CN111585951A - SDN network host position attack detection method and device and controller - Google Patents


Info

Publication number
CN111585951A
Authority
CN (China)
Prior art keywords
host, information, flow table, switch, table entry
Legal status
Pending
Application number
CN202010205209.7A
Other languages
Chinese (zh)
Inventor
徐彪根
Current Assignee
TP Link Technologies Co Ltd
Original Assignee
TP Link Technologies Co Ltd
Application filed by TP Link Technologies Co Ltd
Priority to CN202010205209.7A
Publication of CN111585951A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H04L45/745 Address table lookup; Address filtering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5053 Lease time; Renewal aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device and a controller for detecting a host location attack in an SDN network. The method comprises the following steps: when a Packet-In message sent by a switch is received, extracting the location information of a host to be checked from the Packet-In message, the location information comprising the MAC address of the host to be checked, switch ID information and switch port information; judging, according to the MAC address of the host to be checked, whether the host to be checked has a matching flow table entry in a preset adjacent host information table; when a matching flow table entry exists, acquiring the switch ID information, the switch port information and the host state in the matching flow table entry; and when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is UP, determining that an attack behavior is detected. By adopting the technical scheme of the invention, the attack behavior can be simply and effectively detected, so that the host is prevented from being hijacked.

Description

SDN network host position attack detection method and device and controller
Technical Field
The invention relates to the technical field of network security, in particular to a method and a device for detecting a host position attack of an SDN network and a controller.
Background
An SDN (Software Defined Network) is a novel network architecture. Unlike a conventional network, an SDN is logically centralized: the controller is responsible for computing network routes and thereby performing route selection, while the switch forwards packets by looking up flow table entries and executing their actions. To achieve network management and programmability, the controller must maintain network topology information and provide it to upper-layer applications and services (for example, load balancing and shortest-path routing services). The topology management service of the controller has three functions: discovering switches, discovering hosts and discovering links. Host discovery works as follows: a host newly connected to the network sends a packet to the switch, and the switch reports the packet to the controller; the controller obtains the host's information (physical address, IP address, location information and so on) from the packet and then issues the relevant flow table entry. When the controller later receives another rule-query message from the switch, it looks up whether the host is already stored; if the host is found but its location information does not match, the controller considers that the host has moved and updates the location information it stores for that host.
However, in the host discovery process the controller does not verify network topology messages, so traffic hijacking attacks are easy to carry out. An attacker sends packets to the SDN switch using the physical address and IP address of the network server. Under the host discovery principle above, the attacker's packet belongs to a new flow, so the SDN switch reports it to the controller; the controller cannot verify whether the sender is a legitimate user and, from the content of the message, concludes that the network server has moved and updates its location information. When other, normal hosts then try to reach the network server, the server's location in the topology management information has been changed to the attacker's location, so the normal users' access traffic is forwarded to the attacker and the users cannot reach the network server.
The typical existing topology pollution defense scheme is TopoGuard, which judges whether a host location hijacking attack exists by verifying a precondition and a postcondition of host migration. The precondition is that the controller receives a Port_Down signal for the port; the postcondition is that, after the migration finishes, the controller sends an ICMP probe to the host's original location to confirm that the host can no longer be reached there. Only if both conditions are met is the host location move judged genuine. However, the attack detection algorithm of this scheme is complex and its effect is poor.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present invention is to provide a method, an apparatus and a controller for detecting a host location attack in an SDN network, which can simply and effectively detect an attack behavior, thereby preventing the host from being hijacked.
In order to solve the above technical problem, an embodiment of the present invention provides a method for detecting a host location attack in an SDN network, where the method is executed by a controller; the method comprises the following steps:
when a Packet-In message sent by a switch is received, extracting the location information of a host to be checked from the Packet-In message; the location information comprises the MAC address of the host to be checked, switch ID information and switch port information;
judging, according to the MAC address of the host to be checked, whether the host to be checked has a matching flow table entry in a preset adjacent host information table;
when a matching flow table entry exists, acquiring the switch ID information, the switch port information and the host state in the matching flow table entry;
when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is UP, determining that an attack behavior is detected;
the adjacent host information table comprises a plurality of flow table entries, and each flow table entry comprises at least a MAC address, switch ID information, switch port information and a host state of the corresponding host; when the host state is UP, the host is connected to the SDN network, and when the host state is DOWN, the host is not connected to the SDN network.
Further, the method further comprises:
when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is DOWN, updating the switch ID information and/or the switch port information in the matching flow table entry, and setting the host state to UP.
Further, the method further comprises:
when no matching flow table entry exists, adding the location information of the host to be checked to the adjacent host information table, and setting the host state of the host to be checked to UP.
Further, the method further comprises:
when a flow table signal message is received, acquiring the matching field information of the flow table entry to be updated from the flow table signal message;
if the flow table signal message is a flow entry issuing message, judging, according to the matching field information of the flow table entry to be updated, whether the flow table entry to be updated has a matching flow table entry in the adjacent host information table;
when a matching flow table entry exists, updating the reference count of the matching flow table entry according to a preset updating rule;
when no matching flow table entry exists, adding the flow table entry to be updated to the adjacent host information table, setting its reference count to 1, and setting the host state of the corresponding matching host to UP.
Further, the method further comprises:
if the flow table signal message is a flow entry deleting message, judging, according to the matching field information of the flow table entry to be updated, whether the flow table entry to be updated has a matching flow table entry in the adjacent host information table;
when no matching flow table entry exists, decrementing the reference count of the flow table entry to be updated according to a preset decrement rule;
when a matching flow table entry exists, decrementing the reference count of the matching flow table entry according to the decrement rule, and judging whether the decremented reference count is 0; if so, deleting the matching flow table entry from the adjacent host information table, and setting the host state of the corresponding matching host to DOWN.
Further, the method further comprises:
sending a data detection packet to each host in the adjacent host information table according to a preset time period;
and updating the adjacent host information table according to the received data response packet returned by the host.
Further, updating the adjacent host information table according to the received data response packets returned by the hosts specifically includes:
for the jth data response packet returned by the ith host, judging, according to the MAC address of the ith host carried in the jth data response packet, whether the ith host has a matching flow table entry in the adjacent host information table, where i > 0 and j > 0;
when a matching flow table entry exists, judging whether the switch ID information, the switch port information and the host state in the matching flow table entry are respectively the same as the switch ID information, the switch port information and the host state carried in the jth data response packet; if they differ, updating the switch ID information, the switch port information and the host state in the matching flow table entry with the values carried in the jth data response packet;
when no matching flow table entry exists, adding the MAC address, switch ID information, switch port information and host state of the ith host carried in the jth data response packet to the adjacent host information table.
Further, the updating the adjacent host information table according to the received data response packet returned by the host specifically includes:
matching detection is carried out on the adjacent host information table according to the received data response packet returned by the host;
and deleting the unmatched flow table entries from the adjacent host information table.
In order to solve the above technical problem, an embodiment of the present invention further provides an SDN network host location attack detection apparatus, where the apparatus is disposed in a controller; the apparatus comprises:
a location information acquisition module, configured to extract, when a Packet-In message sent by a switch is received, the location information of a host to be checked from the Packet-In message; the location information comprises the MAC address of the host to be checked, switch ID information and switch port information;
a location matching judgment module, configured to judge, according to the MAC address of the host to be checked, whether the host to be checked has a matching flow table entry in a preset adjacent host information table;
a location matching processing module, configured to acquire, when a matching flow table entry exists, the switch ID information, the switch port information and the host state in the matching flow table entry;
an attack detection module, configured to determine that an attack behavior is detected when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is UP;
the adjacent host information table comprises a plurality of flow table entries, and each flow table entry comprises at least a MAC address, switch ID information, switch port information and a host state of the corresponding host; when the host state is UP, the host is connected to the SDN network, and when the host state is DOWN, the host is not connected to the SDN network.
An embodiment of the present invention further provides a controller, which includes a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, where the processor, when executing the computer program, implements the SDN network host location attack detection method described in any one of the above.
Compared with the prior art, the embodiment of the invention provides a method, a device and a controller for detecting a host location attack in an SDN network. When the controller receives a Packet-In message sent by a switch, it extracts the location information of the host to be checked from the Packet-In message; the location information comprises the MAC address of the host to be checked, switch ID information and switch port information. It then judges, according to the MAC address of the host to be checked, whether the host has a matching flow table entry in a preset adjacent host information table; when a matching flow table entry exists, it acquires the switch ID information, the switch port information and the host state in that entry; and when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is UP, it determines that an attack behavior is detected. In this way the attack behavior can be simply and effectively detected, and the host is prevented from being hijacked.
Drawings
Fig. 1 is a flowchart of a preferred embodiment of a method for detecting a host location attack in an SDN network according to the present invention;
Fig. 2 is a block diagram of a preferred embodiment of an SDN network host location attack detection apparatus according to the present invention;
Fig. 3 is a block diagram of a preferred embodiment of a controller according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without any inventive step, are within the scope of the present invention.
An embodiment of the present invention provides a method for detecting a host location attack in an SDN network; Fig. 1 is a flowchart of a preferred embodiment of this method, which is executed by a controller. The method includes steps S11 to S14:
step S11: when a Packet-In message sent by a switch is received, extracting the location information of a host to be checked from the Packet-In message; the location information comprises the MAC address of the host to be checked, switch ID information and switch port information;
step S12: judging, according to the MAC address of the host to be checked, whether the host to be checked has a matching flow table entry in a preset adjacent host information table;
step S13: when a matching flow table entry exists, acquiring the switch ID information, the switch port information and the host state in the matching flow table entry;
step S14: when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is UP, determining that an attack behavior is detected;
the adjacent host information table comprises a plurality of flow table entries, and each flow table entry comprises at least a MAC address, switch ID information, switch port information and a host state of the corresponding host; when the host state is UP, the host is connected to the SDN network, and when the host state is DOWN, the host is not connected to the SDN network.
Specifically, in the SDN network, when a packet matches no flow entry of the switch, or the matched flow entry's action is OFPR_ACTION, the switch sends a Packet-In message to the controller, so that the packet arriving at the OpenFlow switch is delivered to the OpenFlow controller (OpenFlow is a data-link-layer network communication protocol that lets the controller program the forwarding plane of a switch or router and thereby change the path a packet takes through the network). An adjacent host information table is preset in the controller. It holds flow table entries corresponding to a plurality of hosts, and each entry comprises at least the MAC address, switch ID information, switch port information (such as a port number) and host state (the state of the host in the network) of the corresponding host; the host state is either UP or DOWN, where UP means the host is connected to the SDN network and DOWN means it is not. In the attack detection process, when the controller receives a Packet-In message from a switch, it extracts the location information of the host to be checked contained in the message (at least the MAC address, switch ID information and switch port information of that host), judges according to the extracted MAC address whether the host has a matching flow table entry in the preset adjacent host information table, and, when a matching entry exists, acquires the switch ID information, switch port information and host state in that entry and compares them with the switch ID information and switch port information extracted from the Packet-In message. When the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state in the matching entry is UP, the message is treated as an attack behavior, and FALSE is returned so that the corresponding attack defense processing can be performed.
According to the method for detecting a host location attack in an SDN network provided by the embodiment of the invention, the controller obtains the Packet-In message, matches the MAC address, switch ID and port number carried in it against the adjacent host information table, and detects the attack behavior from the comparison result together with the corresponding host state. This identifies the genuine host and defends against host location hijacking attacks, and the scheme is easy to implement, simpler and more effective.
As an improvement of the above, the method further comprises:
when the switch ID information and/or the switch port information in the matching flow table entry has changed and the host state is DOWN, updating the switch ID information and/or the switch port information in the matching flow table entry, and setting the host state to UP.
Specifically, with reference to the above embodiment, when the switch ID information, switch port information and host state obtained from the matching flow table entry are compared with the switch ID information and switch port information extracted from the Packet-In message, if the switch ID information and/or the switch port information in the matching entry has changed and the host state in the matching entry is DOWN, the controller updates the switch ID information and/or switch port information in the matching entry (replacing them with the values extracted from the Packet-In message), sets the host state in the matching entry to UP, and returns TRUE.
As an improvement of the above, the method further comprises:
when no matching flow table entry exists, adding the location information of the host to be checked to the adjacent host information table, and setting the host state of the host to be checked to UP.
Specifically, with reference to the above embodiment, when the controller judges, according to the extracted MAC address of the host to be checked, whether the host has a matching flow entry in the preset adjacent host information table, and finds that the table has no matching entry, it adds the MAC address, switch ID information and switch port information extracted from the Packet-In message to the adjacent host information table, sets the host state of the host to be checked to UP, and returns TRUE.
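The Packet-In handling of steps S11 to S14, together with the two extensions above (a host in the DOWN state may move, and an unknown host is added), as an added Python example that is not code from the patent. The table layout, the function names and the constructed MAC addresses, switch IDs and port numbers are my own assumptions; a real controller would fill the table from its host discovery service.

```python
# Added example (not the patent's code): host-location attack check on a
# Packet-In event, following steps S11-S14 of the method described above plus
# the two extension branches (host DOWN -> accept the move; unknown host -> add).
# Field names, function names and sample values are assumptions.

UP, DOWN = "UP", "DOWN"

def make_host_table():
    """Constructed 'adjacent host information table': MAC -> location and state."""
    return {
        "00:11:22:33:44:01": {"dpid": 1, "port": 3, "state": UP},    # the network server
        "00:11:22:33:44:02": {"dpid": 2, "port": 7, "state": DOWN},  # a host that left
    }

def check_packet_in(table, mac, dpid, port):
    """Apply the decision of steps S11-S14 to one Packet-In (location already extracted).

    Returns "ATTACK" (the FALSE path in the text), "UPDATED", "ADDED" or "OK".
    """
    entry = table.get(mac)                       # S12: look the host up by MAC
    if entry is None:                            # no matching entry: add host, state UP
        table[mac] = {"dpid": dpid, "port": port, "state": UP}
        return "ADDED"
    # S13: compare stored switch ID / port with the values from the Packet-In
    moved = entry["dpid"] != dpid or entry["port"] != port
    if not moved:
        return "OK"
    if entry["state"] == UP:                     # S14: location changed while the host is UP
        return "ATTACK"                          # a live host "moving" = hijack attempt
    # Host was DOWN: the move is accepted, the entry is updated and marked UP
    entry["dpid"], entry["port"], entry["state"] = dpid, port, UP
    return "UPDATED"

def run_packet_in_demo():
    """Replay constructed Packet-In events (MAC, switch ID, port) and collect verdicts."""
    table = make_host_table()
    events = [
        ("00:11:22:33:44:01", 1, 3),   # server seen at its known location
        ("00:11:22:33:44:01", 3, 1),   # server MAC seen elsewhere while UP: hijack attempt
        ("00:11:22:33:44:02", 2, 9),   # host that was DOWN reappears on another port
        ("00:11:22:33:44:03", 2, 4),   # never-seen host
    ]
    verdicts = [check_packet_in(table, *event) for event in events]
    return verdicts, table

if __name__ == "__main__":
    for verdict in run_packet_in_demo()[0]:
        print(verdict)   # OK, ATTACK, UPDATED, ADDED
```

Note that on the ATTACK path the stored entry is left untouched, so the legitimate server keeps its location in the table; only a host the controller already knows to be DOWN can relocate without raising an alert.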
In another preferred embodiment, the method further comprises:
when a flow table signal message is received, acquiring the matching field information of the flow table entry to be updated from the flow table signal message;
if the flow table signal message is a flow entry issuing message, judging, according to the matching field information of the flow table entry to be updated, whether the flow table entry to be updated has a matching flow table entry in the adjacent host information table;
when a matching flow table entry exists, updating the reference count of the matching flow table entry according to a preset updating rule;
when no matching flow table entry exists, adding the flow table entry to be updated to the adjacent host information table, setting its reference count to 1, and setting the host state of the corresponding matching host to UP.
Specifically, with reference to the above embodiment, each time a flow table signal message is received, the controller acquires the matching field information of the flow table entry to be updated from that message. A flow table entry consists of matching field information (which includes the MAC address, VLAN and similar fields), a priority, counters, instructions, a timeout and attached attributes, and entries are matched by their matching field information. The controller then determines the type of the received message, which is either a flow entry issuing message or a flow entry deleting message. When the message is a flow entry issuing message, the controller judges, according to the acquired matching field information, whether the flow table entry to be updated has a matching entry in the adjacent host information table. If it does, the reference count of the matching entry is updated according to a preset updating rule (for example, incremented by 1) and the state of that entry in the adjacent host information table is not changed. If the table has no matching entry, the flow table entry to be updated is added to the adjacent host information table with its reference count set to 1; at the same time, the MAC address in its matching field information is matched against the entries of the adjacent host information table, and the host state of the host in the matching entry is set to UP.
As an improvement of the above, the method further comprises:
if the flow table signal message is a flow entry deleting message, judging, according to the matching field information of the flow table entry to be updated, whether the flow table entry to be updated has a matching flow table entry in the adjacent host information table;
when no matching flow table entry exists, decrementing the reference count of the flow table entry to be updated according to a preset decrement rule;
when a matching flow table entry exists, decrementing the reference count of the matching flow table entry according to the decrement rule, and judging whether the decremented reference count is 0; if so, deleting the matching flow table entry from the adjacent host information table, and setting the host state of the corresponding matching host to DOWN.
Specifically, with reference to the foregoing embodiment, when the received flow table signal message is a flow entry deleting message, the controller judges, according to the acquired matching field information of the flow table entry to be updated, whether that entry has a matching entry in the adjacent host information table. If the table has no matching entry, the reference count of the flow table entry to be updated is decremented according to a preset decrement rule (for example, decremented by 1). If the table has a matching entry, the reference count of the matching entry is decremented according to the same rule, and the controller then judges whether the decremented reference count is 0. If it is 0, the matching entry is deleted from the adjacent host information table, and at the same time the MAC address in the matching field information of the flow table entry to be updated is matched against the entries of the adjacent host information table and the host state of the host in the matching entry is set to DOWN. If it is not 0, the state of the entry in the adjacent host information table is left unchanged.
It should be noted that the state of a flow table entry in the adjacent host information table is detected and updated mainly through flow entry issuing and deleting messages: when such a message is received, the corresponding information is updated in the matching entry, and when the reference count of the entry reaches 0, or goes from 0 to 1, the state of the entry in the adjacent host information table is modified accordingly.
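The reference-count maintenance for flow entry issuing and deleting messages described above, as an added Python example that is not code from the patent. The choice of MAC plus VLAN as the match key, the two-dictionary layout and the names are my own assumptions; the text does not say what to decrement when a deleting message names an entry absent from the table, so this example treats that case as a no-op.

```python
# Added example (not the patent's code): flow-table signal handling with
# reference counts, following the "issuing" and "deleting" branches above.
# Match key (MAC + VLAN), table layout and names are assumptions.

UP, DOWN = "UP", "DOWN"

def match_key(match_fields):
    """Identify a flow entry by its match fields; the text names MAC and VLAN."""
    return (match_fields["mac"], match_fields.get("vlan", 0))

def on_flow_signal(flow_refs, hosts, msg_type, match_fields):
    """Process one flow table signal message.

    flow_refs: match key -> reference count (the entries of the adjacent host table)
    hosts:     MAC -> {"state": UP or DOWN}
    Returns the reference count after the update, or None when a deleting message
    names an entry that is not in the table (assumption: nothing to decrement).
    """
    key = match_key(match_fields)
    mac = match_fields["mac"]
    if msg_type == "issue":
        if key in flow_refs:
            flow_refs[key] += 1                        # preset updating rule: +1, state untouched
        else:
            flow_refs[key] = 1                         # new entry starts at 1 ...
            hosts.setdefault(mac, {})["state"] = UP    # ... and its host is marked UP
        return flow_refs[key]
    if msg_type == "delete":
        if key not in flow_refs:
            return None
        flow_refs[key] -= 1                            # preset decrement rule: -1
        if flow_refs[key] == 0:                        # last reference gone: drop entry, host DOWN
            del flow_refs[key]
            hosts.setdefault(mac, {})["state"] = DOWN
            return 0
        return flow_refs[key]
    raise ValueError(f"unknown flow table signal message type: {msg_type}")

def run_flow_signal_demo():
    """Replay a constructed sequence of issue/delete messages for one host."""
    flow_refs, hosts = {}, {}
    fields = {"mac": "00:11:22:33:44:55", "vlan": 10}   # constructed match fields
    sequence = ["issue", "issue", "delete", "delete", "delete"]
    counts = [on_flow_signal(flow_refs, hosts, t, fields) for t in sequence]
    return counts, flow_refs, hosts

if __name__ == "__main__":
    print(run_flow_signal_demo())   # ([1, 2, 1, 0, None], {}, {...: {'state': 'DOWN'}})
```

As the text describes it, the host state follows the reference count of the individual entry (UP on 0 to 1, DOWN on reaching 0); a host that still has other live entries under a different match key would therefore be marked DOWN as soon as one of its entries is fully deleted, which is worth keeping in mind when this state is later used to decide whether a relocation is an attack.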
In yet another preferred embodiment, the method further comprises:
sending a data probe packet to each host in the adjacent host information table at a preset time period;
updating the adjacent host information table according to the data response packets returned by the hosts.
Specifically, in combination with the above embodiments, the host access detection and the flow table entry detection performed by the controller do not delete stale flow table entries from its adjacent host information table. As hosts in the network are continually added and updated, the table keeps growing, and if it is not cleaned up for a long time the efficiency of the controller suffers and it may even crash; the periodic probe addresses this.
As an improvement of the above scheme, the updating the adjacent host information table according to the received data response packet returned by the host specifically includes:
for the jth data response packet returned by the ith host, judging whether the ith host has a matched flow table item in the adjacent host information table or not according to the MAC address of the ith host carried in the jth data response packet; wherein i >0, j > 0;
when a matched flow table entry exists, judging whether the switch ID information, the switch port information and the host state in the matched flow table entry are respectively the same as the switch ID information, the switch port information and the host state carried in the jth data response packet; if they are not the same, correspondingly updating the switch ID information, the switch port information and the host state in the matched flow table entry according to the switch ID information, the switch port information and the host state carried in the jth data response packet;
and when there is no matched flow table entry, adding the MAC address, the switch ID information, the switch port information and the host state of the ith host carried in the jth data response packet into the adjacent host information table.
Specifically, with reference to the foregoing embodiment, after the controller sends the data probe packet to each host stored in the adjacent host information table, it receives data response packets returned by a plurality of hosts (each data response packet carries the MAC address, the switch ID information, the switch port information and the host state of the responding host). The controller processes every data response packet from every host in the same way, so the jth data response packet returned by the ith host is taken as an example: the controller judges, according to the MAC address of the ith host carried in the jth data response packet, whether the ith host has a matched flow table entry in the adjacent host information table. When the adjacent host information table is judged to have a matched flow table entry, the controller judges whether the switch ID information, the switch port information and the host state in the matched flow table entry are respectively the same as the switch ID information, the switch port information and the host state carried in the jth data response packet; if they are not the same, the switch ID information, the switch port information and the host state in the matched flow table entry are correspondingly updated according to the switch ID information, the switch port information and the host state carried in the jth data response packet (that is, the switch ID information, the switch port information and the host state in the matched flow table entry are overwritten with the values carried in the jth data response packet). It can be understood that, if they are the same, the matched flow table entry in the adjacent host information table is not processed. When the adjacent host information table is judged to have no matched flow table entry, a flow table entry is directly added to the adjacent host information table, that is, the MAC address, the switch ID information, the switch port information and the host state of the ith host carried in the jth data response packet are added into the adjacent host information table.
As an improvement of the above scheme, the updating the adjacent host information table according to the received data response packet returned by the host specifically includes:
matching detection is carried out on the adjacent host information table according to the received data response packet returned by the host;
and deleting the unmatched flow table entries from the adjacent host information table.
Specifically, with reference to the foregoing embodiment, the controller performs matching detection on the adjacent host information table according to which data response packets have been returned by the hosts, and directly deletes the information entries in the adjacent host information table that are not matched by any response.
It should be noted that correcting erroneous flow table entries and clearing invalid flow table entry information ensures the normal and continuous use of the adjacent host information table. At the same time, correcting erroneous flow table entry information prevents an attacker from connecting to the network through another port after a server has left the network and impersonating that server in order to hijack its traffic; as long as a suitable time interval is set, the correctness of the network host information can be effectively ensured.
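As an added illustration of the controller-side logic described in the method embodiments above (the Packet-In position check, the reference-count handling of flow table issuing and deleting messages, and the periodic probe reconciliation), the following Python example is not part of the patent or of any TP-Link implementation. It models the adjacent host information table as an in-memory dictionary keyed by MAC address; the switch IDs, port numbers and MAC addresses used in `demo()` are constructed sample values. One simplification is labelled in the code: when a reference count reaches 0 the entry is marked DOWN and kept rather than removed, so that a later Packet-In for that host at a new port is handled as the DOWN-to-UP position update rather than as an attack or as a new host.

```python
"""Controller-side neighbour host information table (illustrative, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

UP, DOWN = "UP", "DOWN"


@dataclass
class HostEntry:
    """One entry of the adjacent host information table."""
    mac: str
    switch_id: str
    port: int
    state: str
    refcount: int = 0  # number of flow table entries currently referencing this host


class NeighborHostTable:
    def __init__(self) -> None:
        self.entries: Dict[str, HostEntry] = {}  # assumption: keyed by MAC address

    def on_packet_in(self, mac: str, switch_id: str, port: int) -> str:
        """Position check on a Packet-In: returns NEW, OK, ATTACK or MOVED."""
        e = self.entries.get(mac)
        if e is None:                      # no matched entry: record the host as UP
            self.entries[mac] = HostEntry(mac, switch_id, port, UP)
            return "NEW"
        if e.switch_id == switch_id and e.port == port:
            return "OK"                    # location unchanged, nothing to do
        if e.state == UP:
            return "ATTACK"                # location changed while the host is still UP
        # host was DOWN: legitimate re-attachment, accept the new location
        e.switch_id, e.port, e.state = switch_id, port, UP
        return "MOVED"

    def on_flow_add(self, mac: str, switch_id: str, port: int) -> int:
        """Flow table issuing message: increment the reference count (0 -> 1 sets UP)."""
        e = self.entries.get(mac)
        if e is None:
            self.entries[mac] = HostEntry(mac, switch_id, port, UP, refcount=1)
            return 1
        e.refcount += 1
        if e.refcount == 1:
            e.state = UP
        return e.refcount

    def on_flow_delete(self, mac: str) -> str:
        """Flow table deleting message: decrement the count; at 0 the host goes DOWN."""
        e = self.entries.get(mac)
        if e is None:
            return "IGNORED"               # nothing in the table to decrement
        e.refcount = max(0, e.refcount - 1)
        if e.refcount == 0:
            e.state = DOWN                 # simplification: entry kept, marked DOWN
            return "DOWN"
        return "STILL_REFERENCED"

    def reconcile(self, responses: Iterable[Tuple[str, str, int, str]]) -> Tuple[List[str], List[str]]:
        """Periodic probe reconciliation: correct differing entries, add unknown
        responders, and delete entries that returned no data response packet."""
        seen, updated = set(), []
        for mac, switch_id, port, state in responses:
            seen.add(mac)
            e = self.entries.get(mac)
            if e is None:
                self.entries[mac] = HostEntry(mac, switch_id, port, state)
                updated.append(mac)
            elif (e.switch_id, e.port, e.state) != (switch_id, port, state):
                e.switch_id, e.port, e.state = switch_id, port, state
                updated.append(mac)
        stale = [m for m in self.entries if m not in seen]
        for m in stale:
            del self.entries[m]
        return updated, stale


def demo() -> dict:
    """Walk one host through the state machine with constructed sample values."""
    t = NeighborHostTable()
    h1, h2, h9 = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:09"
    events = [
        t.on_packet_in(h1, "s1", 1),   # NEW
        t.on_packet_in(h1, "s1", 1),   # OK
        t.on_packet_in(h1, "s2", 3),   # ATTACK: moved while UP
    ]
    t.on_flow_add(h1, "s1", 1)         # refcount 1
    t.on_flow_add(h1, "s1", 1)         # refcount 2
    events.append(t.on_flow_delete(h1))  # STILL_REFERENCED
    events.append(t.on_flow_delete(h1))  # DOWN
    events.append(t.on_packet_in(h1, "s2", 3))  # MOVED: DOWN host re-attached
    t.on_packet_in(h9, "s3", 7)        # host that will never answer the probe
    updated, stale = t.reconcile([(h1, "s2", 3, UP), (h2, "s1", 5, UP)])
    return {"events": events, "updated": updated, "stale": stale, "size": len(t.entries)}
```

`demo()` returns the event sequence `["NEW", "OK", "ATTACK", "STILL_REFERENCED", "DOWN", "MOVED"]`, reports the unknown responder as added and the silent host as deleted, and leaves two entries in the table. The attack verdict depends only on the UP state plus a changed switch/port pair; that is why the probe reconciliation, which keeps the UP/DOWN state accurate for hosts that left without a flow deletion, is what keeps false positives down.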
The embodiment of the present invention further provides a device for detecting a host location attack in an SDN network. The device can implement all the processes of the SDN network host location attack detection method described in any of the above embodiments; the functions and technical effects of each module and unit in the device are the same as those of the corresponding steps of the method described in the embodiments, and are not described again here.
Referring to fig. 2, the structural block diagram of a preferred embodiment of an SDN network host location attack detection apparatus provided in the present invention is shown, where the apparatus is disposed in a controller; the device comprises:
the position information acquisition module 11 is configured to, when a Packet-In message sent by a switch is received, extract position information of a host to be checked according to the Packet-In message; the position information comprises the MAC address of the host to be checked, switch ID information and switch port information;
a position matching judgment module 12, configured to judge, according to the MAC address of the host to be checked, whether the host to be checked has a matched flow entry in a preset adjacent host information table;
the position matching processing module 13 is configured to, when there is a matched flow table entry, obtain switch ID information, switch port information, and a host state in the matched flow table entry;
the attack detection module 14 is configured to determine that an attack behavior is detected when the switch ID information or/and the switch port information in the matched flow table entry changes and the host state is UP;
the adjacent host information table comprises a plurality of flow table entries, and each flow table entry at least comprises an MAC address, switch ID information, switch port information and a host state of a corresponding host; and when the host state is UP, the host is accessed into the SDN network, and when the host state is DOWN, the host is not accessed into the SDN network.
Preferably, the apparatus further comprises:
and the position information updating module is used for updating the switch ID information or/and the switch port information in the matched flow table entry and setting the host state to be UP when the switch ID information or/and the switch port information in the matched flow table entry changes and the host state is DOWN.
Preferably, the apparatus further comprises:
and the position mismatch processing module is used for adding the position information of the host to be checked into the adjacent host information table and setting the host state of the host to be checked to UP when there is no matched flow table entry.
Preferably, the apparatus further comprises:
the flow table signal acquisition module is used for acquiring the matching field information of the flow table entry to be updated according to the flow table signal message when the flow table signal message is received;
a first flow table entry matching judgment module, configured to, if the flow table signal message is a flow table entry issuing message, judge, according to the matching field information of the flow table entry to be updated, whether the flow table entry to be updated has a matched flow table entry in the adjacent host information table;
the first flow table item matching processing module is used for updating the reference count of the matched flow table item according to a preset updating rule when the matched flow table item exists;
and the first flow table entry mismatch processing module is used for, when there is no matched flow table entry, adding the flow table entry to be updated into the adjacent host information table, setting the reference count of the flow table entry to be updated to 1, and setting the host state of the corresponding host to UP.
Preferably, the apparatus further comprises:
a second flow table item matching judgment module, configured to, if the flow table signal message is a delete flow table item message, judge, according to matching field information of the flow table item to be updated, whether the flow table item to be updated has a matched flow table item in the adjacent host information table;
the second flow table entry mismatch processing module is used for performing a subtraction update on the reference count of the flow table entry to be updated according to a preset subtraction update rule when the flow table entry to be updated has no matched flow table entry;
the second flow table item matching processing module is used for performing subtraction update on the reference count of the matched flow table item according to the subtraction update rule when the matched flow table item exists, and judging whether the reference count after subtraction update is 0 or not; and if so, deleting the matched flow table entry from the adjacent host information table, and setting the host state of the corresponding matched host as DOWN.
Preferably, the apparatus further comprises:
the detection packet sending module is used for sending a data detection packet to each host in the adjacent host information table according to a preset time period;
and the response packet receiving module is used for updating the adjacent host information table according to the received data response packet returned by the host.
Preferably, the response packet receiving module specifically includes:
a response packet matching judgment unit, configured to judge, for a jth data response packet returned by an ith host, whether the ith host has a matched flow entry in the adjacent host information table according to an MAC address of the ith host carried in the jth data response packet; wherein i >0, j > 0;
the response packet matching processing unit is used for judging, when a matched flow table entry exists, whether the switch ID information, the switch port information and the host state in the matched flow table entry are respectively the same as the switch ID information, the switch port information and the host state carried in the jth data response packet; if they are not the same, correspondingly updating the switch ID information, the switch port information and the host state in the matched flow table entry according to the switch ID information, the switch port information and the host state carried in the jth data response packet;
and the response packet mismatch processing unit is used for adding the MAC address, the switch ID information, the switch port information and the host state of the ith host carried in the jth data response packet into the adjacent host information table when there is no matched flow table entry.
Preferably, the response packet receiving module specifically includes:
the matching detection unit is used for carrying out matching detection on the adjacent host information table according to the received data response packet returned by the host;
and the flow table entry deleting unit is used for deleting the unmatched flow table entry from the adjacent host information table.
An embodiment of the present invention further provides a controller, which is shown in fig. 3 and is a block diagram of a preferred embodiment of the controller provided in the present invention, where the controller includes a processor 10, a memory 20, and a computer program stored in the memory 20 and configured to be executed by the processor 10, and when the computer program is executed, the processor 10 implements the SDN network host location attack detection method according to any of the above embodiments.
Preferably, the computer program can be divided into one or more modules/units (e.g. computer program 1, computer program 2, ...) which are stored in the memory 20 and executed by the processor 10 to accomplish the present invention. The one or more modules/units may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution of the computer program in the controller.
The processor 10 may be a Central Processing Unit (CPU), another general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The general purpose processor may be a microprocessor, or the processor 10 may be any conventional processor. The processor 10 is the control center of the controller, and various interfaces and lines are used to connect the various parts of the controller.
The memory 20 mainly includes a program storage area that may store an operating system, an application program required for at least one function, and the like, and a data storage area that may store related data and the like. In addition, the memory 20 may be a high speed random access memory, may also be a non-volatile memory, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card), and the like, or the memory 20 may also be other volatile solid state memory devices.
It should be noted that the above controller may include, but is not limited to, a processor and a memory, and those skilled in the art will understand that the structural block diagram of fig. 3 is only an example of the above controller, and does not constitute a limitation to the controller, and may include more or less components than those shown, or combine some components, or different components.
To sum up, the SDN network host location attack detection method, device and controller provided by the embodiments of the present invention have the following beneficial effects:
(1) by acquiring the Packet-In message, matching and comparing the MAC address, the switch ID and the port number with the adjacent host information table, and detecting the attack behavior according to the matching and comparing result and the corresponding host state information, the purposes of identifying a real host and defending the host position hijack attack are achieved, and the scheme is easy to implement and is simpler and more effective;
(2) the flow table entry state in the adjacent host information table is updated through updates of the flow table entry reference count, and attack behavior can be detected by combining the entry state with the content of the Packet-In message, so that the host is prevented from being hijacked; the flow table issuing and deleting signals are easy to detect, judge and process;
(3) the flow table entry state of the adjacent host information table is regularly detected to correct the wrong host position information and clear the invalid host position information, so that the influence on the performance of the controller can be reduced, and the fault tolerance of the scheme is enhanced.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (10)

1. An SDN network host location attack detection method, characterized in that the method is executed by a controller; the method comprises the following steps:
when a Packet-In message sent by a switch is received, extracting the position information of a host to be checked according to the Packet-In message; the position information comprises the MAC address of the host to be checked, switch ID information and switch port information;
judging whether the host to be checked has a matched flow table item in a preset adjacent host information table or not according to the MAC address of the host to be checked;
when the matched flow table entry exists, acquiring the switch ID information, the switch port information and the host state in the matched flow table entry;
when the switch ID information or/and the switch port information in the matched flow table entry changes and the host state is UP, determining that an attack behavior is detected;
the adjacent host information table comprises a plurality of flow table entries, and each flow table entry at least comprises an MAC address, switch ID information, switch port information and a host state of a corresponding host; and when the host state is UP, the host is accessed into the SDN network, and when the host state is DOWN, the host is not accessed into the SDN network.
2. The SDN network host location attack detection method of claim 1, wherein the method further comprises:
when the switch ID information or/and the switch port information in the matched flow table entry changes and the host state is DOWN, updating the switch ID information or/and the switch port information in the matched flow table entry, and setting the host state to UP.
3. The SDN network host location attack detection method of claim 1, wherein the method further comprises:
when there is no matched flow table entry, adding the position information of the host to be checked into the adjacent host information table, and setting the host state of the host to be checked to UP.
4. The SDN network host location attack detection method of claim 1, wherein the method further comprises:
when a flow table signal message is received, acquiring matching field information of a flow table entry to be updated according to the flow table signal message;
if the flow table signal message is a flow table entry issuing message, judging whether the flow table entry to be updated has a matched flow table entry in the adjacent host information table according to the matching field information of the flow table entry to be updated;
when a matched flow table entry exists, updating the reference count of the matched flow table entry according to a preset update rule;
when there is no matched flow table entry, adding the flow table entry to be updated to the adjacent host information table, setting the reference count of the flow table entry to be updated to 1, and setting the host state of the corresponding host to UP.
5. The SDN network host location attack detection method of claim 4, wherein the method further comprises:
if the flow table signal message is a delete flow table entry message, judging whether the flow table entry to be updated has a matched flow table entry in the adjacent host information table according to the matching field information of the flow table entry to be updated;
when there is no matched flow table entry, performing a subtraction update on the reference count of the flow table entry to be updated according to a preset subtraction update rule;
when a matched flow table entry exists, performing a subtraction update on the reference count of the matched flow table entry according to the subtraction update rule, and judging whether the reference count after the subtraction update is 0; and if so, deleting the matched flow table entry from the adjacent host information table, and setting the host state of the corresponding matched host to DOWN.
6. The SDN network host location attack detection method of any one of claims 1 to 5, wherein the method further comprises:
sending a data detection packet to each host in the adjacent host information table according to a preset time period;
and updating the adjacent host information table according to the received data response packet returned by the host.
7. The SDN network host location attack detection method of claim 6, wherein the updating the adjacent host information table according to the received data response packet returned by the host specifically includes:
for the jth data response packet returned by the ith host, judging whether the ith host has a matched flow table entry in the adjacent host information table according to the MAC address of the ith host carried in the jth data response packet; wherein i > 0, j > 0;
when a matched flow table entry exists, judging whether the switch ID information, the switch port information and the host state in the matched flow table entry are respectively the same as the switch ID information, the switch port information and the host state carried in the jth data response packet; if they are not the same, correspondingly updating the switch ID information, the switch port information and the host state in the matched flow table entry according to the switch ID information, the switch port information and the host state carried in the jth data response packet;
and when there is no matched flow table entry, adding the MAC address, the switch ID information, the switch port information and the host state of the ith host carried in the jth data response packet into the adjacent host information table.
8. The SDN network host location attack detection method of claim 6, wherein the updating the adjacent host information table according to the received data response packet returned by the host specifically includes:
matching detection is carried out on the adjacent host information table according to the received data response packet returned by the host;
and deleting the unmatched flow table entries from the adjacent host information table.
9. An SDN network host location attack detection apparatus, the apparatus being disposed in a controller; the device comprises:
a position information acquisition module, configured to, when a Packet-In message sent by a switch is received, extract position information of a host to be checked according to the Packet-In message; the position information comprises the MAC address of the host to be checked, switch ID information and switch port information;
the position matching judgment module is used for judging whether the host to be checked has a matched flow table item in a preset adjacent host information table or not according to the MAC address of the host to be checked;
the position matching processing module is used for acquiring the switch ID information, the switch port information and the host state in the matched flow table item when the matched flow table item exists;
the attack detection module is used for determining that attack behavior is detected when the switch ID information or/and the switch port information in the matched flow table entry changes and the host state is UP;
the adjacent host information table comprises a plurality of flow table entries, and each flow table entry at least comprises an MAC address, switch ID information, switch port information and a host state of a corresponding host; and when the host state is UP, the host is accessed into the SDN network, and when the host state is DOWN, the host is not accessed into the SDN network.
10. A controller comprising a processor, a memory, and a computer program stored in the memory and configured to be executed by the processor, the processor when executing the computer program implementing the SDN network host location attack detection method of any one of claims 1-8.
CN202010205209.7A 2020-03-24 2020-03-24 SDN network host position attack detection method and device and controller Pending CN111585951A (en)
Publications (1)

Publication Number Publication Date
CN111585951A true CN111585951A (en) 2020-08-25
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
AD01 Patent right deemed abandoned

Effective date of abandoning: 20221223