match no switch flow entry to the controller 3 for processing; control instructions issued by the controller 3 are forwarded directly without processing;
the message storage unit 24 caches the temporary message information generated while the Packet_In message analysis processing module 23 is working, for subsequent access by that module.
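As an added example of what modules 22 and 23 have to do with the bytes inside a Packet_In (written for this page; not the applicants' code), the following parses the Ethernet/IPv4 frame carried in the message to extract the source IP address, builds the broadcast ARP request used as the detection message, and checks whether a received frame is an ARP reply for that address. The MAC addresses, the handler's own IP address and the sample frame are constructed; the source address 162.168.1.12 is the one the description uses as its example. It goes one step beyond the description by also handling an 802.1Q-tagged frame, which a switch port carrying VLANs will hand up.

```python
"""Added example: extract the source IP from a Packet_In frame, build the ARP
detection message, and recognise the matching ARP reply."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def source_ip_from_packet_in(frame: bytes) -> str:
    """Return the IPv4 source address of the frame carried in a Packet_In."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    offset = ETH_HDR.size
    if ethertype == ETHERTYPE_VLAN:            # skip one 802.1Q tag (TCI + inner EtherType)
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    if len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 header")
    return str(ipaddress.IPv4Address(frame[offset + 12:offset + 16]))


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Detection message: a broadcast ARP request asking who holds target_ip."""
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return ETH_HDR.pack(BROADCAST, sender_mac, ETHERTYPE_ARP) + arp


def build_arp_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Response message a real terminal would send back (used here to build sample input)."""
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)
    return ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP) + arp


def is_arp_reply_for(frame: bytes, expected_ip: str) -> bool:
    """True if frame is an ARP reply whose sender protocol address is expected_ip."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return False
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return False
    _htype, ptype, hlen, plen, oper, _sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return (oper == ARP_REPLY and ptype == ETHERTYPE_IPV4 and hlen == 6 and plen == 4
            and spa == ipaddress.IPv4Address(expected_ip).packed)


def sample_packet_in(tagged: bool = False) -> bytes:
    """Constructed sample: Ethernet / IPv4 / UDP frame with source 162.168.1.12."""
    dst_mac, src_mac = b"\x00\x11\x22\x33\x44\x55", b"\xaa\xbb\xcc\xdd\xee\xff"
    if tagged:   # 802.1Q tag with constructed VLAN id 100 in front of the IPv4 EtherType
        eth = ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_VLAN) + struct.pack("!HH", 100, ETHERTYPE_IPV4)
    else:
        eth = ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 17, 0,
                         ipaddress.IPv4Address("162.168.1.12").packed,
                         ipaddress.IPv4Address("10.0.0.1").packed)
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8, 0)
    return eth + ip_hdr + udp_hdr


if __name__ == "__main__":
    src = source_ip_from_packet_in(sample_packet_in())
    probe = build_arp_request(b"\x02" * 6, "162.168.1.1", src)   # handler MAC/IP are constructed
    reply = build_arp_reply(b"\xaa\xbb\xcc\xdd\xee\xff", src, b"\x02" * 6, "162.168.1.1")
    print(src, len(probe), is_arp_reply_for(reply, src))
```

Matching the reply on the ARP sender protocol address, not merely on "some ARP reply arrived", is what keeps an unrelated reply on the same port from clearing a forged address; the handler's own MAC and IP address on the switch-side segment are assumptions, since the description does not say what addresses the front-end processor uses.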
Optionally, the DDoS attack processing front-end processor may be placed between the original OpenFlow switch and the SDN controller, adjacent to the OpenFlow switch and configured one to one with it; using the DDoS attack processing front-end processor improves the timeliness of analyzing DDoS attack messages and relieves the processing load of the controller 3.
The controller 3 may be an SDN controller. The SDN controller analyzes and processes the Packet_In messages that the DDoS attack processing front-end processor has passed, generates a decision result, and sends it through the DDoS attack processing front-end processor, which forwards it transparently, to the corresponding switch 1 as flow entries via the OpenFlow protocol for execution.
Optionally, a plurality of terminals 4 may be connected to the same OpenFlow switch; each OpenFlow switch may be configured with its own DDoS attack processing front-end processor; the second port of the DDoS attack processing front-end processor is connected to the OpenFlow switch and its first port to the SDN controller; and one SDN controller is connected to a plurality of DDoS attack processing front-end processors in its management area.
In addition, when the network system provided by the present invention is put into practice, the switch 1, controller 3 and attack handler 2 it uses may be substituted accordingly to deal with different types of network attack.
The advantages of this embodiment:
In an SDN network, a DDoS attack processing front-end processor is introduced between the OpenFlow switch and the SDN controller to handle DDoS attacks launched with forged source IP addresses: the switch 1 is instructed to send a protocol request message for the source IP address through the port on which the message was received, and when no protocol response from that IP address arrives within a fixed time interval, the message is treated as a suspected DDoS attack. Compared with traditional attack detection techniques, the network system of this embodiment is simple to implement and offers better identification accuracy and timeliness; moreover, all analysis is carried out on the attack handler, which relieves the controller's processing load and improves the robustness of the network.
Example 2
Fig. 5 is a schematic view of a network system according to an embodiment of the present invention. This network is also suitable for attack detection. Compared with embodiment 1, the difference is that a local area network is first built by connecting one switch to a plurality of terminals, with each local area network provided with its own attack handler. Several such local area networks are then built and connected to the controller to obtain the network system of this embodiment. This achieves distributed detection across many terminals, narrows the range an attack can affect and keeps the network operating normally; and because each switch is paired with its own attack handler, whether a terminal is the source of a network attack can be determined with a fast response, which improves the attack resistance of the attack detection system and safeguards the system network.
The attack detection method provided by the embodiment of the present invention is applicable to the network system of either embodiment above. As shown in fig. 6, the attack detection method comprises the following steps:
S10, receiving the message to be detected from the second port of the attack handler; the second port is connected with the switch, the message to be detected is sent from a preset port of the switch, and the first port of the attack handler is connected with the controller. Before the attack handler receives the message to be detected, the switch looks up the flow entry for the corresponding terminal; if no matching flow entry is found, the message is reported towards the controller, and it is this message that the attack handler then inspects.
S11, parsing the message to be detected to obtain a source IP address; specifically, the message to be detected is stored first, and the address field holding the source IP address is extracted from it, for example 162.168.1.12.
S12, forming a detection message based on the source IP address and sending it to the switch; specifically, a request message of a protocol such as ARP or ICMP is generated with the source IP address as its target.
S13, detecting whether, within a preset time interval, the second port receives a response message to the detection message from the preset port of the switch, so as to determine whether the message to be detected is an attack message. Optionally, the attack handler is provided with a timer that sets the preset time interval: when the attack handler receives a response message within the preset time, it can confirm that the data sent by the terminal is normal; otherwise the data is treated as abnormal.
Specifically, as shown in fig. 7, S13 includes the following steps:
S131, judging whether the second port receives a response message from the preset port of the switch within the preset time interval;
S132, when the second port does not receive the response message from the preset port of the switch within the preset time interval, determining that the message to be detected is an attack message and discarding the message to be detected;
S133, when the second port receives the response message from the preset port of the switch within the preset time interval, sending the message to be detected to the controller through the first port.
Optionally, as shown in fig. 8, besides discarding the message to be detected, S132 may further include:
S132a, when the second port does not receive the response message from the preset port of the switch within the preset time interval, counting the number of attacks on the preset port of the switch;
S132b, when the number of attacks on the preset port of the switch exceeds a preset value, sending a disabling instruction to the switch to disable the preset port.
Fig. 9 is a flowchart of the attack detection method as executed on the switch according to an embodiment of the present invention; its steps are as follows:
S20, receiving the detection message sent from the second port of the attack handler, where the detection message is formed by the attack handler based on the source IP address in the message to be detected that was sent from the preset port of the switch;
S21, determining, based on the IP address in the detection message, whether to send a response message to the attack handler through the preset port; the IP address is the source IP address.
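The following is an added example that simulates the attack handler's decision logic of steps S10 to S13 and S131 to S132b, together with the switch-side steps S20 and S21, above; it is not code from the patent or its applicants. It models the handler in Python with a simulated clock in place of the hardware timer. The 0.5 s timeout, the disable threshold of 3, the IP addresses and the `AttackHandler` class and method names are all assumed for the example.

```python
"""Simulation of the attack handler's Packet_In validation (S10-S13, S131-S132b).
Added example, not the patent's code.  A simulated clock ('now' arguments)
replaces the hardware timer so the behaviour is deterministic and testable."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROBE_TIMEOUT = 0.5      # preset time interval in simulated seconds (assumed value)
DISABLE_THRESHOLD = 3    # preset attack count per switch port (assumed value)


@dataclass
class Pending:
    """A cached Packet_In waiting for the ARP reply from its claimed source."""
    switch_port: int
    src_ip: str
    payload: bytes
    deadline: float


@dataclass
class AttackHandler:
    timeout: float = PROBE_TIMEOUT
    threshold: int = DISABLE_THRESHOLD
    # (switch port, claimed source IP) -> cached Packet_In awaiting validation
    pending: Dict[Tuple[int, str], Pending] = field(default_factory=dict)
    attack_count: Dict[int, int] = field(default_factory=dict)      # per switch port
    disabled_ports: List[int] = field(default_factory=list)
    to_controller: List[Tuple[int, str, bytes]] = field(default_factory=list)  # via first port
    probes: List[Tuple[int, str]] = field(default_factory=list)     # ARP requests via second port
    dropped: List[Tuple[int, str]] = field(default_factory=list)

    def on_packet_in(self, switch_port: int, src_ip: str, payload: bytes,
                     now: float) -> Optional[Tuple[int, str]]:
        """S10-S12: cache the message and emit an ARP probe for its source IP out of
        the switch port it arrived on.  Returns None if that port is already disabled."""
        if switch_port in self.disabled_ports:
            return None
        key = (switch_port, src_ip)
        self.pending[key] = Pending(switch_port, src_ip, payload, now + self.timeout)
        self.probes.append(key)
        return key

    def on_arp_reply(self, switch_port: int, sender_ip: str, now: float) -> bool:
        """S133 (switch side S20/S21 answered): a reply from the claimed source on the
        probed port arrived in time, so release the cached Packet_In to the controller.
        Late, unsolicited or mismatched replies are ignored."""
        entry = self.pending.get((switch_port, sender_ip))
        if entry is None or now > entry.deadline:
            return False
        del self.pending[(switch_port, sender_ip)]
        self.to_controller.append((entry.switch_port, entry.src_ip, entry.payload))
        return True

    def tick(self, now: float) -> List[int]:
        """S132, S132a, S132b: expire probes whose deadline has passed, drop the cached
        message, count an attack against the port and disable the port once the count
        reaches the threshold.  Returns the ports newly disabled on this tick."""
        newly_disabled: List[int] = []
        for key, entry in list(self.pending.items()):
            if now <= entry.deadline:
                continue
            del self.pending[key]
            self.dropped.append(key)
            port = entry.switch_port
            self.attack_count[port] = self.attack_count.get(port, 0) + 1
            if self.attack_count[port] >= self.threshold and port not in self.disabled_ports:
                self.disabled_ports.append(port)   # disable instruction would go to the switch here
                newly_disabled.append(port)
        return newly_disabled


def run_scenario() -> AttackHandler:
    """Constructed scenario: one genuine terminal on port 1 and a burst of Packet_In
    messages on port 2 whose forged source addresses never answer the probe."""
    h = AttackHandler()
    h.on_packet_in(1, "192.168.1.12", b"flow-miss-1", now=0.0)
    h.on_arp_reply(1, "192.168.1.12", now=0.1)          # answered within the interval
    for i, ip in enumerate(["10.9.9.1", "10.9.9.2", "10.9.9.3"]):
        h.on_packet_in(2, ip, b"spoofed-%d" % i, now=0.2)
    h.tick(now=1.0)                                      # all three probes have expired
    h.on_arp_reply(2, "10.9.9.1", now=1.1)               # late reply: already dropped, ignored
    return h


if __name__ == "__main__":
    h = run_scenario()
    print("forwarded to controller:", h.to_controller)
    print("dropped:", h.dropped)
    print("attack counts:", h.attack_count, "disabled ports:", h.disabled_ports)
```

Each cached Packet_In is keyed by the pair (switch port, claimed source IP), so a reply from a different address, or from a port that was not probed, releases nothing, and a reply that arrives after the entry has expired does not reopen it. In a real deployment the per-port counter should decay or be reset over time, otherwise a short burst of lost ARP replies on a healthy port would leave that port disabled indefinitely.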
Example 2
Fig. 10 is a flowchart of the attack detection method of embodiment 2 of the present invention. The method is described with reference to the network system provided in embodiment 1 in order to explain how it implements network attack detection.
The specific steps of this example are as follows:
S30, the attack handler receives messages from the controller and from the switch;
S31, the attack handler processes the Packet_In message from the switch: it caches the message in a storage unit and at the same time extracts the source IP address field contained in the message;
S32, the attack handler constructs an ARP request message with the source IP address as its target address and sends it to the connected switch;
S33, the switch sends the ARP request out of the port on which the message that triggered the Packet_In was originally received, and the terminal there answers with an ARP response message;
S34, if the attack handler receives the ARP response message from the terminal before the timer expires, the Packet_In message cached in the storage unit is taken out and forwarded to the controller;
S35, if the attack handler does not receive the ARP response message from the terminal before the timer expires, the cached Packet_In message is discarded and the attack threat counter of the corresponding switch port is updated; once the attack threat count exceeds a preset threshold, the corresponding port is disabled and the event is reported to the network manager.
Since S35 is performed only when the attack handler does not receive the ARP response message from the terminal before the timer expires, it is drawn with a dotted line in fig. 10.
S36, messages sent by the controller are forwarded unchanged to the corresponding switch through the downstream port of the attack handler.
Advantages of the preferred embodiment:
The attack detection method is simple to implement and runs on front-end processors deployed in a distributed manner, which relieves the controller of the burden of analyzing and handling network attacks and greatly reduces the risk of the network being paralyzed by an attack on the controller. At the same time, the front-end processor keeps an attack counter and threshold for every physical port of the switch, so the scope of an attack can be narrowed down to individual ports and the attack resistance of the switch is improved.
Example 3
Fig. 11 is a flowchart of the attack detection method provided in embodiment 3 of the present invention, covering the interaction among the terminal, the switch, the attack handler and the controller. Taking an SDN network as an example, the network system of embodiment 1 is deployed, and the apparatus implementing the attack detection method consists of an OpenFlow switch, an SDN controller, an attack handler and a terminal (a computer host). The steps of the attack detection method are as shown in fig. 11:
S40, the attack handler receives a message sent by the OpenFlow switch. The attack handler is inserted between a conventional OpenFlow switch and the SDN controller and is transparent to both: its presence is not reflected in the addresses of the messages exchanged between switch and controller. The message receiving module of the attack handler therefore has to be modified so that messages whose destination address is not the handler itself are passed to the Packet_In message analysis and processing module for further handling instead of being discarded.
S41, the attack handler stores the message information sent by the OpenFlow switch: the Packet_In message arriving on the downlink port is stored in the message storage unit, and the source IP address it contains is returned to the Packet_In message analysis and processing module.
S42, the attack handler sends an ARP request message to the designated port of the switch: first, an ARP address resolution request whose target IP is the source IP address contained in the Packet_In message is constructed; next, the message is sent to the OpenFlow switch through the downlink port and the switch is instructed to send the ARP message out of the designated port, namely the switch port to which the terminal that sent the data packet triggering the Packet_In is connected; finally, an internal timer is started.
S43, the attack handler decides how to handle the cached Packet_In message according to whether the ARP response message arrives in time:
Specifically, the attack handler contains a timer. If an ARP reply from the terminal, forwarded by the switch, is received before the internal timer expires, the original request is a genuine service request from a real terminal and not an attack; the Packet_In message cached in the previous stage is then taken out of the storage unit and forwarded to the SDN controller through the uplink port. Otherwise the traffic is treated as a DDoS attack launched with a forged address and handled as follows: first, the corresponding Packet_In message is removed from the storage unit and is not forwarded to the controller; second, the attack threat counter of the corresponding switch port is updated; finally, when the counter exceeds the threshold, the switch is instructed to disable that port and the event is reported to the network manager.
Because most existing DDoS attacks are carried out with forged source IP addresses, the present invention identifies attacks mainly by checking whether the source IP address of a message actually exists on the network, that is, whether the source IP address is legitimate; the check can be made with either the ICMP protocol or the ARP protocol. Since most hosts and firewalls on the network block ICMP, this embodiment uses ARP messages to probe the terminal address.
Specifically, when no ARP response from the terminal is received within a fixed time interval, the terminal is assumed not to exist on the network and the traffic bearing that address is detected as an attack. However, because the attack handler sits behind the switch, when several ports of one switch come under DDoS attack at the same time the controller is protected by the attack handler, but the switch itself may still suffer performance degradation or even failure because of its limited processing resources, leaving every terminal downstream of it unable to communicate normally. To address this, the present embodiment keeps an attack counter for each physical port of each switch, and once the attack count of a port exceeds the preset threshold that port is disabled. The scope of an attack is thereby narrowed further to specific ports, and the likelihood that the switch itself is brought down is reduced.
S44, the attack handler transparently forwards messages from the SDN controller: a message from the SDN controller that responds to the Packet_In message is not processed (or stored) by the Packet_In message analysis and processing module at all, but is forwarded directly to the switch through the downstream port.
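To make the probe itself concrete, the following added example (not the patent's or the applicants' code) builds the ARP request of steps S32/S42, extracts the source IP address from the IPv4 frame carried in a Packet_In as in S31/S41, and checks the ARP reply of S43 against the probed address. Frame layouts follow RFC 826 (ARP) and RFC 791 (IPv4); the handler's own addresses (`HANDLER_MAC`, `HANDLER_IP`), the terminal addresses and the function names are all constructed for this example.

```python
"""ARP probe construction and reply checking for the attack handler (S31/S41,
S32/S42, S43).  Added example, not the patent's code.  Only the standard library
is used; all MAC/IP values are constructed."""
import ipaddress
import struct
from typing import Optional

ETH_TYPE_IPV4 = 0x0800
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
BROADCAST_MAC = b"\xff" * 6

# Constructed: the attack handler's own Ethernet/IP address used as the ARP sender.
HANDLER_MAC = bytes.fromhex("020000aa0001")
HANDLER_IP = "192.168.1.254"
TERMINAL_MAC = bytes.fromhex("020000bb0001")   # constructed terminal address


def source_ip_from_packet_in(data: bytes) -> Optional[str]:
    """S11/S31/S41: pull the IPv4 source address out of the frame carried in a
    Packet_In.  Returns None for non-IPv4 or truncated frames."""
    if len(data) < 14 + 20:
        return None
    if struct.unpack("!H", data[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip_hdr = data[14:34]
    if ip_hdr[0] >> 4 != 4:                      # version nibble must be 4
        return None
    return str(ipaddress.IPv4Address(ip_hdr[12:16]))


def build_arp_request(target_ip: str) -> bytes:
    """S12/S32/S42: broadcast Ethernet frame asking 'who has target_ip', where
    target_ip is the source address claimed by the Packet_In under test."""
    arp = struct.pack(ARP_FMT, 1, ETH_TYPE_IPV4, 6, 4, ARP_REQUEST,
                      HANDLER_MAC, ipaddress.IPv4Address(HANDLER_IP).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return BROADCAST_MAC + HANDLER_MAC + struct.pack("!H", ETH_TYPE_ARP) + arp


def arp_reply_sender_ip(frame: bytes) -> Optional[str]:
    """S13/S43: if `frame` is a well-formed ARP reply, return its sender protocol
    address so the caller can match it against the probed IP; otherwise None."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, ETH_TYPE_IPV4, 6, 4, ARP_REPLY):
        return None
    return str(ipaddress.IPv4Address(spa))


def reply_matches_probe(packet_in: bytes, reply: Optional[bytes]) -> bool:
    """S43 decision: True only when an ARP reply from the claimed source IP came back
    (the cached Packet_In may then be released to the controller)."""
    claimed = source_ip_from_packet_in(packet_in)
    if claimed is None or reply is None:
        return False
    return arp_reply_sender_ip(reply) == claimed


# --- constructed inputs standing in for what the switch would deliver -------------

def build_ipv4_frame(src_ip: str, dst_ip: str) -> bytes:
    """Constructed minimal IPv4 frame (UDP protocol number, no payload) that plays the
    role of the data packet carried inside a Packet_In."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return HANDLER_MAC + TERMINAL_MAC + struct.pack("!H", ETH_TYPE_IPV4) + ip_hdr


def build_arp_reply(sender_mac: bytes, sender_ip: str) -> bytes:
    """Constructed reply a real terminal would send to the probe; on the wire it
    arrives at the handler's second port via the switch."""
    arp = struct.pack(ARP_FMT, 1, ETH_TYPE_IPV4, 6, 4, ARP_REPLY,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      HANDLER_MAC, ipaddress.IPv4Address(HANDLER_IP).packed)
    return HANDLER_MAC + sender_mac + struct.pack("!H", ETH_TYPE_ARP) + arp


if __name__ == "__main__":
    pin = build_ipv4_frame("192.168.1.12", "10.0.0.5")
    probe = build_arp_request(source_ip_from_packet_in(pin))
    print("probe target:", ipaddress.IPv4Address(probe[38:42]))
    print("genuine reply accepted:",
          reply_matches_probe(pin, build_arp_reply(TERMINAL_MAC, "192.168.1.12")))
    print("no reply accepted:", reply_matches_probe(pin, None))
```

Note that the check matches only the sender protocol address of the reply; a handler that also records the switch port and the sender MAC of the reply can detect a host that answers for an address it does not own, which is the classic ARP-spoofing blind spot of any reachability probe of this kind.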
The advantages of this embodiment:
The method of this embodiment determines whether a flow carries a DDoS attack by checking the validity of the message's source IP address. It is simple to implement and runs on attack handlers deployed in a distributed manner, so the load on the SDN controller for analyzing and handling DDoS attacks is relieved and the risk of the network being paralyzed by an attack on the controller is greatly reduced. At the same time, by keeping attack counters and thresholds for all physical ports of the switches connected below the attack handler, the scope of an attack can be narrowed down to individual ports and the attack resistance of the switches is improved.
Figs. 12 and 13 are block diagrams of an attack detection apparatus according to an embodiment of the present invention; the apparatus involves an attack handler and a switch.
Fig. 12 is a block diagram of the attack detection apparatus relating to the attack handler according to an embodiment of the present invention, which includes:
a first receiving module 30, configured to receive a message to be detected from a second port of the attack handler; the second port is connected with the switch, the message to be detected is sent from the preset port of the switch, and the first port of the attack processor is connected with the controller;
the analysis module 31 is configured to analyze the packet to be detected to obtain a source IP address;
a first module 32, configured to form a detection packet based on the source IP address and send the detection packet to the switch;
the second module 33 is configured to detect whether the second port receives a response packet based on the detection packet from a preset port of the switch within a preset time interval, so as to determine whether the packet to be detected is an attack packet.
Fig. 13 is a block diagram of an attack detection apparatus relating to a switch according to an embodiment of the present invention, where the apparatus includes:
a second receiving module 40, configured to receive a detection packet sent from a second port of the attack handler; wherein, the detection message is formed by the attack processor based on the source IP address in the message to be detected sent from the preset port of the switch;
a judging module 41, configured to determine whether to send a response packet to the attack handler through a preset port based on the IP address in the detection packet; wherein the IP address is a source IP address.
With the first receiving module 30, the analysis module 31, the first module 32, the second module 33, the second receiving module 40 and the judging module 41, a network attack is prevented from consuming a large share of the controller's bandwidth and placing a heavy processing load on it, and network security is ensured.
In addition, an embodiment of the present invention further provides an electronic device, as shown in fig. 14, the electronic device may include a processor 51 and a memory 52, where the processor 51 and the memory 52 may be connected through a bus 53, a communication interface 54, or in other manners, and fig. 14 takes the connection through the bus as an example.
The processor 51 may be a central processing unit (CPU). The processor 51 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 52 is a non-transitory computer-readable storage medium that can store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the attack detection method in the embodiments of the present invention (for example, the first receiving module 30, the analysis module 31, the first module 32, the second module 33, the second receiving module 40 and the judging module 41 shown in figs. 12 and 13). By running the non-transitory software programs, instructions and modules stored in the memory 52, the processor 51 executes the functional applications and data processing of the apparatus, that is, implements the attack detection method of the method embodiments above.
The memory 52 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 51, and the like. Further, the memory 52 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 52 may optionally include memory located remotely from the processor 51, and these remote memories may be connected to the processor 51 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 52 and, when executed by the processor 51, perform the attack detection method in the embodiment shown in fig. 7-11.
The details of the electronic device may be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 2 to 13, which are not described herein again.
Those skilled in the art will understand that all or part of the processes of the method embodiments described above can be carried out by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the processes of the method embodiments above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid state drive (SSD), or the like; the storage medium may also comprise a combination of the memories listed above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A network system, comprising:
a controller and at least one switch;
a first port of the attack processor is connected with the controller, and a second port of the attack processor is connected with the switch; and the attack handler is used for carrying out attack detection on the message received from the second port.
2. The network system of claim 1, wherein the attack handlers correspond one-to-one to the switches.
3. An attack detection method, characterized in that the method comprises:
receiving a message to be detected from a local second port; the second port is connected with a switch, the message to be detected is sent from a preset port of the switch, and the local first port is connected with the controller;
analyzing the message to be detected to obtain a source IP address;
forming a detection message based on the source IP address and sending the detection message to the switch;
and detecting whether the second port receives a response message based on the detection message from a preset port of the switch or not within a preset time interval so as to determine whether the message to be detected is an attack message or not.
4. The method according to claim 3, wherein the detecting whether the second port receives a response packet based on the detection packet from a preset port of the switch within a preset time interval to determine whether the packet to be detected is an attack packet comprises:
when the second port does not receive the response message from the preset port of the switch within a preset time interval, determining that the message to be detected is an attack message and discarding the message to be detected;
and when the second port receives the response message from the preset port of the switch within a preset time interval, sending the message to be detected to the controller through the first port.
5. The method according to claim 4, wherein the detecting whether the second port receives a response packet based on the detection packet from a preset port of the switch within a preset time interval to determine whether the packet to be detected is an attack packet further comprises:
when the second port does not receive the response message from the preset port of the switch within a preset time interval, counting the attack times of the preset port of the switch;
and when the attack times of the preset port of the switch exceed a preset value, sending a disabling instruction to the switch to disable the preset port.
6. An attack detection method, comprising: receiving a detection message sent from a second port of the attack handler; the detection message is formed by the attack processor based on a source IP address in a message to be detected sent from a preset port of the switch;
determining whether to send a response message to the attack processor through the preset port or not based on the IP address in the detection message; wherein the IP address is a source IP address.
7. An attack detection apparatus, comprising:
the first receiving module is used for receiving the message to be detected from the local second port; the second port is connected with a switch, the message to be detected is sent from a preset port of the switch, and the local first port is connected with the controller;
the analysis module is used for analyzing the message to be detected to obtain a source IP address;
the first module is used for forming a detection message based on the source IP address and sending the detection message to the switch;
and the second module is used for detecting whether the second port receives a response message based on the detection message from a preset port of the switch within a preset time interval so as to determine whether the message to be detected is an attack message.
8. An attack detection apparatus, comprising:
the second receiving module is used for receiving the detection message sent from the second port of the attack handler; the detection message is formed by the attack processor based on a source IP address in a message to be detected sent from a preset port of the switch;
the judging module is used for determining whether to send a response message to the attack processor through the preset port or not based on the IP address in the detection message; wherein the IP address is a source IP address.
9. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the attack detection method of any one of claims 3-5, or claim 6.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the attack detection method of any one of claims 3-5, or claim 6.
CN202010279853.9A 2020-04-10 2020-04-10 Network system, attack detection method and device and electronic equipment Pending CN111490989A (en)

Publications (1)

Publication Number Publication Date
CN111490989A true CN111490989A (en) 2020-08-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200804