CN114844708B - Method, equipment and storage medium for relieving flooding attack based on traffic rerouting link - Google Patents


Info

Publication number: CN114844708B
Authority: CN (China)
Prior art keywords: link, rerouting, traffic, path, network
Legal status: Active (granted; Google Patents notes that the listed status is an assumption, not a legal conclusion)
Application number: CN202210494732.5A
Other languages: Chinese (zh)
Other versions: CN114844708A (en)
Inventors: 陈双武, 程思雨, 承孝敏, 童孝伟, 杨坚, 张勇东
Current assignee: Yangtze River Delta Information Intelligence Innovation Research Institute
Original assignee: Yangtze River Delta Information Intelligence Innovation Research Institute


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1441 Countermeasures against malicious traffic
                • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
          • H04L 47/00 Traffic control in data switching networks
            • H04L 47/10 Flow control; Congestion control
              • H04L 47/12 Avoiding congestion; Recovering from congestion
                • H04L 47/122 Avoiding congestion; Recovering from congestion by diverting traffic away from congested entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to the field of computer networks and cyberspace security and discloses a link flooding attack mitigation method, device and storage medium based on traffic rerouting. The method comprises: step 1, finding the congested link; step 2, searching for repair paths; and step 3, rerouting the traffic. An SDN controller runs a simple and efficient algorithm that changes the forwarding path of the packets on the congested link, so that the congested link's traffic is rerouted, the link flooding attack is mitigated and the defence cost is effectively reduced.

Description

Method, equipment and storage medium for relieving flooding attack based on traffic rerouting link
Technical Field
The present invention relates to the field of computer networks and cyberspace security, and in particular to a method, a device and a storage medium for link flooding attack mitigation based on traffic rerouting.
Background
Data released by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) show that distributed denial of service (DDoS) attacks are among the most common and most damaging network security threats facing Internet users today. In recent years, link-type DDoS attacks, typified by the link flooding attack (LFA), have become a focus of attention in industry and academia.
The current defences against LFA are mainly: 1. deploying high-performance traffic and data processing equipment that analyses, identifies and filters abnormal requests and traffic, thereby isolating resources; 2. setting user rules such as permitted traffic types, request rates, packet characteristics and service intervals, while still serving normal traffic; 3. big-data analysis and modelling of legitimate users, then filtering on the model features to clean LFA traffic precisely; 4. countering the LFA by stacking bandwidth and hardware resources. These approaches require the service provider to bear high hardware, deployment, computation and operations costs, are severely constrained by the technical capabilities of the network infrastructure and cloud platform, and, because of their limited detection accuracy and operating efficiency, cannot effectively defend against LFAs in practice.
The rise of software-defined networking (SDN) offers new ideas for LFA detection and defence. SDN is a new network architecture: it separates the control plane from the data plane of the physical equipment, manages the whole network with a programmable, logically centralized controller, and leaves packet forwarding to the underlying forwarding devices. The SDN controller can obtain the network's performance metrics online and allocate resources in time to make global decisions. At the same time, SDN's flexible match fields allow multiple loop-free paths between any given source and destination in the network, enabling flexible and fine-grained traffic control.
There is therefore a pressing need for a link flooding attack mitigation method based on traffic rerouting that addresses these problems.
Disclosure of Invention
The object of the invention is to provide a link flooding attack mitigation method based on traffic rerouting, in which an SDN controller runs a simple and efficient algorithm to change the forwarding path of the packets on a congested link, so that the congested link's traffic is rerouted, the link flooding attack is mitigated and the defence cost is effectively reduced.
To this end, the invention provides a traffic-rerouting-based link flooding attack mitigation method comprising:
Step 1, congested link search: after a link flooding attack occurs, find the congested link in the network topology from real-time information such as the bandwidth utilization and traffic of each link, and extract features such as the traffic on the congested link and the destination address distribution of its packets;
Step 2, repair path search: using a network flow algorithm, search for and screen several repair paths with large residual capacity, based on the network topology, the link constraints, the link bandwidth utilizations and similar information;
Step 3, traffic rerouting: formulate the distribution of traffic over the repair paths as an optimization problem, using the destination address distribution and traffic of the packets on the congested link before rerouting, the link bandwidth utilizations and the link constraints; distribute the congested traffic over the repair paths with a greedy algorithm whose objective is to minimize the maximum link bandwidth utilization, obtaining the optimal solution; then have the SDN controller modify the routing tables of the routers according to the resulting allocation, so that the congested traffic is rerouted and the link flooding attack is mitigated.
Preferably, step 1 comprises:
For a given network, construct a network topology model G = (V, E) from the SDN switch placement, server placement, communication link positions, communication services and similar information, and obtain for each node v ∈ V and each link e ∈ E the link's traffic T(e), capacity C(e) and bandwidth utilization U(e); V is the set of nodes in the network and E the set of links;
Set a bandwidth utilization threshold U_th for link congestion, monitor the bandwidth utilization of every link in the network and compare it with the threshold. When a link's bandwidth utilization exceeds the threshold, the link is considered to be under LFA attack and severely congested: output the congested link P_c and use the network flow algorithm to search for repair paths from the related link information; otherwise continue monitoring the links in the network.
Preferably, step 2 comprises:
When a congested link appears in the network, first compute the bandwidth utilization of the paths in the network from the link information. A forward path from the start node s of the congested link to the destination node d through the intermediate nodes (v_1, v_2, …, v_n), with n ∈ {1, …, |V|} and |V| the number of nodes in the network, is defined as:
P_s,d = (s, v_1, v_2, …, v_n, d)   (1)
The bandwidth utilization of the forward path is taken as the maximum bandwidth utilization over the links between adjacent nodes of the path, and is calculated as follows:
Using the link, traffic, capacity and bandwidth utilization information of the current network, the rules of the network flow algorithm are set with the following constraints:
Equation (3) states that for the two endpoints x, y of any link in the topology, the traffic from node x to node y cannot exceed the capacity of that link. Equation (4) states that for the two endpoints x, y of any link, the traffic f(x, y) from x to y equals the negative of the traffic f(y, x) from y to x. Equation (5) states that for any node x that is neither the source nor the destination, the sum of the flows entering x from its neighbours equals the sum of the flows leaving x to its neighbours, which expresses the conservation of network flow.
With (3) to (5) as constraints, the network flow algorithm takes the topology and the traffic, capacity and bandwidth utilization of the existing links before rerouting as input, and searches for the path that maximizes the residual capacity of the repair path before rerouting. In each round the algorithm first removes paths that violate the constraints; then, starting from the start node of the congested link, it extends the path step by step: for the current node it computes the residual capacity of each neighbouring link, compares it with the residual capacity of the path so far and keeps the smaller value as the residual capacity of the extended path (a bottleneck or widest-path search); this continues until the destination node is reached, and the repair path is output. After each run, the links of the repair path found in that round are removed from the link set. Repeating this for several rounds yields several repair paths with large residual capacity.
From the hop count, bandwidth utilization and capacity of the repair paths found by the network flow algorithm, a screening rule is set with the following constraints:
Formula (6) requires that the hop count of a repair path does not exceed the set maximum hop count n_max: the transmission time of a packet grows with the number of hops it crosses, so a forwarding path with fewer hops has a shorter transmission time; limiting the hop count shortens the time needed to reroute the traffic and also prevents forwarding loops. Formula (7) requires that the bandwidth utilization of a repair path before traffic rerouting lies within the set range; otherwise the path is removed. Formula (8) requires that the repair path is not congested after the traffic is rerouted; a path that does not satisfy it is removed. In (8), C(P_i) denotes the capacity of repair path P_i, T_pre(P_i) its traffic before rerouting, T(P_c) the traffic on the congested link P_c before rerouting, and β a set coefficient;
Screening the repair paths with (6) to (8) as constraints yields m repair paths. The m repair paths P_i with their capacities C(P_i), traffic before rerouting T_pre(P_i) and bandwidth utilization before rerouting U_pre(P_i), together with the congested link P_c before rerouting with its capacity C(P_c), traffic before rerouting T_pre(P_c) and bandwidth utilization before rerouting U_pre(P_c), are output as the input to the traffic rerouting step.
Preferably, step 3 comprises:
After the repair paths have been obtained in step 2, the SDN controller takes as input the m repair paths P_i with C(P_i), T_pre(P_i) and U_pre(P_i), the congested link P_c before rerouting with C(P_c), T_pre(P_c) and U_pre(P_c), and the k destination addresses of the packets on the congested link P_c before rerouting; it processes them with a greedy algorithm and then performs the traffic rerouting;
First, the bandwidth utilization of each path after rerouting is calculated as follows:
Formula (9) states that the bandwidth utilization of path P_i after traffic rerouting equals its bandwidth utilization before rerouting plus the increase in utilization caused by the traffic to destination address d_j that was carried by the congested link P_c before rerouting and is carried by P_i after rerouting;
The maximum bandwidth utilization of the network after traffic rerouting is defined as follows:
Formula (10) states that the maximum path utilization of the network after rerouting is the maximum over the bandwidth utilizations of the repair paths after rerouting and the bandwidth utilization of the congested link before rerouting;
Taking the congested path and the m repair paths as the paths over which the rerouted traffic may travel, and given that the packets to be rerouted have k destination addresses in total, the problem is how to distribute the traffic over the participating paths so that the maximum bandwidth utilization of the network after rerouting is minimized;
The decision variables are set as follows:
The problem of distributing the traffic over the paths participating in the rerouting can then be expressed as the following mathematical model:
min U_m   (12)
U(P_i) ≤ U_max   (15)
Equation (12) is the optimization objective: minimize the maximum bandwidth utilization of the network after traffic rerouting. Equation (13) states that the traffic in the network is conserved. Equation (14) states that the traffic on path P_i after rerouting must remain within a set fraction of the link capacity, where a is a set coefficient and the bounded quantity is the traffic that was carried by the congested link before rerouting and is carried by P_i afterwards. Equation (15) states that the bandwidth utilization of P_i after rerouting must lie within the set range. Equation (16) states that a path P_i participating in the rerouting is one of the m repair paths or the congested link P_c before rerouting;
By converting the post-rerouting traffic distribution problem into this optimization problem and solving it with a greedy algorithm, the optimal traffic rerouting strategy is obtained and output:
Following this strategy, the SDN controller modifies the output port entries in the routing tables of the routers on the repair paths and on the congested path, changes the path over which the packets previously forwarded on the congested path travel, realizes the traffic rerouting and mitigates the link flooding attack.
A second aspect of the invention provides a device comprising a processor and a memory; the memory stores a computer program, and the processor executes the traffic-rerouting-based link flooding attack mitigation method of the first aspect according to that program.
A third aspect of the invention provides a computer-readable storage medium storing a computer program for executing the traffic-rerouting-based link flooding attack mitigation method of the first aspect.
According to the above technical solution, the method needs neither new user restriction rules nor additional data and traffic processing equipment. It uses a network flow algorithm to search for and screen several repair paths from the network information and the repair path constraints, solves an optimization problem with a greedy algorithm using the link constraints and the destination address distribution of the packets, distributes the traffic over the repair paths with the objective of minimizing the maximum link bandwidth utilization, and has the SDN controller modify the flow tables in the switches to reroute the traffic, thereby effectively mitigating the link flooding attack.
Additional features and advantages of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of the invention, and are incorporated in and constitute a part of this specification, illustrate the invention and together with the description serve to explain, without limitation, the invention. In the drawings:
FIG. 1 is a flow chart of the link flooding attack mitigation method based on traffic rerouting provided by the invention;
FIG. 2 is a schematic diagram of the congested link search in the link flooding attack mitigation method based on traffic rerouting provided by the invention;
FIG. 3 is a schematic diagram of link congestion in the link flooding attack mitigation method based on traffic rerouting provided by the invention;
FIG. 4 is a network framework diagram for mitigating link flooding attacks based on traffic rerouting provided by the invention;
FIG. 5 is a schematic diagram of the execution flow for mitigating a link flooding attack based on traffic rerouting provided by the invention;
FIG. 6 is a schematic diagram of a specific defence scenario in one embodiment provided by the invention;
FIG. 7 is a flow chart of the architecture for mitigating link flooding attacks based on traffic rerouting provided by the invention.
Detailed Description
The following describes specific embodiments of the present invention in detail with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the invention, are not intended to limit the invention.
Referring to FIG. 1, FIG. 4, FIG. 5 and FIG. 7, the invention provides a link flooding attack mitigation method based on traffic rerouting, the method comprising:
Step 1, congested link search: after a link flooding attack occurs, find the congested link in the network topology from real-time information such as the bandwidth utilization and traffic of each link, and extract features such as the traffic on the congested link and the destination address distribution of its packets;
Step 2, repair path search: using a network flow algorithm, search for and screen several repair paths, based on the network topology, the link constraints, the link bandwidth utilizations and similar information;
Step 3, traffic rerouting: formulate the distribution of traffic over the repair paths as an optimization problem, using the destination address distribution and traffic of the packets on the congested link before rerouting, the link bandwidth utilizations and the link constraints; solve for the optimal strategy with a greedy algorithm whose objective is to minimize the maximum link bandwidth utilization, distribute the congested traffic over the repair paths, and have the SDN controller modify the routing tables of the routers according to the resulting allocation, so that the congested traffic is rerouted and the link flooding attack is mitigated.
As shown in FIG. 1, step 1 includes:
For a given network, construct a network topology model G = (V, E) from the SDN switch placement, server placement, communication link positions, communication services and similar information, and obtain for each node v ∈ V and each link e ∈ E the link's traffic T(e), capacity C(e) and bandwidth utilization U(e); V is the set of nodes in the network and E the set of links;
Set a bandwidth utilization threshold U_th for link congestion, monitor the bandwidth utilization of every link in the network and compare it with the threshold. When a link's bandwidth utilization exceeds the threshold, the link is considered to be under LFA attack and severely congested: output the congested link P_c and use the network flow algorithm to search for repair paths from the related link information; otherwise continue monitoring the links in the network.
The search for several repair paths in step 2 includes the following:
When a congested link is found in the network (see FIG. 3), first compute the bandwidth utilization of the paths in the network from the link information. A forward path from the start node s of the congested link to the destination node d through the intermediate nodes (v_1, v_2, …, v_n), with n ∈ {1, …, |V|} and |V| the number of nodes in the network, is defined as:
P_s,d = (s, v_1, v_2, …, v_n, d)   (1)
The bandwidth utilization of the forward path is taken as the maximum bandwidth utilization over the links between adjacent nodes of the path, and is calculated as follows:
Using the traffic, capacity and bandwidth utilization information of the current network, the rules of the path search (network flow) algorithm are set with the following constraints:
Equation (3) states that for the two endpoints x, y of any link in the topology, the traffic from node x to node y cannot exceed the capacity of that link. Equation (4) states that for the two endpoints x, y of any link, the traffic f(x, y) from x to y equals the negative of the traffic f(y, x) from y to x. Equation (5) states that for any node x that is neither the source nor the destination, the sum of the flows entering x from its neighbours equals the sum of the flows leaving x to its neighbours, which expresses the conservation of network flow.
With (3) to (5) as constraints, the network flow algorithm takes the topology and the traffic, capacity and bandwidth utilization of the existing links before rerouting as input, and searches for the path that maximizes the residual capacity of the repair path before rerouting. In each round the algorithm first removes paths that violate the constraints; then, starting from the start node of the congested link, it extends the path step by step: for the current node it computes the residual capacity of each neighbouring link, compares it with the residual capacity of the path so far and keeps the smaller value as the residual capacity of the extended path (a bottleneck or widest-path search); this continues until the destination node is reached, and the repair path is output. After each run, the links of the repair path found in that round are removed from the link set. Repeating this for several rounds yields several repair paths with large residual capacity.
From the hop count, bandwidth utilization and capacity of the repair paths found by the network flow algorithm, a screening rule is set with the following constraints:
Formula (6) requires that the hop count of a repair path does not exceed the set maximum hop count n_max: the transmission time of a packet grows with the number of hops it crosses, so a forwarding path with fewer hops has a shorter transmission time; limiting the hop count shortens the time needed to reroute the traffic and also prevents forwarding loops. Formula (7) requires that the bandwidth utilization of a repair path before traffic rerouting lies within the set range; otherwise the path is removed. Formula (8) requires that the repair path is not congested after the traffic is rerouted; a path that does not satisfy it is removed. In (8), C(P_i) denotes the capacity of repair path P_i, T_pre(P_i) its traffic before rerouting, T(P_c) the traffic on the congested link P_c before rerouting, and β a set coefficient;
Screening the repair paths with (6) to (8) as constraints yields m repair paths. The m repair paths P_i with their capacities C(P_i), traffic before rerouting T_pre(P_i) and bandwidth utilization before rerouting U_pre(P_i), together with the congested link P_c before rerouting with its capacity C(P_c), traffic before rerouting T_pre(P_c) and bandwidth utilization before rerouting U_pre(P_c), are output as the input to the traffic rerouting step.
The flow rerouting in step3 comprises:
After obtaining a plurality of repair paths according to the step 2, the SDN controller sends m repair paths And/>The congestion link P c before traffic rerouting, the destination addresses of C (P c)、Tpre(Pc)、Upre(Pc) and k data packets of the congestion link P c before traffic rerouting are used as input, and the SDN controller performs traffic rerouting after being processed by a greedy algorithm;
firstly, the calculation formula of the network bandwidth utilization rate after rerouting each path is as follows:
Wherein, formula (9) indicates that the bandwidth utilization of the path P i after traffic is rerouted is equal to the bandwidth utilization before rerouting plus the increase in bandwidth utilization caused by the traffic that needs to be changed to be transmitted in the path P i after rerouting to the destination address d j in the congestion link P c before rerouting after rerouting;
the maximum bandwidth utilization of the network after traffic rerouting is defined as follows:
the formula (10) represents that the maximum utilization rate of the network path after the flow is rerouted takes the maximum value of the bandwidth utilization rate of the repair path after each rerouted and the bandwidth utilization rate of the congestion link before the rerouted;
Using the congestion path and m repair paths as paths through which traffic of the rerouted needs to pass, wherein the data packets needing to be rerouted have k destination addresses in total, and solving how to distribute the traffic to the paths participating in the rerouting, so that the maximum bandwidth utilization rate of the network after the traffic rerouting is minimum;
Setting decision variables as follows:
The problem of how to allocate traffic to paths participating in rerouting can be expressed as the following mathematical model:
min Um (12)
U(Pi)≤Umax (15)
Wherein equation (12) represents the goal of optimization to minimize the maximum bandwidth utilization of the network after traffic rerouting; equation (13) indicates that traffic in the network remains conserved; equation (14) indicates that traffic on path P i needs to remain within a certain range of link capacities after traffic rerouting, where a is a set coefficient, Representing traffic that is transmitted in the congested link before the rerouting but is instead transmitted in path P i after the rerouting; equation (15) indicates that the bandwidth utilization of path P i after traffic rerouting needs to be within a set range; equation (16) shows that path P i involved in traffic rerouting is m repair paths/>And a path in the congested link P c before rerouting;
By converting the flow distribution problem after rerouting into an optimization problem, adopting a greedy algorithm to obtain an optimal solution, and outputting an optimal strategy of flow rerouting:
According to the optimal strategy of traffic rerouting, the SDN controller modifies the port number of a routing table in a router related to the repair path and the congestion path before rerouting, changes the path of a data packet forwarded in the congestion path before rerouting, realizes traffic rerouting, and relieves link flooding attack.
In summary, compared with other link flooding attack defense methods, the method provided by the invention does not need to newly increase the limit rule of the user or deploy additional data and flow processing equipment, and the SDN controller operates related simple and efficient algorithms to change the forwarding path of the congestion data packet, thereby realizing the flow rerouting of the congestion link, relieving the link flooding attack and effectively reducing the defense cost.
Specifically, fig. 6 shows the topology of a campus network connected to the Internet, in which link L4 lies near the exit link of the campus network and has a relatively high bandwidth utilization rate over a long period; zombie hosts flood link L4 by accessing a server, so that link L4 becomes congested. After the SDN controller discovers that link L4 is congested, it runs the network flow algorithm, screens out repair links such as L10, L11 and L12, processes them with the greedy algorithm to obtain the optimal strategy with the minimum network bandwidth utilization rate after traffic rerouting, and modifies a port number in the routing table of router R3, so that the traffic carried by the congested link L4 before rerouting is distributed over links L4, L10, L11 and L12; traffic rerouting is achieved and the link flooding attack is effectively relieved.
In addition, the invention also provides a device comprising a processor and a memory; the memory stores a computer program, and the processor executes the traffic-rerouting-based link flooding attack mitigation method according to the computer program.
Still further, the invention provides a computer readable storage medium storing a computer program for executing the above traffic-rerouting-based link flooding attack mitigation method.
The preferred embodiments of the present invention have been described in detail above with reference to the accompanying drawings, but the present invention is not limited to the specific details of the above embodiments, and various simple modifications can be made to the technical solution of the present invention within the scope of the technical concept of the present invention, and all the simple modifications belong to the protection scope of the present invention.
In addition, the specific features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various possible combinations are not described further.
Moreover, any combination of the various embodiments of the invention can be made without departing from the spirit of the invention, which should also be considered as disclosed herein.

Claims (4)

1. A traffic-based rerouting link flooding attack mitigation method, the method comprising:
step 1, searching for the congested link: after a link flooding attack occurs, searching for the congested link in the network topology according to the bandwidth utilization rate and real-time traffic information of each link in the network, and extracting the traffic in the congested link and the destination address distribution characteristics of its data packets;
step 2, searching for repair paths: using a network flow algorithm to search for and screen a plurality of repair paths with large residual capacity according to the topological structure of the network, the constraint conditions of the links and the bandwidth utilization information of the links;
step 3, traffic rerouting: converting the traffic distribution problem over the repair paths into an optimization problem according to the destination address distribution of the data packets in the congested link before rerouting, the traffic information, the bandwidth utilization rate of the links and the constraint conditions of the links; distributing the congested traffic to the repair paths with a greedy algorithm, with minimization of the maximum link bandwidth utilization rate as the target, to obtain the optimal solution; and having the SDN controller modify the routing tables in the routers according to the distribution result, so as to reroute the congested traffic and finally relieve the link flooding attack;
the step 2 comprises the following steps:
When a congested link appears in the network, the bandwidth utilization rate of each path in the network is first calculated from the link information; a forward path from the starting node s of the failed link, through intermediate nodes (v 1, v 2, …, v n) with n ∈ {1, …, |V|}, where |V| is the number of nodes in the network, to the destination node d is defined as follows:
Ps,d=(s,v1,v2,…,vn,d) (1)
The remaining capacity of the forward path is considered as the minimum value of the remaining capacity of the link between any two adjacent nodes in the forward path, and the remaining capacity calculation formula of the forward path is as follows:
according to the information on the link, flow, capacity and bandwidth utilization in the current network, setting rules of a network flow algorithm, and related constraint conditions are as follows:
Here, formula (3) states that for the two end nodes x, y of any link in the network topology, the traffic from node x to node y cannot exceed the capacity of the link; formula (4) states that for the two end nodes x, y of any link in the network topology, the traffic f(x, y) from node x to node y equals the negative of the traffic f(y, x) from node y to node x; formula (5) states that for any node x that is neither the source node nor the destination node, the sum of the traffic flowing into node x from all its adjacent nodes equals the sum of the traffic flowing out of node x to all its adjacent nodes, which expresses the conservation of network flow;
Taking formulas (3) to (5) as constraint conditions, the network flow algorithm takes the network topology and the traffic, capacity and bandwidth utilization rate of the existing links before rerouting as input, and searches for the optimal path with maximization of the residual capacity of the repair path before rerouting as the target; in each round of the network flow algorithm, paths that do not satisfy the constraint conditions are first removed; then, starting from the initial node of the failed link, the path is extended step by step: for the current node, the residual capacity of the current link is calculated taking the neighbouring links into account; this residual capacity is then compared with the current residual capacity of the path, and the smaller value is taken as the residual capacity of the current path; the search proceeds in this way until it reaches the destination node, and the repair link is output; after each run of the network flow algorithm, the repair link found in that round is removed from the link set; these steps are repeated, running the network flow algorithm several times, to obtain a plurality of repair paths with large residual capacity;
According to the information of hop count, bandwidth utilization rate and capacity of the repair path obtained by searching the network flow algorithm, setting a rule of repair path screening, and related constraint conditions are as follows:
Here, formula (6) requires that the hop count of the repair path not exceed the set maximum hop count n max; the transmission time of a data packet is positively correlated with the number of hops traversed, so a smaller hop count in the forwarding path means a shorter transmission time, and limiting the forwarding hop count both shortens the time required to reroute the traffic and prevents the forwarding path of the data packet from looping; formula (7) requires that the bandwidth utilization of the repair path before traffic rerouting lie within the set range, otherwise the path is removed; formula (8) requires that the repair path not be congested after traffic is rerouted, and a path that does not satisfy this condition is removed; its terms are the capacity of the repair path, the traffic on the repair path before rerouting, T(P c), the traffic on the congested link P c before rerouting, and a set coefficient β;
Screening the repair paths obtained with formulas (6) to (8) as constraint conditions yields m repair paths; the m repair paths, each with its capacity, traffic before rerouting and bandwidth utilization before rerouting, together with the congested link P c before traffic rerouting and its capacity C(P c), traffic before rerouting T pre(P c) and bandwidth utilization before rerouting U pre(P c), are output for use as inputs to traffic rerouting.
2. The method of claim 1, wherein step 1 comprises:
For a given network, a network topology model G = (V; E) is constructed according to the distribution of SDN switches and servers, the positions of communication links and the communication service information in the network, giving each node v, the links e between nodes, and the traffic T(e), capacity C(e) and bandwidth utilization U(e) of each link; here V denotes the set of nodes in the network and E the set of links in the network;
First, a bandwidth utilization threshold U th for link congestion is set, and the bandwidth utilization rate of each link in the network is monitored and compared with the threshold; when the bandwidth utilization rate of a link exceeds the threshold, the link is considered to be under LFA attack and severely congested, the congested link P c is output, and the network flow algorithm is used to search for repair links according to the related link information; otherwise, the links in the network continue to be monitored.
3. The method of claim 1, wherein step 3 comprises:
After the plurality of repair paths have been obtained in step 2, the SDN controller takes as input the m repair paths with their capacities, traffic before rerouting and bandwidth utilization before rerouting, the congested link P c before traffic rerouting with C(P c), T pre(P c) and U pre(P c), and the destination addresses of the k data packets in the congested link P c before traffic rerouting; after processing with the greedy algorithm, the SDN controller performs traffic rerouting;
firstly, the calculation formula of the network bandwidth utilization rate after rerouting each path is as follows:
Here, formula (9) states that the bandwidth utilization of path P i after traffic rerouting equals its bandwidth utilization before rerouting plus the increase in bandwidth utilization caused by the traffic to destination address d j that was carried in the congested link P c before rerouting and is carried in path P i after rerouting;
the maximum bandwidth utilization of the network after traffic rerouting is defined as follows:
formula (10) states that the maximum utilization of the network paths after traffic rerouting is the maximum of the bandwidth utilization of each repair path after rerouting and the bandwidth utilization of the congested link before rerouting;
The congested path and the m repair paths are the paths through which the rerouted traffic may pass, and the data packets to be rerouted have k destination addresses in total; the problem is how to distribute the traffic over the paths participating in rerouting so that the maximum bandwidth utilization rate of the network after traffic rerouting is minimized;
Setting decision variables as follows:
The problem of how to allocate traffic to paths participating in rerouting can be expressed as the following mathematical model:
min Um (12)
U(Pi)≤Umax (15)
Here, equation (12) states the optimization goal: minimize the maximum bandwidth utilization of the network after traffic rerouting; equation (13) states that traffic in the network is conserved; equation (14) states that the traffic on path P i after rerouting must stay within a set fraction of the link capacity, where a is a set coefficient and the decision variable denotes the traffic that was transmitted in the congested link before rerouting but is transmitted in path P i after rerouting; equation (15) states that the bandwidth utilization of path P i after traffic rerouting must stay within the set range; equation (16) states that a path P i participating in traffic rerouting is either one of the m repair paths or the congested link P c before rerouting;
Having converted the post-rerouting traffic distribution problem into this optimization problem, a greedy algorithm is used to obtain the optimal solution, and the optimal traffic rerouting strategy is output:
According to the optimal traffic rerouting strategy, the SDN controller modifies the port numbers in the routing tables of the routers on the repair paths and on the congested path before rerouting, so that data packets previously forwarded along the congested path are forwarded along the new paths; traffic rerouting is thus realized and the link flooding attack is relieved.
4. A computer readable storage medium for storing a computer program for performing the traffic-based rerouting link flooding attack mitigation method of any of claims 1-3.
CN202210494732.5A 2022-05-07 2022-05-07 Method, equipment and storage medium for relieving flooding attack based on traffic rerouting link Active CN114844708B (en)

Publications (2)

Publication Number Publication Date
CN114844708A CN114844708A (en) 2022-08-02
CN114844708B true CN114844708B (en) 2024-06-18

Family

ID=82568649

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116094749B (en) * 2022-11-25 2024-05-07 济南大学 Detection defense method and system for CROSSFIRE TCP flow attack
CN116192777B (en) * 2022-12-30 2024-06-04 中国联合网络通信集团有限公司 Path learning method, device and storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113938407A (en) * 2021-09-02 2022-01-14 北京邮电大学 Data center network fault detection method and device based on in-band network telemetry system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7852751B2 (en) * 2008-02-15 2010-12-14 Cisco Technology, Inc. Constructing repair paths around multiple non-available links in a data communications network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant