CN116389120A - Novel DDOS attack defense system and method based on IP and topology confusion - Google Patents


Info

Publication number
CN116389120A
Authority
CN
China
Prior art keywords
topology
virtual
network
lip
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310363837.1A
Other languages
Chinese (zh)
Inventor
李腾
孙小敏
孔甜甜
林泽健
韩志峰
何彦武
卢知雨
马卓
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xidian University
Original Assignee
Xidian University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xidian University
Priority to CN202310363837.1A
Publication of CN116389120A
Legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a novel DDOS attack defense system and method based on IP and topology confusion, which mainly addresses the insufficient defense strength of existing methods against the novel DDOS attack. The scheme comprises a proxy IP confusion unit, a topology confusion unit and a communication quality maintenance unit. First, the proxy server IP confusion unit prolongs the time an attacker needs to collect the communication IPs of the proxy servers. Second, the topology confusion unit adds redundant paths to the path information returned in response to the attacker's trace traffic, so that the attacker cannot distinguish a virtual path from the real communication path; because the generated virtual paths differ in length from the real communication path, the attacker also cannot pick out the real communication path by analysing length information. Finally, network communication quality is restored by invoking a reinforcement-learning-based rerouting algorithm in the initial stage of network congestion. The invention can effectively protect the network against the novel DDOS attack while maintaining communication quality.

Description

Novel DDOS attack defense system and method based on IP and topology confusion
Technical Field
The invention belongs to the technical field of information security and relates to active defense against a novel distributed denial of service (DDOS) attack, in particular to a novel DDOS attack defense system and method based on IP and topology confusion, which can be used to protect a network from intrusion by the novel DDOS attack.
Background
The novel DDOS attack blocks the critical links between normal users and the target server by organizing many botnets to send large amounts of low-rate traffic to the proxy servers around the target server. In general, the novel DDOS attack comprises four steps. First, the attacker collects IP information about the proxy servers around the target server with a scanning tool such as NMAP. Second, the attacker uses a tracing tool to instruct the controlled botnet to send traceroute packets to the target server and the proxy servers, infers the network topology and builds a link diagram from the botnet to the server. Third, the attacker analyses the resulting link diagram to identify the critical links. Fourth, the attacker directs the botnet to send attack packets to the proxy servers. Compared with the traditional DDOS attack, the novel DDOS attack is more destructive and harmful and is harder to detect and prevent. Studies have shown that the Internet is a scale-free network whose link connectivity is highly non-uniform: a few critical links dominate the operation of the scale-free network, and once these critical links are broken, the connectivity of the entire network cannot be guaranteed. Therefore, designing a solution that can defend against the novel DDOS attack is critical to the operation of the network.
Jinwoo Kim et al. (2022, Proceedings of the USENIX NDSS) disclose a novel DDOS attack active defense scheme based on topology confusion. Because that topology confusion technique responds to the attacker's traceroute packets only with the real communication path and a virtual path of the same length as the real communication path, it has the following disadvantages. First, because only the real communication path and the virtual path exist, if any switch leaks its real IP the attacker can easily infer which path is the real communication path, and so finally analyse the whole topology of the network and identify a critical link. Second, because the nodes on the virtual path correspond one-to-one with the nodes on the real communication path, the attacker can easily partition the route information returned in response to the traceroute packets by path length, so that the network topology is revealed and network security is threatened. Finally, the scheme cannot resist blind novel DDOS attacks because it lacks any handling after network congestion occurs; a blind novel DDOS attack is one in which the attacker, without having inferred the exact information about a critical link, directly attacks the proxy servers around the target server based on the network information already obtained in order to block the network.
Inventive scheme
The invention aims to overcome the defects of the above technology and provides a novel DDOS attack defense system based on IP and topology confusion. The system comprises a proxy IP confusion unit, a topology confusion unit and a communication quality maintenance unit. First, the proxy server IP confusion unit prolongs the time an attacker needs to collect the communication IPs of the proxy servers, reducing the attacker's intention to attack. Second, if a large number of traceroute packets appear in the network, meaning that the attacker has collected enough proxy server communication IPs, the system starts the topology confusion unit, which makes the attacker unable to distinguish the network's critical links by analysing traceroute response traffic. In addition, the nodes on the virtual path do not correspond one-to-one with the nodes on the real communication path; instead a virtual network is created on each node of the real communication path, which prevents the attacker from partitioning the route information returned by traceroute according to path length. Finally, the invention protects the network from blind novel DDOS attacks by invoking the reinforcement-learning-based rerouting algorithm in the initial stage of network congestion.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
A novel DDOS attack defense system based on IP and topology confusion, comprising a proxy IP confusion unit, a topology confusion unit and a communication quality maintenance unit;
the proxy server IP confusion unit comprises an IP allocation module and an IP confusion module; the IP allocation module allocates long-term IPs and short-term IPs to all proxy servers in the network, denotes the long-term IP as LIP and the short-term IP as SIP, and passes the allocation result to the IP confusion module as input; the IP confusion module implements, between hosts and the proxy servers, the LIP and SIP communication required by the allocation made by the IP allocation module;
the topology confusion unit consists of an original topology acquisition module, a virtual topology generation module and a virtual topology deployment module, and serves to make the attacker unable to distinguish the network's critical links by analysing traceroute response traffic; the network topology acquisition module acquires the network topology using the SDN controller's topology discovery mechanism, records it as the original topology and passes it to the virtual topology generation module as input; the virtual topology generation module generates a virtual topology for the input original topology according to a given parameter set {x, y} and passes the virtual topology to the virtual topology deployment module as input, and the virtual topology deployment module deploys the network according to the input virtual topology;
the communication quality maintenance unit consists of a link monitoring module combined with a reinforcement-learning-based rerouting algorithm; the link monitoring module monitors the network communication quality in real time and, when the communication quality falls below a preset threshold, invokes the reinforcement-learning-based rerouting algorithm to reselect a communication path for the packets and restore network communication.
Further, the IP allocation module allocates long-term and short-term IPs to all proxy servers in the network as follows: in a network with N proxy servers, a designated number K of proxy servers are each allocated one LIP and one SIP, and the remaining N-K proxy servers are allocated LIPs only; the IP confusion module modifies the flow tables of the SDN switches through the SDN controller so that the LIP and SIP communication allocated by the IP allocation module is carried between hosts and the proxy servers, which increases the difficulty for an attacker of collecting the proxy servers' IP information.
Further, the virtual topology generation module generates a virtual topology for the input original topology according to the given parameter set {x, y} as follows:
each switch in the original topology is regarded as a node, and the set of nodes formed by all switches is denoted {N1, N2, ..., NN}, where N is the total number of nodes; for every SDN switch in the original topology, x virtual networks are created, where the number of nodes in any one virtual network is not fixed, giving the virtual network set:
[formula image BDA0004165976200000031]
where
[formula image BDA0004165976200000032]
denotes the x-th virtual network created for the n-th node Nn; assuming any two nodes Ni and Nj are linked in the original topology, where i, j ∈ {1, 2, ..., N} and i ≠ j, one-to-one virtual links are created between the x pairs of virtual networks
[formula image BDA0004165976200000033]
to obtain x virtual links; for any two nodes Ni and Nj, the virtual topology generation module randomly selects y redundant paths from Ni to Nj in the original topology; the real communication path from Ni to Nj in the original topology is recorded as the original path; a path formed by the virtual links between the virtual networks created for the nodes on the original path is called a virtual path, and the original path, the x virtual paths created from Ni to Nj and the y randomly selected redundant paths together are called the virtual topology from Ni to Nj.
Further, the virtual topology deployment module deploys the virtual topology into the network by modifying the TTL value of the traceroute packet and the IP address of the response packet at the same time, or by rerouting the packet to a redundant path; the link monitoring module runs throughout the life cycle of system operation and monitors network communication quality in real time with the iperf tool, the monitored quantities including at least link delay, link utilization and port rate.
A novel DDOS attack defense method based on IP and topology confusion comprises the following steps:
(1) In a network with N proxy servers, select K proxy servers as designated proxy servers according to the defender's defense capability;
(2) Use the IP allocation module to allocate a long-term IP and a short-term IP to each designated proxy server, denoting the long-term IP as LIP and the short-term IP as SIP, and allocate only a LIP to the remaining proxy servers; the LIP stays unchanged for a long time, the system is given a parameter t, and a new SIP is allocated to each designated proxy server every t; the LIP of a proxy server serves as its communication IP, and the allocation result is passed to the IP confusion module as input;
(3) The IP confusion module modifies the flow tables of the SDN switches through the SDN controller, so that packets are forwarded among the SDN switches in the network by matching the modified flow tables, implementing the following:
(3.1) When an IP packet is sent from an external user to a proxy server, it first reaches the SDN switch connected to the external user; this switch is called the ingress switch, and the SDN switch connected to the proxy server is called the egress switch. The ingress switch sends the IP packet to the SDN controller, and the SDN controller checks whether the packet's destination IP address is the LIP of some proxy server; if so, flow tables are issued to the ingress and egress switches according to the flow-table issuing rules the SDN controller uses when the proxy server IP confusion unit is not deployed, and if not, go to step (3.2);
(3.2) The SDN controller checks whether the destination address is the current SIP of some designated proxy server; if so, that proxy server is called the hit server and processing goes to step (3.3), and if not, the SDN controller issues flow tables to the ingress and egress switches according to the flow-table issuing rules used when the proxy server IP confusion unit is not deployed;
(3.3) The SDN controller adds a flow entry to the flow table of the ingress switch whose match field sets the destination IP to the SIP of the hit server, whose action field rewrites the packet's destination IP address to the LIP of the hit server and forwards the packet, and whose expiry time is set to t; the SDN controller also adds a flow entry to the flow table of the egress switch whose match field sets the source IP to the LIP of the hit server, whose action field rewrites the packet's source IP address to the SIP of the hit server and forwards the packet, and whose expiry time is set to t;
(4) The virtual topology generation module generates x virtual paths for any two nodes Ni and Nj in the original topology according to the system-given parameters {x, y} and randomly selects y redundant paths in the network, obtaining the virtual topology;
(5) The virtual topology deployment module deploys the virtual topology into the network, so that the attacker's probe traffic between any two nodes Ni and Nj is forwarded with equal probability along one of the x virtual paths from Ni to Nj, the y randomly selected redundant paths and the original path, achieving the goal that the attacker cannot distinguish the network's critical links by analysing traceroute response traffic;
(6) Throughout the life cycle of system operation, monitor the network communication quality in real time with the link monitoring module, the quality criteria including at least link delay, link utilization and port rate; if the network communication quality is found to have dropped below the threshold preset by the system, execute the reinforcement-learning-based rerouting algorithm to protect the links.
Compared with the prior art, the invention has the following advantages:
First, the proxy server IP confusion unit can prolong the time an attacker needs to collect the proxy servers' communication IPs and reduce the attacker's intention to attack, for the following reason: if many SIPs are among the M IP addresses the attacker collects by NMAP network segment scanning, then by the time the attacker has collected enough proxy server communication IPs and prepares to launch the attack, the SIPs will soon have expired, the attack cannot proceed normally, and the attacker is forced to keep collecting IP information; the attack preparation time is thus effectively prolonged and the attacker's intention to attack is reduced.
Second, the virtual topology generation module of the topology confusion unit adds redundant paths to the path information returned in response to the attacker's trace traffic, so that the attacker cannot distinguish a virtual path from the real communication path even if some switch leaks its real IP; in addition, the virtual paths are built from virtual networks whose node counts are not fixed, so the generated virtual paths differ in length from the real communication path, which prevents the attacker from distinguishing the real communication path, the redundant paths and the virtual paths by length information.
Third, the link monitoring module of the communication quality maintenance unit monitors network communication quality in real time throughout the life cycle of system operation, and restores communication quality in time by invoking the reinforcement-learning-based rerouting algorithm in the initial stage of network congestion, protecting the network from blind novel DDOS attacks.
Drawings
FIG. 1 is an overall block diagram of the system of the present invention;
FIG. 2 is a flow chart of an implementation of the method of the present invention;
FIG. 3 is a schematic diagram of virtual topology generation in accordance with the present invention;
FIG. 4 is a schematic diagram of a deployment scenario of the virtual topology deployment module of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present invention is further described clearly and completely in connection with the following specific embodiments.
Embodiment one: referring to FIG. 1, the novel DDOS attack defense system based on IP and topology confusion provided by the invention comprises a proxy IP confusion unit, a topology confusion unit and a communication quality maintenance unit;
the proxy server IP confusion unit comprises an IP allocation module and an IP confusion module; the IP allocation module allocates long-term IPs and short-term IPs to all proxy servers in the network, denotes the long-term IP as LIP and the short-term IP as SIP, and passes the allocation result to the IP confusion module as input; the IP confusion module implements, between hosts and the proxy servers, the LIP and SIP communication required by the allocation made by the IP allocation module. The IP allocation module allocates long-term and short-term IPs to all proxy servers in the network as follows: in a network with N proxy servers, a designated number K of proxy servers are each allocated one LIP and one SIP, and the remaining N-K proxy servers are allocated LIPs only; the IP confusion module modifies the flow tables of the SDN switches through the SDN controller so that the LIP and SIP communication allocated by the IP allocation module is carried between hosts and the proxy servers, which increases the difficulty for an attacker of collecting the proxy servers' IP information.
The topology confusion unit consists of an original topology acquisition module, a virtual topology generation module and a virtual topology deployment module, and serves to make the attacker unable to distinguish the network's critical links by analysing traceroute response traffic. The network topology acquisition module acquires the network topology using the SDN controller's topology discovery mechanism, records it as the original topology and passes it to the virtual topology generation module as input; the virtual topology generation module generates a virtual topology for the input original topology according to a given parameter set {x, y} and passes the virtual topology to the virtual topology deployment module as input, and the virtual topology deployment module deploys the network according to the input virtual topology;
the virtual topology generation module generates a virtual topology for the input original topology according to the given parameter set {x, y} as follows: each switch in the original topology is regarded as a node, and the set of nodes formed by all switches is denoted {N1, N2, ..., NN}, where N is the total number of nodes; for every SDN switch in the original topology, x virtual networks are created, where the number of nodes in any one virtual network is not fixed, giving the virtual network set:
[formula image BDA0004165976200000061]
where
[formula image BDA0004165976200000062]
denotes the x-th virtual network created for the n-th node Nn; assuming any two nodes Ni and Nj are linked in the original topology, where i, j ∈ {1, 2, ..., N} and i ≠ j, one-to-one virtual links are created between the x pairs of virtual networks
[formula image BDA0004165976200000071]
to obtain x virtual links; for any two nodes Ni and Nj, the virtual topology generation module randomly selects y redundant paths from Ni to Nj in the original topology; the real communication path from Ni to Nj in the original topology is recorded as the original path; a path formed by the virtual links between the virtual networks created for the nodes on the original path is called a virtual path, and the original path, the x virtual paths created from Ni to Nj and the y randomly selected redundant paths together are called the virtual topology from Ni to Nj.
The virtual topology deployment module deploys the virtual topology into the network by modifying the TTL value of the traceroute packet and the IP address of the response packet at the same time, or by rerouting the packet to a redundant path; the link monitoring module runs throughout the life cycle of system operation and monitors network communication quality in real time with the iperf tool, the monitored quantities including at least link delay, link utilization and port rate.
The communication quality maintenance unit consists of a link monitoring module combined with a reinforcement-learning-based rerouting algorithm; the link monitoring module monitors the network communication quality in real time and, when the communication quality falls below a preset threshold, invokes the reinforcement-learning-based rerouting algorithm to reselect a communication path for the packets and restore network communication.
Embodiment two: referring to FIG. 2, the novel DDOS attack defense method based on long- and short-term IP and topology confusion provided by the invention comprises the following steps:
Step 1, in a network with N proxy servers, select K proxy servers as designated proxy servers according to the defender's defense requirements, where K is determined as follows:
[formula image BDA0004165976200000072]
where N is the total number of proxy servers in the network, M is the number of proxy servers the attacker needs to collect, and p is a parameter set by the system according to its own defense requirements, namely the (small) probability the system is willing to accept that the attacker collects M LIPs in a single NMAP network segment scan.
Step 2, use the IP allocation module to allocate a long-term IP and a short-term IP to each designated proxy server, denoting the long-term IP as LIP and the short-term IP as SIP, and allocate only a LIP to the other proxy servers; the LIP stays unchanged for a long time, the system is given a parameter t, and a new SIP is allocated to each designated proxy server every t; the LIP of a proxy server serves as its communication IP, and the allocation result is passed to the IP confusion module as input;
the IP allocation module allocates the SIPs and LIPs to the proxy servers, and the allocation must meet the following requirements:
(a) The LIP of each proxy server is different; the LIPs allocated to all proxy servers are denoted {LIP1, LIP2, ..., LIPN}; the SIP of each designated proxy server is not in {LIP1, LIP2, ..., LIPN}, and the SIPs of any two designated proxy servers at the same time are different;
(b) Each proxy server is currently in the same network segment as its LIP;
(c) The system is given a period T during which the same SIP cannot be allocated more than once, to prevent a SIP scanned by NMAP from remaining reachable throughout T; for example, if during the first T the SIP belongs to proxy server 1 and during the second T it is allocated to proxy server 2, the attacker would receive IP response packets during both periods.
Step 3, the IP confusion module modifies the flow tables of the SDN switches through the SDN controller, so that packets are forwarded among all SDN switches in the network by matching the modified flow tables, implementing the following:
(3.1) When an IP packet is sent from an external user to a proxy server, it first reaches the SDN switch connected to the external user; this switch is called the ingress switch, and the SDN switch connected to the proxy server is called the egress switch. The ingress switch sends the IP packet to the SDN controller, and the SDN controller checks whether the packet's destination IP address is the LIP of some proxy server; if so, flow tables are issued to the ingress and egress switches according to the flow-table issuing rules the SDN controller uses when the proxy server IP confusion unit is not deployed, and if not, go to step (3.2);
(3.2) The SDN controller checks whether the destination address is the current SIP of some designated proxy server; if so, that proxy server is called the hit server and processing goes to step (3.3), and if not, the SDN controller issues flow tables to the ingress and egress switches according to the flow-table issuing rules used when the proxy server IP confusion unit is not deployed;
(3.3) The SDN controller adds a flow entry to the flow table of the ingress switch whose match field sets the destination IP to the SIP of the hit server, whose action field rewrites the packet's destination IP address to the LIP of the hit server and forwards the packet, and whose expiry time is set to t; the SDN controller also adds a flow entry to the flow table of the egress switch whose match field sets the source IP to the LIP of the hit server, whose action field rewrites the packet's source IP address to the SIP of the hit server and forwards the packet, and whose expiry time is set to t.
Step 4, the virtual topology generation module generates x virtual paths between any two nodes Ni and Nj in the original topology according to the system-given parameters {x, y} and randomly selects y redundant paths in the network, obtaining the virtual topology;
Step 5, the virtual topology deployment module deploys the virtual topology into the network, so that the attacker's probe traffic between any two nodes Ni and Nj is forwarded with equal probability along one of the x virtual paths from Ni to Nj, the y randomly selected redundant paths and the original path, achieving the goal that the attacker cannot distinguish the network's critical links by analysing traceroute response traffic.
Step 6, throughout the life cycle of system operation, monitor the network communication quality in real time with the link monitoring module, the quality criteria including at least link delay, link utilization and port rate; if the network communication quality is found to have dropped below the threshold preset by the system, execute the reinforcement-learning-based rerouting algorithm to protect the links.
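The following is an added illustration (not the patent's own code) of the proxy server IP confusion unit: it models the SIP/LIP allocation of step 2 under requirements (a) to (c) and the controller decisions of step 3 in plain Python, with constructed addresses from a documentation range; a real deployment would push the entries to SDN switches instead of keeping them in a list.

```python
"""Model of the proxy server IP confusion unit: SIP/LIP allocation under
requirements (a)-(c) of step 2 and the flow-table decisions of step 3.
Added illustration for this page, not the patent's code."""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class FlowEntry:
    switch: str        # "ingress" or "egress"
    match: tuple       # ("dst", SIP) at the ingress switch, ("src", LIP) at the egress switch
    action: tuple      # ("set_dst", LIP) or ("set_src", SIP), then forward
    expires_at: float  # install time + t, as in step (3.3)


class IPConfusionController:
    def __init__(self, lips, designated, segment, t, T, seed=0):
        self.segment = ipaddress.ip_network(segment)
        for lip in lips.values():                      # (b): LIPs live in the segment
            assert ipaddress.ip_address(lip) in self.segment, lip
        self.lips = dict(lips)                         # proxy -> LIP (fixed)
        self.designated = list(designated)             # the K proxies that also get a SIP
        self.t, self.T = t, T                          # SIP lifetime, SIP no-reuse window
        self.rng = random.Random(seed)                 # seeded so the example is repeatable
        self.now = 0.0
        self.sips = {}                                 # proxy -> current SIP
        self.sip_last_used = {}                        # SIP -> time it was last allocated
        self.flows = []                                # installed FlowEntry objects
        self.last_rotation = 0.0
        self.rotate_sips()

    def _free_sips(self):
        """Addresses usable as SIPs right now: same segment as the LIPs (b),
        not a LIP and not a live SIP (a), not allocated within the last T (c)."""
        taken = set(self.lips.values()) | set(self.sips.values())
        for host in self.segment.hosts():
            ip = str(host)
            if ip in taken:
                continue
            last = self.sip_last_used.get(ip)
            if last is not None and self.now - last < self.T:
                continue
            yield ip

    def rotate_sips(self):
        """Give every designated proxy a fresh SIP (done every t seconds)."""
        pool = list(self._free_sips())
        self.rng.shuffle(pool)
        self.sips = {}
        for proxy in self.designated:
            sip = pool.pop()
            self.sips[proxy] = sip
            self.sip_last_used[sip] = self.now
        self.last_rotation = self.now

    def tick(self, seconds):
        """Advance the clock: drop expired flow entries, rotate SIPs every t."""
        self.now += seconds
        self.flows = [f for f in self.flows if f.expires_at > self.now]
        if self.now - self.last_rotation >= self.t:
            self.rotate_sips()

    def packet_in(self, dst_ip):
        """Step 3 decision for a packet-in reported by the ingress switch."""
        if dst_ip in self.lips.values():               # (3.1): a LIP, ordinary forwarding
            return "forward"
        hit = next((p for p, s in self.sips.items() if s == dst_ip), None)
        if hit is None:                                # (3.2): not a live SIP, ordinary rules
            return "forward"
        lip, sip = self.lips[hit], self.sips[hit]      # (3.3): SIP<->LIP rewrite for t seconds
        exp = self.now + self.t
        self.flows.append(FlowEntry("ingress", ("dst", sip), ("set_dst", lip), exp))
        self.flows.append(FlowEntry("egress", ("src", lip), ("set_src", sip), exp))
        return "rewrite"

    def scan_snapshot(self):
        """Addresses a network-segment scan would find responsive right now."""
        return set(self.lips.values()) | set(self.sips.values())
```

After one rotation, every SIP present in an earlier scan snapshot has stopped being rewritten, which is the mechanism by which the collected addresses go stale.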
Embodiment three: referring to FIG. 3, the overall steps of the DDOS attack defense method in this embodiment are the same as in Embodiment two; the virtual topology generation module is described further:
As shown in FIG. 3, N1-N2-N3-N4-N5 is the real communication path from N1 to N5, i.e. the original path, and N1-N6-N7-N8-N5 is a redundant path from N1 to N5 in the original topology. In this embodiment we assume the input parameter x is 2 and y is 1. Then
[formula image BDA0004165976200000091]
and
[formula image BDA0004165976200000092]
are the two virtual networks created at N1,
[formula image BDA0004165976200000093]
and
[formula image BDA0004165976200000094]
are the two virtual networks created at N2, and likewise for N3, N4 and N5. The virtual path from N1 to N5 therefore has two instances:
[formula image BDA0004165976200000095]
and
[formula image BDA0004165976200000096]
N1-N6-N7-N8-N5 is the redundant path chosen for N1 to N5, and the generated virtual topology is as shown in FIG. 3.
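As an added example (not the patent's code), the generation step on the FIG. 3 topology, with x = 2 and y = 1 as above. Assumptions: the adjacency list is constructed from the two paths named in the figure, each virtual network is a chain of 1 to 3 virtual nodes chosen at random so that virtual path lengths vary, and a redundant path is any loop-free path from Ni to Nj in the original topology other than the original path.

```python
"""Virtual topology generation (step 4, Embodiment three) on the FIG. 3
topology.  Added illustration, not the patent's code."""
import random

# Constructed adjacency list for FIG. 3: the original path N1-N2-N3-N4-N5
# and the detour N1-N6-N7-N8-N5.
TOPOLOGY = {
    "N1": ["N2", "N6"], "N2": ["N1", "N3"], "N3": ["N2", "N4"],
    "N4": ["N3", "N5"], "N5": ["N4", "N8"], "N6": ["N1", "N7"],
    "N7": ["N6", "N8"], "N8": ["N7", "N5"],
}
ORIGINAL_PATH = ["N1", "N2", "N3", "N4", "N5"]


def simple_paths(topology, src, dst):
    """All loop-free paths from src to dst in the original topology (DFS)."""
    found, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            found.append(path)
            continue
        for nxt in topology[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return found


def make_virtual_networks(node, x, rng, max_size=3):
    """Create the x virtual networks of `node`; the k-th one is a chain of
    1..max_size virtual nodes named V<node>^k_<m> (node count not fixed)."""
    return [[f"V{node}^{k}_{m}" for m in range(1, rng.randint(1, max_size) + 1)]
            for k in range(1, x + 1)]


def generate_virtual_topology(topology, original_path, x, y, seed=0):
    """Return the virtual topology from Ni to Nj: the original path, x virtual
    paths and y randomly chosen redundant paths."""
    rng = random.Random(seed)
    src, dst = original_path[0], original_path[-1]
    vnets = {n: make_virtual_networks(n, x, rng) for n in original_path}
    # The k-th virtual path joins the k-th virtual network of every node on the
    # original path in order (the one-to-one virtual links of the text).
    virtual_paths = []
    for k in range(x):
        path = []
        for n in original_path:
            path.extend(vnets[n][k])
        virtual_paths.append(path)
    candidates = [p for p in simple_paths(topology, src, dst) if p != list(original_path)]
    if len(candidates) < y:
        raise ValueError(f"only {len(candidates)} redundant path(s) available, need {y}")
    redundant = rng.sample(candidates, y)
    return {"original": list(original_path), "virtual": virtual_paths,
            "redundant": redundant}


def is_path_in_topology(topology, path):
    """True if every consecutive pair on `path` is a link of the original topology."""
    return all(b in topology[a] for a, b in zip(path, path[1:]))


def path_lengths(vtopo):
    """Hop counts a prober would see for each candidate path, for comparison."""
    return {"original": len(vtopo["original"]),
            "virtual": [len(p) for p in vtopo["virtual"]],
            "redundant": [len(p) for p in vtopo["redundant"]]}
```

With two virtual nodes or more on some networks, `path_lengths` shows the virtual paths no longer sharing the original path's hop count, which is the point of making the virtual network size variable.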
Embodiment four: referring to fig. 4, in the DDOS attack defending method in this embodiment, the overall implementation steps are the same as those in the second embodiment, and a further description will be made on the virtual topology deployment module:
The virtual topology deployment module causes an attacker's probe traffic to be forwarded with equal probability over the virtual path, the redundant path and the critical path, by modifying the TTL value of Traceroute packets together with the IP address of the response packet, or by rerouting the packet onto a redundant path, so that the attacker cannot identify the critical path by analyzing the Traceroute response traffic:
(5.1) In order to prevent an attacker from distinguishing a node on the real communication path from a node on a virtual network by observing IP addresses, the IP address allocated to a node on a virtual network should be a public network IP; furthermore, the allocated IP should lie in the same subnet as the node on the corresponding real communication path, and already allocated IP addresses must not be reused.
(5.2) The SDN controller modifies the TTL value of traceroute packets and instructs the switch to respond to the trace packet with its real or a fake IP address, or to reroute the packet onto a redundant path. One third of the traceroute packets are modified so that the virtual path view is returned to the attacker, one third are modified so that the redundant path view is returned to the attacker, and the remaining third are forwarded normally. In fig. 4, S is the attacker, D is the proxy server and A is a node on the original path; in this example we assume that a virtual path has been generated and a redundant path selected for this node, B-C being the virtual network created on node A and S-E-D the randomly selected redundant path. If the virtual path view is to be returned to the attacker: when switch A receives a traceroute probe with TTL=1, the SDN controller issues a flow table rule that modifies the source IP address of the ICMP time-exceeded reply to B; when a packet with TTL=2 is received, in order to make the attacker believe that a switch C exists, the TTL value is decremented by 2 so that the packet expires at switch A, and the SDN controller issues a flow table rule that modifies the source IP address of the ICMP time-exceeded reply to C; when a packet with TTL=3 is received, again so that switch C appears to exist, the TTL value is decremented by 2 so that the packet reaches proxy server D, and the attacker sees the virtual path response S-B-C-D. If the redundant path view is to be returned to the attacker, the SDN controller issues a flow table rule that reroutes the packet to E, so that the attacker obtains the topology view S-E-D.
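The per-probe handling in (5.2) is easiest to check as a small simulation. The following is an added example and not code from the patent or its authors: it models the flow-table behaviour of switch A for the S-A-D example of fig. 4 and shows the hop list each view yields to the attacker. The IP addresses are constructed documentation addresses chosen so that the virtual nodes B, C and the redundant node E share A's subnet, as (5.1) requires; the view selected per probe is passed in explicitly rather than drawn at random, so the outcome is reproducible.

```python
"""Simulated traceroute-view rewriting for the S-A-D example of (5.2).

Added example; the addresses below are constructed (TEST-NET ranges) and
stand in for the real switch IPs of a deployment.
"""
from dataclasses import dataclass

IP = {
    "S": "203.0.113.10",    # attacker (probe source)
    "A": "198.51.100.1",    # real switch on the original path
    "B": "198.51.100.2",    # virtual node created on A (same subnet, per 5.1)
    "C": "198.51.100.3",    # virtual node created on A
    "E": "198.51.100.50",   # node on the randomly chosen redundant path
    "D": "198.51.100.100",  # proxy server, the probe destination
}


@dataclass
class Reply:
    src_ip: str    # source address of the ICMP time-exceeded / final reply
    reached: bool  # True once the probe has reached proxy server D


def handle_probe_at_a(ttl: int, view: str) -> Reply:
    """Flow-table logic the controller installs on switch A for one probe.

    view is 'virtual' (attacker sees S-B-C-D), 'redundant' (S-E-D)
    or 'real' (normal forwarding, S-A-D).
    """
    if view == "virtual":
        if ttl == 1:
            # probe expires at A; ICMP source rewritten to the virtual node B
            return Reply(IP["B"], False)
        # TTL is decremented by 2: a TTL=2 probe also expires at A and is
        # answered as C, while a TTL=3 probe still reaches D with TTL 1.
        ttl -= 2
        if ttl <= 0:
            return Reply(IP["C"], False)
        return Reply(IP["D"], True)
    if view == "redundant":
        # reroute the probe onto the redundant path S-E-D
        return Reply(IP["E"], False) if ttl == 1 else Reply(IP["D"], True)
    if view == "real":
        return Reply(IP["A"], False) if ttl == 1 else Reply(IP["D"], True)
    raise ValueError(f"unknown view {view!r}")


def traceroute_view(view: str, max_ttl: int = 8) -> list:
    """Hop list the attacker records when every probe of one run gets `view`."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        reply = handle_probe_at_a(ttl, view)
        hops.append(reply.src_ip)
        if reply.reached:
            return hops
    raise RuntimeError("destination never reached: broken rewrite rule")


def mixed_run(views: list) -> list:
    """Probe i of a run is served with views[i]; this is what the 1/3 split
    in (5.2) produces when each probe draws its view independently."""
    hops = []
    for ttl, view in enumerate(views, start=1):
        reply = handle_probe_at_a(ttl, view)
        hops.append(reply.src_ip)
        if reply.reached:
            break
    return hops


def leaks_real_node(hops: list) -> bool:
    """Sanity check for the defender: the real switch A must not show up in
    a virtual or redundant view."""
    return IP["A"] in hops


if __name__ == "__main__":
    for v in ("virtual", "redundant", "real"):
        print(v, traceroute_view(v))
```

Running `traceroute_view` for the three views reproduces the S-B-C-D, S-E-D and S-A-D hop lists of the text; `mixed_run` shows that when views are drawn per probe the attacker's successive runs disagree with one another, which is what denies a consistent picture of the critical path.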
Fifth embodiment: the DDOS attack defending method in this embodiment has the same overall implementation steps as the second embodiment; the rerouting algorithm based on reinforcement learning is described further and is implemented in the following steps:
(6.1) The link relationship of the SDN switches in the original topology is represented by a matrix L (matrix image not extracted), whose elements $l_{ij}$ and $l_{ji}$ both represent the link relationship between Ni and Nj in the original topology: if there is a link between them, $l_{ij} = l_{ji} = 1$ in L, otherwise 0;
(6.2) a state space and an action space of the agent are designed from all the nodes {N1, N2, ..., Nn}: the state of the agent when the data packet is at the i-th node Ni is denoted Ni', and the action of the agent when the data packet selects Nj as the next route is denoted Nj';
(6.3) when the agent selects action Nj' in state Ni', its reward is obtained as follows:
Case one: $l_{ij} = 0$ in L; reward $r = r_0$, where $r_0$ is a penalty;
Case two: $l_{ij} = 1$ in L and Nj is not the node connected to the proxy server; reward $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij}$;
Case three: $l_{ij} = 1$ in L and Nj is the node connected to the proxy server; reward $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij} + r_3$, where $r_3$ is the reward for reaching the destination address;
where $BW_{ij}$ is the residual bandwidth of the link between nodes Ni and Nj, $LTR_{ij}$ the link throughput rate, $DL_{ij}$ the link delay, $JI_{ij}$ the link jitter and $Loss_{ij}$ the link packet loss rate between nodes Ni and Nj; the $\lambda_i$ are the weights of the reward function, with $\lambda_1, \lambda_2 \in [0, 1]$ and $\lambda_3, \lambda_4, \lambda_5 \in [-1, 0]$; the values of $\lambda_1$ to $\lambda_5$ are determined experimentally, i.e. the weights $\lambda_1, \ldots, \lambda_5$ are chosen so that the agent obtains the highest reward;
(6.4) the Q table is trained by Q-learning with the designed state space, action space and reward function, and after training the data packet is forwarded according to the Q table: for example, when the packet is at the i-th node Ni (agent state Ni'), the agent selects from the Q table the action Nj' with the largest value, which corresponds to the packet taking Nj as its next route.
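Steps (6.1) to (6.4) fit in a short tabular Q-learning routine. The block below is an added example, not the patent's implementation: it uses the eight-node topology of Embodiment III (original path N1-N2-N3-N4-N5, redundant path N1-N6-N7-N8-N5) with N5 as the node connected to the proxy server, constructs per-link measurements normalised to [0, 1] with the N3-N4 link degraded as if under attack, and assumes concrete values for the weights $\lambda_1 \ldots \lambda_5$, the penalty $r_0$ and the arrival reward $r_3$, none of which the text fixes. The state space is the node set and the action space is likewise the node set, exactly as (6.2) describes, so an action onto a non-existent link is possible and is punished with $r_0$.

```python
"""Q-learning rerouting over the original topology of Embodiment III.

Added example (not the patent's code). Link metrics, lambda weights, r0 and
r3 are constructed assumptions.
"""
import random

# Nodes N1..N8 are indices 0..7; N5 (index 4) connects to the proxy server.
N = 8
DEST = 4
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4),      # original path N1-N2-N3-N4-N5
         (0, 5), (5, 6), (6, 7), (7, 4)]      # redundant path N1-N6-N7-N8-N5


def link_matrix(n, edges):
    """Matrix L of (6.1): l_ij = l_ji = 1 when Ni and Nj are linked, else 0."""
    L = [[0] * n for _ in range(n)]
    for i, j in edges:
        L[i][j] = L[j][i] = 1
    return L


L = link_matrix(N, EDGES)

# Constructed per-link measurements (BW, LTR, DL, JI, Loss), normalised to [0,1].
GOOD = (0.9, 0.8, 0.1, 0.05, 0.01)
DEGRADED = (0.1, 0.2, 0.9, 0.5, 0.3)          # N3-N4 is congested by the attack
METRICS = {e: GOOD for e in EDGES}
METRICS[(2, 3)] = DEGRADED

LAMBDA = (1.0, 1.0, -1.0, -1.0, -1.0)  # assumed: λ1,λ2 in [0,1]; λ3..λ5 in [-1,0]
R0 = -5.0     # assumed penalty for choosing a non-existent link (case one)
R3 = 100.0    # assumed reward for reaching the proxy node; must beat endless cycling


def metrics(i, j):
    return METRICS.get((i, j)) or METRICS[(j, i)]


def reward(i, j):
    """Reward of (6.3) for choosing next hop Nj while the packet sits at Ni."""
    if L[i][j] == 0:
        return R0                                               # case one
    r = sum(lam * m for lam, m in zip(LAMBDA, metrics(i, j)))   # case two
    return r + R3 if j == DEST else r                           # case three


def train(episodes=5000, alpha=0.5, gamma=0.9, eps=0.2, seed=7):
    """Tabular Q-learning over states {Ni'} and actions {Nj'} (6.4)."""
    rng = random.Random(seed)
    Q = [[0.0] * N for _ in range(N)]
    for _ in range(episodes):
        s = rng.randrange(N)                    # rerouting may begin at any node
        for _step in range(20):
            if s == DEST:
                break
            if rng.random() < eps:
                a = rng.randrange(N)
            else:
                a = max(range(N), key=lambda j: Q[s][j])
            r = reward(s, a)
            s2 = a if L[s][a] else s            # an invalid hop leaves the packet in place
            Q[s][a] += alpha * (r + gamma * max(Q[s2]) - Q[s][a])
            s = s2
    return Q


def route(Q, start):
    """Forward greedily by the trained Q table; only real links are eligible."""
    path, cur = [start], start
    while cur != DEST:
        candidates = [j for j in range(N) if L[cur][j]]
        nxt = max(candidates, key=lambda j: Q[cur][j])
        if nxt in path:
            raise RuntimeError(f"routing loop at N{nxt + 1}")
        path.append(nxt)
        cur = nxt
    return path


if __name__ == "__main__":
    q = train()
    print("from N1:", [f"N{i + 1}" for i in route(q, 0)])
    print("from N3:", [f"N{i + 1}" for i in route(q, 2)])
```

With the degraded N3-N4 link, the trained table sends a packet at N1 along the redundant path N1-N6-N7-N8-N5, while a packet already at N3 still completes the original path because backtracking costs more hops than the single bad link. One design point worth noting when reproducing (6.3): because the per-link reward is positive on healthy links, a small $r_3$ lets the agent prefer bouncing between two good links forever over delivering the packet; $r_3$ has to dominate the discounted sum of link rewards, which is why it is set high here.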
Matters not described in detail in the invention are within the knowledge of a person skilled in the art.
The foregoing description of the preferred embodiment of the invention is not intended to be limiting, but it will be apparent to those skilled in the art that various modifications and changes in form and detail may be made without departing from the principles and construction of the invention, but these modifications and changes based on the idea of the invention are still within the scope of the appended claims.

Claims (8)

1. A novel DDOS attack defense system based on IP and topology confusion, comprising: a proxy IP confusion unit, a topology confusion unit, and a communication quality maintenance unit;
the proxy server IP confusion unit comprises an IP distribution module and an IP confusion module; the IP distribution module distributes a long-term IP and a short-term IP to all proxy servers in the network, denotes the long-term IP as LIP and the short-term IP as SIP, and passes the distribution result as the input of the IP confusion module; the IP confusion module enforces, between the host and the proxy server, the LIP and SIP communication requirements set by the IP distribution module;
the topology confusion unit is composed of an original topology acquisition module, a virtual topology generation module and a virtual topology deployment module and is used for achieving the purpose that an attacker cannot distinguish network key links by analyzing Traceroute response flows; the network topology acquisition module acquires network topology by utilizing an SDN controller network topology discovery principle, records the network topology as an original topology, and takes the original topology as input of the virtual topology generation module; the virtual topology generation module generates a virtual topology for an input original topology according to a given parameter set { x, y }, and takes the virtual topology as the input of the virtual topology deployment module, wherein the virtual topology deployment module is used for deploying a network according to the input virtual topology;
the communication quality maintaining unit is composed of a link monitoring module combined with a re-routing algorithm based on reinforcement learning; the link monitoring module is used for monitoring network communication quality in real time, and calling a re-routing algorithm based on reinforcement learning to re-select a communication path for the data packet to restore network communication when the communication quality is smaller than a preset threshold value.
2. The system according to claim 1, wherein: the IP distribution module distributes long-term IP and short-term IP for all proxy servers in the network, and specifically comprises the following steps: distributing an LIP and an SIP for a designated number K of proxy servers in a network with N proxy servers, and distributing LIPs for the rest N-K proxy servers; the IP confusion module modifies the flow table of the SDN switch through the SDN controller to meet the requirements of LIP and SIP communication distributed by the IP distribution module between the host and the proxy server, and is used for increasing the difficulty of an attacker in collecting the IP information of the proxy server.
3. The system according to claim 1, wherein: the virtual topology generation module generates a virtual topology for the input original topology according to a given parameter set { x, y }, and the implementation is as follows:
Each switch in the original topology is regarded as a node, and the node set formed by all switches is denoted {N1, N2, ..., Nn}, where n represents the total number of nodes; x virtual networks are created for each SDN switch in the original topology, the number of nodes on any one virtual network not being fixed, giving the virtual network set (set notation in equation image, not extracted), where the element (equation image, not extracted) denotes the x-th virtual network created for the n-th node Nn; assuming that any two nodes Ni and Nj have a link in the original topology, where i, j ∈ {1, 2, ..., n} and i ≠ j, one-to-one virtual links are created between the x pairs of corresponding virtual networks of Ni and Nj (equation image, not extracted), obtaining x virtual links; for any two nodes Ni and Nj, the virtual topology generation module randomly selects y redundant paths from Ni to Nj in the original topology; the real communication path from Ni to Nj in the original topology is recorded as the original path; the path formed by the virtual links between the virtual networks created for the nodes on the original path is called a virtual path, and the original path, the x virtual paths created from Ni to Nj and the y randomly selected redundant paths together form the virtual topology from Ni to Nj.
4. The system according to claim 1, wherein: the virtual topology deployment module deploys the virtual topology into the network by modifying the TTL value of the traceroute data packet together with the IP address of the response packet, or by rerouting the data packet onto a redundant path; the link monitoring module runs over the whole life cycle of system operation and monitors network communication quality in real time with the iperf tool, the monitored quantities at least comprising link delay, link utilization rate and port rate.
5. A method of implementing a defense in accordance with the system of claim 1, comprising the steps of:
(1) In a network with N proxy servers, K proxy servers are selected as designated proxy servers according to the defender's defence capability;
(2) The IP distribution module allocates a long-term IP and a short-term IP to each designated proxy server, denoting the long-term IP as LIP and the short-term IP as SIP, and allocates only an LIP to the remaining proxy servers; the LIP remains unchanged over the long term, while the system is given a parameter t and a new SIP is allocated to each designated proxy server every t; the LIP of a proxy server serves as its communication IP, and the allocation result is input to the IP confusion module;
(3) The IP confusion module modifies the flow table of the SDN switch through the SDN controller, so that the data packet is forwarded among the SDN switches in the network through matching the modified flow table, and the following is realized:
(3.1) When an IP packet is sent from an external user to a proxy server, it is first sent to the SDN switch connected to the external user; this switch is denoted the ingress switch and the SDN switch connected to the proxy server the egress switch. The ingress switch sends the IP packet to the SDN controller, which judges whether the destination IP address of the packet is the LIP of some proxy server; if so, the SDN controller issues flow tables to the ingress and egress switches according to the flow-table issuing rules it uses when the proxy server IP confusion unit is not deployed; if not, proceed to step (3.2);
(3.2) The SDN controller judges whether the destination address is the current SIP of a designated proxy server; if so, that proxy server is called the hit server and the process proceeds to step (3.3); if not, the SDN controller issues flow tables to the ingress and egress switches according to the flow-table issuing rules it uses when the proxy server IP confusion unit is not deployed;
(3.3) The SDN controller adds a flow entry to the flow table of the ingress switch, whose match field sets the destination IP to the SIP of the hit server, whose action field modifies the destination IP address of the packet to the LIP of the hit server and forwards it, and whose expiry time is set to t; the SDN controller likewise adds a flow entry to the flow table of the egress switch, whose match field sets the source IP to the LIP of the hit server, whose action field modifies the source IP address of the packet to the SIP of the hit server and forwards it, and whose expiry time is set to t;
(4) The virtual topology generation module generates x virtual paths for any two nodes Ni and Nj in the original topology according to the system-given parameters {x, y}, and randomly selects y redundant paths in the network, obtaining the virtual topology;
(5) The virtual topology deployment module deploys the virtual topology into the network, so that an attacker's probe traffic between any two nodes Ni and Nj is forwarded with equal probability over the x virtual paths from Ni to Nj, the y randomly selected redundant paths and the original path, achieving the aim that the attacker cannot distinguish the key links of the network by analyzing Traceroute response traffic;
(6) Over the whole life cycle of system operation, network communication quality is monitored in real time by the link monitoring module, the quality criteria at least comprising link delay, link utilization rate and port rate; if the network communication quality is found to drop below the threshold preset by the system, the rerouting algorithm based on reinforcement learning is executed to achieve link protection.
6. The method according to claim 5, wherein: the number K of the designated proxy servers is determined according to the following mode:
(formula image, not extracted)
where N represents the total number of proxy servers in the network, M represents the number of proxy servers an attacker needs to collect, and p is a parameter the system sets according to its own defence requirements, namely how small the system wants the probability to be that an attacker scanning the network segment with NMAP collects M LIPs at once.
7. The method according to claim 5, wherein: in the allocation of step (2), the allocation of SIP and LIP must meet the following requirements:
(a) The LIP of each proxy server is different, and the LIPs allocated to all proxy servers are denoted {LIP_1, LIP_2, ..., LIP_N}; the SIP of each designated proxy server is not in {LIP_1, LIP_2, ..., LIP_N}; the SIPs of any two designated proxy servers at the same time are different;
(b) Any proxy server is currently in the same network segment as its LIP;
(c) The system is given a T within which the same SIP cannot be allocated more than once.
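The allocation constraints of claim 7 and the controller decisions of claim 5 steps (2) to (3.3) can be exercised together in one small model. This is an added example and not the patent's implementation: `ProxyIpConfusion` keeps the LIP/SIP state of the IP distribution module, re-allocates SIPs under constraints (a) to (c), and, for a destination address, returns the ingress and egress flow entries the IP confusion module would install. The network segment, server count and timers are constructed, and the flow entries are plain dictionaries whose action strings (`set_ipv4_dst:`, `set_ipv4_src:`) are a made-up notation standing in for whatever the controller's southbound API uses.

```python
"""LIP/SIP allocation (claim 5 step 2, claim 7) and the hit-server flow
entries of claim 5 step (3).  Added example; segment, counts and timers are
constructed, and the flow-entry format is an assumed plain-dict notation."""
import ipaddress
import random


class ProxyIpConfusion:
    def __init__(self, segment, n, k, t, T, seed=0):
        self.net = ipaddress.ip_network(segment)
        self.t, self.T = t, T                  # SIP lifetime t, no-reuse window T
        self.rng = random.Random(seed)
        hosts = list(self.net.hosts())
        self.rng.shuffle(hosts)
        # claim 7 (a): every proxy server gets its own distinct LIP
        self.lip = {f"proxy{i}": hosts[i] for i in range(n)}
        self.lip_set = set(self.lip.values())
        self.designated = [f"proxy{i}" for i in range(k)]   # the K designated servers
        self.pool = hosts[n:]                  # same segment as the LIPs: claim 7 (b)
        self.sip = {}                          # designated proxy -> current SIP
        self.last_used = {}                    # SIP -> time it was last allocated

    def rotate(self, now):
        """Re-allocate an SIP to every designated proxy server (done every t)."""
        new = {}
        for name in self.designated:
            candidates = [
                h for h in self.pool
                if h not in self.lip_set                                 # (a) no SIP equals an LIP
                and h not in new.values()                                # (a) distinct SIPs at one time
                and now - self.last_used.get(h, float("-inf")) >= self.T  # (c) no reuse within T
            ]
            h = self.rng.choice(candidates)
            new[name] = h
            self.last_used[h] = now
        self.sip = new
        return new

    def rules_for_packet(self, dst_ip):
        """Controller decision of (3.1)-(3.3) for a packet addressed to dst_ip."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.lip_set:                # (3.1): LIP traffic uses the normal rules
            return {"mode": "default"}
        hit = [name for name, s in self.sip.items() if s == dst]
        if not hit:                            # (3.2): neither LIP nor a live SIP
            return {"mode": "default"}
        lip = self.lip[hit[0]]
        return {                               # (3.3): rewrite on ingress and egress
            "mode": "confuse",
            "hit_server": hit[0],
            "ingress": {"match": {"ipv4_dst": str(dst)},
                        "actions": [f"set_ipv4_dst:{lip}", "output:to_proxy"],
                        "hard_timeout": self.t},
            "egress": {"match": {"ipv4_src": str(lip)},
                       "actions": [f"set_ipv4_src:{dst}", "output:to_external"],
                       "hard_timeout": self.t},
        }


if __name__ == "__main__":
    pic = ProxyIpConfusion("198.51.100.0/24", n=6, k=2, t=60, T=300)
    sips = pic.rotate(now=0)
    print("SIPs:", {k: str(v) for k, v in sips.items()})
    print(pic.rules_for_packet(str(sips["proxy0"])))
```

Both flow entries carry `hard_timeout` equal to t so that they lapse together with the SIP they translate; a packet addressed to an SIP from a previous interval falls through to (3.2) and is handled by the default rules, which is the behaviour a defender wants when checking that stale addresses collected by an attacker stop working after one rotation.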
8. The method according to claim 5, wherein: the reinforcement-learning-based rerouting algorithm of step (6) searches for the optimal next route for a data packet at Ni, implemented in the following steps:
(6.1) The link relationship of the SDN switches in the original topology is represented by a matrix L (matrix image not extracted), whose elements $l_{ij}$ and $l_{ji}$ both represent the link relationship between Ni and Nj in the original topology: if there is a link between them, $l_{ij} = l_{ji} = 1$ in L, otherwise 0;
(6.2) a state space and an action space of the agent are designed from all the nodes {N1, N2, ..., Nn}: the state of the agent when the data packet is at the i-th node Ni is denoted Ni', and the action of the agent when the data packet selects Nj as the next route is denoted Nj';
(6.3) when the agent selects action Nj' in state Ni', its reward is obtained as follows:
Case one: $l_{ij} = 0$ in L; reward $r = r_0$, where $r_0$ is a penalty;
Case two: $l_{ij} = 1$ in L and Nj is not the node connected to the proxy server; reward $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij}$;
Case three: $l_{ij} = 1$ in L and Nj is the node connected to the proxy server; reward $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij} + r_3$, where $r_3$ is the reward for reaching the destination address;
where $BW_{ij}$ is the residual bandwidth of the link between nodes Ni and Nj, $LTR_{ij}$ the link throughput rate, $DL_{ij}$ the link delay, $JI_{ij}$ the link jitter and $Loss_{ij}$ the link packet loss rate between nodes Ni and Nj; the $\lambda_i$ are the weights of the reward function, with $\lambda_1, \lambda_2 \in [0, 1]$ and $\lambda_3, \lambda_4, \lambda_5 \in [-1, 0]$; the values of $\lambda_1$ to $\lambda_5$ are determined experimentally, i.e. the weights $\lambda_1, \ldots, \lambda_5$ are chosen so that the agent obtains the highest reward;
(6.4) the Q table is trained by Q-learning with the designed state space, action space and reward function, and after training the data packet is forwarded according to the Q table.
Priority Applications (1)

Application Number  Priority Date  Filing Date  Title
CN202310363837.1A  CN116389120A (en)  2023-04-06  2023-04-06  Novel DDOS attack defense system and method based on IP and topology confusion

Publications (1)

Publication Number Publication Date
CN116389120A true CN116389120A (en) 2023-07-04

Family

ID=86965267

Country Status (1)

Country Link
CN (1) CN116389120A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117714212A (en) * 2024-02-05 2024-03-15 中国科学技术大学 Network topology confusion method and system for defending link flooding attack
CN117714212B (en) * 2024-02-05 2024-05-17 中国科学技术大学 Network topology confusion method and system for defending link flooding attack

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination