CN104378380A - System and method for identifying and preventing DDoS attacks on basis of SDN framework - Google Patents


Info

Publication number: CN104378380A
Authority: CN (China)
Prior art keywords: message, attack, module, hash table, flag bit
Legal status: Pending
Application number: CN201410699598.8A
Other languages: Chinese (zh)
Inventors: 张家华, 王江平, 杨种学, 李滢, 史煜凯
Current assignee: Nanjing Xiaozhuang University
Original assignee: Nanjing Xiaozhuang University
Application filed by Nanjing Xiaozhuang University
Priority to CN201410699598.8A
Publication of CN104378380A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Abstract

The invention relates to a system and method for identifying and preventing DDoS attacks on the basis of an SDN framework. The system comprises a spoofed-packet detection module, a malformed-packet detection module, an anomalous-packet detection module and a threat processing module. The spoofed-packet detection module detects address spoofing at the link layer and the internet layer; the malformed-packet detection module detects abnormal flag-bit settings at the internet layer and the transport layer; the anomalous-packet detection module detects flooding attacks at the application layer and the transport layer. The three detection modules inspect each packet in turn; if any of them finds spoofing, malformation or attack behaviour, the packet is handed to the threat processing module, which discards the packet and blocks the program and/or host that sent it. The processing framework uses an extensible modular design, giving efficient detection and flexible handling of DDoS threats; the processing steps are finely divided, which improves the cohesion of the modules.

Description

System and method for identifying and defending against DDoS attacks based on an SDN framework
Technical field
The present invention relates to the field of network security, and in particular to a method and system for identifying and defending against DDoS attacks based on an SDN framework.
Background technology
In recent years, while widely available high-speed networks have brought convenience to everyone, they have also created very favourable conditions for DDoS attacks. Distributed denial of service has become an attack method that attackers often adopt and that is difficult to guard against, and one of the biggest threats to network security. It exploits the protocols the Internet necessarily relies on, which forward packets from any source to any destination without distinction, to consume excessive service resources, so that legitimate users cannot obtain a service response; this causes serious financial consequences for all kinds of Internet users and service providers. Current methods of defending against DDoS attacks, such as IDS intrusion detection, firewall protection, black-hole routing and router filtering, usually rely on packet filtering or rate limiting; they are slow, resource-intensive and also block legitimate traffic, and none of them provides complete protection.
Furthermore, the prior art does not provide attack-detection functions that specifically cover the filtering of spoofed packets, the filtering of malformed packets and the filtering of anomalous packets.
Therefore, an effective and comprehensive DDoS protection system based on an SDN framework needs to be designed, in order to improve the identification of and protection against DDoS threats and to solve the large number of DDoS attack problems that exist in current networks.
Summary of the invention
The object of the invention is to provide a DDoS threat identification and protection system based on an SDN framework, which effectively solves the network security problems caused by the large number of DDoS attacks in existing networks,
so as to identify and defend against DDoS attacks quickly, efficiently and comprehensively.
To solve the above technical problem, the invention provides a method and system for identifying and defending against DDoS attacks based on an SDN framework, comprising:
A spoofed-packet detection module, which detects address spoofing at the link layer and the internet layer; a malformed-packet detection module, which detects abnormal flag-bit settings at the internet layer and the transport layer; and an anomalous-packet detection module, which detects flooding attacks at the application layer and the transport layer. The spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module inspect each packet in turn, and if any detection module finds that a packet exhibits the corresponding behaviour, the packet is passed to the threat processing module. The threat processing module is adapted to discard the packet and to block the program and/or host that sent it.
Further, to better detect spoofed packets, a network device information binding table is built in the spoofed-packet detection module, and a first hash table adapted to count spoofing behaviour per unit time is built in the threat processing module, with a first threshold set for it. The spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID of the switch and the port number that sent the Packet-In message, and compares each item with the corresponding entry in the network device information binding table. If all items match, the packet is passed to the malformed-packet detection module; if they do not match, the packet is passed to the threat processing module and discarded, and the spoofing behaviour is counted; when the count exceeds the first threshold, the program and/or host that sent the packet is blocked.
Further, to better detect malformed packets, a second hash table adapted to count abnormal flag-bit settings per unit time is built in the threat processing module, with a second threshold set for it. The malformed-packet detection module examines each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet is passed to the anomalous-packet detection module; if not, the packet is passed to the threat processing module and discarded, and the abnormal flag-bit setting is counted; when the count exceeds the second threshold, the program and/or host that sent the packet is blocked.
Further, to better detect anomalous packets, a hash table for identifying flood attack packets is built in the anomalous-packet detection module, and a third hash table adapted to count flood attacks per unit time is built in the threat processing module, with a third threshold set for it. The anomalous-packet detection module judges, according to the threshold set in its hash table, whether the packet is part of an attack. If not, the data is forwarded; if so, the packet is passed to the threat processing module and discarded, and the attack is counted; when the count exceeds the third threshold, the program and/or host that sent the packet is blocked.
In another aspect, to solve the same technical problem, the invention also provides a DDoS attack identification and protection method based on an SDN framework, comprising:
Detecting in turn address spoofing at the link layer and the internet layer, abnormal flag-bit settings at the internet layer and the transport layer, and flood attacks at the application layer and the transport layer; if any detection step judges that the packet exhibits the corresponding behaviour, the packet is passed to the threat processing module, which discards the packet and blocks the program and/or host that sent it.
Further, to better detect address spoofing at the link layer and the internet layer,
the detection method comprises: detecting spoofing with the spoofed-packet detection module, that is, first building a network device information binding table in the spoofed-packet detection module; then, with the spoofed-packet detection module, parsing the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID of the switch and the port number that sent the Packet-In message, and comparing each item with the corresponding entry in the network device information binding table. If all items match, the packet is passed to the next detection step; if they do not match, the packet is passed to the threat processing module.
Further, to better detect abnormal flag-bit settings at the internet layer and the transport layer, the detection method comprises: detecting abnormal flag-bit settings with the malformed-packet detection module, that is, examining each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet is passed to the next detection step; if not, the packet is passed to the threat processing module.
Further, to better detect flood attacks at the application layer and the transport layer,
the detection method comprises: detecting flood attacks with the anomalous-packet detection module, that is, building in the anomalous-packet detection module a hash table for identifying flood attack packets, and judging according to the threshold set in this hash table whether the packet is part of a flood attack. If not, the data is forwarded normally; if so, the attack packet is passed to the threat processing module.
Further, the method by which the threat processing module blocks the program and/or host that sent a packet comprises: first, building the corresponding counting hash tables and setting their thresholds, that is, building in the threat processing module a first hash table that counts spoofing behaviour per unit time, a second hash table that counts abnormal flag-bit settings, and a third hash table that counts flood attacks, and setting the first, second and third thresholds in the first, second and third hash tables respectively; second, blocking the program and/or host that sent the packet, that is, counting the behaviour of each packet passed to the threat processing module in the corresponding hash table and, when the count exceeds the corresponding threshold, blocking the program and/or host that sent it.
Beneficial effects of the invention: (1) the processing framework adopts an extensible modular design, achieving efficient detection and flexible handling of DDoS threats; (2) each module obtains packet information through an independent interface design, reducing coupling between modules; (3) each module uses optimised program data structures and finely divided processing sub-flows, improving the cohesion of the modules.
Brief description of the drawings
To make the content of the invention easier to understand, the invention is further explained in detail below with reference to specific embodiments and the accompanying drawings, in which
Fig. 1 shows the schematic diagram of the data layer in a software-defined network;
Fig. 2 shows the schematic diagram of the SDN-based DDoS attack identification and protection system;
Fig. 3 shows the workflow of the spoofed-packet detection module;
Fig. 4 shows the workflow of the malformed-packet detection module;
Fig. 5 shows the detection flow chart for UDP flooding;
Fig. 6 shows the detection flow chart for ICMP flooding;
Fig. 7(a) shows the curve of attack frequency borne by a web server that does not use this DDoS attack identification and protection system;
Fig. 7(b) shows the curve of attack frequency borne by a web server that uses this DDoS attack identification and protection system;
Fig. 8 shows the flow block diagram of the SDN-based DDoS attack identification and protection method.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the embodiments and the accompanying drawings. It should be understood that these descriptions are only exemplary and are not intended to limit the scope of the invention. In addition, descriptions of well-known structures and techniques are omitted below to avoid unnecessarily obscuring the concept of the invention.
Operating principle of the invention
Fig. 1 shows the schematic diagram of the data layer in a software-defined network.
As shown in Fig. 1, in a software-defined network (SDN) framework, when a packet arrives at a switch it is first matched against the switch's flow table. If the match succeeds, the packet is forwarded according to the action specified by the matching flow-table rule. If the match fails, the switch encapsulates the packet in a Packet-In message and sends it to the controller, keeps a copy of the packet in its local buffer, and waits for the controller to decide how the packet should be handled.
A network contains many hosts, so a group of hash tables keyed by every host in the network must be set up, referred to as the "violation-count hash table group". It comprises a first hash table adapted to count spoofed packets, a second hash table adapted to count malformed packets and a third hash table adapted to count flood attacks, and records the number of violations of each host, that is, the host's trustworthiness.
Packets in the network arrive in real time, so a hash table that counts threat packets per unit time must also be set up. Each host corresponds to a key in the hash table, and the value records the number of threat packets sent by that host within the unit time. At the start of each unit-time "time slice" the values of all keys in such a hash table are reset to 0. Each type of packet detected needs such a table: if 100 packet types are detected, 100 such hash tables are needed.
Each hash table also has a corresponding threshold. Whenever a host's value in a hash table is incremented, the value is checked after counting to see whether it exceeds the set threshold; if it does, the corresponding record in the violation-count hash table is incremented.
Furthermore, parameters such as the threshold of each hash table and the length of the hash-table time slice can all be adjusted through an interface.
For example, the per-host hash tables are:
Unit-time spoofed-packet count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ……  Host n
1      2      2      1      100    2      0      0      ……  0
Unit-time malformed-packet count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ……  Host n
1      2      2      1      100    2      0      0      ……  0
Unit-time SYN count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ……  Host n
1      1      0      1      100    2      0      0      ……  0
Unit-time UDP flood count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ……  Host n
1      1      0      1      100    2      0      0      ……  0
Unit-time ICMP flood count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ……  Host n
1      1      0      1      100    2      0      0      ……  0
……
All the hash tables above are unit-time count tables; at the start of each time slice all their values are reset to 0.
Violation-count hash table
Host1  Host2  Host3  Host4  Host5  Host6  Host7  Host8  ……  Host n
1      1      0      1      0      2      0      0      ……  0
On the basis of the above operating principle, two technical schemes are listed below.
Embodiment 1
Embodiment 1 is the technical scheme for the DDoS attack identification and protection system.
Fig. 2 shows the schematic diagram of the SDN-based DDoS attack identification and protection system.
As shown in Fig. 2, an SDN-based DDoS attack identification and protection system comprises a controller, and the controller comprises a spoofed-packet detection module, a malformed-packet detection module, an anomalous-packet detection module and a threat processing module.
The spoofed-packet detection module detects address spoofing at the link layer and the internet layer.
The malformed-packet detection module detects abnormal flag-bit settings at the internet layer and the transport layer.
The anomalous-packet detection module detects flood attacks at the application layer and the transport layer.
The spoofed-packet detection module, the malformed-packet detection module and the anomalous-packet detection module inspect each packet in turn, and if any detection module finds that the packet exhibits the corresponding behaviour, the packet is passed to the threat processing module. Here the corresponding behaviour is the behaviour each module is responsible for: address spoofing for the spoofed-packet detection module, abnormal flag-bit settings for the malformed-packet detection module, and flood attacks for the anomalous-packet detection module.
The threat processing module is adapted to discard the packet and to block the program and/or host that sent it.
The invention inspects packets in the order spoofed-packet detection module, then malformed-packet detection module, then anomalous-packet detection module. Each module obtains packet information through an independent interface design, reducing coupling between modules, and each module uses optimised program data structures and finely divided processing sub-flows, improving the cohesion of the modules. This detection order improves the efficiency of packet inspection and reduces losses.
Fig. 3 shows the workflow of the spoofed-packet detection module.
As shown in Fig. 3, a network device information binding table is built in the spoofed-packet detection module, and a first hash table adapted to count spoofing behaviour per unit time is built in the threat processing module, with a first threshold set for it. The spoofed-packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID of the switch and the port number that sent the Packet-In message, and compares each item with the corresponding entry in the network device information binding table. If all items match, the packet is passed to the malformed-packet detection module; if they do not match, the packet is passed to the threat processing module and discarded, and the spoofing behaviour is counted at the same time; when the count exceeds the first threshold, the program and/or host that sent the packet is blocked.
Specifically, the spoofed-packet detection module performs the first judgement on the packet, that is, it judges whether the packet is an IP spoofing, port spoofing or MAC spoofing attack packet.
The concrete steps are: first parse the source and destination MAC addresses and the switch ingress port from the Ethernet frame, then parse the payload according to the packet type. When the type is IP, ARP or RARP, parse the corresponding source and destination IP addresses, then look these items up against the entries in the network device information binding table. If the corresponding entry matches, hand the packet to the malformed-packet detection module; if not, pass the packet to the threat processing module and at the same time accumulate the spoofing count; when the count exceeds the first threshold, block the program and/or host that sent the packet.
Floodlight has a device manager module, DeviceManagerImpl, which tracks devices as they move around the network and defines devices according to new flows.
The device manager learns devices from Packet-In requests, obtains the device's network parameters (source and destination IP, MAC, VLAN and so on) from the Packet-In message, and classifies the device as a switch or a host through the entity classifier. By default the entity classifier identifies a device by its MAC address and/or VLAN, and these two attributes identify a device uniquely. Another important piece of information is the device's attachment point (the DPID and port number of the switch): within one OpenFlow domain, meaning the set of switches connected to the same Floodlight instance, a device can have only one attachment point. The device manager also sets expiry times for IP addresses, attachment points and devices, using the last-seen timestamp to judge whether they have expired.
Therefore the network device information binding table module only needs to call the IDeviceService provided by the DeviceManagerImpl module, and to add an IDeviceListener to that service.
The listener interface IDeviceListener involves:
Service providers used: IFloodlightProviderService, IDeviceService
Interfaces relied on: IFloodlightModule, IDeviceListener
The records in the binding table are refreshed in real time according to the switch's port-state (low/high level) trigger mechanism: a Port Down event when the network cable is unplugged, and a Port Up event when it is plugged in.
Traditional DDoS attacks cannot reach or modify the switch DPID and switch port information; this advantage allows spoofing attacks to be detected more flexibly.
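The binding-table comparison described above, as an added example (my code, not the patent's or Floodlight's); the Binding/BindingTable classes, the field names and the sample addresses are assumptions, and the verdict for a host with no binding yet is left to the device manager rather than treated as spoofing:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Binding:
    """One row of the network device information binding table (hypothetical)."""
    mac: str
    ip: str
    dpid: str   # DPID of the switch the host is attached to
    port: int   # ingress port on that switch (the attachment point)


class BindingTable:
    """Binding table keyed by host MAC, the identifier the Floodlight device
    manager uses for a host by default. Hypothetical class, not Floodlight's."""

    def __init__(self) -> None:
        self._by_mac: Dict[str, Binding] = {}

    def learn(self, binding: Binding) -> None:
        # Would be fed from the IDeviceListener callbacks (deviceAdded,
        # deviceMoved, deviceIPV4AddrChanged) as the device manager learns hosts.
        self._by_mac[binding.mac] = binding

    def port_down(self, dpid: str, port: int) -> List[str]:
        """Port Down trigger: drop every binding attached to that switch port.
        Returns the MACs that were removed."""
        gone = [m for m, b in self._by_mac.items()
                if b.dpid == dpid and b.port == port]
        for mac in gone:
            del self._by_mac[mac]
        return gone

    def get(self, mac: str) -> Optional[Binding]:
        return self._by_mac.get(mac)

    def owner_of_ip(self, ip: str) -> Optional[str]:
        """MAC currently bound to an IP address, if any."""
        for mac, b in self._by_mac.items():
            if b.ip == ip:
                return mac
        return None


def check_packet_in(table: BindingTable, src_mac: str, src_ip: str,
                    dpid: str, in_port: int) -> str:
    """Spoofed-packet check on the fields parsed from one Packet-In.

    Returns "match" (hand on to the malformed-packet check), "unknown"
    (no binding learned yet; assumption: left to the device manager) or
    "mismatch:<reason>" (hand to the threat processing module).
    """
    b = table.get(src_mac)
    if b is None:
        owner = table.owner_of_ip(src_ip)
        if owner is not None:
            # A different MAC already owns this IP: IP/MAC spoofing.
            return f"mismatch:ip {src_ip} bound to {owner}"
        return "unknown"
    if b.ip != src_ip:
        return f"mismatch:mac {src_mac} bound to ip {b.ip}"
    if (b.dpid, b.port) != (dpid, in_port):
        # The attachment point is reported by the switch, not by the sender,
        # so it cannot be forged: a mismatch means the address is being used
        # from another port.
        return f"mismatch:attachment point {b.dpid}/{b.port}"
    return "match"
```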
Fig. 4 shows the workflow of the malformed-packet detection module.
As shown in Fig. 4, a second hash table adapted to count abnormal flag-bit settings per unit time is built in the threat processing module, with a second threshold set for it. The malformed-packet detection module examines each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet is passed to the anomalous-packet detection module; if not, the packet is passed to the threat processing module and discarded, and the abnormal flag-bit setting is counted at the same time; when the count exceeds the second threshold, the program and/or host that sent the packet is blocked.
Specifically, the malformed-packet detection module performs the second judgement on the packet, that is, it judges whether the packet is an attack packet with malicious flag-bit characteristics. Attack packets with malicious flag-bit characteristics include, but are not limited to, IP attack packets and TCP attack packets. The implementation steps are: detect IP attack packets and TCP/UDP attack packets by checking the flag bits of each packet, that is, identify whether each flag bit conforms to the TCP/IP protocol specification. If so, hand the packet directly to the anomalous-packet detection module; if not, judge it to be an attack packet and pass it to the threat processing module.
Taking a typical attack such as Teardrop as an example: the IP header contains a fragment offset field and a More Fragments (MF) flag; if the attacker sets the offset field to an incorrect value, the IP fragments overlap or leave gaps, and the target system crashes.
The IP header also contains a protocol field, which specifies which protocol the IP packet carries. The value of this field is less than 100; if an attacker sends the target a large number of IP packets whose protocol field is greater than 100, the protocol stack of the target system is damaged and an attack is formed.
Therefore the malformed-packet detection module first extracts each flag bit of the packet and then checks whether it is normal.
If normal, the packet is handed to the subsequent module for processing.
If abnormal, the packet is discarded and the counter in the corresponding hash table is incremented. If the counter within the unit time exceeds the set second threshold, the threat processing module is called to block the corresponding program and/or to block the corresponding host directly.
Since the packets have already been filtered by the spoofed-packet detection module, the addresses in the packets subsequently handled by the malformed-packet detection module are all genuine. This effectively prevents the target from receiving malformed packets, which could directly crash the target's protocol stack or even the target machine itself.
The processing of the malformed-packet detection module is broadly similar to that of the spoofed-packet detection module; the difference is that the malformed-packet detection module parses the flag bits of each packet and then checks whether each flag bit is normal.
If normal, the packet goes directly to the subsequent anomalous-packet detection module.
If abnormal, the controller issues a command to discard the packet and increments the counter in the corresponding hash table of the host-trust mechanism. If the set threshold is exceeded, the corresponding attack program is blocked, or the attacking host is blocked directly.
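The flag-bit checks of the malformed-packet detection module, as an added example (my code, not the patent's): it covers the Teardrop fragment-offset case and the TCP flag combinations named above; the Fragment type and the EXPECTED_PROTOCOLS allow-list used for the protocol-field check are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# TCP flag bits in the low six bits of the flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MAX_DATAGRAM = 65535             # largest IPv4 datagram, header included

# Assumption for this example: protocol numbers the controller expects on the
# hosts' segment. Anything else is treated as a malformed packet.
EXPECTED_PROTOCOLS = {1, 6, 17}  # ICMP, TCP, UDP


@dataclass(frozen=True)
class Fragment:
    """One IP fragment of a datagram (constructed input for the check)."""
    offset: int   # fragment offset field, in 8-byte units
    length: int   # payload length in bytes
    mf: bool      # More Fragments flag


def check_fragments(frags: List[Fragment]) -> Tuple[bool, str]:
    """Teardrop-style check over the complete fragment set of one datagram.

    Fragments must tile the payload with no overlap and no gap, every
    non-final fragment must be a multiple of 8 bytes with MF set, the final
    fragment must have MF clear, and the whole must fit in one datagram.
    """
    if not frags:
        return False, "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for i, f in enumerate(ordered):
        start = f.offset * 8
        final = i == len(ordered) - 1
        if start < expected:
            return False, f"overlap at offset {start}"
        if start > expected:
            return False, f"gap before offset {start}"
        if not final and f.length % 8:
            return False, f"non-final fragment length {f.length} not a multiple of 8"
        if f.mf == final:
            return False, "MF flag inconsistent with fragment position"
        expected = start + f.length
    if expected + 20 > MAX_DATAGRAM:
        return False, f"reassembled size {expected} too large"
    return True, "ok"


def check_tcp_flags(flags: int) -> Tuple[bool, str]:
    """Reject TCP flag combinations that no conforming stack emits."""
    low = flags & 0x3F
    if low == 0:
        return False, "null flags"
    if low & SYN and low & (FIN | RST):
        return False, "SYN combined with FIN or RST"
    # Only the initial SYN may omit ACK; a bare RST is also legitimate.
    if not low & ACK and low != SYN and not low & RST:
        return False, "segment without ACK that is neither SYN nor RST"
    return True, "ok"


def check_ip_protocol(proto: int) -> Tuple[bool, str]:
    """Protocol-field check against the expected set (assumption above)."""
    if proto in EXPECTED_PROTOCOLS:
        return True, "ok"
    return False, f"unexpected protocol number {proto}"
```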
The Hash table for identifying the formula attack message that floods is built at described exception message detection module, in described threat processing module, build the 3rd Hash table being suitable for that the formula attack of flooding is counted in the unit interval, and set the 3rd threshold values in the 3rd Hash table; Described exception message detection module, is suitable for judging whether described message has attack according to the threshold values set in described Hash table; If without attack, then by data distributing; If have attack, then proceed to described threat processing module, abandon, and count attack simultaneously message, when count value is more than the 3rd threshold values, shielding sends program and/or the main frame of this message.
Concrete, described exception message detection module, judges for carrying out third time to message, namely judges whether message is the formula attack message that floods.
Concrete steps comprise: utilize the identification to building to flood adding up to the respective record in Hash table of formula attack message, and detect whether exceed threshold value, to judge whether the being formula attack message that floods.
Through above-mentioned deception packet check module, the filtering destroying packet check module two modules, the packet of subsequent module for processing belongs to packet under normal circumstances substantially.But, under normal circumstances, also have ddos attack and produce, in the prior art, generally only carry out deception packet check module, destroy packet check module, and in the technical program, in order to avoid ddos attack as much as possible.
Following examples to after carrying out deception packet check module, destroying packet check modular filtration, then shield the embodiment of ddos attack by exception message detection module.This execution mode is for UDP Flooding and ICMP Flooding.
Fig. 5 shows the detection flow chart for UDP flooding.
As shown in Fig. 5, UDP flooding exploits the connectionless nature of UDP: a large number of UDP packets is sent to the target. The target spends considerable time processing them; the attack packets can overflow the buffer that holds UDP packets and consume much of the network bandwidth, so that the target can no longer receive legitimate UDP packets (or receives very few).
Because many different hosts send large numbers of UDP packets to a single host, they necessarily hit UDP ports on which nothing is listening, so the scheme can observe the resulting ICMP "port unreachable" packets.
The scheme therefore maintains a hash table over all hosts that records, per unit interval, how many ICMP "port unreachable" packets are returned to each host. If the count exceeds the configured threshold, the corresponding attacker is blocked directly.
Fig. 6 shows the detection flow chart for ICMP flooding.
As shown in Fig. 6, ICMP flooding is handled by counting ICMP packets directly per unit interval. If the count exceeds the corresponding threshold, the respective host is blocked directly; the method is simple but effective.
In summary, when the anomalous packet detection module detects a packet type that it checks for anomalies, it performs the corresponding counting check against the threshold. If the threshold is not exceeded, the packet is forwarded, optionally via the optimal routing policy. If it is exceeded, the corresponding attacker is blocked, or the respective host is blocked directly.
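As an added illustration, not part of the patent text, the following Python fragment implements the two counters described above: UDP flooding is inferred from ICMP port-unreachable replies returned to a host, and ICMP flooding from echo requests sent by a host, each counted per unit interval in a per-host table that plays the role of the hash table. The packet records, field names, thresholds and interval are constructed assumptions; a controller would fill them from decoded Packet-In payloads. One caveat is made explicit in the code: attributing a port-unreachable reply to its UDP sender is only sound because the spoofed packet detection stage upstream has already established that source addresses belong to the sending host.

```python
"""Flooding detection for the anomalous packet detection stage (added example).

Two per-host counters, each over one unit interval:
  * UDP flooding is counted indirectly: the flooded target answers UDP packets
    sent to closed ports with ICMP 'port unreachable' (type 3, code 3), and the
    table counts how many of those are returned to each host.
  * ICMP flooding is counted directly from ICMP echo requests (type 8).
The per-host tables below play the role of the patent's hash tables.
"""
from collections import defaultdict

ICMP_PROTO = 1
ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH = 3, 3
ICMP_ECHO_REQUEST = 8


def icmp_pkt(src, dst, icmp_type, icmp_code=0):
    """Decoded header fields of one packet (constructed sample, not a capture)."""
    return {"proto": ICMP_PROTO, "src": src, "dst": dst,
            "icmp_type": icmp_type, "icmp_code": icmp_code}


class FloodDetector:
    def __init__(self, unit_interval=1.0, udp_threshold=50, icmp_threshold=100):
        self.unit_interval = unit_interval
        self.thresholds = {"udp": udp_threshold, "icmp": icmp_threshold}
        # (kind, host) -> [window_start, count]; one window per unit interval
        self.table = defaultdict(lambda: [None, 0])

    def _count(self, kind, host, now):
        rec = self.table[(kind, host)]
        if rec[0] is None or now - rec[0] >= self.unit_interval:
            rec[0], rec[1] = now, 0          # a new unit interval starts
        rec[1] += 1
        return rec[1]

    def inspect(self, pkt, now):
        """Return ('forward', None) or ('attack', suspected_host).

        An 'attack' verdict hands the packet to the threat processing module,
        which drops it and decides about blocking the host.
        """
        if pkt["proto"] != ICMP_PROTO:
            return "forward", None
        if (pkt["icmp_type"], pkt["icmp_code"]) == (ICMP_DEST_UNREACH, ICMP_CODE_PORT_UNREACH):
            # The reply travels victim -> sender, so the UDP sender is pkt['dst'].
            # Only valid because the spoof check upstream guarantees that the
            # source address of the original UDP packet belongs to the sending host.
            sender = pkt["dst"]
            if self._count("udp", sender, now) > self.thresholds["udp"]:
                return "attack", sender
        elif pkt["icmp_type"] == ICMP_ECHO_REQUEST:
            sender = pkt["src"]
            if self._count("icmp", sender, now) > self.thresholds["icmp"]:
                return "attack", sender
        return "forward", None
```

The window is reset lazily on the first packet of a new interval, so idle hosts cost nothing; a production controller would additionally evict entries that have not been touched for several intervals to bound the table size.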
When any of the spoofed packet detection module, the malformed packet detection module and the anomalous packet detection module judges a packet to be one of the attack packets described above, the packet is handed to the threat processing module; that is, the packet is dropped and the program and/or host that sent it is blocked.
Whenever one of these three modules needs to drop a packet or to block a threatening host, it calls the threat processing module directly to carry out the corresponding threat handling operation.
The threat processing module is implemented as follows.
Dropping the packet:
When an OpenFlow switch finds no matching flow entry for a packet, it encapsulates the packet in a Packet-In message and at the same time keeps the packet in its local buffer; the buffer slot has an ID, which is carried in the buffer_id field of the Packet-In. The packet is dropped by sending a Packet-Out whose buffer_id field carries the buffer ID of the packet to be dropped (the buffer_id of the corresponding Packet-In) and whose action list is empty.
Blocking a host:
An OpenFlow flow table entry has the following structure:
Header fields | Counters | Actions
The header fields are structured as follows:
The threat processing module blocks an application (program) as follows:
Step 1: fill in the corresponding match fields in the header fields of the flow entry, and set the Wildcards mask so that the entry identifies the attacking program or host. To block a program, fill in the match fields IP address, MAC address, VLAN, switch DPID, switch port, protocol type and port numbers; to block a host, fill in IP address, MAC address, VLAN, switch DPID and switch port.
Step 2: leave the action list of the flow entry empty, so that the packets of the attacking program/host are dropped.
Step 3: read the record values in the hash tables and compute the entry's timeout (expiry time) from them automatically.
Step 4: install the flow entry that blocks the program or host.
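The following Python is an added example of steps 1 to 4 and of the Packet-Out drop, written against OpenFlow 1.0 field names; it is not code from the patent or from any controller, and plain dictionaries stand in for the message objects of a controller library. The wildcard bit values are those of the OpenFlow 1.0 specification. Two practical points are built in: the DPID is not a match field but selects the switch that receives the flow_mod, and a Packet-In whose buffer_id is OFP_NO_BUFFER carries the whole packet, so there is no buffered copy to release and the controller simply discards its own copy. The rule that scales the timeout with the hash-table count is an assumption; the patent only states that the timeout is computed from the record values.

```python
"""Threat processing module: drop via Packet-Out, block via a flow entry
(added example; plain dicts stand in for controller-library message objects;
field names follow the OpenFlow 1.0 specification)."""

OFP_NO_BUFFER = 0xFFFFFFFF
ETH_TYPE_IPV4 = 0x0800

# OpenFlow 1.0 ofp_match fields and the ofp_flow_wildcards bit(s) that hide each.
OFPFW = {
    "in_port": 1 << 0, "dl_vlan": 1 << 1, "dl_src": 1 << 2, "dl_dst": 1 << 3,
    "dl_type": 1 << 4, "nw_proto": 1 << 5, "tp_src": 1 << 6, "tp_dst": 1 << 7,
    "nw_src": 0x3F << 8, "nw_dst": 0x3F << 14, "dl_vlan_pcp": 1 << 20, "nw_tos": 1 << 21,
}
OFPFW_ALL = (1 << 22) - 1


def build_match(**fields):
    """Step 1: exact-match the given header fields, wildcard everything else."""
    unknown = set(fields) - set(OFPFW)
    if unknown:
        raise ValueError(f"not OpenFlow 1.0 match fields: {sorted(unknown)}")
    wildcards = OFPFW_ALL
    for name in fields:
        wildcards &= ~OFPFW[name]        # clear the bit: this field must match
    return {"wildcards": wildcards, **fields}


def program_match(in_port, dl_src, nw_src, nw_proto, tp_src, tp_dst, dl_vlan=None):
    """Identify one attacking program: host identity plus protocol and ports."""
    fields = dict(in_port=in_port, dl_src=dl_src, dl_type=ETH_TYPE_IPV4,
                  nw_src=nw_src, nw_proto=nw_proto, tp_src=tp_src, tp_dst=tp_dst)
    if dl_vlan is not None:
        fields["dl_vlan"] = dl_vlan
    return build_match(**fields)


def host_match(in_port, dl_src, nw_src, dl_vlan=None):
    """Identify the whole host: addresses and attachment port, no L4 fields."""
    fields = dict(in_port=in_port, dl_src=dl_src, dl_type=ETH_TYPE_IPV4, nw_src=nw_src)
    if dl_vlan is not None:
        fields["dl_vlan"] = dl_vlan
    return build_match(**fields)


def block_timeout(count, threshold, base=30, cap=3600):
    """Step 3: derive idle_timeout (seconds) from the hash-table record.

    Assumed rule: the further the count exceeded its threshold, the longer the
    block; the patent only says the timeout is computed from the record values.
    """
    return min(cap, base * max(1, count // threshold))


def block_flow_mod(dpid, match, idle_timeout, priority=1000):
    """Steps 2 and 4: flow_mod ADD with an empty action list (= drop), sent to
    the switch identified by dpid; dpid itself is not a match field."""
    return {"dpid": dpid, "command": "ADD", "priority": priority, "match": match,
            "idle_timeout": idle_timeout, "hard_timeout": 0, "actions": []}


def drop_packet_out(dpid, buffer_id, in_port):
    """Packet-Out that names the switch buffer of the Packet-In and carries no
    actions, so the switch releases the buffered packet without forwarding it.

    Returns None when the Packet-In carried the whole packet (buffer_id ==
    OFP_NO_BUFFER): nothing is buffered on the switch, the controller just
    discards its copy.
    """
    if buffer_id == OFP_NO_BUFFER:
        return None
    return {"dpid": dpid, "buffer_id": buffer_id, "in_port": in_port, "actions": []}
```

The block entry should carry a higher priority than the forwarding entries installed by the routing policy, otherwise an existing forwarding match on the same switch would keep delivering the attacker's packets; the priority argument above exists for that reason.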
The network of this scheme thus identifies and filters attack packets effectively; the concrete results are shown in Fig. 7(a) and Fig. 7(b).
Optionally, after the modules above, normal packets are forwarded according to a real-time optimal routing policy.
The concrete steps are as follows:
First, in step S1, a request is submitted to the controller's topology interface (API), and in step S2 the full network topology is obtained.
Next, the link state of the whole network is obtained: step S3 issues the request, step S10 returns the whole-network link state, and the remaining bandwidth of every link is then computed.
Then the real-time optimal path is computed with the classical Dijkstra algorithm, with the weight of each link set to the reciprocal of the remaining bandwidth obtained in the previous step, so that the path found is the least congested one, that is, the path with the lowest transmission delay.
Finally, the computed optimal path is converted into a real-time optimal path policy made up of flow entries, which is installed in step S11.
Step S1 uses the topology interface, an API provided by the controller; links are discovered with LLDP (Link Layer Discovery Protocol) and broadcast packets, and the controller then computes the network topology automatically.
In step S2 the controller's topology interface returns the topology requested by the "full network topology acquisition module" of the "real-time optimal path computation module".
In step S3 the "whole-network link state acquisition module" sends a request to the "switch query interface module" and obtains the whole-network link state. The "switch query interface module" extends the controller's built-in "switch feature query module" and "switch status query module" and implements the computation and querying of link remaining bandwidth.
In step S4 the "switch query module" broadcasts a switch feature request to all switches in the network. In step S5 it receives the switch feature replies, parses the curr field of each message, and obtains the current bandwidth B of every switch port.
In step S6 the module broadcasts a switch status request to all switches in the network, covering port statistics such as packets sent, bytes sent, bytes received and packets received. In step S7 it receives the switch status replies, parses the tx_bytes field to obtain the number of bytes sent N1, and records the current time t1.
In step S8 the module again broadcasts a switch status request to all switches in the network; in step S9 it receives the switch status replies, stops timing and records the current time t2, and parses the tx_bytes field to obtain the number of bytes sent N2.
The remaining bandwidth of the port is then: B - (N2 - N1)/(t2 - t1).
Using the topology obtained earlier, the remaining bandwidth of every link is then computed:
For a switch-to-switch link, the remaining bandwidth of the switch ports at both ends is obtained, and the link's remaining bandwidth is the smaller of the two.
For a host-to-switch link, the remaining bandwidth of the switch port connected to the host is obtained, and that is the link's remaining bandwidth.
Step S4: the controller broadcasts a Feature Request message to all switches in the network.
Step S5: the controller receives the Feature Reply messages returned by the switches.
Step S6: the controller broadcasts a Stats Request message to all switches in the network.
Step S7: the controller receives the Stats Reply messages returned by the switches.
Step S8: the controller broadcasts a Stats Request message to all switches in the network.
Step S9: the controller receives the Stats Reply messages returned by the switches.
Step S10: the switch query interface feeds the computed link remaining bandwidth back to the "whole-network link state acquisition module".
Step S11: the routing policy installation module receives the computed real-time optimal routing policy, and in step S12 the computed flow entries are installed on the relevant switches.
The interface used in step S12 is an API provided by the controller for installing the computed optimal routing policy.
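As an added example, not part of the patent, the Python below carries the computation above through on a constructed five-node topology: per-port residual bandwidth from two tx_bytes samples (with bytes converted to bits so the result is in the same unit as B, a step the formula leaves implicit), per-link residual bandwidth as the minimum of the two end ports, and Dijkstra with weight 1/residual bandwidth. Saturated links (residual 0) are skipped rather than given an infinite weight. Node names, port rates and byte counts are constructed.

```python
"""Real-time optimal path from residual bandwidth (added example).

port_residual_bw : B - (N2 - N1) / (t2 - t1), with tx_bytes converted to bits
                   so the result is in the same unit as the port rate B (bit/s)
link_residual_bw : min of both end ports (switch-switch), or the single switch
                   port (host-switch)
best_path        : Dijkstra with edge weight 1 / residual bandwidth
"""
import heapq
from collections import defaultdict


def port_residual_bw(port_bw_bps, tx_bytes_1, t1, tx_bytes_2, t2):
    """Residual bandwidth of one switch port from two tx_bytes samples."""
    if t2 <= t1:
        raise ValueError("second sample must be later than the first")
    used_bps = (tx_bytes_2 - tx_bytes_1) * 8 / (t2 - t1)
    return max(port_bw_bps - used_bps, 0.0)


def link_residual_bw(switch_port_bw, far_port_bw=None):
    """Switch-switch link: smaller of the two port residuals.
    Host-switch link (far_port_bw is None): the switch port's residual alone."""
    return switch_port_bw if far_port_bw is None else min(switch_port_bw, far_port_bw)


def best_path(links, src, dst):
    """Dijkstra over (node_a, node_b, residual_bps) links, weight = 1/residual.

    Saturated links (residual 0) are left out of the graph instead of getting
    an infinite weight. Returns the node list or None if dst is unreachable.
    """
    graph = defaultdict(list)
    for a, b, residual in links:
        if residual <= 0:
            continue
        weight = 1.0 / residual
        graph[a].append((b, weight))
        graph[b].append((a, weight))

    dist, prev = {src: 0.0}, {}
    heap = [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                     # stale heap entry
        if u == dst:
            break
        for v, w in graph[u]:
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def sample_links():
    """Constructed topology h1-s1, s1-s2, s1-s3, s3-s2, s2-h2, all 100 Mbit/s ports.
    The s1-s2 link carries heavy traffic during the 1 s sample, the rest is idle."""
    s1_to_s2 = port_residual_bw(100e6, 0, 0.0, 11_250_000, 1.0)   # 10 Mbit/s left
    s2_to_s1 = port_residual_bw(100e6, 0, 0.0, 10_000_000, 1.0)   # 20 Mbit/s left
    idle = port_residual_bw(100e6, 5_000, 0.0, 5_000, 1.0)        # untouched port
    return [
        ("h1", "s1", link_residual_bw(idle)),
        ("s1", "s2", link_residual_bw(s1_to_s2, s2_to_s1)),
        ("s1", "s3", link_residual_bw(idle, idle)),
        ("s3", "s2", link_residual_bw(idle, idle)),
        ("s2", "h2", link_residual_bw(idle)),
    ]
```

On the sample topology the two-hop path through the congested s1-s2 link loses to the three-hop path via s3, which is exactly the behaviour the reciprocal weight is meant to produce. Note that tx_bytes is a cumulative counter; a controller must sample the same switch twice and difference the values, as steps S7 and S9 do, rather than read the counter once.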
Thus, while the optimal path policy defends against DDoS attacks, the average transmission delay of the network does not rise sharply.
Embodiment 2
A DDoS attack identification and protection method based on the SDN architecture, built on Embodiment 1, to solve the technical problem of defending effectively against DDoS attacks.
The DDoS attack identification and protection method comprises: detecting, in turn, spoofing of link-layer and network-layer addresses, abnormal settings of network-layer and transport-layer flag bits, and flooding attacks on the application and transport layers; if any detection step in this process judges that the packet exhibits the respective behaviour, the packet is handed to the threat processing module, which drops it and blocks the program and/or host that sent it.
Fig. 8 shows the flow chart of the DDoS attack identification and protection method based on the SDN architecture.
As shown in Fig. 8, the concrete steps are:
Step S100: detect spoofing of link-layer and network-layer addresses.
Step S200: detect abnormal settings of network-layer and transport-layer flag bits.
Step S300: detect flooding attacks on the application and transport layers.
Step S400: when a packet passes through steps S100, S200 and S300 in turn and any of them judges that the packet involves spoofing, an anomaly or an attack, drop the packet and block the program and/or host that sent it.
In step S100, the method for detecting spoofing of link-layer and network-layer addresses comprises: step S101, building a network device information binding table in the spoofed packet detection module; step S102, in the spoofed packet detection module, parsing the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that sent the Packet-In, and comparing each of these with the corresponding entry in the network device information binding table. If the information in the packet matches, the packet proceeds to step S200; if it does not match, the packet is handed to step S400.
In step S200, the method for detecting abnormal settings of network-layer and transport-layer flag bits comprises: checking each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification. If every flag bit conforms, the packet proceeds to step S300; otherwise the packet is handed to step S400.
In step S300, the method for detecting flooding attacks on the application and transport layers comprises: step S301, building in the anomalous packet detection module a hash table for identifying flooding attack packets; step S302, the anomalous packet detection module judging, against the threshold set in the hash table, whether the packet is a flooding attack packet. If there is no attack, the packet is forwarded normally or according to the optimal path policy described above; if there is an attack, the attack packet is handed to step S400.
In step S400, when a packet has passed through steps S100, S200 and S300 in turn and any of them judged that it involves spoofing, an anomaly or an attack, the packet is dropped and the program and/or host that sent it is blocked, as follows:
Step S410: build the counting hash tables and set their thresholds; that is, build in the threat processing module a first hash table that counts spoofing behaviour per unit interval, a second hash table that counts abnormal flag-bit settings, and a third hash table that counts flooding attacks, and set the first, second and third thresholds in the first, second and third hash tables respectively.
Step S420: block the program and/or host that sent the packet; that is, for the behaviour of each packet handed to the threat processing module, count it in the corresponding hash table, and when the count exceeds the respective threshold, block the program and/or host that sent the packet.
Concretely: a packet found to be spoofed in step S100 is handed to the threat processing module, which drops it and at the same time counts the spoofing behaviour; when the count exceeds the first threshold, the program and/or host that sent the packet is blocked.
A packet found to have abnormal flag bits in step S200 is handed to the threat processing module, which drops it and at the same time counts the abnormal behaviour; when the count exceeds the second threshold, the program and/or host that sent the packet is blocked.
An attack packet identified in step S300 is handed to the threat processing module, which drops it and at the same time accumulates the attack record value; when the accumulated value exceeds the third threshold, the program and/or host that sent the attack packet is blocked.
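The following Python is an added example, not code from the patent, of steps S100 to S400 taken together: a binding-table check keyed by switch DPID and port, a flag-bit check against combinations that no conforming TCP/IP stack emits, a simple per-source packet-rate check standing in for S300, and a threat processing stage with one counting table and one threshold per stage. Because a spoofed packet's source IP cannot be trusted, all counts and blocks are keyed on the switch attachment point (DPID, port). The binding entries, sample packets, thresholds and the particular flag rules are constructed assumptions.

```python
"""Embodiment 2 pipeline: S100 spoof check, S200 flag-bit check, S300 flood
check, S400 threat processing (added example with constructed sample data)."""

TCP, ICMP, UDP = 6, 1, 17
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_RESERVED, IP_DF, IP_MF = 0x4, 0x2, 0x1          # the 3-bit IPv4 flags field

# Network device information binding table (constructed): which MAC/IP pair the
# controller knows to be attached to each (switch DPID, port).
BINDINGS = {
    (1, 1): ("00:00:00:00:00:01", "10.0.0.1"),
    (1, 2): ("00:00:00:00:00:02", "10.0.0.2"),
}


def mk_pkt(dpid, in_port, src_mac, src_ip, proto, tcp_flags=0, ip_flags=IP_DF):
    """Header fields decoded from a Packet-In (constructed sample, not a capture)."""
    return {"dpid": dpid, "in_port": in_port, "src_mac": src_mac, "src_ip": src_ip,
            "proto": proto, "tcp_flags": tcp_flags, "ip_flags": ip_flags}


def tcp_flags_valid(flags):
    """Reject flag combinations no conforming TCP stack emits (representative list)."""
    if (flags & 0x3F) == 0:                   # null packet: no flag set at all
        return False
    if flags & SYN and flags & (FIN | RST):   # SYN+FIN or SYN+RST
        return False
    if flags & FIN and not flags & ACK:       # bare FIN, incl. FIN+PSH+URG 'Xmas'
        return False
    return True


def ip_flags_valid(ip_flags):
    if ip_flags & IP_RESERVED:                # reserved bit must be zero
        return False
    return not (ip_flags & IP_DF and ip_flags & IP_MF)   # DF and MF together


class DDoSPipeline:
    def __init__(self, bindings, unit_interval=1.0, thresholds=None):
        self.bindings = bindings
        self.unit_interval = unit_interval
        # S410: one threshold and one counting table per stage (1st, 2nd, 3rd hash table)
        self.thresholds = thresholds or {"spoof": 10, "flags": 10, "flood": 100}
        self.tables = {stage: {} for stage in self.thresholds}
        self.rate = {}                        # S300's own table: packets per source

    def _count(self, table, key, now):
        rec = table.get(key)
        if rec is None or now - rec[0] >= self.unit_interval:
            rec = table[key] = [now, 0]       # new unit interval
        rec[1] += 1
        return rec[1]

    def _threat(self, stage, attach, now):
        """S400: the packet is dropped either way; past the threshold the host is blocked."""
        n = self._count(self.tables[stage], attach, now)
        return ("shield" if n > self.thresholds[stage] else "drop", stage, attach)

    def process(self, pkt, now):
        # Everything is keyed on the attachment point: a spoofed source IP is
        # worthless as an identity, the switch port it arrived on is not.
        attach = (pkt["dpid"], pkt["in_port"])
        # S100: MAC/IP seen in the packet must match what is bound to that port
        if self.bindings.get(attach) != (pkt["src_mac"], pkt["src_ip"]):
            return self._threat("spoof", attach, now)
        # S200: network- and transport-layer flag bits must be spec-conformant
        if not ip_flags_valid(pkt["ip_flags"]):
            return self._threat("flags", attach, now)
        if pkt["proto"] == TCP and not tcp_flags_valid(pkt["tcp_flags"]):
            return self._threat("flags", attach, now)
        # S300: flooding, measured here simply as packets per source per interval
        if self._count(self.rate, attach, now) > self.thresholds["flood"]:
            return self._threat("flood", attach, now)
        return ("forward", None, attach)
```

The ordering matters for the counters: a packet rejected at S100 or S200 never reaches the S300 rate table, so a host cannot be double-counted for one packet, and the three stage thresholds stay independent as claims 2 to 4 require.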
It should be understood that the above embodiments of the present invention serve only to illustrate or explain the principle of the invention and do not limit it. Any modification, equivalent replacement or improvement made without departing from the spirit and scope of the invention shall fall within the scope of protection of the invention. Furthermore, the appended claims are intended to cover all changes and modifications that fall within the scope and boundaries of the claims or their equivalents.

Claims (9)

1. A DDoS attack identification and protection system based on the SDN architecture, characterized in that it comprises:
a spoofed packet detection module, which detects spoofing of link-layer and network-layer addresses;
a malformed packet detection module, which detects abnormal settings of network-layer and transport-layer flag bits;
an anomalous packet detection module, which detects flooding attacks on the application and transport layers;
the spoofed packet detection module, the malformed packet detection module and the anomalous packet detection module inspecting packets in turn, and, when any detection module detects that a packet exhibits the respective behaviour above, handing the packet to a threat processing module;
the threat processing module being adapted to drop the packet and to block the program and/or host that sent it.
2. The DDoS attack identification and protection system according to claim 1, characterized in that:
a network device information binding table is built in the spoofed packet detection module, and a first hash table adapted to count packet spoofing behaviour per unit interval is built in the threat processing module, with a first threshold set in the first hash table;
the spoofed packet detection module parses the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that sent the Packet-In, and compares each of these with the corresponding entry in the network device information binding table;
if the information in the packet matches, the packet is handed to the malformed packet detection module;
if the information in the packet does not match, the packet is handed to the threat processing module and dropped; the spoofing behaviour is counted at the same time, and when the count exceeds the first threshold, the program and/or host that sent the packet is blocked.
3. The DDoS attack identification and protection system according to claim 2, characterized in that:
a second hash table adapted to count abnormal flag-bit settings of packets per unit interval is built in the threat processing module, with a second threshold set in the second hash table;
the malformed packet detection module checks each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification;
if every flag bit of the packet conforms, the packet is handed to the anomalous packet detection module;
if not, the packet is handed to the threat processing module and dropped; the abnormal flag-bit setting is counted at the same time, and when the count exceeds the second threshold, the program and/or host that sent the packet is blocked.
4. The DDoS attack identification and protection system according to claim 3, characterized in that:
a hash table for identifying flooding attack packets is built in the anomalous packet detection module, and a third hash table adapted to count flooding attacks per unit interval is built in the threat processing module, with a third threshold set in the third hash table;
the anomalous packet detection module is adapted to judge, against the threshold set in its hash table, whether the packet is part of an attack;
if there is no attack, the packet is forwarded;
if there is an attack, the packet is handed to the threat processing module and dropped; the attack is counted at the same time, and when the count exceeds the third threshold, the program and/or host that sent the packet is blocked.
5. A DDoS attack identification and protection method based on the SDN architecture, comprising:
detecting, in turn, spoofing of link-layer and network-layer addresses, abnormal settings of network-layer and transport-layer flag bits, and
flooding attacks on the application and transport layers;
if any detection step in this process judges that the packet exhibits the respective behaviour, handing the packet to a threat processing module, which drops the packet and blocks the program and/or host that sent it.
6. The DDoS attack identification and protection method based on the SDN architecture according to claim 5, characterized in that the method for detecting spoofing of link-layer and network-layer addresses comprises:
detecting spoofing by means of a spoofed packet detection module, namely:
first, building a network device information binding table in the spoofed packet detection module;
second, in the spoofed packet detection module, parsing the type of the packet encapsulated in the Packet-In message to obtain the source and destination IP addresses, the MAC addresses, and the DPID and port number of the switch that sent the Packet-In, and comparing each of these with the corresponding entry in the network device information binding table;
if the information in the packet matches, passing the packet to the next detection step;
if the information in the packet does not match, handing the packet to the threat processing module.
7. The DDoS attack identification and protection method based on the SDN architecture according to claim 6, characterized in that the method for detecting abnormal settings of network-layer and transport-layer flag bits comprises:
detecting abnormal flag-bit settings by means of a malformed packet detection module, namely:
checking each flag bit of the packet to judge whether it conforms to the TCP/IP protocol specification;
if every flag bit of the packet conforms, passing the packet to the next detection step;
if not, handing the packet to the threat processing module.
8. The DDoS attack identification and protection method based on the SDN architecture according to claim 7, characterized in that the method for detecting flooding attacks on the application and transport layers comprises:
detecting flooding attacks by means of an anomalous packet detection module, namely:
building in the anomalous packet detection module a hash table for identifying flooding attack packets, and judging, against the threshold set in this hash table, whether the packet is a flooding attack;
if there is no attack, forwarding the packet normally;
if there is an attack, handing the attack packet to the threat processing module.
9. The DDoS attack identification and protection method based on the SDN architecture according to claim 8, characterized in that the method by which the threat processing module blocks the program and/or host that sent the packet comprises:
first, building the counting hash tables and setting their thresholds, namely:
building in the threat processing module a first hash table that counts spoofing behaviour per unit interval, a second hash table that counts abnormal flag-bit settings, and a third hash table that counts flooding attacks;
and setting the first, second and third thresholds in the first, second and third hash tables respectively;
second, blocking the program and/or host that sent the packet, namely:
for the behaviour of each packet handed to the threat processing module, counting it in the corresponding hash table, and when the count exceeds the respective threshold, blocking the program and/or host that sent the packet.
CN201410699598.8A 2014-11-26 2014-11-26 System and method for identifying and preventing DDoS attacks on basis of SDN framework Pending CN104378380A (en)

Publications (1)

Publication Number Publication Date
CN104378380A true CN104378380A (en) 2015-02-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication