CN116389120A - Novel DDOS attack defense system and method based on IP and topology confusion - Google Patents
- Publication number: CN116389120A (application number CN202310363837.1A)
- Authority: CN (China)
- Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Classifications
- H04L63/1458: Denial of Service (H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication > H04L63/00: Network architectures or network communication protocols for network security > H04L63/14: for detecting or protecting against malicious traffic > H04L63/1441: Countermeasures against malicious traffic)
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate (Y: General tagging of new technological developments > Y02: Technologies or applications for mitigation or adaptation against climate change > Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. ICT aiming at the reduction of their own energy use > Y02D30/00: Reducing energy consumption in communication networks)
Abstract
The invention discloses a novel DDoS attack defense system and method based on IP and topology obfuscation, addressing the insufficient defensive strength of existing methods against the novel DDoS attack. The scheme comprises a proxy server IP obfuscation unit, a topology obfuscation unit and a communication quality maintenance unit. First, the proxy server IP obfuscation unit prolongs the time an attacker needs to collect the communication IPs of the proxy servers. Second, the topology obfuscation unit adds redundant paths to the path information returned in response to the attacker's trace traffic, so that the attacker cannot tell a virtual path from the real communication path; the generated virtual paths also differ in length from the real communication path, so the attacker cannot pick out the real path by analysing length information. Finally, network communication quality is restored by invoking a reinforcement-learning-based rerouting algorithm at the onset of network congestion. The invention can effectively protect the network from the novel DDoS attack while maintaining communication quality.
Description
Technical Field
The invention belongs to the technical field of information security and relates to active defense against a novel distributed denial of service (DDoS) attack, in particular to a novel DDoS attack defense system and method based on IP and topology obfuscation (rendered "confusion" in the title), which can be used to protect a network from the novel DDoS attack.
Background
The novel DDoS attack cuts off the critical links between normal users and the target server by having a large botnet send many low-rate flows to the proxy servers around the target server. It generally proceeds in four steps. First, the attacker collects the IP addresses of the proxy servers around the target server with a scanning tool such as Nmap. Second, the attacker directs the controlled bots to send traceroute packets to the target server and the proxy servers, infers the network topology from the responses, and builds a link map from the bots to the servers. Third, the attacker analyses the link map to identify the critical links. Fourth, the attacker directs the bots to send attack traffic to the proxy servers so that those links are saturated. Compared with a traditional DDoS attack, the novel attack is more destructive and harder to detect and prevent, since every flow is low-rate and addressed to a legitimate host rather than to the target itself. Studies have shown that the Internet is a scale-free network with highly non-uniform link connectivity: a small number of critical links dominate its operation, and once these links are broken the connectivity of the whole network can no longer be guaranteed. How to design a defense against the novel DDoS attack is therefore critical to network operation.
Jinwoo Kim et al. (NDSS 2022) disclose an active defense against the novel DDoS attack based on topology obfuscation. That scheme answers an attacker's traceroute packets with the real communication path and a virtual path of the same length, which has the following weaknesses. First, since only the real path and one virtual path exist, if any switch leaks its real IP the attacker can easily tell which path is real, reconstruct the whole network topology and finally locate the critical link. Second, since the nodes on the virtual path correspond one-to-one with the nodes on the real communication path, the attacker can separate the route information in the traceroute responses by path length, exposing the network topology. Third, the scheme has no handling for the period after congestion sets in, so it cannot resist a blind novel DDoS attack, in which the attacker, without having pinned down the exact critical link, directly attacks the proxy servers around the target server with whatever network information it has already obtained.
Inventive scheme
The invention aims to overcome the above shortcomings and provides a novel DDoS attack defense system based on IP and topology obfuscation. The system comprises a proxy server IP obfuscation unit, a topology obfuscation unit and a communication quality maintenance unit. First, the proxy server IP obfuscation unit prolongs the time the attacker needs to collect the communication IPs of the proxy servers, lowering the attacker's willingness to proceed. Second, when a large number of traceroute packets appear in the network, which indicates that the attacker has collected enough proxy server IPs, the system activates the topology obfuscation unit, which prevents the attacker from distinguishing the critical links of the network by analysing the traceroute responses; here the nodes on a virtual path do not correspond one-to-one with the nodes on the real communication path, because a whole virtual network is created on each node of the real path, so the attacker cannot separate the traceroute responses by path length. Finally, the invention protects the network from blind novel DDoS attacks by invoking a reinforcement-learning-based rerouting algorithm at the onset of network congestion.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
A novel DDoS attack defense system based on IP and topology obfuscation, comprising a proxy server IP obfuscation unit, a topology obfuscation unit and a communication quality maintenance unit;
The proxy server IP obfuscation unit comprises an IP allocation module and an IP obfuscation module. The IP allocation module allocates a long-term IP and a short-term IP to the proxy servers in the network, denoting the long-term IP as LIP and the short-term IP as SIP, and passes the allocation to the IP obfuscation module; the IP obfuscation module implements, between hosts and proxy servers, communication over the LIPs and SIPs allocated by the IP allocation module;
The topology obfuscation unit consists of an original topology acquisition module, a virtual topology generation module and a virtual topology deployment module, and serves to prevent the attacker from distinguishing the critical links of the network by analysing traceroute responses. The original topology acquisition module obtains the network topology through the SDN controller's topology discovery, records it as the original topology and passes it to the virtual topology generation module; the virtual topology generation module generates a virtual topology from the original topology according to a given parameter set {x, y} and passes it to the virtual topology deployment module, which deploys the network according to that virtual topology;
The communication quality maintenance unit consists of a link monitoring module combined with a reinforcement-learning-based rerouting algorithm. The link monitoring module monitors network communication quality in real time and, when the quality falls below a preset threshold, invokes the rerouting algorithm to select a new communication path for the affected packets and restore communication.
Further, the IP allocation module allocates long-term and short-term IPs as follows: in a network with N proxy servers, a designated number K of them receive both a LIP and a SIP, and the remaining N-K receive only a LIP. The IP obfuscation module modifies the flow tables of the SDN switches through the SDN controller so that hosts and proxy servers communicate over the LIPs and SIPs allocated by the IP allocation module, which increases the difficulty of collecting the proxy servers' IP information.
Further, the virtual topology generation module generates a virtual topology from the input original topology according to the given parameter set {x, y} as follows:
Each switch in the original topology is treated as a node, and the set of all switches is written {N1, N2, ..., Nn}, where n is the total number of nodes. For every SDN switch in the original topology, x virtual networks are created, the number of nodes in any one virtual network not being fixed, giving a set of virtual networks in which each element is the x-th virtual network created for the n-th node Nn. For any two nodes Ni and Nj, i, j ∈ {1, 2, ..., n}, i ≠ j, that are linked in the original topology, one-to-one virtual links are created between their x corresponding virtual networks, giving x virtual links. For any two nodes Ni and Nj, the virtual topology generation module randomly selects y redundant paths from Ni to Nj in the original topology. The real communication path from Ni to Nj in the original topology is recorded as the original path; a path formed by the virtual links between the virtual networks created for the nodes on the original path is called a virtual path; and the original path, the x virtual paths from Ni to Nj and the y randomly selected redundant paths together form the virtual topology from Ni to Nj.
Further, the virtual topology deployment module deploys the virtual topology into the network either by modifying the TTL value of traceroute packets together with the source IP address of the response packets, or by rerouting the packets onto a redundant path. The link monitoring module runs for the whole life cycle of the system and monitors network communication quality in real time with the iperf tool; the monitored quantities include at least link delay, link utilisation and port rate.
A novel DDoS attack defense method based on IP and topology obfuscation comprises the following steps:
(1) In a network with N proxy servers, select K proxy servers as designated proxy servers according to the defender's defensive capacity;
(2) Use the IP allocation module to allocate a long-term IP and a short-term IP to each designated proxy server, denoted LIP and SIP respectively, and only a LIP to the remaining proxy servers. The LIP stays unchanged for a long time; the system is given a parameter t, and a new SIP is allocated to each designated proxy server every t. A proxy server's LIP serves as its communication IP. The allocation result is passed to the IP obfuscation module;
(3) The IP obfuscation module modifies the flow tables of the SDN switches through the SDN controller so that packets are forwarded between the SDN switches of the network by matching the modified flow tables, implementing the following:
(3.1) When an IP packet is sent from an external user to a proxy server, it first reaches the SDN switch connected to the external user, called the ingress switch; the SDN switch connected to the proxy server is called the egress switch. The ingress switch sends the packet to the SDN controller, which checks whether the destination IP of the packet is the LIP of some proxy server. If it is, the controller issues flow entries to the ingress and egress switches according to the rules it would use without the proxy server IP obfuscation unit; if not, go to step (3.2);
(3.2) The SDN controller checks whether the destination address is the current SIP of some proxy server. If it is, that proxy server is called the hit server and the procedure goes to step (3.3); if not, the controller issues flow entries to the ingress and egress switches according to the rules it would use without the proxy server IP obfuscation unit;
(3.3) The SDN controller adds a flow entry to the ingress switch whose match field sets the destination IP to the SIP of the hit server and whose action field rewrites the packet's destination IP to the hit server's LIP and forwards it, with the entry's expiry time set to t; and adds a flow entry to the egress switch whose match field sets the source IP to the hit server's LIP and whose action field rewrites the packet's source IP to the hit server's SIP and forwards it, again with expiry time t;
(4) The virtual topology generation module generates x virtual paths for any two nodes Ni and Nj of the original topology according to the system parameters {x, y} and randomly selects y redundant paths in the network, obtaining the virtual topology;
(5) The virtual topology deployment module deploys the virtual topology into the network, so that an attacker's probe traffic between any two nodes Ni and Nj is forwarded with equal probability along one of the x virtual paths from Ni to Nj, one of the y randomly selected redundant paths, or the original path; the attacker therefore cannot distinguish the critical links of the network by analysing the traceroute responses;
(6) Throughout the life cycle of the system, monitor network communication quality in real time with the link monitoring module; the quality criteria include at least link delay, link utilisation and port rate. If the communication quality is found to have dropped below the system's preset threshold, execute the reinforcement-learning-based rerouting algorithm to protect the links.
Compared with the prior art, the invention has the following advantages:
First, the proxy server IP obfuscation unit prolongs the time the attacker needs to collect proxy server IPs and lowers the attacker's willingness to proceed, for the following reason: if many of the M IP addresses the attacker collects by scanning the network segment with Nmap are SIPs, then by the time the attacker has gathered enough proxy server IPs to launch the attack, those SIPs will soon expire and the attack cannot proceed as planned; the attacker is forced to keep collecting IP information, which effectively prolongs the attack's preparation time.
Second, the topology obfuscation unit adds redundant paths to the path information returned to the attacker's trace traffic in the virtual topology generation module, so that even if some switch leaks its real IP the attacker cannot separate the virtual path from the real communication path. In addition, a virtual path is formed from virtual networks whose node counts are not fixed, so the generated virtual paths differ in length from the real communication path and the attacker cannot tell the real path, the redundant paths and the virtual paths apart by length.
Third, the link monitoring module of the communication quality maintenance unit monitors network communication quality in real time throughout the system's life cycle, and at the onset of congestion invokes the reinforcement-learning-based rerouting algorithm to restore communication quality promptly, protecting the network from blind novel DDoS attacks.
Drawings
FIG. 1 is an overall block diagram of the system of the present invention;
FIG. 2 is a flow chart of an implementation of the method of the present invention;
FIG. 3 is a schematic diagram of virtual topology generation in accordance with the present invention;
FIG. 4 is a schematic diagram of a deployment scenario of the virtual topology deployment module in the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the application clearer, the invention is further described below with reference to specific embodiments.
Embodiment one: referring to FIG. 1, the novel DDoS attack defense system based on IP and topology obfuscation provided by the invention comprises a proxy server IP obfuscation unit, a topology obfuscation unit and a communication quality maintenance unit;
The proxy server IP obfuscation unit comprises an IP allocation module and an IP obfuscation module. The IP allocation module allocates a long-term IP and a short-term IP to the proxy servers in the network, denoting the long-term IP as LIP and the short-term IP as SIP, and passes the allocation to the IP obfuscation module; the IP obfuscation module implements, between hosts and proxy servers, communication over the LIPs and SIPs allocated by the IP allocation module. Specifically, in a network with N proxy servers, a designated number K of them receive both a LIP and a SIP, and the remaining N-K receive only a LIP. The IP obfuscation module modifies the flow tables of the SDN switches through the SDN controller so that hosts and proxy servers communicate over the allocated LIPs and SIPs, which increases the difficulty of collecting the proxy servers' IP information.
The topology obfuscation unit consists of an original topology acquisition module, a virtual topology generation module and a virtual topology deployment module, and serves to prevent the attacker from distinguishing the critical links of the network by analysing traceroute responses. The original topology acquisition module obtains the network topology through the SDN controller's topology discovery, records it as the original topology and passes it to the virtual topology generation module; the virtual topology generation module generates a virtual topology from the original topology according to a given parameter set {x, y} and passes it to the virtual topology deployment module, which deploys the network according to that virtual topology;
The virtual topology generation module generates a virtual topology from the input original topology according to the given parameter set {x, y} as follows. Each switch in the original topology is treated as a node, and the set of all switches is written {N1, N2, ..., Nn}, where n is the total number of nodes. For every SDN switch in the original topology, x virtual networks are created, the number of nodes in any one virtual network not being fixed, giving a set of virtual networks in which each element is the x-th virtual network created for the n-th node Nn. For any two nodes Ni and Nj, i, j ∈ {1, 2, ..., n}, i ≠ j, that are linked in the original topology, one-to-one virtual links are created between their x corresponding virtual networks, giving x virtual links. For any two nodes Ni and Nj, the virtual topology generation module randomly selects y redundant paths from Ni to Nj in the original topology. The real communication path from Ni to Nj in the original topology is recorded as the original path; a path formed by the virtual links between the virtual networks created for the nodes on the original path is called a virtual path; and the original path, the x virtual paths from Ni to Nj and the y randomly selected redundant paths together form the virtual topology from Ni to Nj.
The virtual topology deployment module deploys the virtual topology into the network either by modifying the TTL value of traceroute packets together with the source IP address of the response packets, or by rerouting the packets onto a redundant path. The link monitoring module runs for the whole life cycle of the system and monitors network communication quality in real time with the iperf tool; the monitored quantities include at least link delay, link utilisation and port rate.
The communication quality maintenance unit consists of a link monitoring module combined with a reinforcement-learning-based rerouting algorithm. The link monitoring module monitors network communication quality in real time and, when the quality falls below a preset threshold, invokes the rerouting algorithm to select a new communication path for the affected packets and restore communication.
Embodiment two: referring to FIG. 2, the novel DDoS attack defense method based on long- and short-term IPs and topology obfuscation provided by the invention comprises the following steps:
Step 1, in a network with N proxy servers, select K proxy servers as designated proxy servers according to the defender's requirements, where K is determined from the following quantities:
N is the total number of proxy servers in the network, M is the number of proxy server IPs the attacker needs to collect, and p is a parameter the system sets according to its own defense requirements, namely how small the probability should be that the attacker collects M LIPs in a single Nmap scan of the network segment.
Step 2, use the IP allocation module to allocate a long-term IP and a short-term IP to each designated proxy server, denoted LIP and SIP respectively, and only a LIP to the other proxy servers. The LIP stays unchanged for a long time; the system is given a parameter t, and a new SIP is allocated to each designated proxy server every t. A proxy server's LIP serves as its communication IP. The allocation result is passed to the IP obfuscation module;
The IP allocation module allocates the SIPs and LIPs to the proxy servers subject to the following requirements:
(a) The LIP of each proxy server is different; writing the LIPs allocated to all proxy servers as $\{LIP_1, LIP_2, \dots, LIP_N\}$, the SIP of each designated proxy server must not belong to $\{LIP_1, LIP_2, \dots, LIP_N\}$, and the SIPs of any two designated proxy servers in force at the same time must be different;
(b) The SIP currently allocated to any proxy server lies in the same network segment as its LIP;
(c) The system is given a period T within which the same SIP may not be allocated more than once. This prevents a SIP found by an Nmap scan from remaining usable across T: if, for example, the SIP belonged to proxy server 1 during the first T and were then allocated to proxy server 2 during the second, the attacker would receive IP responses from it in both periods.
Step 3, the IP obfuscation module modifies the flow tables of the SDN switches through the SDN controller so that packets are forwarded between the SDN switches of the network by matching the modified flow tables, implementing the following:
(3.1) When an IP packet is sent from an external user to a proxy server, it first reaches the SDN switch connected to the external user, called the ingress switch; the SDN switch connected to the proxy server is called the egress switch. The ingress switch sends the packet to the SDN controller, which checks whether the destination IP of the packet is the LIP of some proxy server. If it is, the controller issues flow entries to the ingress and egress switches according to the rules it would use without the proxy server IP obfuscation unit; if not, go to step (3.2);
(3.2) The SDN controller checks whether the destination address is the current SIP of some proxy server. If it is, that proxy server is called the hit server and the procedure goes to step (3.3); if not, the controller issues flow entries to the ingress and egress switches according to the rules it would use without the proxy server IP obfuscation unit;
(3.3) The SDN controller adds a flow entry to the ingress switch whose match field sets the destination IP to the SIP of the hit server and whose action field rewrites the packet's destination IP to the hit server's LIP and forwards it, with the entry's expiry time set to t; and adds a flow entry to the egress switch whose match field sets the source IP to the hit server's LIP and whose action field rewrites the packet's source IP to the hit server's SIP and forwards it, again with expiry time t.
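Steps 1 to 3 as a simulation, added here as an example (this is not the patent's code and it models the controller logic rather than any particular SDN controller API). The subnet 203.0.113.0/24 (a documentation range), the proxy names, N = 8, K = 4, t = 10 and T = 50 are constructed values. One detail is this example's own choice, noted in the code: the rewrite entries expire at the next SIP rotation instead of after a fixed t, because an entry installed partway through a rotation interval with a hard timeout of t would keep an old SIP reachable after it has been reassigned.

```python
import ipaddress
import random


class IPAllocator:
    """Steps 1-2: every proxy gets a distinct LIP; the K designated proxies
    also get a SIP that is reassigned every t, subject to constraints (a)-(c)."""

    def __init__(self, subnet, n, k, t, big_t, seed=0):
        hosts = [str(h) for h in ipaddress.ip_network(subnet).hosts()]
        self.rng = random.Random(seed)
        self.t, self.T = t, big_t
        self.lip = {f"proxy{i}": hosts[i] for i in range(n)}   # (a) distinct LIPs; names constructed
        self.pool = hosts[n:]              # (b) SIPs come from the LIPs' own segment
        self.designated = list(self.lip)[:k]
        self.sip = {}                      # proxy -> SIP currently in force
        self.last_used = {}                # SIP -> time it was last allocated, for (c)
        self.next_rotation = 0

    def reassign_sips(self, now):
        """Hand every designated proxy a fresh SIP; called at each multiple of t."""
        taken = set(self.lip.values())     # (a) a SIP is never one of the LIPs
        new = {}
        for proxy in self.designated:
            free = [ip for ip in self.pool if ip not in taken
                    and now - self.last_used.get(ip, float("-inf")) >= self.T]  # (c)
            if not free:
                raise RuntimeError("SIP pool exhausted for the chosen T")
            ip = self.rng.choice(free)
            taken.add(ip)                  # (a) two live SIPs are never equal
            self.last_used[ip] = now
            new[proxy] = ip
        self.sip = new
        self.next_rotation = now + self.t
        return dict(new)


class Controller:
    """Step 3: packet-in handling on the SDN controller and the resulting
    ingress/egress rewrite entries, stored as (match, rewrite_to, expires_at)."""

    def __init__(self, alloc):
        self.alloc = alloc
        self.ingress = []                  # match dst=SIP -> set dst=LIP
        self.egress = []                   # match src=LIP -> set src=SIP

    def packet_in(self, dst, now):
        proxy_by_lip = {v: k for k, v in self.alloc.lip.items()}
        if dst in proxy_by_lip:            # (3.1) destination is a LIP: ordinary rules
            return proxy_by_lip[dst]
        hit = {v: k for k, v in self.alloc.sip.items()}.get(dst)
        if hit is None:                    # (3.2) neither LIP nor live SIP: ordinary rules, no host answers
            return None
        lip = self.alloc.lip[hit]          # (3.3) install the rewrite pair
        # Example's choice: clip the expiry to the rotation boundary instead of a flat t.
        expires = min(now + self.alloc.t, self.alloc.next_rotation)
        self.ingress.append((dst, lip, expires))
        self.egress.append((lip, dst, expires))
        return hit

    def deliver(self, dst, now):
        """Ingress switch: use an unexpired rewrite entry if one matches, otherwise
        punt to the controller. Returns the proxy the packet reaches, or None."""
        for match_dst, lip, expires in self.ingress:
            if match_dst == dst and now < expires:
                return next(p for p, l in self.alloc.lip.items() if l == lip)
        return self.packet_in(dst, now)

    def reply_source(self, proxy, now):
        """Egress switch: the source address an external host sees on a reply."""
        lip = self.alloc.lip[proxy]
        for match_src, sip, expires in self.egress:
            if match_src == lip and now < expires:
                return sip
        return lip


def scan_then_attack(subnet="203.0.113.0/24", n=8, k=4, t=10, big_t=50, delay=12):
    """The attacker sweeps the segment at time 0 and attacks the answering
    addresses at time `delay`; returns what answered and what is still reachable."""
    alloc = IPAllocator(subnet, n, k, t, big_t)
    ctrl = Controller(alloc)
    alloc.reassign_sips(0)
    hosts = [str(h) for h in ipaddress.ip_network(subnet).hosts()]
    answered = {ip for ip in hosts if ctrl.deliver(ip, 0) is not None}
    for boundary in range(t, delay + 1, t):     # rotations that happen before the attack
        alloc.reassign_sips(boundary)
    alive = {ip for ip in answered if ctrl.deliver(ip, delay) is not None}
    return {"answered": answered, "alive": alive, "lips": set(alloc.lip.values())}
```

With the defaults, the sweep at time 0 sees 12 responding addresses (8 LIPs and 4 SIPs); by time 12 the SIPs have rotated once and only the 8 LIPs still reach a proxy, which is the expiry effect the advantages section relies on. Constraint (c) is what makes the old SIPs dead rather than silently remapped: with T shorter than t a rotated-out address could be handed to another proxy and an attacker who scanned earlier would keep getting answers from it.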
Step 4, the virtual topology generation module generates x virtual paths for any two nodes Ni and Nj of the original topology according to the system parameters {x, y} and randomly selects y redundant paths in the network, obtaining the virtual topology;
Step 5, the virtual topology deployment module deploys the virtual topology into the network, so that an attacker's probe traffic between any two nodes Ni and Nj is forwarded with equal probability along one of the x virtual paths from Ni to Nj, one of the y randomly selected redundant paths, or the original path; the attacker therefore cannot distinguish the critical links of the network by analysing the traceroute responses.
Step 6, throughout the life cycle of the system, monitor network communication quality in real time with the link monitoring module; the quality criteria include at least link delay, link utilisation and port rate. If the communication quality is found to have dropped below the system's preset threshold, execute the reinforcement-learning-based rerouting algorithm to protect the links.
Embodiment three: referring to FIG. 3, the DDoS attack defense method of this embodiment follows the same overall steps as embodiment two; the virtual topology generation module is described further:
As shown in FIG. 3, N1-N2-N3-N4-N5 is the real communication path from N1 to N5, i.e. the original path, and N1-N6-N7-N8-N5 is a redundant path from N1 to N5 in the original topology. In this embodiment the input parameters are taken as x = 2 and y = 1. Two virtual networks are then created at N1, two at N2, and likewise at N3, N4 and N5. The virtual path from N1 to N5 therefore comes in two: the first is formed by the first virtual network of each of N1, N2, N3, N4 and N5 joined by their virtual links, and the second by the second virtual network of each of those nodes. N1-N6-N7-N8-N5 is the redundant path selected for N1 to N5. The resulting virtual topology is shown in FIG. 3.
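The generation procedure of this embodiment, run on the FIG. 3 topology, as an added example in Python (not the patent's code). The adjacency list reproduces the two paths the figure describes; the virtual node naming scheme `<switch>.v<k>.<index>` and the bounds on virtual network size (2 to 4 nodes per network) are this example's assumptions, since the page says only that the size is not fixed.

```python
import random

# Constructed adjacency list for the FIG. 3 topology: the ring N1-N2-N3-N4-N5-N8-N7-N6-N1.
ORIGINAL_TOPOLOGY = {
    "N1": ["N2", "N6"], "N2": ["N1", "N3"], "N3": ["N2", "N4"], "N4": ["N3", "N5"],
    "N5": ["N4", "N8"], "N6": ["N1", "N7"], "N7": ["N6", "N8"], "N8": ["N7", "N5"],
}


def simple_paths(topo, src, dst):
    """All loop-free paths from src to dst; the candidates for the y redundant paths."""
    found = []

    def walk(node, path):
        if node == dst:
            found.append(list(path))
            return
        for nxt in topo[node]:
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(src, [src])
    return found


def create_virtual_networks(topo, x, rng, min_size=2, max_size=4):
    """x virtual networks per switch, each with a random (not fixed) node count.
    Virtual node names are constructed as <switch>.v<k>.<index>."""
    return {
        node: [[f"{node}.v{k}.{i}" for i in range(1, rng.randint(min_size, max_size) + 1)]
               for k in range(1, x + 1)]
        for node in topo
    }


def virtual_paths(original_path, vnets, x):
    """The k-th virtual path walks the k-th virtual network of every node on the
    original path; consecutive networks are joined by their one-to-one virtual link."""
    return [[v for node in original_path for v in vnets[node][k]] for k in range(x)]


def generate_virtual_topology(topo, original_path, x, y, seed=0):
    """Virtual topology from Ni to Nj: the original path, x virtual paths and
    y redundant paths drawn at random from the other simple paths."""
    rng = random.Random(seed)
    src, dst = original_path[0], original_path[-1]
    vnets = create_virtual_networks(topo, x, rng)
    candidates = [p for p in simple_paths(topo, src, dst) if p != list(original_path)]
    return {
        "original": list(original_path),
        "virtual": virtual_paths(original_path, vnets, x),
        "redundant": rng.sample(candidates, min(y, len(candidates))),
    }


def length_signature_hidden(vt):
    """The check implied by the page's critique of the prior art: no virtual path
    may have the same hop count as the original path, or length alone gives it away."""
    return all(len(p) != len(vt["original"]) for p in vt["virtual"])
```

The lower bound of two nodes per virtual network is what makes `length_signature_hidden` hold for every seed: with a minimum of one node a draw in which every virtual network has a single node would reproduce exactly the one-to-one, equal-length virtual path that the background section identifies as the weakness of the earlier scheme, so the size bounds are part of the security argument, not just a tuning knob. The redundant path is a real path and is allowed to match the original in length.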
Embodiment 4: referring to fig. 4, the overall steps of the DDOS attack defence method in this embodiment are the same as in embodiment 2; the virtual topology deployment module is described further:
By modifying the TTL value of Traceroute packets and the source IP address of the response packets, or by rerouting the packets onto a redundant path, the virtual topology deployment module makes the attacker's probe traffic appear to be forwarded along the virtual path, the redundant path or the original (critical) path with equal probability, so that the attacker cannot identify the critical path by analysing the Traceroute responses:
(5.1) In order to prevent an attacker from distinguishing nodes on the real communication path from nodes on a virtual network by inspecting IP addresses, the IP addresses allocated to virtual-network nodes should be public addresses, should lie in the same subnet as the corresponding node on the real communication path, and must not collide with addresses that are already allocated.
(5.2) The SDN controller modifies the TTL value of Traceroute packets and instructs the switch either to answer the probe with its real IP address or with a fake one, or to reroute the packet onto a redundant path. One third of the Traceroute packets are modified so that the attacker is returned the virtual path view, one third so that the attacker is returned the redundant path view, and the remaining third are forwarded normally. In fig. 4, S is the attacker, D is the proxy server and A is a node on the original path; in this example a virtual path and a redundant path are generated for node A: B-C is the virtual network created for A, and S-E-D is the randomly selected redundant path. If the virtual path view is to be returned to the attacker: when switch A receives a Traceroute packet with TTL = 1, the SDN controller installs a flow-table rule that sets the source IP address of the ICMP time-exceeded message to B; when a packet with TTL = 2 arrives, the TTL is decremented by 2 instead of 1 so that the packet expires at switch A, and the controller installs a rule that sets the source IP address of the ICMP time-exceeded message to C, so that the attacker believes a switch C exists; when a packet with TTL = 3 arrives, the TTL is again decremented by 2 to account for the phantom hop C, so that the packet reaches the proxy server D. The attacker thus sees the virtual path S-B-C-D. If the redundant path view is to be returned, the SDN controller issues a flow-table rule that reroutes the packet to E, and the attacker obtains the topology view S-E-D.
Embodiment 5: the overall steps of the DDOS attack defence method in this embodiment are the same as in embodiment 2; the reinforcement-learning-based rerouting algorithm is described further and is implemented by the following steps:
(6.1) The link relationships between the SDN switches in the original topology are represented by a matrix $L = (l_{ij})_{n \times n}$, where $l_{ij}$ and $l_{ji}$ both denote the link relationship between Ni and Nj in the original topology: if a link exists between them, $l_{ij} = l_{ji} = 1$, otherwise 0;
(6.2) The state space and action space of the agent are designed from the node set {N1, N2, ..., Nn}: the state of the agent when the packet is at the i-th node Ni is denoted Ni', and the action of the agent that selects Nj as the packet's next hop is denoted Nj';
(6.3) When the agent selects action Nj' in state Ni', its reward is obtained as follows:
Case one: $l_{ij} = 0$ in L; the reward is $r = r_0$, where $r_0$ is a penalty;
Case two: $l_{ij} = 1$ in L and Nj is not the node connected to the proxy server; the reward is $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij}$;
Case three: $l_{ij} = 1$ in L and Nj is the node connected to the proxy server; the reward is $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij} + r_3$, where $r_3$ is the reward for reaching the destination address;
Here $BW_{ij}$ is the residual bandwidth of the link between Ni and Nj, $LTR_{ij}$ its throughput, $DL_{ij}$ its delay, $JI_{ij}$ its jitter and $Loss_{ij}$ its packet loss rate; $\lambda_1, \dots, \lambda_5$ are the weights of the reward function, with $\lambda_1, \lambda_2 \in [0, 1]$ and $\lambda_3, \lambda_4, \lambda_5 \in [-1, 0]$. The values of $\lambda_1$ to $\lambda_5$ are determined experimentally, i.e. the weights are chosen such that the agent obtains the highest reward;
(6.4) The Q table is trained by Q-learning according to the designed state space, action space and reward function, and after training the packets are forwarded according to the Q table: for example, when the packet is at the i-th node Ni the agent is in state Ni', it selects the action Nj' with the largest Q value, and Nj is taken as the packet's next hop.
Matters not described in detail in the invention are within the knowledge of a person skilled in the art.
The foregoing description of the preferred embodiment of the invention is not intended to be limiting; it will be apparent to those skilled in the art that various modifications and changes in form and detail may be made without departing from the principles and construction of the invention, and such modifications and changes based on the idea of the invention remain within the scope of the appended claims.
Claims (8)
1. A novel DDOS attack defense system based on IP and topology confusion, comprising: a proxy server IP confusion unit, a topology confusion unit and a communication quality maintenance unit;
the proxy server IP confusion unit comprises an IP distribution module and an IP confusion module; the IP distribution module allocates long-term IPs and short-term IPs to the proxy servers in the network, the long-term IP being denoted LIP and the short-term IP SIP, and passes the allocation to the IP confusion module as input; the IP confusion module makes the traffic between hosts and the proxy servers use the LIPs and SIPs allocated by the IP distribution module;
the topology confusion unit consists of an original topology acquisition module, a virtual topology generation module and a virtual topology deployment module, and serves to prevent an attacker from identifying the key links of the network by analysing Traceroute responses; the original topology acquisition module discovers the network topology using the SDN controller's topology discovery mechanism, records it as the original topology and passes it to the virtual topology generation module as input; the virtual topology generation module generates a virtual topology from the input original topology according to a given parameter set {x, y} and passes it to the virtual topology deployment module as input; the virtual topology deployment module deploys the network according to the input virtual topology;
the communication quality maintenance unit consists of a link monitoring module combined with a reinforcement-learning-based rerouting algorithm; the link monitoring module monitors network communication quality in real time and, when the communication quality falls below a preset threshold, invokes the reinforcement-learning-based rerouting algorithm to reselect a communication path for the packets and restore network communication.
2. The system according to claim 1, wherein the IP distribution module allocates long-term and short-term IPs to the proxy servers in the network as follows: in a network with N proxy servers, a designated number K of proxy servers are each allocated an LIP and an SIP, and the remaining N-K proxy servers are allocated only an LIP; the IP confusion module modifies the flow tables of the SDN switches through the SDN controller so that the traffic between hosts and the proxy servers uses the LIPs and SIPs allocated by the IP distribution module, thereby increasing the difficulty for an attacker of collecting the IP addresses of the proxy servers.
3. The system according to claim 1, wherein the virtual topology generation module generates a virtual topology from the input original topology according to a given parameter set {x, y} as follows:
Each switch in the original topology is regarded as a node, and the set of all switches is written {N1, N2, ..., Nn}, where n is the total number of nodes. For every SDN switch in the original topology, x virtual networks are created, the number of nodes on any one virtual network being not fixed, giving the virtual network set $\{N_1^1, \dots, N_1^x, N_2^1, \dots, N_2^x, \dots, N_n^1, \dots, N_n^x\}$, where $N_n^x$ denotes the x-th virtual network created for the n-th node Nn. For any two nodes Ni and Nj that are linked in the original topology, where i, j ∈ {1, 2, ..., n} and i ≠ j, one-to-one virtual links are created between the x pairs of virtual networks $(N_i^k, N_j^k)$, k = 1, ..., x, giving x virtual links. For any two nodes Ni and Nj, the virtual topology generation module randomly selects y redundant paths from Ni to Nj in the original topology; the real communication path from Ni to Nj in the original topology is recorded as the original path; a path formed by the virtual links between the virtual networks created for the nodes on the original path is called a virtual path; and the original path, the x virtual paths from Ni to Nj and the y randomly selected redundant paths together are called the virtual topology from Ni to Nj.
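The generation procedure of claim 3 and the fig. 3 example of embodiment 3, as an added Python illustration; this is not code from the patent. The eight-node sample topology, the node naming and the helper names are assumptions, and a virtual network is modelled as a single named node even though the claim allows a virtual network of any size.

```python
import random

# Constructed sample topology matching the fig. 3 description: the original
# path N1-N2-N3-N4-N5 and the alternative N1-N6-N7-N8-N5.
LINKS = [("N1", "N2"), ("N2", "N3"), ("N3", "N4"), ("N4", "N5"),
         ("N1", "N6"), ("N6", "N7"), ("N7", "N8"), ("N8", "N5")]


def adjacency(links):
    """Undirected adjacency sets, one entry per switch (node)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def simple_paths(adj, src, dst):
    """All loop-free paths from src to dst, found by depth-first search."""
    found, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            found.append(path)
            continue
        for nxt in sorted(adj[node]):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return found


def virtual_network(node, k):
    """Name of the k-th virtual network created for a node (N_n^k in claim 3).
    Modelled as one node here; the claim allows a virtual network of any size."""
    return f"{node}^{k}"


def virtual_topology(links, src, dst, original_path, x, y, rng=random):
    """Virtual topology from src to dst (claim 3): the original path, x virtual
    paths built from the virtual networks of the nodes on it, and y redundant
    paths drawn at random from the other loop-free paths of the topology."""
    adj = adjacency(links)
    original_path = list(original_path)
    paths = simple_paths(adj, src, dst)
    if original_path not in paths:
        raise ValueError("original path is not a path of the topology")
    # x virtual paths: the k-th virtual copies of the original nodes, linked one-to-one
    virtual = [[virtual_network(n, k) for n in original_path] for k in range(1, x + 1)]
    candidates = [p for p in paths if p != original_path]
    if y > len(candidates):
        raise ValueError(f"only {len(candidates)} alternative paths available for y={y}")
    redundant = rng.sample(candidates, y)
    return {"original": original_path, "virtual": virtual, "redundant": redundant}


def virtual_links(virtual_paths):
    """One virtual link per original link and per virtual copy (x links per original link)."""
    return [(p[i], p[i + 1]) for p in virtual_paths for i in range(len(p) - 1)]


if __name__ == "__main__":
    topo = virtual_topology(LINKS, "N1", "N5", ["N1", "N2", "N3", "N4", "N5"], x=2, y=1)
    print("original ", "-".join(topo["original"]))
    for p in topo["virtual"]:
        print("virtual  ", "-".join(p))
    for p in topo["redundant"]:
        print("redundant", "-".join(p))
    print(len(virtual_links(topo["virtual"])), "virtual links")
```

In the sample graph there is exactly one alternative to the original path, so y = 1 always selects N1-N6-N7-N8-N5; with a richer topology the redundant paths differ between runs, which is the point of drawing them at random.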
4. The system according to claim 1, wherein the virtual topology deployment module deploys the virtual topology into the network by modifying both the TTL value of Traceroute packets and the IP address of the response packets, or by rerouting the packets onto a redundant path; and the link monitoring module runs throughout the life cycle of the system, monitoring network communication quality in real time with the iperf tool, the monitored quantities including at least link delay, link utilisation and port rate.
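The Traceroute handling of embodiment 4, step (5.2), and claim 4, as an added Python simulation that is not code from the patent. The addresses, the decision to keep one view for a whole traceroute run, and the assumption that the reroute to E costs no extra TTL decrement are mine; the patent specifies only the one-third split and the per-TTL behaviour at switch A.

```python
import random
from collections import Counter

# Constructed addresses (assumption). A is the real switch on the S->D path,
# B and C form the virtual network created for A, E lies on the redundant
# path S-E-D. As (5.1) requires, B and C are public addresses in A's subnet
# that are not otherwise allocated.
S = "203.0.113.10"                      # attacker
A = "198.51.100.1"                      # real switch on the original path
B, C = "198.51.100.2", "198.51.100.3"   # virtual network created for A
D = "198.51.100.50"                     # proxy server (destination)
E = "198.51.100.20"                     # switch on the redundant path

VIEWS = ("virtual", "redundant", "original")


def choose_view(rng=random):
    """Step 5: each probe flow is sent down one of the three views with equal probability."""
    return rng.choice(VIEWS)


def answer_probe(ttl, view):
    """What the attacker receives for a probe with this TTL under the chosen view:
    (source IP of the reply, reply type)."""
    if view == "virtual":
        if ttl == 1:
            return B, "time-exceeded"   # expires at A; controller sources the ICMP reply from B
        if ttl == 2:
            return C, "time-exceeded"   # A decrements by 2 so it still expires here; reply from C
        return D, "reached"             # A decrements by 2 (phantom hop C) and forwards to D
    if view == "redundant":
        # Rerouted to E (assumed without an extra decrement at the ingress), then on to D.
        return (E, "time-exceeded") if ttl == 1 else (D, "reached")
    # original path: A answers with its own address, then the packet reaches D
    return (A, "time-exceeded") if ttl == 1 else (D, "reached")


def traceroute(view, max_hops=8):
    """Hop list as the attacker's traceroute would print it under one fixed view."""
    hops = []
    for ttl in range(1, max_hops + 1):
        src, kind = answer_probe(ttl, view)
        hops.append(src)
        if kind == "reached":
            break
    return hops


def observed_paths(runs, seed=0):
    """Distribution of hop lists an attacker collects over repeated traceroutes."""
    rng = random.Random(seed)
    return Counter(tuple(traceroute(choose_view(rng))) for _ in range(runs))


if __name__ == "__main__":
    for view in VIEWS:
        print(f"{view:9s} {' -> '.join([S] + traceroute(view))}")
    for path, count in observed_paths(300).most_common():
        print(count, " -> ".join((S,) + path))
```

Because the view is fixed per run, each traceroute prints one consistent hop list and the attacker's repeated runs disagree with each other. If the controller instead chose independently for every probe packet, as a strict one-third split per packet would, a single run could mix hops from different views (B at TTL 1, then D at TTL 2), which is a different and more obviously artificial signal than the one the embodiment describes.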
5. A method of implementing a defence with the system of claim 1, comprising the steps of:
(1) In a network with N proxy servers, K proxy servers are selected as designated proxy servers according to the defender's defensive capacity;
(2) The IP distribution module allocates a long-term IP and a short-term IP to each designated proxy server, the long-term IP being denoted LIP and the short-term IP SIP, and allocates only an LIP to the remaining proxy servers; the LIP remains unchanged over the long term, while the system is given a parameter t and a new SIP is allocated to each designated proxy server every t; the LIP of a proxy server serves as its communication IP, and the allocation result is input to the IP confusion module;
(3) The IP confusion module modifies the flow tables of the SDN switches through the SDN controller, so that packets are forwarded between the SDN switches in the network by matching the modified flow tables, as follows:
(3.1) When an IP packet is sent from an external user to a proxy server, it is first sent to the SDN switch connected to the external user; this switch is called the ingress switch, and the SDN switch connected to the proxy server is called the egress switch. The ingress switch sends the IP packet to the SDN controller, which judges whether the destination IP address of the packet is the LIP of a proxy server; if so, the SDN controller issues flow tables to the ingress and egress switches according to the flow-table rules it would use without the proxy server IP confusion unit deployed; if not, the method proceeds to step (3.2);
(3.2) The SDN controller judges whether the destination address is the current SIP of a designated proxy server; if so, that proxy server is called the hit server and the method proceeds to step (3.3); if not, the SDN controller issues flow tables to the ingress and egress switches according to the flow-table rules it would use without the proxy server IP confusion unit deployed;
(3.3) The SDN controller adds a flow entry to the flow table of the ingress switch whose match field is destination IP = SIP of the hit server, whose action is to rewrite the destination IP address of the packet to the LIP of the hit server and forward it, and whose expiry time is t; the SDN controller also adds a flow entry to the flow table of the egress switch whose match field is source IP = LIP of the hit server, whose action is to rewrite the source IP address of the packet to the SIP of the hit server and forward it, and whose expiry time is t;
(4) The virtual topology generation module generates, for any two nodes Ni and Nj in the original topology, x virtual paths according to the system parameters {x, y} and randomly selects y redundant paths in the network, obtaining the virtual topology;
(5) The virtual topology deployment module deploys the virtual topology into the network, so that an attacker's probe traffic between any two nodes Ni and Nj is forwarded along one of the x virtual paths from Ni to Nj, one of the y randomly selected redundant paths, or the original path, each with equal probability, so that the attacker cannot identify the key links of the network by analysing the Traceroute responses;
(6) Throughout the life cycle of the system, the link monitoring module monitors network communication quality in real time, the quality criteria including at least link delay, link utilisation and port rate; if the communication quality is found to have fallen below the threshold preset by the system, the reinforcement-learning-based rerouting algorithm is executed to protect the link.
6. The method according to claim 5, wherein the number K of designated proxy servers is determined as follows:
where N is the total number of proxy servers in the network, M is the number of proxy server LIPs an attacker needs to collect, and the system sets a parameter p according to its own defence requirements, namely the probability p, which the system wants to be small, that an attacker scanning the network segment with NMAP collects M LIPs in a single pass.
7. The method according to claim 5, wherein the allocation of SIPs and LIPs in step (2) must satisfy the following requirements:
(a) The LIP of each proxy server is distinct; writing the LIPs allocated to all proxy servers as $\{LIP_1, LIP_2, \dots, LIP_N\}$, the SIP of a designated proxy server is not in $\{LIP_1, LIP_2, \dots, LIP_N\}$, and the SIPs of any two designated proxy servers at the same time are different;
(b) The SIP currently allocated to a designated proxy server lies in the same network segment as the proxy server and its LIP;
(c) The system is given a window T within which the same SIP may not be allocated more than once.
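The LIP/SIP allocation of claim 5 step (2), the constraints of claim 7 and the flow-entry rewrite of steps (3.1) to (3.3), as an added Python model; it is not the patent's code. The addresses, the assumption that a network segment is a /24, the parameters t and T, and the class and method names are mine, and the flow tables are plain lists rather than OpenFlow entries.

```python
import ipaddress
import random


class SipAllocator:
    """IP distribution module: every proxy keeps a fixed LIP; the K designated
    proxies also receive a SIP that is re-drawn every t (claim 5 step (2))."""

    def __init__(self, lips, designated, t, T, rng=random):
        self.lips = dict(lips)              # proxy -> LIP (fixed)
        self.designated = list(designated)  # the K designated proxies
        self.t = t                          # SIP lifetime, also the flow entry expiry
        self.T = T                          # window in which a SIP may not recur (claim 7 (c))
        self.rng = rng
        self.sips = {}                      # proxy -> current SIP
        self.history = []                   # (sip, time allocated)

    def _candidates(self, proxy, now):
        # (b) same network segment as the proxy's LIP (assumed to be a /24)
        net = ipaddress.ip_network(f"{self.lips[proxy]}/24", strict=False)
        # (a) never a LIP and never another designated proxy's current SIP
        taken = set(self.lips.values()) | set(self.sips.values())
        # (c) not handed out again within T
        recent = {sip for sip, when in self.history if now - when < self.T}
        return [str(ip) for ip in net.hosts() if str(ip) not in (taken | recent)]

    def rotate(self, now):
        """Re-allocate SIPs for all designated proxies; returns the new mapping."""
        self.sips = {}
        for proxy in self.designated:
            sip = self.rng.choice(self._candidates(proxy, now))
            self.sips[proxy] = sip
            self.history.append((sip, now))
        return dict(self.sips)


class Controller:
    """Flow-table side of the IP confusion module (claim 5 steps (3.1)-(3.3))."""

    def __init__(self, alloc):
        self.alloc = alloc
        self.ingress = []   # (match dst, rewrite dst to, expires)
        self.egress = []    # (match src, rewrite src to, expires)

    def packet_in(self, dst_ip, now):
        if dst_ip in self.alloc.lips.values():
            return "normal"                 # (3.1) traffic to a LIP: ordinary rules
        hits = [p for p, s in self.alloc.sips.items() if s == dst_ip]
        if not hits:
            return "default"                # (3.2) neither a LIP nor a current SIP
        proxy = hits[0]                     # the hit server
        lip, expires = self.alloc.lips[proxy], now + self.alloc.t
        self.ingress.append((dst_ip, lip, expires))   # (3.3) dst SIP -> LIP at the ingress
        self.egress.append((lip, dst_ip, expires))    # (3.3) src LIP -> SIP at the egress
        return f"rewrite:{proxy}"

    @staticmethod
    def _apply(table, addr, now):
        for match, new, expires in table:
            if match == addr and now < expires:
                return new
        return addr     # no live entry: unchanged (a real switch would raise a new packet-in)

    def forward_ingress(self, dst_ip, now):
        return self._apply(self.ingress, dst_ip, now)

    def forward_egress(self, src_ip, now):
        return self._apply(self.egress, src_ip, now)


if __name__ == "__main__":
    # Constructed network: three proxies, two of them designated (K = 2).
    lips = {"P1": "198.51.100.11", "P2": "198.51.100.12", "P3": "198.51.100.13"}
    alloc = SipAllocator(lips, designated=["P1", "P2"], t=60, T=600, rng=random.Random(7))
    ctrl = Controller(alloc)
    sips = alloc.rotate(now=0)
    print("SIPs:", sips)
    print(ctrl.packet_in(sips["P1"], now=0), "->", ctrl.forward_ingress(sips["P1"], now=10))
    print("after t:", ctrl.forward_ingress(sips["P1"], now=61))
    print("next rotation:", alloc.rotate(now=60))
```

The egress entry matches on the source address only, exactly as step (3.3) states; the claim does not say how it is prioritised against the ordinary LIP entries of step (3.1), so a deployment has to make sure that replies to clients who reached the proxy on its LIP are not rewritten to the SIP, for example by also matching the client address in the egress entry.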
8. The method according to claim 5, wherein the reinforcement-learning-based rerouting algorithm of step (6) searches for the optimal next hop for a packet at Ni, implemented by the following steps:
(6.1) The link relationships between the SDN switches in the original topology are represented by a matrix $L = (l_{ij})_{n \times n}$, where $l_{ij}$ and $l_{ji}$ both denote the link relationship between Ni and Nj in the original topology: if a link exists between them, $l_{ij} = l_{ji} = 1$, otherwise 0;
(6.2) The state space and action space of the agent are designed from the node set {N1, N2, ..., Nn}: the state of the agent when the packet is at the i-th node Ni is denoted Ni', and the action of the agent that selects Nj as the packet's next hop is denoted Nj';
(6.3) When the agent selects action Nj' in state Ni', its reward is obtained as follows:
Case one: $l_{ij} = 0$ in L; the reward is $r = r_0$, where $r_0$ is a penalty;
Case two: $l_{ij} = 1$ in L and Nj is not the node connected to the proxy server; the reward is $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij}$;
Case three: $l_{ij} = 1$ in L and Nj is the node connected to the proxy server; the reward is $r = \lambda_1 BW_{ij} + \lambda_2 LTR_{ij} + \lambda_3 DL_{ij} + \lambda_4 JI_{ij} + \lambda_5 Loss_{ij} + r_3$, where $r_3$ is the reward for reaching the destination address;
Here $BW_{ij}$ is the residual bandwidth of the link between Ni and Nj, $LTR_{ij}$ its throughput, $DL_{ij}$ its delay, $JI_{ij}$ its jitter and $Loss_{ij}$ its packet loss rate; $\lambda_1, \dots, \lambda_5$ are the weights of the reward function, with $\lambda_1, \lambda_2 \in [0, 1]$ and $\lambda_3, \lambda_4, \lambda_5 \in [-1, 0]$. The values of $\lambda_1$ to $\lambda_5$ are determined experimentally, i.e. the weights are chosen such that the agent obtains the highest reward;
(6.4) The Q table is trained by Q-learning according to the designed state space, action space and reward function, and after training the packets are forwarded according to the Q table.
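The Q-learning rerouting of embodiment 5 and claim 8, as an added Python implementation that is not the patent's code. The five-switch topology, the normalised link metrics, the weights λ1 to λ5, the values of r0 and r3 and the learning hyper-parameters are assumptions; an action onto a non-adjacent node is treated as dropping the packet and ends the episode, which the patent does not specify.

```python
import random

# Constructed sample: five switches N1..N5 (indices 0..4); N5 is the node
# connected to the proxy server, i.e. the destination of every packet.
N = 5
DEST = 4
LINKS = [(0, 1), (1, 2), (2, 4), (0, 3), (3, 4)]


def link_matrix(n, links):
    """Adjacency matrix L of (6.1): l_ij = l_ji = 1 iff Ni-Nj is a link, else 0."""
    L = [[0] * n for _ in range(n)]
    for i, j in links:
        L[i][j] = L[j][i] = 1
    return L


L = link_matrix(N, LINKS)

# Constructed, normalised link metrics (BW_ij, LTR_ij, DL_ij, JI_ij, Loss_ij), all in [0, 1].
# The two-hop route N1-N4-N5 is well provisioned; N1-N2-N3-N5 is congested and lossy.
GOOD = (0.9, 0.9, 0.05, 0.02, 0.0)
POOR = (0.3, 0.3, 0.6, 0.3, 0.1)
METRICS = {frozenset(e): GOOD for e in [(0, 3), (3, 4)]}
METRICS.update({frozenset(e): POOR for e in [(0, 1), (1, 2), (2, 4)]})

# Assumed weights: lambda_1, lambda_2 in [0, 1]; lambda_3..lambda_5 in [-1, 0].
LAM = (1.0, 1.0, -1.0, -1.0, -1.0)
R0 = -5.0     # case one: penalty for choosing a node with no link from Ni
R3 = 100.0    # case three: bonus for reaching the node connected to the proxy server


def reward(L, metrics, i, j, dest, lam=LAM, r0=R0, r3=R3):
    """Reward for action Nj' taken in state Ni' (6.3)."""
    if L[i][j] == 0:
        return r0
    bw, ltr, dl, ji, loss = metrics[frozenset((i, j))]
    r = lam[0] * bw + lam[1] * ltr + lam[2] * dl + lam[3] * ji + lam[4] * loss
    return r + r3 if j == dest else r


def train_q(L, metrics, dest, episodes=5000, alpha=0.5, gamma=0.8, eps=0.3, seed=0):
    """Tabular Q-learning over states Ni' and actions Nj' (6.4); epsilon-greedy exploration."""
    rng = random.Random(seed)
    n = len(L)
    Q = [[0.0] * n for _ in range(n)]
    for _ep in range(episodes):
        s = rng.choice([i for i in range(n) if i != dest])
        for _step in range(4 * n):                       # cap the episode length
            if rng.random() < eps:
                a = rng.randrange(n)
            else:
                a = max(range(n), key=lambda k: Q[s][k])
            r = reward(L, metrics, s, a, dest)
            if L[s][a] == 0:
                Q[s][a] += alpha * (r - Q[s][a])         # packet dropped: terminal transition
                break
            target = r if a == dest else r + gamma * max(Q[a])
            Q[s][a] += alpha * (target - Q[s][a])
            s = a
            if s == dest:
                break
    return Q


def route(Q, src, dest):
    """Forward by the trained table: at Ni pick the action Nj' with the largest Q value."""
    path, s = [src], src
    while s != dest and len(path) <= len(Q):
        s = max(range(len(Q)), key=lambda k: Q[s][k])
        path.append(s)
    return path


if __name__ == "__main__":
    Q = train_q(L, METRICS, DEST)
    for src in range(N):
        if src != DEST:
            print("from N%d:" % (src + 1), " -> ".join("N%d" % (k + 1) for k in route(Q, src, DEST)))
```

Because λ1 and λ2 are non-negative, a well-provisioned link earns a positive reward on every hop; the destination bonus r3 therefore has to dominate the discounted per-hop reward, otherwise the greedy policy learns to circulate between good links instead of delivering the packet. The values here keep the two terms apart by well over an order of magnitude, and treating a non-adjacent action as a drop keeps the penalty r0 from being diluted by future rewards.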
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310363837.1A CN116389120A (en) | 2023-04-06 | 2023-04-06 | Novel DDOS attack defense system and method based on IP and topology confusion |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116389120A true CN116389120A (en) | 2023-07-04 |
Family
ID=86965267
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310363837.1A Pending CN116389120A (en) | 2023-04-06 | 2023-04-06 | Novel DDOS attack defense system and method based on IP and topology confusion |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116389120A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117714212A (en) * | 2024-02-05 | 2024-03-15 | 中国科学技术大学 | Network topology confusion method and system for defending link flooding attack |
CN117714212B (en) * | 2024-02-05 | 2024-05-17 | 中国科学技术大学 | Network topology confusion method and system for defending link flooding attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||