
CN104539595B - An SDN architecture and working method integrating threat handling and route optimization - Google Patents


Info

Publication number
CN104539595B
Authority
CN
China
Prior art keywords
message
attack
plane
network
threat
Prior art date
Legal status
Expired - Fee Related
Application number
CN201410788069.5A
Other languages
Chinese (zh)
Other versions
CN104539595A (en)
Inventor
史毓凯
杨种学
陈飞
张家华
王江平
李滢
欧家豪
Current Assignee
Nanjing Xiaozhuang University
Original Assignee
Nanjing Xiaozhuang University
Priority date
Filing date
Publication date
Application filed by Nanjing Xiaozhuang University
Priority to CN201711302091.4A (CN107786578A)
Priority to CN201711302100.XA (CN107888619A)
Priority to CN201711302098.6A (CN107888618A)
Priority to CN201410788069.5A (CN104539595B)
Publication of CN104539595A
Application granted
Publication of CN104539595B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H04L 63/1416: network security, detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • H04L 45/123: routing or path finding of packets in data switching networks, shortest path evaluation; evaluation of link metrics
    • H04L 45/125: routing or path finding, shortest path evaluation based on throughput or bandwidth
    • H04L 49/208: packet switching elements, support for services; port mirroring
    • H04L 63/0227: network security, separating internal from external traffic, e.g. firewalls; filtering policies
    • H04L 63/0236: filtering by address, protocol, port number or service, e.g. IP address or URL
    • H04L 63/1425: detecting malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L 63/1458: countermeasures against malicious traffic; denial of service
    • H04L 63/20: managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an SDN architecture, system and working method that integrate threat handling and route optimization. The SDN network architecture comprises an application plane, a data plane and a control plane. In the data plane, when any IDS device detects a packet bearing DDoS attack characteristics, it reports the packet to the application plane over an SSL communication channel. The application plane analyses the attack type and customizes the corresponding threat handling policy according to that type. The control plane provides the application plane with a threat handling interface and provides the data plane with an optimal path computation and/or threat identification interface. When the network is under a large-scale DDoS threat, the invention lets it forward traffic along routes optimized for the real-time state of the links while identifying and responding to the DDoS threat quickly and accurately, so that communication quality is preserved throughout.

Description

An SDN architecture and working method integrating threat handling and route optimization

Technical field

The invention relates to the field of network security, and in particular to an SDN architecture and working method that integrate DDoS threat filtering with route optimization.

Background

High-speed, widely connected networks have become critical infrastructure of modern society. As the Internet has grown, however, the shortcomings of the traditional network architecture and its protocol standards have become increasingly apparent.

The latest report from the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) shows that hacker activity is becoming more frequent and that incidents such as website backdoors, phishing and malware planted on web pages are rising sharply, so that national and corporate network security faces serious challenges.

Among these threats, distributed denial of service (DDoS) remains one of the most significant to the operational security of the Internet. Over the past few years the number, size and variety of DDoS attacks have all grown substantially.

Software-defined networking (SDN) allows routing policies and rules to be updated in real time and supports deep packet analysis, so it can provide faster and more accurate monitoring of, and defence against, DDoS threats in complex network environments.

Summary of the invention

The object of the invention is to provide an SDN architecture and working method integrating threat handling and route optimization, so as to address the network security problems caused by the large volume of DDoS attacks in existing networks and to identify and defend against DDoS attacks quickly, efficiently and comprehensively.

To solve the above technical problem, the invention provides an SDN network architecture comprising an application plane, a data plane and a control plane, wherein:

the data plane, when any IDS device located in it detects a packet with DDoS attack characteristics, reports the packet to the application plane over an SSL communication channel;

the application plane analyses the attack type and customizes the corresponding threat handling policy according to that type; and

the control plane provides the application plane with a threat handling interface and provides the data plane with an optimal path computation and/or threat identification interface.

Preferably, to implement DDoS detection in the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects address spoofing at the link layer and the Internet layer; a malformed-packet detection module, which detects abnormal flag settings at the Internet layer and the transport layer; and an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer. A packet is inspected by the spoofed-packet, malformed-packet and anomalous-packet detection modules in turn; if any module finds the corresponding behaviour in the packet, the packet is passed to the application plane.

Preferably, the application plane is arranged so that, when a packet exhibits spoofing and the attack source lies within the OpenFlow domain, the host is blocked through the controller in the control plane; or, when the attack source lies outside the OpenFlow domain, the traffic of the switch access port associated with the packet is redirected through the controller to a traffic scrubbing center for filtering;

the application plane is further arranged so that, when a packet is malformed, the traffic of the attacking program or attacking host is blocked through the controller; and

when a packet exhibits flooding behaviour, the application plane redirects the traffic of the switch access port associated with the packet through the controller to the traffic scrubbing center for filtering.

Beneficial effects of the invention: the DDoS threat monitoring, threat protection and route optimization functions are deployed as separate modules across the data plane, control plane and application plane. When the network is under a large-scale DDoS threat it can forward traffic along routes optimized for the real-time state of the links while identifying and responding to the DDoS threat quickly and accurately, preserving communication quality throughout.

In another aspect, the invention also provides a working method for a DDoS-threat-filtering SDN system, to solve the technical problem of defending against DDoS attacks.

To solve that problem, the working method of the DDoS-threat-filtering SDN system comprises: when any IDS device detects a packet with DDoS attack characteristics, it reports the packet to the IDS decision server over an SSL communication channel; the IDS decision server formulates, from the reported information, the handling policy for the packet, and then either blocks the packet's source through the controller or redirects the traffic of the switch access port associated with the packet to the traffic scrubbing center for filtering.

Preferably, to implement DDoS detection in the IDS device, the IDS device comprises: a spoofed-packet detection module, which detects address spoofing at the link layer and the Internet layer; a malformed-packet detection module, which detects abnormal flag settings at the Internet layer and the transport layer; and an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer. A packet is inspected by the spoofed-packet, malformed-packet and anomalous-packet detection modules in turn; if any module finds the corresponding behaviour in the packet, the packet is passed to the IDS decision server.

Preferably, the IDS decision server is arranged so that, when a packet exhibits spoofing and the attack source lies within the OpenFlow domain, the host is blocked through the controller; or, when the attack source lies outside the OpenFlow domain, the traffic of the switch access port associated with the packet is redirected through the controller to the traffic scrubbing center for filtering. The IDS decision server is further arranged so that, when a packet is malformed, the traffic of the attacking program or attacking host is blocked through the controller; and, when a packet exhibits flooding behaviour, the IDS decision server redirects the traffic of the switch access port associated with the packet through the controller to the traffic scrubbing center for filtering.

In a third aspect, the invention also provides a working method for an SDN system integrating threat handling and route optimization, to solve the technical problem of monitoring DDoS attacks in a distributed manner and then formulating the corresponding threat handling policy.

To solve that problem, the working method of the SDN system integrating threat handling and route optimization comprises the following steps:

step S100, network initialization; step S200, distributed DDoS threat monitoring; and step S300, threat handling and/or route optimization.

Preferably, to configure the network properly, the devices involved in the network initialization of step S100 comprise a controller, an IDS decision server and distributed IDS devices;

the network initialization steps are as follows:

the controller builds a network device information binding table and pushes updates of that table to every IDS device in real time;

the controller installs flow entries implementing a mirroring policy, that is, the traffic of every port of each OF (OpenFlow) switch to which a host is attached is mirrored to the IDS device responsible for that network domain; and

the controller distributes the DDoS threat identification rules to the IDS devices of each network domain.

In step S200 the distributed DDoS threat monitoring method comprises:

checking, in turn, for address spoofing at the link layer and the Internet layer, for abnormal flag settings at the Internet layer and the transport layer, and for flooding attacks at the application layer and the transport layer;

if any of these checks determines that the packet exhibits the corresponding behaviour, the packet is passed to step S300.

Preferably, the method for detecting address spoofing at the link layer and the Internet layer comprises:

detecting spoofing with the spoofed-packet detection module, that is: first, the module loads the network device information binding table; second, it parses the packet encapsulated in the Packet-In message to obtain its source and destination IP addresses, its MAC addresses, and the DPID and port number of the switch that sent the Packet-In, and compares each of these with the corresponding entry in the binding table. If the packet's information matches, the packet proceeds to the next check; if it does not match, the packet is passed to step S300.

The method for detecting abnormal flag settings at the Internet layer and the transport layer comprises: detecting abnormal flag settings with the malformed-packet detection module, that is, examining each flag bit of the packet to determine whether it conforms to the TCP/IP protocol specifications. If every flag bit conforms, the packet proceeds to the next check; if not, the packet is passed to step S300.

The method for detecting flooding attacks at the application layer and the transport layer comprises: detecting flooding with the anomalous-packet detection module, that is, building in that module a hash table used to identify flooding packets and judging, against the threshold configured for that table, whether the packet belongs to a flooding attack; the result is passed to step S300.
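The three sequential checks described above, written out as an added example in Python; this is not code from the patent. It runs a spoof check against a controller-supplied binding table, a TCP flag sanity check, and a per-source flood threshold evaluated within a fixed time slice. The binding table contents, the Packet-In field names, the flag combinations treated as malformed and the threshold values are all assumptions, since the patent does not specify them.

```python
"""Three-stage DDoS pre-filter in the order described in the text:
spoof check -> flag check -> flood threshold.  Added example, not the
patent's code; field names, thresholds and flag rules are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed binding table as the controller would push it to each IDS:
# (switch DPID, port) -> (MAC, IP) of the host attached there (assumed shape).
BINDING_TABLE = {
    (1, 1): ("00:00:00:00:00:01", "10.0.0.1"),
    (1, 2): ("00:00:00:00:00:02", "10.0.0.2"),
    (2, 1): ("00:00:00:00:00:03", "10.0.0.3"),
}

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class PacketIn:
    """The fields the IDS parses out of a Packet-In message (assumed names)."""
    dpid: int
    in_port: int
    src_mac: str
    src_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    tcp_flags: int = 0


def check_spoof(pkt):
    """Module 1: the source MAC/IP must be the pair bound to the ingress switch port."""
    bound = BINDING_TABLE.get((pkt.dpid, pkt.in_port))
    if bound != (pkt.src_mac, pkt.src_ip):
        return "spoof"
    return None


def check_flags(pkt):
    """Module 2: reject TCP flag combinations no conformant stack emits (assumed rule set)."""
    if pkt.proto != "tcp":
        return None
    f = pkt.tcp_flags & 0x3F
    if f == 0:                                          # NULL: no flags at all
        return "malformed"
    if (f & SYN) and (f & (FIN | RST)):                 # SYN together with FIN or RST
        return "malformed"
    if (f & (FIN | PSH | URG)) == (FIN | PSH | URG):    # XMAS
        return "malformed"
    return None


def flood_kind(pkt):
    """Which flood counter a packet feeds: SYN, UDP or ICMP (anything else is not counted)."""
    if pkt.proto == "tcp":
        return "syn" if (pkt.tcp_flags & SYN) and not (pkt.tcp_flags & ACK) else None
    return pkt.proto if pkt.proto in ("udp", "icmp") else None


class FloodCounter:
    """Module 3: per-source packet counts within a time slice, one threshold per flood type."""

    def __init__(self, slice_len=1.0, thresholds=None):
        self.slice_len = slice_len
        self.thresholds = thresholds or {"syn": 100, "udp": 200, "icmp": 50}   # assumed values
        self.slice_id = None
        self.counts = defaultdict(int)

    def observe(self, pkt, ts):
        sid = int(ts // self.slice_len)
        if sid != self.slice_id:                        # new slice: every key back to 0
            self.slice_id, self.counts = sid, defaultdict(int)
        kind = flood_kind(pkt)
        if kind is None:
            return None
        self.counts[(pkt.src_ip, kind)] += 1
        return "flood" if self.counts[(pkt.src_ip, kind)] > self.thresholds[kind] else None


def inspect(pkt, counter, ts):
    """Run the three modules in order; return the first verdict, or None for a clean packet."""
    for check in (check_spoof, check_flags):
        verdict = check(pkt)
        if verdict:
            return verdict
    return counter.observe(pkt, ts)


if __name__ == "__main__":
    counter = FloodCounter(slice_len=1.0, thresholds={"syn": 3, "udp": 3, "icmp": 3})
    syn = PacketIn(1, 2, "00:00:00:00:00:02", "10.0.0.2", "tcp", SYN)
    for i in range(5):
        print(i, inspect(syn, counter, 0.1 * i))
```

A packet that fails the spoof check never reaches the flag or flood check, which matches the sequential ordering in the text; in practice the binding table must be refreshed whenever the controller learns a host move, or legitimate hosts will be reported as spoofing after they migrate between ports.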

Preferably, the threat handling and/or route optimization method in step S300 comprises: if the packet exhibits spoofing and the attack source lies within the OpenFlow domain, the IDS decision server blocks the host through the controller; and if the attack source lies outside the OpenFlow domain, the traffic of the switch access port associated with the packet is redirected through the controller to the traffic scrubbing center for filtering; if the packet is malformed, the IDS decision server blocks the traffic of the attacking program or host through the controller; if the packet exhibits flooding behaviour, the IDS decision server redirects the traffic of the switch access port associated with the packet through the controller to the traffic scrubbing center for filtering; and/or an optimized path is computed from the link load factor, that is, the remaining bandwidth of the link between each pair of adjacent nodes is measured to obtain that link's load factor, the optimal path between any two nodes is derived from those load factors and the network topology established at initialization, and the controller derives the corresponding forwarding flow entries from that optimal path and installs them on each switch.
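The route optimization part of step S300, as an added example in Python that is not the patent's code: each link's load factor is derived from its remaining bandwidth, the least-loaded path between two switches is found with Dijkstra's algorithm over those costs, and the path is turned into one flow entry per switch. The topology, the bandwidth figures, the load factor formula (load = 1 - remaining/capacity, cost = 1/(1 - load)), the flow-entry layout and the ovs-ofctl rendering are assumptions; the patent only says that the load factor comes from the remaining bandwidth of each adjacent-node link.

```python
"""Load-aware path computation and flow-entry generation for step S300.
Added example, not the patent's code; topology, bandwidth figures, the
load-factor formula and the flow-entry layout are assumptions."""
import heapq

# Constructed topology: switch DPID -> {neighbour DPID: output port towards it}.
TOPOLOGY = {
    1: {2: 1, 3: 2, 4: 3},
    2: {1: 1, 4: 2},
    3: {1: 1, 4: 2},
    4: {2: 1, 3: 2, 1: 4},
}

# Constructed link measurements (capacity_mbps, remaining_mbps), as a controller
# would derive them from periodic port statistics.  Links 1-2, 2-4 and the direct
# 1-4 link are nearly saturated; 1-3 and 3-4 are idle.
BANDWIDTH = {
    frozenset({1, 2}): (100.0, 10.0),
    frozenset({2, 4}): (100.0, 10.0),
    frozenset({1, 4}): (100.0, 5.0),
    frozenset({1, 3}): (100.0, 100.0),
    frozenset({3, 4}): (100.0, 100.0),
}


def load_factor(u, v):
    """Fraction of the link's capacity already in use (assumed definition)."""
    capacity, remaining = BANDWIDTH[frozenset({u, v})]
    return 1.0 - remaining / capacity


def load_cost(u, v):
    """Link weight: 1 for an idle link, growing without bound as it saturates."""
    lf = load_factor(u, v)
    return float("inf") if lf >= 1.0 else 1.0 / (1.0 - lf)


def hop_cost(u, v):
    """Plain hop count, for comparison with the load-aware metric."""
    return 1.0


def shortest_path(src, dst, cost):
    """Dijkstra over TOPOLOGY with the given link cost; returns the DPID list or None."""
    dist, prev, done = {src: 0.0}, {}, set()
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == dst:
            break
        for v in TOPOLOGY[u]:
            c = cost(u, v)
            if c == float("inf"):
                continue                    # saturated link: never use it
            if d + c < dist.get(v, float("inf")):
                dist[v] = d + c
                prev[v] = u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def flow_entries(path, dst_ip, host_port):
    """One forwarding entry per switch on the path; the last switch outputs to the host port."""
    entries = []
    for i, dpid in enumerate(path):
        out_port = TOPOLOGY[dpid][path[i + 1]] if i + 1 < len(path) else host_port
        entries.append({"dpid": dpid, "match": {"nw_dst": dst_ip}, "out_port": out_port})
    return entries


def ovs_ofctl_commands(entries, bridge="br0"):
    """Render entries as ovs-ofctl add-flow invocations (one bridge name assumed per switch)."""
    return [
        f'ovs-ofctl add-flow {bridge} "priority=100,ip,nw_dst={e["match"]["nw_dst"]},'
        f'actions=output:{e["out_port"]}"  # dpid {e["dpid"]}'
        for e in entries
    ]


if __name__ == "__main__":
    path = shortest_path(1, 4, load_cost)
    print("load-aware path:", path, " hop-count path:", shortest_path(1, 4, hop_cost))
    for cmd in ovs_ofctl_commands(flow_entries(path, "10.0.0.4", host_port=3)):
        print(cmd)
```

With the constructed figures the hop-count metric picks the direct 1-4 link even though only 5 Mbit/s of it is free, while the load-aware metric routes through switch 3. A flood that saturates a link therefore pushes legitimate flows onto the idle path instead of letting them queue behind attack traffic, which is the effect the text claims for route optimization under DDoS.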

Preferably, the method by which the IDS decision server blocks the program and/or host sending the packet comprises: first, building the counting hash tables and setting their thresholds, that is, per unit of time the IDS decision server builds a first hash table counting spoofing events, a second hash table counting abnormal flag-setting events and a third hash table counting flooding events, and sets a first, second and third threshold for the first, second and third hash tables respectively; second, blocking the program and/or host that sent the packet, that is, for each packet passed to the IDS decision server the behaviour found is counted in the corresponding hash table, and when the count exceeds the corresponding threshold the program and/or host that sent the packet is blocked.

Beneficial effects of the invention: (1) the invention fuses DDoS threat filtering with route optimization, so that monitoring and blocking DDoS attacks does not cause data congestion, and by separating monitoring from threat handling it effectively lightens the load on the control plane, making the network safer and more efficient to operate; (2) the invention fundamentally resolves the difficulty that, under the traditional network architecture, DDoS attacks using forged addresses could not be identified or traced back to their source, and whether the network is under DDoS attack or simply carrying legitimate high-volume traffic, the controller can optimize the routing of normal traffic on the basis of real-time awareness of network parameters such as the remaining link bandwidth, greatly improving the user experience; (3) the processing architecture uses an extensible modular design, achieving efficient detection and flexible handling of DDoS threats; (4) each module obtains packet information through an independent interface, reducing coupling between modules; (5) each module uses optimized program data structures and finely partitions its processing sub-flows, improving module cohesion.

Brief description of the drawings

To make the content of the invention easier to understand, it is described in further detail below by way of specific embodiments and with reference to the accompanying drawings, in which:

Figure 1 is a block diagram of the data layer of a software-defined network;

Figure 2 is a block diagram of the SDN-based DDoS attack identification and protection system;

Figure 3 is the workflow of the spoofed-packet detection module;

Figure 4 is the workflow of the malformed-packet detection module;

Figure 5 is the detection flowchart for UDP flooding;

Figure 6 is the detection flowchart for ICMP flooding.

Detailed description

To make the objects, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to specific embodiments and the accompanying drawings. It should be understood that these descriptions are exemplary only and are not intended to limit the scope of the invention. In the following description, well-known structures and techniques are not described, to avoid unnecessarily obscuring the concept of the invention.

Figure 1 is a block diagram of the data layer of a software-defined network.

As shown in Figure 1, in a software-defined network (SDN) architecture, when a packet arrives at a switch it is first matched against the switch's flow table. If the match succeeds, the packet is forwarded according to the action specified by the matching flow entry. If the match fails, the switch encapsulates the packet in a Packet-In message sent to the controller, keeps the packet in its local buffer, and waits for the controller to decide how the packet is to be handled.

Because the network contains many hosts, a hash table keyed by every host in the network must be built; it is called the "violation count hash table group" and comprises a first hash table for counting spoofed packets, a second hash table for counting malformed packets, and a third hash table for counting flooding attacks. It records the number of violations of each host, in other words the host's trustworthiness.

Packets flow through the network in real time, so a hash table counting threat packets per unit of time is also needed, in which each host corresponds to one key and the value records the number of threat packets sent by that host within the unit of time. At the start of each unit-time "time slice" the values of all keys in such a table must be reset to 0, and each type of detected packet needs its own table: if 100 packet types are detected, 100 such hash tables are needed.

Furthermore, each hash table must have a corresponding threshold. Whenever a host's value in a table is incremented, the value is checked against the configured threshold; if it exceeds the threshold, the host's entry in the violation count hash table is incremented.

The threshold of each hash table, the time slice length and other parameters can all be adjusted through an interface.

For example, the per-host hash tables are:

Spoofed packet count hash table per unit time

Host    Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ...  Host n
Count   1      2      2      1      100    2      0      0      ...  0

Malformed packet count hash table per unit time

SYN count hash table per unit time

Host    Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ...  Host n
Count   1      1      0      1      100    2      0      0      ...  0

UDP Flood count hash table per unit time

ICMP Flood count hash table per unit time

All of the above hash tables are per-unit-time counting tables; when a time slice starts, every value in them is set to 0.

Violation count hash table
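The data structures described above and the blocking method from the summary, as an added example in Python that is not the patent's code: one per-slice counting table for each detected behaviour, zeroed at the start of every slice; a violation count table keyed by host; thresholds and slice length that can be changed at run time; and the handling decision handed to the controller (block the host when a spoofing source is inside the OpenFlow domain, otherwise redirect the access port to the scrubbing center; block the attacking host for malformed packets; redirect to the scrubbing center for floods). The host names, thresholds and OpenFlow-domain membership are constructed, and the choice to record one violation per slice in which a threshold is crossed, rather than one per packet above it, is mine, not the patent's.

```python
"""IDS decision server bookkeeping: per-slice counting tables, a violation
count table, adjustable thresholds and the threat handling decision.
Added example, not the patent's code; names and values are constructed."""
from collections import defaultdict

BEHAVIOURS = ("spoof", "malformed", "flood")


class DecisionServer:
    def __init__(self, thresholds, slice_len=1.0, of_domain=()):
        self.thresholds = dict(thresholds)          # per-behaviour, per-slice thresholds
        self.slice_len = slice_len
        self.of_domain = set(of_domain)             # hosts the controller can block directly
        self.slice_id = None
        # one counting hash table per behaviour; key = host, value = count in this slice
        self.counts = {b: defaultdict(int) for b in BEHAVIOURS}
        # violation count hash table group; key = host, value = slices over threshold
        self.violations = {b: defaultdict(int) for b in BEHAVIOURS}
        self.actions = []                           # what was asked of the controller

    # -- the adjustable parameters mentioned in the text --------------------
    def set_threshold(self, behaviour, value):
        self.thresholds[behaviour] = value

    def set_slice_len(self, seconds):
        self.slice_len = seconds

    # -- time slicing --------------------------------------------------------
    def _roll_slice(self, ts):
        sid = int(ts // self.slice_len)
        if sid != self.slice_id:
            self.slice_id = sid
            for table in self.counts.values():      # every key back to 0
                for host in table:
                    table[host] = 0

    # -- handling policy from the summary ------------------------------------
    def decide(self, host, behaviour):
        if behaviour == "spoof":
            return ("block_host", host) if host in self.of_domain else ("redirect_port", host)
        if behaviour == "malformed":
            return ("block_host", host)
        return ("redirect_port", host)              # flood

    # -- one call per packet an IDS device reported over its channel ---------
    def report(self, host, behaviour, ts):
        """Count the report; when the per-slice threshold is first exceeded, record a
        violation and return the action handed to the controller, otherwise None."""
        self._roll_slice(ts)
        table = self.counts[behaviour]
        table[host] += 1
        if table[host] == self.thresholds[behaviour] + 1:
            self.violations[behaviour][host] += 1
            action = self.decide(host, behaviour)
            self.actions.append(action)
            return action
        return None

    def trust_score(self, host):
        """Total violations across all tables: the host's 'trustworthiness' record."""
        return sum(t[host] for t in self.violations.values())


if __name__ == "__main__":
    srv = DecisionServer({"spoof": 2, "malformed": 2, "flood": 3}, of_domain={"Host1", "Host2"})
    for ts in (0.0, 0.2, 0.4):
        print(ts, srv.report("Host1", "spoof", ts))
    print("violations:", dict(srv.violations["spoof"]), "trust score:", srv.trust_score("Host1"))
```

Because the action is emitted only once per slice, a host that keeps sending after the threshold does not generate a new controller request for every packet, which keeps the control channel from becoming the next target during a flood. The violation table is the only state that survives a slice boundary, so it is the one to persist if the decision server itself is restarted.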

Building on the inventive principles described above, the specific implementation of this embodiment is as follows.

Embodiment 1

An SDN network architecture comprising an application plane, a data plane and a control plane. In the data plane, when any IDS (intrusion detection system) device detects a packet bearing DDoS attack characteristics, it reports the packet to the application plane over an SSL communication channel. The application plane analyzes the attack type and formulates the corresponding attack-threat handling policy according to that type. The control plane provides the application plane with an attack-threat handling interface, and provides the data plane with optimal-path computation and/or attack-threat identification interfaces.

DDoS attack characteristics are defined here as: spoofing of link-layer and internet-layer addresses; abnormal setting of internet-layer and transport-layer flag bits; and flooding attacks against the application and transport layers.

The IDS device comprises:

a spoofed-packet detection module, which detects spoofing of link-layer and internet-layer addresses; a malformed-packet detection module, which detects abnormal settings of internet-layer and transport-layer flag bits; and an anomalous-packet detection module, which detects flooding attacks against the application and transport layers. Packets are inspected by the spoofed-packet, malformed-packet and anomalous-packet detection modules in that order, and if any module finds that a packet exhibits the corresponding behaviour, the packet is handed to the application plane.

The application plane is adapted such that, when a packet exhibits spoofing and the attack threat lies within the OpenFlow domain, it blocks the host through the controller in the control plane; when the attack threat lies outside the OpenFlow domain, it uses the controller to redirect the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering. When a packet exhibits abnormal behaviour, the application plane blocks the traffic of the attacking program or attacking host through the controller; and when a packet exhibits flooding behaviour, the application plane uses the controller to redirect the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.

The application plane's attack-type analysis and attack-threat handling policy, the data plane's attack monitoring, attack-threat blocking and route optimization, and the control plane's attack-threat handling, attack-threat identification and optimal-path computation are elaborated in the embodiments below.

The application plane may be implemented by an IDS decision server and the control plane by a controller; see the following embodiments for details.

Embodiment 2

As shown in Figure 2, a working method based on the above DDoS-threat-filtering SDN system comprises: when any IDS device detects a packet with DDoS attack characteristics, it reports it to the IDS decision server over the SSL communication channel; the IDS decision server formulates, from the reported information, a handling policy for the packet, and then either blocks the packet through the controller or redirects the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.

Further, the IDS device comprises:

a spoofed-packet detection module, which detects spoofing of link-layer and internet-layer addresses;

a malformed-packet detection module, which detects abnormal settings of internet-layer and transport-layer flag bits;

an anomalous-packet detection module, which detects flooding attacks against the application and transport layers;

packets are inspected by the spoofed-packet, malformed-packet and anomalous-packet detection modules in that order;

and if any detection module finds that a packet exhibits the corresponding behaviour, the packet is handed to the IDS decision server.

Further, the IDS decision server is adapted such that, when a packet exhibits spoofing and the attack threat lies within the OpenFlow domain, it blocks the host through the controller; when the attack threat lies outside the OpenFlow domain, it uses the controller to redirect the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering. When a packet exhibits abnormal behaviour, the IDS decision server blocks the traffic of the attacking program or attacking host through the controller; and when a packet exhibits flooding behaviour, the IDS decision server uses the controller to redirect the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.

The present invention inspects packets in the order spoofed-packet detection module, then malformed-packet detection module, then anomalous-packet detection module. Each module obtains packet information through an independent interface, which reduces coupling between modules, and each module uses optimized program data structures and finely partitioned processing sub-flows, which raises module cohesion. This inspection order improves detection efficiency for packet data and lowers the missed-detection rate.

As shown in Figure 3, the spoofed-packet detection module consults the network device information binding table, and a first hash table, counting spoofing events per unit time, is built in the IDS decision server together with a first threshold for that table. The spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that sent the Packet-In, and compares each item with the corresponding entry in the network device information binding table. If the items match, the packet passes to the malformed-packet detection module; if they do not match, the packet is handed to the IDS decision server, which discards it and increments the spoofing count. When the count exceeds the first threshold, the program and/or host that sent the packet is blocked.

Specifically, the spoofed-packet detection module performs the first judgment on a packet: whether it is an IP-spoofing, port-spoofing or MAC-spoofing attack packet.

The specific steps are: first parse the source and destination MAC addresses and the switch ingress port from the Ethernet frame, then parse the payload according to the packet type. For IP, ARP and RARP packets, parse the source and destination IP addresses, then look these items up in the network device information binding table. If a matching entry is found, the packet is handed to the malformed-packet detection module. If not, the packet is handed to the IDS decision server for processing and the spoofing count is incremented; when the count exceeds the first threshold, the program and/or host that sent the packet is blocked.
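The binding-table comparison and the per-unit-time counting table above, as an added Python illustration that is not the patent's or Floodlight's code; the binding table, Packet-In fields, time slice and threshold are constructed. The same counter shape serves the later SYN, UDP Flood and ICMP Flood count tables.

```python
"""Spoofed-packet check against the network device binding table, with the
per-unit-time counting hash table used for the violation threshold.
Added illustration, not code from the patent or Floodlight: binding table,
Packet-In fields, time slice and threshold are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the network device information binding table."""
    ip: str
    dpid: str
    port: int


@dataclass(frozen=True)
class PacketIn:
    """Fields the module parses from a Packet-In: frame addresses and attachment point."""
    src_mac: str
    src_ip: str
    dpid: str
    in_port: int


class UnitTimeCounter:
    """Per-unit-time counting hash table: every key is reset to 0 when a new
    time slice begins, then compared against a threshold on each hit."""

    def __init__(self, slice_seconds, threshold):
        self.slice_seconds = slice_seconds
        self.threshold = threshold
        self.counts = {}
        self.slice_start = None

    def hit(self, key, now):
        """Count one violation for key; return True once the threshold is exceeded."""
        if self.slice_start is None or now - self.slice_start >= self.slice_seconds:
            self.slice_start = now
            self.counts = {}          # start of time slice: all keys back to 0
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] > self.threshold


def spoof_check(pkt, binding_table):
    """True when source MAC, source IP and attachment point all agree with the binding table."""
    bound = binding_table.get(pkt.src_mac)
    if bound is None:
        return False
    return bound.ip == pkt.src_ip and bound.dpid == pkt.dpid and bound.port == pkt.in_port


def process(pkts, binding_table, counter):
    """Return one verdict per (time, packet): 'pass' to the next module,
    'drop', or 'block' once the sender's violations exceed the threshold."""
    verdicts = []
    for now, pkt in pkts:
        if spoof_check(pkt, binding_table):
            verdicts.append("pass")
            continue
        # Key violations by attachment point: DPID and ingress port are set by
        # the switch, so the spoofing host cannot forge them.
        exceeded = counter.hit((pkt.dpid, pkt.in_port), now)
        verdicts.append("block" if exceeded else "drop")
    return verdicts


# Constructed sample data: two hosts on one switch, h2 spoofing h1's addresses.
DPID = "00:00:00:00:00:00:00:01"
BINDING_TABLE = {
    "00:00:00:00:00:01": Binding("10.0.0.1", DPID, 1),
    "00:00:00:00:00:02": Binding("10.0.0.2", DPID, 2),
}
SAMPLE = [
    (0.0, PacketIn("00:00:00:00:00:01", "10.0.0.1", DPID, 1)),  # genuine h1 traffic
    (0.1, PacketIn("00:00:00:00:00:02", "10.0.0.1", DPID, 2)),  # IP spoof from port 2
    (0.2, PacketIn("00:00:00:00:00:01", "10.0.0.1", DPID, 2)),  # MAC+IP spoof from port 2
    (0.3, PacketIn("00:00:00:00:00:02", "10.0.0.1", DPID, 2)),  # third violation in slice
    (5.0, PacketIn("00:00:00:00:00:02", "10.0.0.1", DPID, 2)),  # new slice, count reset
]

if __name__ == "__main__":
    print(process(SAMPLE, BINDING_TABLE, UnitTimeCounter(slice_seconds=1.0, threshold=2)))
```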

Floodlight has a device manager module, DeviceManagerImpl, which tracks devices as they move around the network and defines devices from new flows.

The device manager learns of a device from a PacketIn request and obtains the device's network parameters (source and destination IP, MAC, VLAN and so on) from the PacketIn packet; an entity classifier then distinguishes the device as a switch or a host. By default the entity classifier identifies a device by MAC address and/or VLAN, two attributes that uniquely identify it. Another important item is the device's attachment point (the DPID and port number of the switch). Within one OpenFlow domain, meaning the set of switches connected to the same Floodlight instance, a device can have only one attachment point. The device manager also sets expiry times for IP addresses, attachment points and devices, using the last-seen timestamp to decide whether they have expired.

Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module and register an IDeviceListener with that service.

The listener interfaces involved with IDeviceListener are:

Service providers: IFloodlightProviderService, IDeviceService

Dependent interfaces: IFloodlightModule, IDeviceListener

Records in the binding table are refreshed in real time by the switch's level-trigger mechanism (unplugging a cable triggers a Port Down low level, plugging one in triggers a Port Up high level).

A traditional DDoS attack cannot reach or modify the Switch DPID and Switch Port information; this property allows spoofing attacks to be detected more flexibly.

Figure 4 shows the workflow of the malformed-packet detection module.

As shown in Figure 4, a second hash table, counting abnormal flag-bit settings per unit time, is built in the IDS decision server together with a second threshold for that table. The malformed-packet detection module inspects each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If all flag bits conform, the packet passes to the anomalous-packet detection module; if not, the packet is handed to the IDS decision server, which discards it and increments the abnormal-flag count. When the count exceeds the second threshold, the program and/or host that sent the packet is blocked.

Specifically, the malformed-packet detection module performs the second judgment on a packet: whether it is an attack packet with malicious flag-bit features. Such packets include, but are not limited to, IP attack packets and TCP attack packets. The implementation steps are: for IP attack packets and the TCP/UDP attack packets they carry, check each packet's flag bits, that is, determine whether each flag bit conforms to the TCP/IP protocol specification. If it does, the packet is handed directly to the anomalous-packet detection module; if not, it is judged an attack packet and handed to the IDS decision server.

Take typical attacks such as Teardrop as an example: the IP header carries a fragment offset field and a more-fragments flag (MF). If an attacker sets the offset field to an incorrect value, the IP fragments overlap or leave gaps, and the target system crashes.

The IP header also has a protocol field indicating which protocol the IP packet carries. The value of this field is less than 100; if an attacker sends the target a large number of IP packets with a protocol field greater than 100, the protocol stack in the target system is damaged, constituting an attack.

Therefore, in the malformed-packet detection module, the flag bits of the packet are first extracted and then checked for normality.

If they are normal, the packet is handed to the subsequent module.

If they are not normal, the packet is discarded and the counter in the corresponding hash table is incremented. If the counter exceeds the set second threshold within the unit time, the IDS decision server is invoked to block the corresponding program and/or block the corresponding host directly.

After filtering by the spoofed-packet detection module, the addresses in the packets handled by the subsequent malformed-packet detection module are all genuine. This effectively prevents the target from receiving malformed packets, which could crash the target's protocol stack or even the target itself.

The processing of the malformed-packet detection module is broadly similar to that of spoofed-packet detection; the difference is that it parses out each packet's flag bits and then checks whether each is normal.

If normal, the packet is handed directly to the subsequent anomalous-packet detection module.

If not normal, the packet is discarded and the counter in the corresponding hash table of the host reputation mechanism is incremented. If the set threshold is exceeded, the corresponding attack program is blocked or the attacking host is blocked directly.
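The flag-bit checks described above, as an added Python illustration rather than the patent's code: it applies the description's "protocol field greater than 100" rule, the Teardrop-style overlapping-fragment check, and, as an added common rule not stated on the page, the illegal TCP SYN+FIN combination. The sample packets are constructed inline.

```python
"""Header flag checks of the kind the malformed-packet module performs.
Added illustration, not the patent's code. Rules: the description's
'protocol field > 100' rule, Teardrop-style overlapping fragments, and the
illegal TCP SYN+FIN combination (an added, common rule). Samples constructed."""
import struct
from collections import defaultdict

IPV4_HDR = "!BBHHHBBH4s4s"   # version/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def build_ipv4(src, dst, proto, ident, frag_offset_units, more_frags, payload):
    """Constructed test-only IPv4 packet (checksum left at zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


class FragmentTracker:
    """Remembers the byte ranges of fragments per (src, dst, id) to spot overlaps."""

    def __init__(self):
        self.seen = defaultdict(list)

    def overlaps(self, key, start, end):
        for s, e in self.seen[key]:
            if start < e and s < end:
                return True
        self.seen[key].append((start, end))
        return False


def check_packet(raw, tracker):
    """Return 'ok' or a short reason naming the first violated rule."""
    if len(raw) < 20:
        return "truncated ip header"
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_HDR, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return "bad version/ihl"
    if proto > 100:                      # rule as stated in the description
        return "protocol field > 100"
    more_frags = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8   # fragment offset is in 8-byte units
    payload_len = total_len - ihl
    if more_frags or offset:
        if tracker.overlaps((src, dst, ident), offset, offset + payload_len):
            return "overlapping fragment"
    if proto == 6 and offset == 0 and len(raw) >= ihl + 14:
        tcp_flags = raw[ihl + 13]        # TCP flags byte
        if tcp_flags & 0x02 and tcp_flags & 0x01:
            return "tcp syn+fin"
    return "ok"


def run_samples():
    """Run four constructed packets through the checker in order."""
    tracker = FragmentTracker()
    first = build_ipv4("10.0.0.2", "10.0.0.1", 17, 0x1234, 0, True, b"A" * 24)   # bytes 0..24
    second = build_ipv4("10.0.0.2", "10.0.0.1", 17, 0x1234, 1, False, b"B" * 24) # bytes 8..32 overlap
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x03, 65535, 0, 0)  # SYN|FIN
    syn_fin = build_ipv4("10.0.0.2", "10.0.0.1", 6, 0x0001, 0, False, tcp)
    bad_proto = build_ipv4("10.0.0.2", "10.0.0.1", 200, 0x0002, 0, False, b"")
    return [check_packet(p, tracker) for p in (first, second, syn_fin, bad_proto)]


if __name__ == "__main__":
    print(run_samples())
```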

A hash table for identifying flooding attack packets is built in the anomalous-packet detection module, and a third hash table, counting flooding attack events per unit time, is built in the IDS decision server together with a third threshold for that table. The anomalous-packet detection module judges, from the threshold set in its hash table, whether the packet constitutes an attack. If not, the data is forwarded; if so, the packet is handed to the IDS decision server, which discards it and increments the attack count. When the count exceeds the third threshold, the program and/or host that sent the packet is blocked.

Specifically, the anomalous-packet detection module performs the third judgment on a packet: whether it is a flooding attack packet.

The specific steps are: increment the corresponding record in the hash table built for identifying flooding attack packets, and check whether it exceeds the threshold, so as to judge whether the packet is a flooding attack packet.

After filtering by the spoofed-packet and malformed-packet detection modules, the packets handled by subsequent modules are essentially normal packets. However, DDoS attacks can still occur under otherwise normal conditions. The prior art generally performs only spoofed-packet and malformed-packet detection, whereas this technical solution, in order to avoid DDoS attacks as far as possible, proceeds as follows.

The following embodiment describes a specific implementation in which, after filtering by the spoofed-packet and malformed-packet detection modules, DDoS attacks are blocked by the anomalous-packet detection module, taking UDP Flooding and ICMP Flooding as examples.

Figure 5 shows the UDP Flooding detection flowchart.

UDP Flooding, as shown in Figure 5, exploits the connectionless nature of UDP to send a large number of UDP packets to the target. The target spends a great deal of time processing them; the attack packets not only overflow the buffer holding UDP packets but also consume a large amount of network bandwidth, so the target receives no (or very few) legitimate UDP packets.

Because many different hosts send large numbers of UDP packets to a single host, UDP ports are certain to be occupied, so this technical solution can receive an ICMP port-unreachable packet.

The solution therefore builds a hash table over all hosts dedicated to storing the number of ICMP port-unreachable packets received per unit time. If the set threshold is exceeded, the corresponding attack program is blocked directly.

Figure 6 shows the ICMP Flooding detection flowchart.

For ICMP Flooding, as shown in Figure 6, packets are simply counted per unit time. If the corresponding threshold is exceeded, the corresponding host is blocked directly; the method is simple but direct and effective.

Thus, in the anomalous-packet detection module, if the detected packet type is one subject to anomaly detection, the corresponding counter is checked against its threshold. If the threshold is not exceeded, the packet may also be forwarded under the optimal routing policy; if it is exceeded, the corresponding attack program is blocked, or the corresponding host is blocked directly.

When any of the spoofed-packet, malformed-packet and anomalous-packet detection modules judges a packet to be an attack packet as described above, the packet is handed to the IDS decision server, that is, the packet is discarded and the program and/or host that sent it is blocked.

When the spoofed-packet, malformed-packet or anomalous-packet detection module needs to discard a packet or block a threatening host, it calls the IDS decision server directly to perform the corresponding threat-handling operation.

The specific implementation steps of the IDS decision server are as follows:

Discarding a packet comprises the following:

When an OpenFlow switch finds no matching flow entry, it encapsulates the packet in a Packet-In message and stores the packet in its local buffer under a buffer ID; this ID is carried in the buffer_id field of the Packet-In message. The packet is discarded by sending a Packet-Out whose buffer_id is the buffer ID of the packet to be discarded (the buffer_id of the corresponding Packet-In message).

Blocking a host comprises the following:

The OpenFlow flow entry structure is as follows:

Header fields    Counters    Actions

where the structure of the header fields is:

The steps by which the IDS decision server blocks an application program are as follows:

Step 1: Fill in the corresponding match fields in the flow entry's header fields, and set the Wildcards mask so that the entry identifies the attacking program or host to be blocked. To block an attacking program, fill in the following match fields: IP, MAC, VLAN, Switch DPID, Switch Port, protocol type and its port number, etc. To block a host, fill in the match fields IP, MAC, VLAN, Switch DPID, Switch Port, etc.

Step 2: Leave the flow entry's action list empty, so that packets from the attacking program/host are dropped.

Step 3: Using the record values in the hash tables, compute the timeout after which the flow entry is automatically deleted.

Step 4: Install the flow entry to block the program or host.
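Steps 1 to 4 as an added Python illustration, not the patent's Floodlight code: it builds an OpenFlow 1.0 FLOW_MOD whose wildcards select either the host or one program, whose action list is empty (drop), and whose timeouts are derived from the violation count. The wire layout follows the OpenFlow 1.0 specification; the timeout policy and sample values are constructed assumptions.

```python
"""OpenFlow 1.0 FLOW_MOD that drops an attacker's traffic: match fields filled in,
the rest wildcarded, empty action list, timeouts derived from the violation
count. Added illustration (not the patent's code). Wire layout per the
OpenFlow 1.0 specification; timeout policy and sample values are constructed."""
import socket
import struct

OFP_VERSION_10 = 1
OFPT_FLOW_MOD = 14
OFPFC_ADD = 0
OFP_NO_BUFFER = 0xFFFFFFFF
OFPP_NONE = 0xFFFF
# ofp_flow_wildcards bits (OpenFlow 1.0); a set bit means "do not match this field".
OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, OFPFW_DL_DST = 1 << 0, 1 << 1, 1 << 2, 1 << 3
OFPFW_DL_TYPE, OFPFW_NW_PROTO, OFPFW_TP_SRC, OFPFW_TP_DST = 1 << 4, 1 << 5, 1 << 6, 1 << 7
OFPFW_NW_SRC_MASK, OFPFW_NW_DST_MASK = 0x3F << 8, 0x3F << 14   # 6-bit prefix-wildcard counts
OFPFW_ALL = (1 << 22) - 1
MATCH_FMT = "!IH6s6sHBxHBBxxIIHH"       # ofp_match, 40 bytes


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def block_match(in_port, src_mac, src_ip, vlan=None, nw_proto=None, tp_src=None):
    """Step 1: match on the attacker's ingress port, MAC and IP. Giving nw_proto and
    tp_src narrows the rule to one program; otherwise the whole host is matched."""
    wildcards = OFPFW_ALL & ~(OFPFW_IN_PORT | OFPFW_DL_SRC | OFPFW_DL_TYPE | OFPFW_NW_SRC_MASK)
    if vlan is not None:
        wildcards &= ~OFPFW_DL_VLAN
    if nw_proto is not None and tp_src is not None:
        wildcards &= ~(OFPFW_NW_PROTO | OFPFW_TP_SRC)
    return struct.pack(MATCH_FMT, wildcards, in_port, mac_bytes(src_mac), b"\x00" * 6,
                       vlan if vlan is not None else 0, 0, 0x0800, 0, nw_proto or 0,
                       int.from_bytes(socket.inet_aton(src_ip), "big"), 0, tp_src or 0, 0)


def timeouts(violations, base=30, cap=3600):
    """Step 3 (assumed policy): idle timeout grows with the unit-time violation
    count, hard timeout is twice that, both capped."""
    idle = min(base * violations, cap)
    return idle, min(2 * idle, cap)


def drop_flow_mod(match, idle_timeout, hard_timeout, xid=1, priority=100):
    """Steps 2 and 4: ofp_flow_mod with no actions, so matching packets are dropped."""
    body = match + struct.pack("!QHHHHIHH", 0, OFPFC_ADD, idle_timeout, hard_timeout,
                               priority, OFP_NO_BUFFER, OFPP_NONE, 0)
    header = struct.pack("!BBHI", OFP_VERSION_10, OFPT_FLOW_MOD, 8 + len(body), xid)
    return header + body


def parse_flow_mod(msg):
    """Decode the fields a reviewer would check before installing the entry."""
    version, msg_type, length, _ = struct.unpack("!BBHI", msg[:8])
    wildcards = struct.unpack("!I", msg[8:12])[0]
    command, idle, hard = struct.unpack("!HHH", msg[56:62])
    return {"version": version, "type": msg_type, "length": length, "wildcards": wildcards,
            "command": command, "idle_timeout": idle, "hard_timeout": hard,
            "n_action_bytes": len(msg) - 72}


if __name__ == "__main__":
    # Constructed sample: host on port 2 exceeded its threshold three times this slice.
    host_rule = drop_flow_mod(block_match(2, "00:00:00:00:00:02", "10.0.0.2"), *timeouts(3))
    print(parse_flow_mod(host_rule))
```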

The network of this technical solution can therefore effectively identify and filter out attack packets.

Optionally, after the above modules, the real-time optimal routing policy for normal packets is installed.

The specific steps are as follows:

First, in step S1, an acquisition request is submitted to the controller's topology interface (API); then, in step S2, the whole-network topology is obtained.

Next the whole-network link state is obtained: step S3 is entered, the link state of the whole network is obtained through step S10, and the remaining bandwidth of every link is computed.

Then the real-time optimal path is computed using the classic Dijkstra algorithm, with the edge weights replaced by the reciprocal of each link's remaining bandwidth obtained in the previous step; this ensures that the computed path is the least congested and has the smallest transmission delay. (For the specific algorithm see Embodiment 3.)

Finally, the computed optimal path is converted into a real-time optimal-path policy consisting of flow entries, which is installed in step S11.

Step S1 uses the topology interface, an API built into the controller; it discovers links with LLDP (Link Layer Discovery Protocol) and broadcast packets, and the controller then computes the network topology automatically.

Step S2: the controller's topology interface returns the response to the topology request to the "whole-network topology acquisition module" of the "real-time optimal path computation module".

In step S3, the "whole-network link state acquisition module" requests the whole-network link state from the "switch query interface module". The "switch query interface module" is an extension of the controller's built-in "switch feature query module" and "switch status query module", adding computation and query of link remaining bandwidth.

Then, in step S4, the "switch query module" broadcasts a switch-features request to all switches in the network. In step S5 it receives the switches' feature replies, parses the curr field of each, and obtains the current bandwidth B of each switch port.

Next, in step S6, the module broadcasts a switch-status request to all switches, covering port statistics such as packets sent, bytes sent, bytes received and packets received. In step S7 it receives the switches' status replies, parses the tx_bytes field to obtain the transmitted byte count N1, and records the current time t1.

Next, in step S8, the module again broadcasts a switch-status request to all switches, and in step S9 receives the status replies, stops timing and records the current time t2. It parses the tx_bytes field to obtain the transmitted byte count N2.

The remaining bandwidth of the port can then be computed as B - (N2 - N1)/(t2 - t1).

The acquired network topology is then used to compute the remaining bandwidth of each link:

For a switch-to-switch link, the remaining bandwidth of the switch ports at both ends is obtained, and the link's remaining bandwidth is the smaller of the two.

For a host-to-switch link, the remaining bandwidth of the switch port to which the host is attached is obtained, and that is the link's remaining bandwidth.
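The residual-bandwidth computation and the Dijkstra weighting of steps S4 to S10, as an added Python illustration that is not the patent's code: B is decoded from the OpenFlow 1.0 port curr bitmap, residual bandwidth is B - (N2 - N1)/(t2 - t1) in bits per second, link residual follows the two rules above, and the path cost is 1/residual. The topology and stats samples are constructed.

```python
"""Link residual bandwidth from OpenFlow 1.0 port features and two port-stats
samples, then Dijkstra weighted by 1/residual as the description specifies.
Added illustration (not the patent's code); topology and samples are constructed.
The curr decode uses the OFPPF_* bits of the OpenFlow 1.0 ofp_phy_port."""
import heapq

# OpenFlow 1.0 ofp_port_features bits that may appear in a port's curr field.
OFPPF_RATES_BPS = {
    1 << 0: 10e6, 1 << 1: 10e6,      # 10 Mb half / full duplex
    1 << 2: 100e6, 1 << 3: 100e6,    # 100 Mb half / full duplex
    1 << 4: 1e9, 1 << 5: 1e9,        # 1 Gb half / full duplex
    1 << 6: 10e9,                    # 10 Gb full duplex
}


def port_speed_bps(curr):
    """B: highest rate advertised in the curr bitmap (0 if none)."""
    return max((bps for bit, bps in OFPPF_RATES_BPS.items() if curr & bit), default=0.0)


def residual_bps(curr, tx_bytes_1, t1, tx_bytes_2, t2):
    """B - (N2 - N1)/(t2 - t1), with the byte delta converted to bits per second."""
    used = (tx_bytes_2 - tx_bytes_1) * 8 / (t2 - t1)
    return max(port_speed_bps(curr) - used, 0.0)


def link_residuals(links, port_residual):
    """links maps (a, b) -> (port_a, port_b); port_b is None for a host link.
    Switch-switch: min of both ends. Host-switch: the switch port's residual."""
    out = {}
    for (a, b), (port_a, port_b) in links.items():
        ra = port_residual[port_a]
        out[(a, b)] = ra if port_b is None else min(ra, port_residual[port_b])
    return out


def dijkstra(residuals, src, dst):
    """Shortest path where each link costs 1/residual; saturated links are skipped."""
    adj = {}
    for (a, b), r in residuals.items():
        if r <= 0:
            continue
        adj.setdefault(a, []).append((b, 1.0 / r))
        adj.setdefault(b, []).append((a, 1.0 / r))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, w in adj.get(u, []):
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def demo_path():
    """Constructed 1 s stats interval on gigabit ports: the direct s1-s2 trunk
    carries 900 Mb/s, so the two-hop detour through s3 wins."""
    GE = 1 << 5                                    # OFPPF_1GB_FD
    samples = {                                    # port -> (curr, N1, t1, N2, t2)
        ("s1", 1): (GE, 0, 0.0, 0, 1.0),           # h1 access port, idle
        ("s1", 2): (GE, 0, 0.0, 112_500_000, 1.0), # trunk to s2: 900 Mb/s used
        ("s2", 2): (GE, 0, 0.0, 12_500_000, 1.0),  # far end of that trunk
        ("s1", 3): (GE, 0, 0.0, 12_500_000, 1.0),  # to s3: 100 Mb/s used
        ("s3", 1): (GE, 0, 0.0, 0, 1.0),
        ("s3", 2): (GE, 0, 0.0, 0, 1.0),
        ("s2", 3): (GE, 0, 0.0, 12_500_000, 1.0),
        ("s2", 1): (GE, 0, 0.0, 0, 1.0),           # h2 access port, idle
    }
    port_residual = {p: residual_bps(*s) for p, s in samples.items()}
    links = {
        ("h1", "s1"): (("s1", 1), None),
        ("s1", "s2"): (("s1", 2), ("s2", 2)),
        ("s1", "s3"): (("s1", 3), ("s3", 1)),
        ("s3", "s2"): (("s3", 2), ("s2", 3)),
        ("h2", "s2"): (("s2", 1), None),
    }
    return dijkstra(link_residuals(links, port_residual), "h1", "h2")


if __name__ == "__main__":
    print(demo_path())
```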

Step S4: the controller broadcasts a Feature Request message to all switches in the network.

Step S5: the controller receives the Feature Reply messages returned by the switches in the network.

Step S6: the controller broadcasts a Stats Request message to all switches in the network.

Step S7: the controller receives the Stats Reply messages returned by the switches in the network.

Step S8: the controller broadcasts a Stats Request message to all switches in the network.

Step S9: the controller receives the Stats Reply messages returned by the switches in the network.

Step S10: the switch query interface returns the computed link remaining-bandwidth information to the "whole-network link state acquisition module".

Step S11: the routing policy installation module takes the computed real-time optimal routing policy and, in step S12, installs the resulting flow entries on the relevant switches.

Step S12: this interface is an API built into the controller, used to install the computed optimal routing policy.

With the optimal-path policy, the network's average transmission delay does not surge while DDoS attacks are being defended against.

Example 3

Building on Examples 1 and 2, this example describes the working method of an SDN system that integrates threat handling and route optimization. Distributed detection combined with centralized handling reduces the controller's workload and improves both detection efficiency and data throughput.

The working method of the SDN system integrating threat handling and route optimization comprises the following steps:

Step S100, network initialization; step S200, distributed DDoS threat monitoring; and step S300, threat handling and/or route optimization.

The devices involved in the network initialization of step S100 are the controller, the IDS decision server, and the distributed IDS devices.

Network initialization proceeds as follows:

Step S101: the IDS decision server establishes a dedicated SSL communication channel with each IDS device (this step is optional).

Step S102: the controller builds the network device information binding table and pushes updates of it to every IDS device in real time.

Step S104: the controller installs the mirroring flow entries, i.e., the traffic of every OF switch port that has a host attached is mirrored to the IDS device responsible for that network domain.

Step S105: the controller delivers the DDoS threat identification rules to the IDS devices of each network domain.

The distributed DDoS threat monitoring of step S200 checks each packet, in order, for spoofing of link-layer and Internet-layer addresses, for abnormal flag settings in the Internet-layer and transport-layer headers, and for flooding attacks at the application and transport layers. If any of these checks finds the corresponding behaviour, the packet is handed to step S300.

The specific steps are:

Step S210: detect spoofing of link-layer and Internet-layer addresses.

Step S220: detect abnormal settings of Internet-layer and transport-layer flag bits.

Step S230: detect flooding attacks at the application and transport layers.

Step S240: the packet passes through steps S210, S220 and S230 in turn; if any of them finds spoofing, abnormal, or attack behaviour, the packet is handed to step S300.

The spoofing detection of step S210 comprises the following steps. Step S211: the spoofed-packet detection module loads the network device information binding table. Step S212: the module parses the packet encapsulated in the Packet-In message to obtain its source and destination IP addresses and MAC addresses, together with the DPID and port number of the switch that sent the Packet-In, and compares each of these with the corresponding entry of the binding table. If they match, the packet proceeds to step S220; if they do not match, the packet is handed to step S300.

The abnormal-flag detection of step S220 examines each flag bit of the packet and checks whether the settings conform to the TCP/IP protocol specifications. If they conform, the packet proceeds to step S230; if not, the packet is handed to step S300.
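As an added example (not the patent's code, nor Floodlight's), the following Python sketch implements steps S210 and S220 as described above for an IPv4/TCP frame lifted out of a Packet-In. Everything named here is my assumption: the Packet-In is modelled as a dict with dpid, in_port and the raw frame; the binding table is keyed by (DPID, port) and holds the MAC and IPv4 address learned for the host on that port; the test frames are constructed inline, with checksums left at zero because the checks never read them.

```python
"""Steps S210 (address spoofing) and S220 (illegal flag settings) of the IDS device.

Added example; not the patent's code. The Packet-In format, binding table layout
and sample frames are my own constructions.
"""
import struct

# Constructed binding table (what step S102 would have pushed to the IDS device):
# (dpid, port) -> MAC and IPv4 address of the host attached to that port.
BINDING_TABLE = {
    (1, 1): {"mac": "00:00:00:00:00:01", "ip": "10.0.0.1"},
    (1, 2): {"mac": "00:00:00:00:00:02", "ip": "10.0.0.2"},
}
KNOWN_HOSTS = {v["mac"]: v["ip"] for v in BINDING_TABLE.values()}

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_RESERVED, IP_DF, IP_MF = 0x4, 0x2, 0x1   # the three IPv4 flag bits, high to low


def parse_frame(data):
    """Extract the L2/L3/L4 header fields the two checks need from a raw Ethernet frame."""
    if len(data) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    eth_dst, eth_src, eth_type = data[0:6], data[6:12], struct.unpack("!H", data[12:14])[0]
    if eth_type != 0x0800:
        raise ValueError("only IPv4 frames are inspected in this example")
    ip = data[14:]
    ihl = (ip[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    f = {
        "eth_src": ":".join(f"{b:02x}" for b in eth_src),
        "eth_dst": ":".join(f"{b:02x}" for b in eth_dst),
        "ip_src": ".".join(str(b) for b in ip[12:16]),
        "ip_dst": ".".join(str(b) for b in ip[16:20]),
        "ip_flags": flags_frag >> 13,
        "proto": ip[9],
        "tcp_flags": None,
    }
    if f["proto"] == 6 and len(ip) >= ihl + 14:
        f["tcp_flags"] = ip[ihl + 13]          # TCP flags byte sits at offset 13 of the TCP header
    return f


def check_spoof(dpid, in_port, f):
    """Step S212: the source MAC/IP must be the pair bound to the ingress switch port."""
    bound = BINDING_TABLE.get((dpid, in_port))
    if bound is None:
        return "no host is bound to this switch port"
    if f["eth_src"] != bound["mac"] or f["ip_src"] != bound["ip"]:
        return "source MAC/IP does not match the binding for the ingress port"
    # Destination side (my reading of the step): a destination MAC the table knows must carry its bound IP.
    if f["eth_dst"] in KNOWN_HOSTS and KNOWN_HOSTS[f["eth_dst"]] != f["ip_dst"]:
        return "destination MAC/IP pair does not match the binding table"
    return None


def check_flags(f):
    """Step S220: reject flag combinations the IP and TCP specifications never produce."""
    if f["ip_flags"] & IP_RESERVED:
        return "IPv4 reserved flag bit set"
    if f["ip_flags"] & IP_DF and f["ip_flags"] & IP_MF:
        return "DF and MF set together"
    t = f["tcp_flags"]
    if t is not None:
        if t & TCP_SYN and t & TCP_FIN:
            return "SYN and FIN set together"
        if t & TCP_SYN and t & TCP_RST:
            return "SYN and RST set together"
        if not t & (TCP_SYN | TCP_RST | TCP_ACK):
            return "segment with neither SYN, RST nor ACK (NULL/FIN/Xmas probe)"
    return None


def inspect(packet_in):
    """Run S210 then S220 and say where the packet goes next: S230, or S300 with the reason."""
    f = parse_frame(packet_in["data"])
    why = check_spoof(packet_in["dpid"], packet_in["in_port"], f)
    if why:
        return ("S300", "spoof", why)
    why = check_flags(f)
    if why:
        return ("S300", "abnormal", why)
    return ("S230", "clean", None)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ip_flags=IP_DF, tcp_flags=TCP_SYN):
    """Constructed IPv4/TCP frame for testing; checksums stay zero because nothing above reads them."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, ip_flags << 13, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    return eth + ip + tcp


if __name__ == "__main__":
    legit = {"dpid": 1, "in_port": 1,
             "data": build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", "10.0.0.1", "10.0.0.2")}
    forged = {"dpid": 1, "in_port": 1,
              "data": build_frame("00:00:00:00:00:01", "00:00:00:00:00:02", "10.0.0.99", "10.0.0.2")}
    xmas = {"dpid": 1, "in_port": 2,
            "data": build_frame("00:00:00:00:00:02", "00:00:00:00:00:01", "10.0.0.2", "10.0.0.1",
                                tcp_flags=TCP_FIN | TCP_PSH | TCP_URG)}
    for name, p in [("legit", legit), ("forged", forged), ("xmas", xmas)]:
        print(name, inspect(p))
```

The order matters: the flag check is only meaningful once the address check has passed, because a later Drop entry keyed on a forged source address would block an innocent host, which is exactly why the text pins the spoofing case to the switch port instead.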

The flooding detection of step S230 comprises the following steps. Step S231: the abnormal-packet detection module builds a hash table for identifying flooding attack packets. Step S232: the module decides, from the threshold set for that hash table, whether the packet belongs to a flooding attack, and passes the result to step S300: if there is no attack, the data is forwarded normally or along the optimal-path policy described above; if there is, the corresponding blocking measures are taken.

The threat handling and/or route optimization of step S300 comprises:

If the packet is spoofed and the attack source is inside the OpenFlow domain, the IDS decision server blocks the host through the controller; if the attack source is outside the OpenFlow domain, the controller redirects the traffic of the switch access port on which the packet arrived to the traffic scrubbing center for filtering.

If the packet shows abnormal (malformed-flag) behaviour, the IDS decision server blocks the traffic of the attacking program or attacking host through the controller. Specifically, for a malformed-packet attack, the packet being processed by the IDS device has already passed spoofing detection, so its addresses are genuine. The IDS decision server therefore only needs to push, through the controller's northbound interface, a flow entry whose action is Drop for the attacking program or host. This is a coarse-grained decision and suits only malformed-packet attacks with a small number of packets.

If the packet belongs to a flooding attack, the IDS decision server, through the controller, redirects the traffic of the corresponding switch access port to the traffic scrubbing center for filtering. Optionally, the security devices of the scrubbing center feed the result of their protection back to the controller so that network policy can be adjusted, giving multi-layer protection for SDN networks and for networks mixed with traditional equipment.
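The three branches of step S300 above, written out as a decision function that turns one IDS verdict into the flow entries the controller should install. This is an added example, not the patent's code and not Floodlight's. My assumptions: the verdict is a dict produced by the IDS side; "inside the OpenFlow domain" means the packet arrived on a switch port that has a host binding (the binding table from step S102); every access switch reaches the scrubbing center through a fixed port; the entry layout follows Floodlight's Static Flow Pusher REST body as I remember it (switch, name, priority, match fields, actions, with an empty actions string meaning drop), so verify the field names against the controller version you run before posting them.

```python
"""Step S300 as a decision function: one IDS verdict in, flow entries for the northbound interface out.

Added example; not the patent's code and not Floodlight's. Binding table, scrubbing port,
timeouts and the REST body layout are my assumptions.
"""

SWITCH1 = "00:00:00:00:00:00:00:01"
# Constructed binding table: (switch, port) -> IP of the host attached there.
DOMAIN_BINDINGS = {(SWITCH1, 1): "10.0.0.1", (SWITCH1, 2): "10.0.0.2"}
SCRUB_PORT = {SWITCH1: 9}            # constructed: port leading to the traffic scrubbing center
BLOCK_SECONDS = 300                  # constructed: how long a Drop entry stays before it ages out


def _entry(name, switch, match, actions, priority, hard_timeout=None):
    body = {"switch": switch, "name": name, "priority": str(priority), "active": "true", "actions": actions}
    body.update(match)
    if hard_timeout is not None:
        body["hard_timeout"] = str(hard_timeout)
    return body


def redirect_to_scrubbing(switch, in_port):
    """Everything entering on the access port is steered to the scrubbing center instead of the normal path."""
    return _entry(f"scrub-{in_port}", switch, {"in_port": str(in_port)},
                  f"output={SCRUB_PORT[switch]}", priority=2000)


def drop_port(switch, in_port):
    """A spoofed packet's addresses are forged, so the ingress port is the only thing to pin the host to."""
    return _entry(f"drop-port-{in_port}", switch, {"in_port": str(in_port)}, "", priority=3000,
                  hard_timeout=BLOCK_SECONDS)


def drop_source(switch, verdict):
    """The packet passed spoof detection, so its source address is real and can be matched directly."""
    match = {"eth_type": "0x0800", "ipv4_src": verdict["src_ip"]}
    name = f"drop-host-{verdict['src_ip']}"
    if verdict.get("scope") == "program":      # narrow the Drop to the one flow the attacking program uses
        match.update({"ip_proto": "0x06", "tcp_src": str(verdict["src_port"]),
                      "ipv4_dst": verdict["dst_ip"], "tcp_dst": str(verdict["dst_port"])})
        name = f"drop-flow-{verdict['src_ip']}-{verdict['src_port']}"
    return _entry(name, switch, match, "", priority=3000, hard_timeout=BLOCK_SECONDS)


def decide(verdict):
    """Map one verdict {behaviour, switch, in_port, src_ip, ...} to the entries the controller should install."""
    behaviour, switch, in_port = verdict["behaviour"], verdict["switch"], verdict["in_port"]
    if behaviour == "spoof":
        if (switch, in_port) in DOMAIN_BINDINGS:        # attacker sits on one of our access ports
            return [drop_port(switch, in_port)]
        return [redirect_to_scrubbing(switch, in_port)]  # traffic came in from outside the domain
    if behaviour == "abnormal":
        # Coarse-grained, as the text notes: fine for a few malformed packets, not for volume attacks.
        return [drop_source(switch, verdict)]
    if behaviour == "flood":
        return [redirect_to_scrubbing(switch, in_port)]
    raise ValueError(f"unknown behaviour {behaviour!r}")


if __name__ == "__main__":
    import json
    samples = [
        {"behaviour": "spoof", "switch": SWITCH1, "in_port": 1, "src_ip": "10.0.0.77"},
        {"behaviour": "spoof", "switch": SWITCH1, "in_port": 7, "src_ip": "203.0.113.5"},
        {"behaviour": "abnormal", "switch": SWITCH1, "in_port": 2, "src_ip": "10.0.0.2",
         "scope": "program", "src_port": 40000, "dst_ip": "10.0.0.100", "dst_port": 80},
        {"behaviour": "flood", "switch": SWITCH1, "in_port": 7, "src_ip": "198.51.100.9"},
    ]
    for v in samples:
        print(json.dumps(decide(v), indent=1))
```

The Drop entries carry a hard timeout so that a one-off false positive does not black-hole a host forever, while the redirect entry is left permanent because the scrubbing center, not the controller, decides when the flood is over.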

Further, the optimized path is computed from the link load factor: the remaining bandwidth of the link between two adjacent nodes is measured and turned into that link's load factor; the optimal path between any two points is then obtained from the load factors and the initialized network topology, and the controller derives the corresponding forwarding flow entries from the optimal path and installs them on the switches.

The specific algorithm flow for the optimized path is as follows:
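Steps S8 to S12 and the load-factor path computation just described, carried through end to end as an added example (not the patent's code): two consecutive port-statistics snapshots become per-link remaining bandwidth and load factors, a load-weighted shortest-path search picks the route, and one flow entry per switch comes out. The topology, link capacity, interval and byte counts are constructed; "load factor = used bandwidth / link capacity" and "link cost = 1 / (1 - load factor)" are my choices, since the patent text does not give the formula; the flow entries are plain dicts, not a specific controller's API.

```python
"""Steps S8 to S12: port statistics -> remaining bandwidth and load factor -> load-weighted path -> flow entries.

Added example; not the patent's code. Topology, capacities, statistics and the
load/cost formulas are my constructions and assumptions.
"""
import heapq

LINK_CAPACITY_BPS = 100_000_000          # constructed: every link is 100 Mbit/s
STATS_INTERVAL_S = 10                     # constructed: seconds between the two Stats Replies

# Constructed topology from the initialized topology map: each link joins two (dpid, port) endpoints.
LINKS = [
    ((1, 2), (3, 1)),   # direct link switch1 <-> switch3
    ((1, 3), (4, 1)),   # switch1 <-> switch4
    ((4, 2), (3, 2)),   # switch4 <-> switch3
    ((1, 4), (2, 1)),   # switch1 <-> switch2
    ((2, 2), (3, 3)),   # switch2 <-> switch3
]

# Constructed Stats Reply snapshots (steps S8/S9): cumulative tx_bytes per (dpid, port).
STATS_T0 = {port: 0 for link in LINKS for port in link}
STATS_T1 = {
    (1, 2): 100_000_000, (3, 1): 100_000_000,   # 80 Mbit/s each way on the direct link
    (1, 3): 1_250_000,   (4, 1): 1_250_000,     # 1 Mbit/s
    (4, 2): 1_250_000,   (3, 2): 1_250_000,     # 1 Mbit/s
    (1, 4): 62_500_000,  (2, 1): 62_500_000,    # 50 Mbit/s
    (2, 2): 62_500_000,  (3, 3): 62_500_000,    # 50 Mbit/s
}


def link_state(stats_t0, stats_t1, interval_s=STATS_INTERVAL_S, capacity=LINK_CAPACITY_BPS):
    """Step S10: per link, remaining bandwidth (bit/s) and load factor from the byte-count delta."""
    state = {}
    for a, b in LINKS:
        # the busier direction decides the link's load (assumption)
        used_bps = max((stats_t1[p] - stats_t0[p]) * 8 / interval_s for p in (a, b))
        load = min(used_bps / capacity, 1.0)
        state[(a, b)] = {"remaining_bps": capacity - used_bps, "load": load}
    return state


def link_cost(load):
    """Cost grows without bound as a link saturates, so a nearly full link is avoided even at extra hops."""
    return 1.0 / max(1.0 - load, 1e-6)


def compute_path(src_dpid, dst_dpid, state):
    """Step S11: Dijkstra over the topology with load-based costs; returns the list of DPIDs."""
    adj = {}
    for (a, b), s in state.items():
        cost = link_cost(s["load"])
        adj.setdefault(a[0], []).append((b[0], cost))
        adj.setdefault(b[0], []).append((a[0], cost))
    dist, prev = {src_dpid: 0.0}, {}
    heap = [(0.0, src_dpid)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, cost in adj.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                prev[v] = u
                heapq.heappush(heap, (dist[v], v))
    if dst_dpid not in dist:
        return None
    path, hop = [], dst_dpid
    while hop != src_dpid:
        path.append(hop)
        hop = prev[hop]
    path.append(src_dpid)
    return path[::-1]


def flow_entries(path, state, src_ip, dst_ip, egress_port):
    """Step S12: one entry per switch on the path, matching the flow and sending it out the next-hop port."""
    out_ports = {}
    for (a, b) in state:
        out_ports[(a[0], b[0])] = a[1]
        out_ports[(b[0], a[0])] = b[1]
    entries = []
    for i, dpid in enumerate(path):
        port = egress_port if i == len(path) - 1 else out_ports[(dpid, path[i + 1])]
        entries.append({"dpid": dpid, "ipv4_src": src_ip, "ipv4_dst": dst_ip, "output": port})
    return entries


if __name__ == "__main__":
    state = link_state(STATS_T0, STATS_T1)
    path = compute_path(1, 3, state)
    print("path 1 -> 3:", path)                      # the lightly loaded detour, not the saturated direct link
    for e in flow_entries(path, state, "10.0.0.1", "10.0.0.3", 10):
        print(e)
```

With these numbers a hop-count metric would send the flow over the direct but 80 % loaded link; the load-weighted cost prefers the two-hop path through switch 4, which is the behaviour the delay measurements in Example 4 rely on. In a real deployment the byte counters in the Stats Replies are 64-bit and wrap only rarely, but a switch reboot resets them, so a negative delta should be discarded rather than fed into the load factor.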

The method by which the IDS decision server blocks the program and/or host that sends the packet comprises:

First, the counting hash tables are built and their thresholds set, i.e.

per unit time, the IDS decision server builds a first hash table that counts spoofing events, a second hash table that counts abnormal flag settings, and a third hash table that counts flooding attack events;

and sets the first, second and third thresholds for the first, second and third hash tables respectively.

Second, the sending program and/or host is blocked, i.e.

each packet handed to the IDS decision server is counted in the hash table for its behaviour class; when the count exceeds the corresponding threshold, the program and/or host that sent the packet is blocked.
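The three counting hash tables with their thresholds, and the step S232 threshold test they generalize, as an added example (not the patent's code): a sliding unit-time window per source host and behaviour class, with a block decision emitted the first time a count crosses its threshold. The unit time, the threshold values, the choice of source IP as hash key, and the rule that distinguishes "block the program" from "block the host" are all my assumptions, and the report stream is constructed.

```python
"""The IDS decision server's first/second/third hash tables and thresholds as a sliding window per source.

Added example; not the patent's code. Unit time, thresholds, hash key and the
program-vs-host rule are assumptions; the report stream is constructed.
"""
from collections import defaultdict, deque

UNIT_TIME_MS = 1000                                        # assumed "unit time": one second
THRESHOLDS = {"spoof": 20, "abnormal": 10, "flood": 50}    # first/second/third thresholds, chosen for the demo


class BehaviourCounter:
    """One hash table per behaviour class; each entry keeps the reports seen within the last unit time."""

    def __init__(self, unit_time_ms=UNIT_TIME_MS, thresholds=THRESHOLDS):
        self.unit_time_ms = unit_time_ms
        self.thresholds = thresholds
        self.tables = {behaviour: defaultdict(deque) for behaviour in thresholds}
        self.blocked = set()

    def observe(self, t_ms, behaviour, src_ip, src_port, dst_ip, dst_port):
        """Count one report from an IDS device; return a block decision once a threshold is crossed."""
        window = self.tables[behaviour][src_ip]
        window.append((t_ms, src_port, dst_ip, dst_port))
        while window and t_ms - window[0][0] > self.unit_time_ms:   # forget reports older than one unit time
            window.popleft()
        if len(window) <= self.thresholds[behaviour] or src_ip in self.blocked:
            return None
        self.blocked.add(src_ip)
        # Program-vs-host rule (my assumption): a single attacking program keeps using one flow,
        # so if every report shares the same (src_port, dst_ip, dst_port) block just that flow;
        # otherwise block the host as a whole.
        flows = {(sp, dip, dp) for _, sp, dip, dp in window}
        if len(flows) == 1:
            sp, dip, dp = next(iter(flows))
            return {"scope": "program", "behaviour": behaviour, "src_ip": src_ip,
                    "src_port": sp, "dst_ip": dip, "dst_port": dp, "count": len(window)}
        return {"scope": "host", "behaviour": behaviour, "src_ip": src_ip, "count": len(window)}


def constructed_reports():
    """A constructed stream of (t_ms, behaviour, src_ip, src_port, dst_ip, dst_port) reports."""
    reports = []
    # one bot hammering the Web server with 60 SYN-flood reports in 0.6 s, always from the same socket
    reports += [(i * 10, "flood", "10.0.0.5", 40000, "10.0.0.100", 80) for i in range(60)]
    # 5 spoofed packets from another host spread over 5 s: stays under the first threshold
    reports += [(i * 1000, "spoof", "10.0.0.7", 50000 + i, "10.0.0.100", 80) for i in range(5)]
    # 12 malformed-flag packets from a scanner cycling its source port within 0.5 s
    reports += [(i * 40, "abnormal", "10.0.0.9", 30000 + i, "10.0.0.100", 443) for i in range(12)]
    return sorted(reports)


def run(reports=None):
    """Feed the reports through the counter and return the block decisions it produced."""
    counter = BehaviourCounter()
    decisions = []
    for report in (reports if reports is not None else constructed_reports()):
        decision = counter.observe(*report)
        if decision:
            decisions.append(decision)
    return decisions


if __name__ == "__main__":
    for d in run():
        print(d)
```

Keying the table on the source address is only safe for reports that passed spoofing detection; for the spoof table itself the key should be the ingress (DPID, port), since the address in a spoofed packet is chosen by the attacker and a per-address threshold could be dodged by rotating it.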

Example 4

The SDN architecture and system of the present invention can be defined as SDNQA (SDN Communication Quality Assurance Strategy).

Tests relating to the design goals and the deployment scenario.

The invention has been deployed and tested; the main test environment and test content are as follows:

(1) Using the OpenFlow 1.3 protocol, test the communication between the Floodlight controller fitted with the DDoS threat filtering and communication quality assurance components, the OF switches, the IDS devices, and the IDS decision server.

(2) Test whether the IDS devices can monitor abnormal attack traffic in the network in real time and report it to the IDS decision server over the SSL communication channel.

(3) Test whether the IDS decision server can derive a policy for handling the corresponding attack threat from the information reported by the IDS devices and push it through the controller's northbound interface.

(4) Test whether the controller can generate and install real-time optimized forwarding paths according to current network conditions, improving the user experience.

Specific deployment of the experimental scenario. The middle is the base network area with two virtual networks: virtual network A has the SDNQA system deployed, virtual network B does not, and each contains several DDoS bots. On the right is the comparison area: one Web server running Tomcat to serve Web requests, and two user hosts, A and B, attached to virtual networks A and B respectively. On the left is the attack simulation area with one DDoS attack machine, which acts as the master and drives the bots in virtual networks A and B to launch a hybrid DDoS attack on the Web server.

Based on this environment, the performance of the SDNQA architecture is verified from two aspects: (1) comparing the attack rate the Web server sustains under the hybrid DDoS attack; (2) comparing the average network transmission delay caused by the flooding attack.

First, the inflow of traffic at the Web server is analysed. The attack machine drives the bots in each virtual network to launch the hybrid DDoS attack on the Web server simultaneously, at a peak rate of 55 Hz for 100 seconds. All packet sequences arriving at the Web server are captured and the request sequence of each virtual network is separated out, giving the request sequences flowing into the server from virtual network A and from virtual network B and a comparison of the attack rate the Web server sustains.

It can be seen that the SDNQA system identified the typical DDoS attack within the first 0 s to 5 s and applied filtering protection during 0 s to 40 s. After 40 s the network traffic returned to normal, and test user host A received responses to its Web requests throughout. In virtual network B, where SDNQA was not deployed, a large volume of attack traffic kept flowing in and test user host B could not get responses to its Web requests.

Second, the request sequences of test user hosts A and B are extracted from the captured packet sequences, and the average transmission delay of the packets is computed from each, giving a comparison of the average transmission delay of the two virtual networks.

It can be seen that, with route optimization, the average transmission delay of virtual network A does not spike as the data volume grows. The SDNQA architecture can therefore optimize flow forwarding paths from its perception of real-time network conditions and so maintain the best user experience while the network carries a DDoS attack or legitimate high-volume traffic.

It should be understood that the specific embodiments above serve only to illustrate or explain the principle of the invention and do not limit it. Any modification, equivalent replacement, improvement, etc. made without departing from the spirit and scope of the invention therefore falls within its scope of protection. Furthermore, the appended claims are intended to cover all changes and modifications that fall within the scope and bounds of the appended claims, or their equivalents.

Claims (1)

  1. An SDN architecture, characterized in that it comprises a data plane, an application plane and a control plane, wherein:
    the data plane: when any IDS device in the data plane detects a packet with DDoS attack characteristics, it reports the packet to the application plane over an SSL communication channel;
    the application plane: analyzes the attack type and formulates the corresponding attack-threat handling policy according to that type;
    the control plane: provides the application plane with an attack-threat handling interface, and provides the data plane with an optimal-path computation and/or attack-threat identification interface;
    the IDS device comprises:
    a spoofed-packet detection module, which detects spoofing of link-layer and Internet-layer addresses;
    a malformed-packet detection module, which detects abnormal settings of Internet-layer and transport-layer flag bits;
    an abnormal-packet detection module, which detects flooding attacks at the application and transport layers;
    the packet is inspected by the spoofed-packet detection module, the malformed-packet detection module and the abnormal-packet detection module in turn, and if any of these modules finds the corresponding behaviour the packet is passed to the application plane;
    the application plane is adapted, when the packet is spoofed and the attack threat lies inside the OpenFlow domain, to block the host through the controller of the control plane, or, when the attack threat lies outside the OpenFlow domain, to have the controller redirect the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering;
    the application plane is further adapted, when the packet shows abnormal behaviour, to block the traffic of the attacking program or attacking host through the controller; and
    when the packet belongs to a flooding attack, the application plane is adapted to have the controller redirect the traffic of the switch access port corresponding to the packet to the traffic scrubbing center for filtering.
CN104539595B (application CN201410788069.5A), priority and filing date 2014-12-17: An SDN architecture and working method integrating threat handling and route optimization. Status: Expired - Fee Related.

Patent family (priority date 2014-12-17, filing date 2014-12-17)

Application Number   Publication      Title                                                                                   Status
CN201410788069.5A    CN104539595B     An SDN architecture and working method integrating threat handling and route optimization (this patent)   Expired - Fee Related
CN201711302091.4A    CN107786578A     An SDN architecture and working method for solving network security problems (divisional)   Withdrawn
CN201711302100.XA    CN107888619A     Working method of an SDN system integrating threat handling and route optimization (divisional)   Withdrawn
CN201711302098.6A    CN107888618A     Working method of a DDoS threat filtering SDN system for network security (divisional)   Withdrawn

Publications (2)

Publication Number   Publication Date
CN104539595A         2015-04-22
CN104539595B         2018-04-10 (grant)

Family ID: 52855064




Legal Events

Code   Title
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
CB03   Change of inventor or designer information. Inventors before: Shi Yukai, Zhang Jiahua, Yang Zhongxue, Wang Jiangping, Li Ying. Inventors after: Shi Yukai, Yang Zhongxue, Chen Fei, Zhang Jiahua, Wang Jiangping, Li Ying, Ou Jiahao.
GR01   Patent grant. Granted publication date: 2018-04-10
CF01   Termination of patent right due to non-payment of annual fee. Termination date: 2020-12-17