
CN110247893A - A kind of data transmission method and SDN controller - Google Patents


Info

Publication number
CN110247893A
Authority
CN
China
Prior art keywords
connection
sdn controller
forwarding device
forwarding
historical data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910390899.5A
Other languages
Chinese (zh)
Other versions
CN110247893B (en)
Inventor
张帅
张雪贝
杨建军
唐雄燕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd
Priority to CN201910390899.5A
Publication of CN110247893A
Application granted
Publication of CN110247893B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments provide a data transmission method and an SDN controller, relating to the field of communication technology. They address the prior-art problem that an attacker who obtains the identifier ID, source IP address, destination IP address and similar information of a forwarding device can mount a DoS attack on the SDN controller layer, paralysing a large area of the network and degrading the user experience. In the method, the SDN controller obtains historical data of a forwarding device with which a connection has been established; the historical data includes either a first number of requests the forwarding device has sent to the SDN controller together with a second number of messages the SDN controller has sent to the forwarding device, or the time at which the forwarding device last established a connection with the SDN controller. When the SDN controller determines from the historical data that a preset condition is met, it generates warning information, disconnects the connection with the forwarding device, and re-establishes the connection with the forwarding device according to the identifier ID.

Description

Data transmission method and SDN controller
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data transmission method and an SDN controller.
Background
Denial of service (DoS) is a simple but effective attack that mainly undermines the availability of network services: the victim computer or network cannot receive and process external requests in time, or cannot respond to them in time, so that the network services of legitimate users cannot run normally and the user experience suffers.
In the prior art, when a Software Defined Network (SDN) controller connects to a forwarding device, authentication is performed first; the SDN controller records an identifier ID and stores it in a flow table, and each forwarding device corresponds to its own independent identifier ID. The identifier ID is generated once and has the same life cycle as the forwarding device. If an attacker obtains information such as the identifier ID, source IP address and destination IP address of a certain forwarding device, the attacker can forge request information from that forwarding device to carry out a DoS attack on the SDN controller layer, so that the network devices on the SDN controller layer become overloaded and are paralyzed or stop providing normal network service, causing large-area network paralysis and affecting the user experience.
As can be seen from the above, in the prior art, an attacker obtains relevant information such as an identifier ID, a source IP address, and a destination IP address of a certain forwarding device, thereby performing DoS attack on an SDN controller layer, resulting in large-area network paralysis and affecting user experience.
Disclosure of Invention
Embodiments of the present invention provide a data transmission method and an SDN controller, which solve the problem in the prior art that an attacker obtains relevant information such as an identifier ID, a source IP address, and a destination IP address of a certain forwarding device, thereby performing DoS attack on a layer of the SDN controller, causing large-area network paralysis, and affecting user experience.
In order to achieve the above purpose, the embodiment of the invention adopts the following technical scheme:
In a first aspect, an embodiment of the present invention provides a data transmission method, including: the SDN controller acquires historical data of a forwarding device with which a connection has been established; the historical data comprises a first number of times that the forwarding device has sent a request to the SDN controller and a second number of times that the SDN controller has sent a message to the forwarding device, or the historical data comprises the connection time at which the forwarding device last established a connection with the SDN controller; when the SDN controller determines from the historical data that a preset condition is met, it generates alarm information, disconnects the connection with the forwarding device, and reestablishes the connection with the forwarding device according to the identifier ID; the identifier ID of each connection established between the SDN controller and the forwarding device is different every time, and the alarm information indicates that the forwarding device is under DoS attack.
With this scheme, by acquiring the historical data of a forwarding device with which a connection has been established, the embodiment can judge from the historical data whether the forwarding device is under DoS attack; when the historical data shows that the forwarding device meets the preset condition, alarm information is generated and the connection with the forwarding device is disconnected, so that the attack on the SDN controller is stopped. So that other users are not prevented from sending requests to the SDN controller through that forwarding device after the connection is disconnected, the connection with the forwarding device is reestablished according to the identifier ID. Because the identifier ID of each connection established between the SDN controller and the forwarding device is different every time, an attacker can no longer use the forwarding device's identifier ID, source IP address, destination IP address and similar information to forge request information and mount a DoS attack on the SDN controller layer again, and normal operation of the SDN controller is ensured. This solves the prior-art problem that an attacker who obtains the identifier ID, source IP address and destination IP address of a certain forwarding device can carry out a DoS (denial of service) attack on the SDN controller layer, causing large-area network paralysis and degrading the user experience.
In a second aspect, an embodiment of the present invention provides an SDN controller, including: an acquisition unit configured to acquire historical data of a forwarding device with which a connection has been established, the historical data comprising a first number of times that the forwarding device has sent a request to the SDN controller and a second number of times that the SDN controller has sent a message to the forwarding device, or comprising the connection time at which the forwarding device last established a connection with the SDN controller; and a processing unit configured to generate alarm information and disconnect the connection with the forwarding device when it determines from the historical data acquired by the acquisition unit that a preset condition is met, and to reestablish the connection with the forwarding device according to the identifier ID; the identifier ID of each connection established between the SDN controller and the forwarding device is different every time, and the alarm information indicates that the forwarding device is under DoS attack.
In a third aspect, an embodiment of the present invention provides an SDN controller, including: communication interface, processor, memory, bus; the memory is used for storing computer executable instructions, the processor is connected with the memory through the bus, and when the SDN controller runs, the processor executes the computer executable instructions stored in the memory, so that the SDN controller executes the method provided by the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the method as provided in the first aspect above.
It can be understood that any SDN controller provided above is configured to execute the method according to the first aspect provided above, and therefore, the beneficial effects that can be achieved by the SDN controller refer to the beneficial effects of the method according to the first aspect and the corresponding scheme in the following detailed description, which are not described herein again.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a diagram illustrating a DoS attack method in the prior art;
FIG. 2 is a diagram illustrating a DoS attack mode on a management plane in the prior art;
FIG. 3 is a schematic diagram of a DoS attack by a management plane on a forwarding plane device in the prior art;
FIG. 4 is a schematic diagram of a DoS attack method between forwarding plane devices in the prior art;
FIG. 5 is a network architecture diagram of an SDN provided by an embodiment of the invention;
FIG. 6 is a flowchart illustrating a data transmission method according to an embodiment of the present invention;
FIG. 7 is a second flowchart illustrating a data transmission method according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an identifier ID of a data transmission method according to an embodiment of the present invention;
FIG. 9 is a third schematic flowchart of a data transmission method according to an embodiment of the present invention;
FIG. 10 is a fourth flowchart illustrating a data transmission method according to an embodiment of the invention;
FIG. 11 is a fifth flowchart illustrating a data transmission method according to an embodiment of the invention;
FIG. 12 is a sixth schematic flowchart of a data transmission method according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of three-dimensional vector analysis of a data transmission method according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of 3 connected forwarding devices;
FIG. 15 is a seventh schematic flowchart illustrating a data transmission method according to an embodiment of the present invention;
FIG. 16 is an eighth schematic flowchart of a data transmission method according to an embodiment of the present invention;
FIG. 17 is a schematic diagram of two-dimensional vector analysis of a data transmission method according to an embodiment of the present invention;
FIG. 18 is a schematic structural diagram of an SDN controller according to an embodiment of the present invention;
FIG. 19 is a second schematic structural diagram of an SDN controller according to an embodiment of the present invention.
Reference numerals:
an SDN controller-10;
an acquisition unit-101; a processing unit-102.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
For the convenience of clearly describing the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the words "first", "second", and the like are used for distinguishing the same items or similar items with basically the same functions and actions, and those skilled in the art can understand that the words "first", "second", and the like are not limited in number or execution order.
In the embodiments of the present invention, words such as "exemplary" or "for example" are used to mean serving as examples, illustrations or descriptions. Any embodiment or design described as "exemplary" or "e.g.," an embodiment of the present invention is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the description of the embodiments of the present invention, the meaning of "a plurality" means two or more unless otherwise specified. For example, a plurality of networks refers to two or more networks.
The term "and/or" herein merely describes an association between associated objects, meaning that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The symbol "/" herein denotes an "or" relationship between the associated objects; for example, A/B denotes A or B.
The SDN is a new network architecture which, by separating the control plane and data plane of network equipment, enables flexible control of network traffic and turns the network into a resource that can be flexibly allocated; at the same time, networks adopting the SDN architecture face more and more DoS attacks. The most basic DoS attack floods a network server, within a short time, with a large amount of information that requires a reply, quickly consuming network bandwidth and system resources so that the network or system becomes overloaded and breaks down or stops providing normal network service. As shown in FIG. 1, an attacker attacks the victim host one-to-one; if the performance indicators of the victim host, such as processor performance, memory capacity and network bandwidth, are not high, the victim host may fail to bear the load and be paralyzed or stop providing normal network services.
FIG. 2 is a schematic diagram of a DoS attack by an attacker on the management plane of a network adopting the SDN architecture. The attacker forges a large number of non-existent data flows and sends them to forwarding device 2; forwarding device 2 cannot find forwarding rules for these flows in its own flow table, so it sends a large number of query requests to the SDN controller. The resources of the SDN controller are then occupied responding to the requests of forwarding device 2, and if other users simultaneously request flow-table information from the SDN controller through forwarding device 1, they cannot get a normal response. This is a DoS attack on the controller management plane of a network adopting the SDN architecture.
FIG. 3 is a schematic diagram of a DoS attack by an attacker on the forwarding plane via the management plane of a network adopting the SDN architecture. If the attacker forges a large number of useless query requests whose source address is filled in as the address of forwarding device 1, the SDN controller, on receiving the query requests, issues a large number of flow table entries to forwarding device 1 according to that source address. Flow table entries issued by the SDN controller must be processed by the forwarding device; if they exceed the processing capacity of forwarding device 1, forwarding device 1 can no longer respond to the access requests of other users, and a DoS attack by the management plane on a forwarding plane device has occurred.
FIG. 4 is a schematic diagram of a DoS attack by an attacker between forwarding plane devices of a network adopting the SDN architecture. If the attacker forges a large amount of identical information and sends it directly to forwarding device 2, forwarding device 2 forwards the traffic to forwarding device 1 according to its flow table; if that traffic exceeds the processing capacity of forwarding device 1, then when a user sends request information to forwarding device 1, or the SDN controller sends information to forwarding device 1, forwarding device 1 cannot respond, and a DoS attack between forwarding plane devices has occurred.
In view of the above problems, an embodiment of the present invention provides a data transmission method based on the network architecture of FIG. 5, which comprises an application plane, a management plane and a forwarding plane. The SDN controller in the management plane has topology management, resource management, performance management, service management and similar functions, and additionally has a security module comprising an authentication and authorization function, a traffic analysis function and an alarm processing function. Through the security module, DoS attacks by an attacker on the management plane, DoS attacks by the management plane on the forwarding plane, and DoS attacks between forwarding planes of a network adopting the SDN architecture can all be effectively detected, alarm processing carried out, and normal operation of the network ensured. The specific implementation is as follows:
example one
An embodiment of the present invention provides a data transmission method, as shown in fig. 6 and 7, including:
s101, an SDN controller acquires historical data of forwarding equipment with established connection; the historical data comprises a first number of times that the forwarding device sends a request to the SDN controller and a second number of times that the SDN controller sends a message to the forwarding device, or the historical data comprises connection time that the forwarding device establishes connection with the SDN controller last time.
S102, when the SDN controller determines from the historical data that a preset condition is met, generating alarm information, disconnecting the connection with the forwarding device, and reestablishing the connection with the forwarding device according to the identifier (ID); the identifier ID of each connection established with the forwarding device is different every time, and the alarm information indicates that the forwarding device is under DoS attack.
It should be noted that, in practical applications, the authentication and authorization function in the security module works as follows. When the SDN controller and a forwarding device connect, authentication is performed first: the SDN controller generates an identifier ID from the ID information of the forwarding device and its own storage rule, records the identifier ID in a flow table, and sends it to the corresponding forwarding device. When the forwarding device later authenticates with the SDN controller, it sends back the identifier ID it received; the SDN controller compares it with the identifier ID stored in the flow table for that forwarding device, and when the two match, authentication succeeds and the SDN controller establishes the connection with the forwarding device. Each forwarding device corresponds to its own independent identifier ID, which plays the role of a cookie: data stored on the user's local terminal and generated for use by the flow table.
Exemplarily, taking the forwarding device to be a switch, the identifier ID of each connection the SDN controller establishes with the forwarding device differs as follows:
A switch has ID information, usually its Media Access Control (MAC) address; illustratively, the MAC address occupies 6 bytes and is written in hexadecimal.
When the SDN controller receives the ID information of a switch, it appends 3 bytes to the switch's ID information (MAC address): 2 bytes indicate the last connection time and 1 byte indicates the number of interactions (the structure of the identifier ID is shown in FIG. 8). The identifier ID generated each time is therefore different; exemplarily, the added 3 bytes are also written in hexadecimal.
In the conventional SDN definition, however, when the SDN controller and the forwarding device establish a connection, the identifier ID is generated once and has the same life cycle as the forwarding device. If an attacker obtains information such as the ID and Internet Protocol (IP) address of a certain forwarding device, the attacker can impersonate that forwarding device to attack other network devices on the controller layer or the forwarding plane. Therefore the first step in the security module is to add authentication. Authenticating on every information transfer would be relatively safe, but it would burden the SDN controller with extra computation cost and storage resources. To guarantee the authentication of forwarding devices to a certain extent while avoiding excessive computation cost on the SDN controller, the authentication and authorization module stores the connection state between the SDN controller and each device, and judges whether a forwarding device is under DoS attack from the number of information transfers and the connection duration (see S1020 and S1021). When a forwarding device is under DoS attack, the alarm processing function of the security module is started; after alarm information is generated, the forwarding device is reconnected. Because the identifier ID of each connection established between the SDN controller and the forwarding device is different every time, an attacker does not possess the new identifier ID of the forwarding device after the reconnection and therefore cannot initiate a DoS attack on the SDN controller again; the security of the SDN controller is improved and the user experience is guaranteed.
Optionally, the historical data comprises the first number and the second number; generating alarm information and disconnecting the connection with the forwarding device when the SDN controller determines from the historical data that a preset condition is met, and reestablishing the connection with the forwarding device according to the identifier ID, as shown in FIG. 7 and FIG. 9, includes:
S1020, when the SDN controller determines from the first number and the second number that their sum within a specified time period is greater than or equal to a first threshold, generating alarm information, disconnecting the connection with the forwarding device, and reestablishing the connection with the forwarding device according to the identifier ID.
Optionally, the historical data includes connection time; the SDN controller generates alarm information and disconnects connection with the forwarding device when determining that a preset condition is satisfied according to the history data, and reestablishes connection with the forwarding device according to the identifier ID, as shown in fig. 7 and 10, including:
and S1021, when determining that the difference value between the current time and the connection time is greater than or equal to the time threshold value according to the connection time, the SDN controller generates alarm information, disconnects the connection with the forwarding equipment, and reestablishes the connection with the forwarding equipment according to the identification ID.
In actual application, when the SDN controller establishes a connection with the forwarding device, it generates a corresponding flow table entry as shown in Table 1.
TABLE 1
current_time | switch_ID | connection_time | interval | count
Here current_time is the current time, switch_ID is the ID number of the forwarding device, connection_time is the most recent connection time, interval is the specified interval (in hours), and count is the number of interactions (each time the SDN controller issues data to the forwarding device or the forwarding device requests data from the SDN controller, count is incremented by 1).
When the difference between current_time and connection_time is greater than or equal to interval (which may also serve as the time threshold), or count reaches a specified value (such as the first threshold), the SDN controller must perform authentication and authorization with the forwarding device again; after authentication, connection_time becomes the current time and count restarts from 0.
Setting the re-authentication interval according to the historical data avoids the resource consumption of frequently reestablishing and re-authenticating connections. Counting from the historical data the number of information interactions between the SDN controller and the forwarding device within a period of time allows a first threshold for a rated time to be determined; if the number of interactions between the SDN controller and the forwarding device within the rated time exceeds the set first threshold, abnormal traffic is considered to be consuming network resources during that time, and the connection between the SDN controller and the forwarding device must be disconnected and authentication performed again.
As can be seen from the above, compared with the prior art, the data transmission method provided by the embodiments of the present invention can effectively prevent a DoS attack from the forwarding layer on the management plane (the attack type of FIG. 2). The connection established between the SDN controller and the forwarding device is not permanent, yet it is not reestablished so frequently that it consumes the controller's computing resources; through the time threshold and the first threshold, the management plane and the forwarding plane are effectively protected, and the connection authentication relationship between the forwarding device and the SDN controller is controlled.
Optionally, the historical data further includes a first traffic arriving at the forwarding device, a second traffic flowing out of the forwarding device, and a third traffic flowing through the forwarding device, and as shown in FIG. 7, FIG. 11 and FIG. 12, the method further includes:
S103, when the SDN controller determines from the historical data that the preset condition is not met but that the first traffic is greater than a first traffic threshold, or the second traffic is greater than a second traffic threshold, or the third traffic is greater than a third traffic threshold, generating alarm information, disconnecting the connection with the forwarding device, and reestablishing the connection with the forwarding device according to the identifier ID.
Generating alarm information and disconnecting the connection with the forwarding device when the SDN controller determines from the historical data that the preset condition is not met and that the first traffic is greater than the first traffic threshold, or the second traffic is greater than the second traffic threshold, or the third traffic is greater than the third traffic threshold, and reestablishing the connection with the forwarding device according to the identifier ID, includes:
S1030, when the SDN controller determines from the historical data that the number of interactions within the specified time period has not reached the first threshold, but that the first traffic is greater than the first traffic threshold, or the second traffic is greater than the second traffic threshold, or the third traffic is greater than the third traffic threshold, generating alarm information, disconnecting the connection with the forwarding device, and reestablishing the connection with the forwarding device according to the identifier ID.
or,
S1031, when the SDN controller determines from the historical data that the difference between the current time and the connection time has not reached the time threshold, but that the first traffic is greater than the first traffic threshold, or the second traffic is greater than the second traffic threshold, or the third traffic is greater than the third traffic threshold, generating alarm information, disconnecting the connection with the forwarding device, and reestablishing the connection with the forwarding device according to the identifier ID.
Specifically, in practical applications, a three-dimensional rectangular coordinate system as shown in fig. 13 may be established from the first traffic, the second traffic, the third traffic, the first traffic threshold, the second traffic threshold and the third traffic threshold (where the first traffic threshold may be determined according to the first traffic that has historically arrived at the forwarding device, the second traffic threshold according to the second traffic that has historically flowed out of the forwarding device, and the third traffic threshold according to the third traffic that has historically flowed through the forwarding device); wherein $P_A$ has the coordinates $(I_A, O_A, T_A)$ and $P_{AN}$ has the coordinates $(P_{N\text{-}X}, P_{N\text{-}Y}, P_{N\text{-}Z})$, $P_{N\text{-}X}$ is equal to the first flow threshold, $P_{N\text{-}Y}$ is equal to the second flow threshold, $P_{N\text{-}Z}$ is equal to the third flow threshold, $I_A$ denotes the first flow, $O_A$ denotes the second flow, and $T_A$ denotes the third flow.
When point $P_A$ falls outside the closed space formed by $P_{AN}$ with the XY plane, the XZ plane and the YZ plane (corresponding to the first flow being larger than the first flow threshold, or the second flow being larger than the second flow threshold, or the third flow being larger than the third flow threshold), an abnormal condition exists at that moment; when point $P_A$ falls within the closed space formed by $P_{AN}$ with the XY plane, the XZ plane and the YZ plane (equivalent to the first flow being less than or equal to the first flow threshold, the second flow being less than or equal to the second flow threshold, and the third flow being less than or equal to the third flow threshold), no abnormal condition exists, so that whether an abnormality currently exists can be judged more intuitively.
It should be noted that the traffic analysis function in the security module performs traffic analysis on each forwarding device that has established a connection with the SDN controller, and analyzes abnormal traffic between forwarding devices by comparing 3 parameters, that is, inbound traffic, outbound traffic and through traffic.
For example, taking fig. 14 as an example, there are 3 forwarding devices (forwarding device a, forwarding device B, and forwarding device C, respectively) in the figure, and flow table information issued by the SDN controller includes source (src) IP and destination (des) IP information, that is, information indicating that a flow goes from one forwarding device to another forwarding device.
For the forwarding device owning the srcIP the flow is outbound traffic; for the forwarding device owning the desIP it is inbound traffic; and according to the routing information, it is recorded as through traffic for the forwarding devices along the path. For example, if the SDN controller issues a flow whose srcIP is the IP of forwarding device A and whose desIP is the IP of forwarding device C, the flow is outbound traffic for forwarding device A, inbound traffic for forwarding device C, and through traffic for forwarding device B.
Each forwarding device has a flow counting function, and after a certain period of time, the SDN controller acquires flow data from each device, records the flow conditions in a specified time period, and compares the flow data with the previous flow data to analyze whether abnormal conditions exist.
Taking forwarding device A as an example, forwarding device A itself can count the traffic entering it and the traffic leaving it, and from the flow table information we know the traffic sent from forwarding device A, that is, the outflow traffic, and the traffic destined for forwarding device A, that is, the inflow traffic; from the traffic leaving forwarding device A as counted by the device itself, we can then obtain the traffic passing through forwarding device A, i.e. the through traffic.
The flow condition of forwarding device A in a specified time period can thus be obtained and used to determine the coordinates of point $P_A$; by determining the positional relationship between point $P_A$ and the closed space formed by $P_{AN}$ with the XY plane, the XZ plane and the YZ plane, a DoS attack such as that in fig. 3 or fig. 4 can be recognized.
Specifically, for computational convenience, when determining the coordinates of point $P_A$, they may be expressed directly by the first flow, the second flow and the third flow, i.e. point $P_A$ has the coordinates $(I_A, O_A, T_A)$.
Optionally, as shown in fig. 7, fig. 15 and fig. 16, the method further includes:
and S104, when the SDN controller determines according to the historical data that the preset condition is not met, and the first number of times is greater than a second threshold, or the second number of times is greater than a third threshold, generating alarm information, disconnecting the connection with the forwarding equipment, and reestablishing the connection with the forwarding equipment according to the identification ID.
Wherein, the SDN controller determining according to the historical data that the preset condition is not met, and that the first number of times is greater than the second threshold, or the second number of times is greater than the third threshold, generating the alarm information, disconnecting the connection with the forwarding device, and reestablishing the connection with the forwarding device according to the identifier ID, includes:
and S1040, when the SDN controller determines according to the historical data that the condition "the number of interactions within the specified time period is greater than or equal to a first threshold" is not met, and determines that the first number of times is greater than the second threshold, or the second number of times is greater than the third threshold, the SDN controller generates alarm information, disconnects the connection with the forwarding equipment, and reestablishes the connection with the forwarding equipment according to the identification ID.
Or,
and S1041, when the SDN controller determines according to the historical data that the condition "the difference between the current time and the connection time is greater than or equal to the time threshold" is not met, and determines that the first number of times is greater than the second threshold, or the second number of times is greater than the third threshold, the SDN controller generates alarm information, disconnects the connection with the forwarding equipment, and reestablishes the connection with the forwarding equipment according to the identification ID.
Specifically, in practical applications, a rectangular coordinate system as shown in fig. 17 may be established from the first number of times, the second number of times, the second threshold and the third threshold; wherein point $P_{SA}$ has the coordinates $(I_{SA}, O_{SA})$ and $P_{SN}$ has the coordinates $(P_{SN\text{-}X}, P_{SN\text{-}Y})$, $P_{SN\text{-}X}$ is equal to a first threshold, $P_{SN\text{-}Y}$ is equal to a second threshold, $I_{SA}$ denotes the first number of times, and $O_{SA}$ denotes the second number of times.
When point $P_{SA}$ falls outside the closed region formed by $P_{SN}$ with the X axis and the Y axis (equivalent to the first number of times being greater than the second threshold, or the second number of times being greater than the third threshold), an abnormal condition exists at that moment; when point $P_{SA}$ falls within the closed region formed by $P_{SN}$ with the X axis and the Y axis (equivalent to the first number of times being less than or equal to the second threshold and the second number of times being less than or equal to the third threshold), no abnormal condition exists, so that whether an abnormality currently exists can be judged more intuitively.
It should be noted that, in practical applications, there is no flow-through traffic for the SDN controller, so only the inflow traffic and the outflow traffic are analyzed for the SDN controller.
For the SDN controller, the outflow traffic refers to the second number of times, i.e. the number of times the SDN controller sends a forwarding flow table (a service issuing command request) to the forwarding device, and the inflow traffic refers to the first number of times, i.e. the number of times the forwarding device sends a service query or resource scheduling request to the controller; the request flows between the SDN controller and each forwarding device need to be analyzed so that, when an abnormal condition occurs, it can be located quickly among several devices.
Similarly, the coordinates of point $P_{SA}$ can be determined from the first number of times and the second number of times within the specified time period; by determining the positional relationship between point $P_{SA}$ and the closed region formed by $P_{SN}$ with the X axis and the Y axis, the DoS attack of fig. 2 can be recognized.
Specifically, for computational convenience, when determining the coordinates of point $P_{SA}$, they may be expressed directly by the first number of times and the second number of times, i.e. point $P_{SA}$ has the coordinates $(I_{SA}, O_{SA})$.
Specifically, as shown in fig. 7, when forwarding device A accesses the network it needs to perform authentication with the SDN controller (the SDN controller allocates an initial identifier ID to forwarding device A), so that the SDN controller can carry out service interaction with forwarding device A normally; the SDN controller then monitors the traffic of forwarding device A and analyzes its traffic point $P_A$. If the difference between current_time and connection_time is not less than the interval, or the monitored count value exceeds (i.e. is greater than or equal to) the first threshold, alarm information is generated, authentication between the SDN controller and the device is performed again, and the above steps are repeated; if the difference between current_time and connection_time is less than the interval or the count value is less than the first threshold, and the monitored traffic $P_A$ is greater than or equal to the flow threshold, an alarm is sent, the SDN controller disconnects from forwarding device A, and the connection with the forwarding device is reestablished according to the identification ID; when $P_{SA}$ is greater than or equal to the second threshold (indicating that the SDN controller may be under DoS attack), the SDN controller disconnects from all forwarding devices, handles the attack, and reconnects with forwarding device A after detecting that the SDN controller is back to normal.
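As an added illustration (not code from the patent), the following Python models the security-module logic described above: the per-device traffic point $P_A$ derived from flow-table entries, the box check against $P_{AN}$, the controller-side check of $(I_{SA}, O_{SA})$, and the alarm, disconnect and reconnect-with-a-fresh-identifier-ID response. The device names, thresholds, flow-table record layout and sample flows are constructed assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Flow:
    src_dev: str      # forwarding device that owns the source IP
    dst_dev: str      # forwarding device that owns the destination IP
    path: tuple       # devices on the route, source device first
    byte_count: int   # bytes counted for this flow in the time window


def traffic_point(flows, dev):
    """P_A = (I_A, O_A, T_A): a flow is outflow for the device owning its src
    IP, inflow for the device owning its dst IP, through traffic for the rest."""
    inflow = outflow = through = 0
    for f in flows:
        if f.src_dev == dev:
            outflow += f.byte_count
        elif f.dst_dev == dev:
            inflow += f.byte_count
        elif dev in f.path:
            through += f.byte_count
    return (inflow, outflow, through)


def outside_box(point, limits):
    """True when at least one coordinate exceeds its threshold, i.e. the point
    lies outside the closed box spanned by the origin and the limit point."""
    return any(v > lim for v, lim in zip(point, limits))


@dataclass
class Connection:
    ident: str             # identifier ID, regenerated on every (re)connect
    connected_at: float    # connection time of the current session
    first_count: int = 0   # requests the device sent to the controller
    second_count: int = 0  # flow tables the controller sent to the device


class Controller:
    def __init__(self, first_threshold, time_threshold, second_threshold, third_threshold):
        self.first_threshold = first_threshold    # on first_count + second_count
        self.time_threshold = time_threshold      # maximum connection age
        self.second_threshold = second_threshold  # on I_SA (requests received)
        self.third_threshold = third_threshold    # on O_SA (flow tables sent)
        self.conns = {}
        self.alarms = []

    def connect(self, dev, now):
        self.conns[dev] = Connection(secrets.token_hex(8), now)
        return self.conns[dev].ident

    def reconnect(self, dev, now, reason):
        """Alarm, drop the session and re-establish it under a fresh ID, so a
        captured ID cannot be reused to reach the controller."""
        self.alarms.append((dev, reason))
        del self.conns[dev]
        return self.connect(dev, now)

    def check_device(self, dev, now, flows, limits):
        """Preset conditions first; only when neither is met, the traffic box."""
        c = self.conns[dev]
        if c.first_count + c.second_count >= self.first_threshold:
            return self.reconnect(dev, now, "interaction count")
        if now - c.connected_at >= self.time_threshold:
            return self.reconnect(dev, now, "connection age")
        if outside_box(traffic_point(flows, dev), limits):
            return self.reconnect(dev, now, "traffic")
        return None

    def check_controller(self, now):
        """P_SA = (I_SA, O_SA) per session vs controller thresholds; a hit drops all."""
        for c in list(self.conns.values()):
            if outside_box((c.first_count, c.second_count),
                           (self.second_threshold, self.third_threshold)):
                for dev in list(self.conns):
                    self.reconnect(dev, now, "controller DoS")
                return True
        return False


def demo():
    """Constructed scenario: devices A, B, C; routes between A and C transit B."""
    ctl = Controller(first_threshold=100, time_threshold=3600.0,
                     second_threshold=60, third_threshold=60)
    ids = {dev: ctl.connect(dev, 0.0) for dev in "ABC"}
    flows = [Flow("A", "C", ("A", "B", "C"), 4000),
             Flow("C", "A", ("C", "B", "A"), 1000),
             Flow("B", "A", ("B", "A"), 500)]
    limits_a = (1800, 4500, 0)  # P_AN for A, assumed from A's traffic history
    quiet = ctl.check_device("A", 10.0, flows, limits_a)     # P_A inside the box
    burst = flows + [Flow("A", "C", ("A", "B", "C"), 3000)]   # O_A rises to 7000
    new_id = ctl.check_device("A", 20.0, burst, limits_a)     # outside: alarm
    ctl.conns["B"].first_count = 75                           # I_SA above 60
    hit = ctl.check_controller(30.0)
    return {"p_a": traffic_point(flows, "A"), "p_b": traffic_point(flows, "B"),
            "quiet": quiet, "id_changed": new_id != ids["A"],
            "controller_hit": hit, "alarms": ctl.alarms}
```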
The invention discloses an SDN network detection and prevention scheme for handling DoS attacks, which can effectively identify the DoS attacks aiming at a management plane or a forwarding plane and give an alarm according to the attacks by providing an authentication method of an SDN management plane and the forwarding plane and a flow analysis method of the management plane and the forwarding plane.
According to the scheme, the embodiment of the invention acquires the historical data of a forwarding device with an established connection and judges from that data whether the forwarding device is under DoS attack; when the forwarding device meets the preset condition according to the historical data, alarm information is generated and the connection with the forwarding device is disconnected, so that an attack on the SDN controller can be prevented. Meanwhile, to prevent other users from initiating requests to the SDN controller through the forwarding device after the connection is disconnected, the connection with the forwarding device is reestablished according to the identification ID after it is disconnected; since the identification ID of each connection established between the SDN controller and the forwarding device is different, an attacker is prevented from again forging request information with the forwarding device's identification ID, source IP address, destination IP address and other related information to mount a DoS attack at the SDN controller layer, and normal operation of the SDN controller is ensured. This solves the problem in the prior art that an attacker who obtains the identification ID (identity), source IP address, destination IP address and other related information of a forwarding device can carry out a DoS (denial of service) attack on the SDN controller layer, causing large-area network paralysis and affecting user experience.
Example two
An embodiment of the present invention provides an SDN controller 10, as shown in fig. 18, including:
an obtaining unit 101, configured to obtain historical data of a forwarding device to which a connection has been established; the historical data comprises a first number of times that the forwarding device sends a request to the SDN controller and a second number of times that the SDN controller sends a message to the forwarding device, or the historical data comprises connection time that the forwarding device establishes connection with the SDN controller last time.
A processing unit 102, configured to generate alarm information and disconnect the connection with the forwarding device when it is determined that a preset condition is met according to the history data acquired by the acquiring unit 101, and reestablish the connection with the forwarding device according to the identifier ID; the ID of the connection established with the forwarding equipment is different every time, and the alarm information is used for indicating that the forwarding equipment has DOS attack.
Optionally, the historical data comprises a first number and a second number; the processing unit 102 is specifically configured to generate alarm information and disconnect the connection with the forwarding device when determining that the sum of the first number of times and the second number of times within a specified time period is greater than or equal to a first threshold value according to the first number acquired by the acquiring unit 101 and the second number acquired by the acquiring unit 101, and reestablish the connection with the forwarding device according to the identifier ID; the ID of the connection established with the forwarding equipment is different every time, and the alarm information is used for indicating that the forwarding equipment has DOS attack.
Optionally, the historical data includes connection time; the processing unit 102 is specifically configured to, when determining that the difference between the current time and the connection time is greater than or equal to the time threshold according to the connection time acquired by the acquisition unit 101, generate alarm information, disconnect the forwarding device, and reestablish the connection with the forwarding device according to the identifier ID.
Optionally, the history data further includes a first traffic arriving at the forwarding device, a second traffic flowing out of the forwarding device, and a third traffic flowing through the forwarding device; the processing unit 102 is further configured to, when it is determined that the preset condition is not met according to the history data acquired by the acquiring unit 101, determine that the first flow acquired by the acquiring unit 101 is greater than a first flow threshold, or that the second flow acquired by the acquiring unit 101 is greater than a second flow threshold, or that the third flow acquired by the acquiring unit 101 is greater than a third flow threshold, generate alarm information and disconnect the forwarding device, and reestablish the connection with the forwarding device according to the identifier ID.
Optionally, the processing unit 102 is further configured to, when it is determined that the preset condition is not met according to the history data acquired by the acquiring unit 101, determine that the first number acquired by the acquiring unit 101 is greater than a second threshold, or when the second number acquired by the acquiring unit 101 is greater than a third threshold, generate the alarm information and disconnect the connection with the forwarding device, and reestablish the connection with the forwarding device according to the identifier ID.
For the details of each step of the above method embodiment, reference may be made to the functional description of the corresponding functional module, which is not repeated here.
In the case of integrated modules, the SDN controller 10 includes: the device comprises a storage unit, a processing unit and an acquisition unit. The processing unit is configured to control and manage an action of the SDN controller, for example, the processing unit is configured to support the SDN controller to execute processes S101 and S102 in fig. 6; the obtaining unit is used for supporting information interaction between the SDN controller and other devices. And the storage unit is used for storing the program codes and data of the SDN controller.
For example, the processing unit is a processor, the storage unit is a memory, and the obtaining unit is a communication interface. The SDN controller is shown in fig. 19, and includes a communication interface 501, a processor 502, a memory 503, and a bus 504, where the communication interface 501 and the processor 502 are connected to the memory 503 through the bus 504.
The processor 502 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application-Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to control the execution of programs in accordance with the teachings of the present disclosure.
The Memory 503 may be a Read-Only Memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical Disc storage, optical Disc storage (including Compact Disc, laser Disc, optical Disc, digital versatile Disc, blu-ray Disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 503 is used for storing application program codes for executing the scheme of the application, and the processor 502 controls the execution. The communication interface 501 is used for information interaction with other devices, such as a remote controller. The processor 502 is configured to execute application program code stored in the memory 503 to implement the methods described in the embodiments of the present application.
Further, a computing storage medium (or media) is also provided, comprising instructions that when executed perform the method operations performed by the SDN controller in the above embodiments. Additionally, a computer program product is also provided, comprising the above-described computing storage medium (or media).
It should be understood that, in various embodiments of the present invention, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described device embodiments are merely illustrative, and for example, the division of the units is only one logical functional division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It can be understood that any SDN controller provided above is used to execute a corresponding method of the above-provided embodiments, and therefore, the beneficial effects that can be achieved by the SDN controller refer to the beneficial effects of the method of the above-mentioned embodiment one and the corresponding scheme in the following detailed implementation, which are not described herein again.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (12)

1. A method of data transmission, comprising:
the SDN controller acquires historical data of forwarding equipment with established connection; wherein the historical data comprises a first number of times the forwarding device sends a request to the SDN controller and a second number of times the SDN controller sends a message to the forwarding device, or the historical data comprises a connection time when the forwarding device last established a connection with the SDN controller;
the SDN controller generates alarm information and disconnects the forwarding equipment when determining that preset conditions are met according to the historical data, and reestablishes the connection with the forwarding equipment according to the identification ID; and each time the identifier ID of the SDN controller establishing connection with the forwarding device is different, the alarm information is used for indicating that the forwarding device has DOS attack.
2. The data transmission method according to claim 1, wherein the history data includes the first number and the second number;
the SDN controller generates alarm information and disconnects the connection with the forwarding equipment when determining that a preset condition is met according to the historical data, and reestablishes the connection with the forwarding equipment according to the identification ID, and the method comprises the following steps:
and when the SDN controller determines according to the first times and the second times that the sum of the first times and the second times in a specified time period is greater than or equal to a first threshold value, generating alarm information, disconnecting the connection with the forwarding equipment, and reestablishing the connection with the forwarding equipment according to the identification ID.
3. The data transmission method according to claim 1, wherein the history data includes the connection time;
the SDN controller generates alarm information and disconnects the connection with the forwarding equipment when determining that a preset condition is met according to the historical data, and reestablishes the connection with the forwarding equipment according to the identification ID, and the method comprises the following steps:
and when the SDN controller determines that the difference value between the current time and the connection time is greater than or equal to a time threshold value according to the connection time, generating alarm information, disconnecting the connection with the forwarding equipment, and reestablishing the connection with the forwarding equipment according to the identification ID.
4. The data transmission method according to claim 1, wherein the history data further includes a first traffic to the forwarding device, a second traffic to flow from the forwarding device, and a third traffic to flow through the forwarding device;
the method further comprises the following steps:
and when the SDN controller determines that the first flow is larger than a first flow threshold value, or the second flow is larger than a second flow threshold value, or the third flow is larger than a third flow threshold value according to the historical data and when the preset condition is not met, generating alarm information, disconnecting the connection with the forwarding equipment, and reestablishing the connection with the forwarding equipment according to the identification ID.
5. The data transmission method of claim 1, further comprising:
and when the SDN controller determines according to the historical data that a preset condition is not met, and the first number of times is larger than a second threshold value, or the second number of times is larger than a third threshold value, generating alarm information, disconnecting the connection with the forwarding equipment, and reestablishing the connection with the forwarding equipment according to an identification ID.
6. An SDN controller, comprising:
an acquisition unit, configured to acquire historical data of a forwarding device to which a connection has been established; wherein the historical data comprises a first number of times the forwarding device sends a request to the SDN controller and a second number of times the SDN controller sends a message to the forwarding device, or the historical data comprises a connection time when the forwarding device last established a connection with the SDN controller;
the processing unit is used for generating alarm information and disconnecting the connection with the forwarding equipment when the historical data acquired by the acquisition unit meets the preset condition, and reestablishing the connection with the forwarding equipment according to the identification ID; and each time the identifier ID of the SDN controller establishing connection with the forwarding device is different, the alarm information is used for indicating that the forwarding device has DOS attack.
7. The SDN controller of claim 6, wherein the historical data comprises the first number and the second number;
the processing unit is specifically configured to generate alarm information and disconnect the connection with the forwarding device when determining that the sum of the first number of times and the second number of times within a specified time period is greater than or equal to a first threshold according to the first number of times acquired by the acquiring unit and the second number of times acquired by the acquiring unit, and reestablish the connection with the forwarding device according to the identification ID.
8. The SDN controller of claim 6, wherein the historical data comprises the connection time;
the processing unit is specifically configured to generate alarm information and disconnect the connection with the forwarding device when determining that the difference between the current time and the connection time is greater than or equal to a time threshold according to the connection time acquired by the acquisition unit, and reestablish the connection with the forwarding device according to the identification ID.
9. The SDN controller of claim 6, wherein the historical data further comprises first traffic to the forwarding device, second traffic flowing from the forwarding device, and third traffic flowing through the forwarding device;
the processing unit is further configured to, when it is determined that a preset condition is not met according to the historical data acquired by the acquisition unit, determine that the first flow acquired by the acquisition unit is greater than a first flow threshold, or that the second flow acquired by the acquisition unit is greater than a second flow threshold, or that the third flow acquired by the acquisition unit is greater than a third flow threshold, generate warning information and disconnect the forwarding device, and reestablish a connection with the forwarding device according to an identifier ID.
10. The SDN controller of claim 6, wherein the processing unit is further configured to, when determining, according to the historical data acquired by the acquiring unit, that a preset condition is not met, determine that the first number acquired by the acquiring unit is greater than a second threshold, or when the second number acquired by the acquiring unit is greater than a third threshold, generate alarm information and disconnect the forwarding device, and reestablish a connection with the forwarding device according to an identifier ID.
11. A computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the data transmission method of any one of claims 1 to 5.
12. An SDN controller, comprising: communication interface, processor, memory, bus; the memory is used for storing computer execution instructions, the processor is connected with the memory through the bus, when the SDN controller runs, the processor executes the computer execution instructions stored in the memory, so that the SDN controller executes the data transmission method of any one of the claims 1-5.
CN201910390899.5A 2019-05-10 2019-05-10 Data transmission method and SDN controller Active CN110247893B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910390899.5A CN110247893B (en) 2019-05-10 2019-05-10 Data transmission method and SDN controller

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910390899.5A CN110247893B (en) 2019-05-10 2019-05-10 Data transmission method and SDN controller

Publications (2)

Publication Number Publication Date
CN110247893A true CN110247893A (en) 2019-09-17
CN110247893B CN110247893B (en) 2021-07-13

Family

ID=67884248

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910390899.5A Active CN110247893B (en) 2019-05-10 2019-05-10 Data transmission method and SDN controller

Country Status (1)

Country Link
CN (1) CN110247893B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561011A (en) * 2013-10-28 2014-02-05 中国科学院信息工程研究所 Method and system for preventing blind DDoS attacks on SDN controllers
CN104158800A (en) * 2014-07-21 2014-11-19 南京邮电大学 Detection method of DDoS (Distributed Denial of Service) attack for software defined network (SDN)
CN105282169A (en) * 2015-11-04 2016-01-27 中国电子科技集团公司第四十一研究所 DDoS attack warning method and system based on SDN controller threshold
CN106034105A (en) * 2015-03-09 2016-10-19 国家计算机网络与信息安全管理中心 OpenFlow switch and method for processing DDoS attack
CN106534133A (en) * 2016-11-17 2017-03-22 浙江工商大学 Deep learning based DDOS defensive device and method in SDN
CN106561016A (en) * 2015-11-19 2017-04-12 国网智能电网研究院 DDoS attack detection device and method for SDN controller based on entropy
CN107438074A (en) * 2017-08-08 2017-12-05 北京神州绿盟信息安全科技股份有限公司 The means of defence and device of a kind of ddos attack
CN107509128A (en) * 2017-08-16 2017-12-22 中国联合网络通信集团有限公司 A kind of method and system of core network access
WO2018076949A1 (en) * 2016-10-31 2018-05-03 腾讯科技(深圳)有限公司 Traffic attack protection method and system, controller, router, and storage medium
CN108282497A (en) * 2018-04-28 2018-07-13 电子科技大学 For the ddos attack detection method of SDN control planes
US20190097931A1 (en) * 2017-09-28 2019-03-28 Argela Yazilim ve Bilisim Teknolojileri San. ve Tic. A.S. System and method for control traffic reduction between sdn controller and switch

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
NHU-NGOC DAO, JOONGHEON KIM, MINHO PARK, SUNGRAE CHO: "Adaptive Suspicious Prevention for Defending DoS Attacks", PLOS ONE *
孙凤木: "Research on DDoS attack detection and mitigation techniques for SDN networks", China Master's Theses Full-text Database, Information Science and Technology *
毛明, 陈庶樵, 崔世建: "Research on reliability optimization in SDN controller deployment", Application of Electronic Technique *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110943979A (en) * 2019-11-19 2020-03-31 普联技术有限公司 SDN network attack detection method, device, equipment and system
CN111343206A (en) * 2020-05-19 2020-06-26 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN111343206B (en) * 2020-05-19 2020-08-21 上海飞旗网络技术股份有限公司 Active defense method and device for data flow attack
CN113938312A (en) * 2021-11-12 2022-01-14 北京天融信网络安全技术有限公司 Detection method and device for brute force cracking flow
CN113938312B (en) * 2021-11-12 2024-01-26 北京天融信网络安全技术有限公司 Method and device for detecting violent cracking flow

Also Published As

Publication number Publication date
CN110247893B (en) 2021-07-13

Similar Documents

Publication Publication Date Title
US11671402B2 (en) Service resource scheduling method and apparatus
US11153336B2 (en) Network security analysis for smart appliances
US9130983B2 (en) Apparatus and method for detecting abnormality sign in control system
US10291539B2 (en) Methods, systems, and computer readable media for discarding messages during a congestion event
US8881259B2 (en) Network security system with customizable rule-based analytics engine for identifying application layer violations
CN110247893B (en) Data transmission method and SDN controller
CN106453669B (en) Load balancing method and server
JP6692178B2 (en) Communications system
CN108028828B (en) A distributed denial of service DDoS attack detection method and related equipment
CN106506664B (en) Server load balancing method and device
JPWO2016194123A1 (en) Relay device, network monitoring system, and program
EP3926924A1 (en) Method and system for providing edge service, and computing device
US9847970B1 (en) Dynamic traffic regulation
JP2016111664A (en) Computer packaging system, and secure path selection method utilizing network evaluation
JP6834768B2 (en) Attack detection method, attack detection program and relay device
US10476746B2 (en) Network management method, device, and system
WO2017016454A1 (en) Method and device for preventing ddos attack
JP2016163180A (en) COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM
CN102045379A (en) Method and system for IP storage and storage equipment
US8370897B1 (en) Configurable redundant security device failover
WO2019230739A1 (en) Abnormality detection apparatus, abnormality detection method, and abnormality detection program
US20100157806A1 (en) Method for processing data packet load balancing and network equipment thereof
CN108199965B (en) Flow spec table item issuing method, network device, controller and autonomous system
JP2007180891A (en) Communication device, packet transmission control method used therefor, and program
JP2017050869A (en) Access control device and authentication control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant