CN104580107B - malicious attack detection method and controller - Google Patents
Publication number: CN104580107B (application CN201310508486.5A)
Authority: CN (China)
Prior art keywords: packet, port, controller, switch, flow table
Legal status: Active (status as listed by Google Patents, which is an assumption and not a legal conclusion)
Classifications
- H04L63/1441: Network architectures or network communication protocols for network security; countermeasures against malicious traffic
- H04L47/32: Traffic control in data switching networks; flow control or congestion control by discarding or delaying data units, e.g. packets or frames
- H04L63/1408: Network security; detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
Abstract
The invention relates to a malicious attack detection method and a controller, applied in an OpenFlow network architecture comprising a controller and a switch. The method includes: the controller receives Packet-In messages reported by the switch; and the controller determines that a first port meeting a reporting-rate condition is under malicious attack, where the first port is a port connecting the switch to a host, and the reporting-rate condition means that the rate of Packet-In messages corresponding to the port is not lower than a predetermined rate threshold and persists for a first time length. The method and controller of the embodiments can detect, at the network source, the malicious attack a port is suffering, so that a countermeasure can be found in time.
Description
Technical field
The invention relates to the field of communication technology, and in particular to a malicious attack detection method and a controller.
Background technology
As OpenFlow (hereinafter OF) networks are widely deployed in real scenarios, they inevitably face the same malicious attacks as legacy networks. Typical malicious attacks include flooding attacks and DoS attacks; most of them congest the network or paralyse the destination server by generating large volumes of traffic, and the most common case is that the attack is still within the tolerance of the network but the destination server has already been paralysed.
In a legacy network, tolerance of congestion can only rely on the robustness of the switches, but since a network may contain switches of many types with different security policies, the degree of congestion it can tolerate is uncertain. An attack aimed at a destination server can only be handled by firewall and protection software installed on the server, yet by then the traffic generated by the attack has already consumed network bandwidth and the network has become sluggish.
At present, OF networks have no strategy for coping with malicious attacks.
Summary of the invention
Technical problem
In view of this, the technical problem to be solved by the invention is to effectively detect that an OF network is under malicious attack.
Solution
To solve the above problem, according to one embodiment of the invention there is provided a malicious attack detection method, applied in an OpenFlow network architecture comprising a controller and a switch, including:
the controller receives Packet-In messages reported by the switch; and
the controller determines that a first port meeting a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition means that the rate of Packet-In messages corresponding to the port is not lower than a predetermined rate threshold and persists for a first time length.
In one possible implementation of the above method, after the controller receives the Packet-In messages reported by the switch, the method further includes:
the controller stores the received Packet-In messages;
and after the controller determines that the first port meeting the reporting-rate condition is under malicious attack, the method further includes:
the controller discards the stored Packet-In messages corresponding to the first port and instructs the switch to clear the flow entries corresponding to the first port.
In one possible implementation of the above method, after the controller discards the Packet-In messages corresponding to the first port and instructs the switch to clear the flow entries corresponding to the first port, the method further includes:
the controller issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
In one possible implementation of the above method, after the new flow entry ages, the controller again receives Packet-In messages corresponding to the first port reported by the switch,
where aging of a flow entry means that the flow entry has matched no packet for a second predetermined time length, or that the flow entry has existed for a third predetermined time length set by the controller.
To solve the above problem, according to another embodiment of the invention there is provided a controller, applied in an OpenFlow network architecture comprising the controller and a switch, the controller including:
a receiving module for receiving Packet-In messages reported by the switch; and
a processing module, connected to the receiving module, for determining that a first port meeting a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition means that the rate of Packet-In messages corresponding to the port is not lower than a predetermined rate threshold and persists for a first time length.
In one possible implementation, the above controller further includes:
a storage module, connected to the receiving module and the processing module, for storing the Packet-In messages received by the receiving module;
and the processing module is further used to discard the Packet-In messages corresponding to the first port and to instruct the switch to clear the flow entries corresponding to the first port.
In one possible implementation, the above controller further includes:
a sending module, connected to the processing module, for issuing a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
In one possible implementation of the above controller, after the new flow entry ages, the receiving module again receives Packet-In messages corresponding to the first port reported by the switch,
where aging of a flow entry means that the flow entry has matched no packet for a second predetermined time length, or that the flow entry has existed for a third predetermined time length set by the controller.
Beneficial effects
With the malicious attack detection method and controller of the embodiments, the controller receives the Packet-In messages reported by the switch and determines whether a port connected to a host is under malicious attack according to whether the rate of Packet-In messages corresponding to that port has exceeded the set rate threshold and persisted for a predetermined time length. If the rate of Packet-In messages corresponding to the port exceeds the set rate threshold and persists for the predetermined time length, the port is determined to be under malicious attack. The method of the embodiments can therefore detect at the network source the malicious attack a port is suffering, so that a countermeasure can be found in time.
Other features and aspects of the invention will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The accompanying drawings, which are included in and form part of the specification, illustrate exemplary embodiments, features and aspects of the invention together with the specification, and serve to explain the principles of the invention.
Fig. 1 shows a flow chart of a malicious attack detection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a malicious attack detection method according to another embodiment of the invention;
Fig. 3 shows a message sequence diagram of a malicious attack detection method according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of packet forwarding in an existing OF network architecture;
Fig. 5 shows a schematic diagram of packet forwarding according to an embodiment of the invention;
Fig. 6 shows a structural block diagram of a controller according to an embodiment of the invention;
Fig. 7 shows a structural block diagram of a controller according to another embodiment of the invention;
Fig. 8 shows a structural block diagram of a controller according to a further embodiment of the invention.
Embodiments
Various exemplary embodiments, features and aspects of the invention are described in detail below with reference to the drawings. The same reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily drawn to scale unless specifically indicated.
The word "exemplary" here means "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are given in the following embodiments to better illustrate the invention. Those skilled in the art will understand that the invention can also be practised without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, so as to highlight the gist of the invention.
An existing OF network consists mainly of OF Switches (hereinafter switches) and an OF Controller (hereinafter controller). A switch contains a flow table, similar to the routing table of an ordinary switch, except that the switch cannot maintain the flow table by itself; every packet passing through the switch is matched against the flow table. If a packet finds a matching flow entry, the action (operation) of that entry is carried out; for example, the action may instruct the packet to be forwarded out of a specified port, which produces a data flow in the OF network. If no matching flow entry is found, the switch encapsulates the packet into a Packet-In message and reports it to the controller. After receiving the Packet-In message, the controller decides how to handle the packet corresponding to the Packet-In message, for example by adding or deleting flow entries. The controller controls the flow table of the switch mainly by adding and deleting flow entries.
Embodiment 1
Fig. 1 shows a flow chart of a malicious attack detection method according to an embodiment of the invention. The method is mainly applied in an OF network architecture comprising a controller and a switch. As shown in Fig. 1, the method mainly includes the following steps:
Step S100: the controller receives Packet-In messages reported by the switch;
Step S120: the controller determines that a first port meeting the reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition means that the rate of Packet-In messages corresponding to the port is not lower than a predetermined rate threshold and persists for a first time length.
Specifically, the controller in the OF network manages the ports through which switches connect to hosts. The controller obtains the global topology during link discovery, including the ports by which switches connect to other switches, and discovers the port by which a switch connects to a host when that host needs to communicate with the network.
For step S100, after a port of the switch receives a packet sent by a host, the switch looks up its flow table. If a flow entry whose forwarding rule matches the packet is found, nothing is reported to the controller and the packet is forwarded directly to the destination server according to the rule in that entry. If no matching flow entry is found, the switch constructs a corresponding Packet-In message and reports it to the controller, informing the controller that it has no corresponding flow entry, and then waits for the controller's instruction.
The controller receives the Packet-In messages that the switch reports for the host. A Packet-In message may contain the port corresponding to the message and all or part of the packet, and may also contain the buffer address of the packet on the switch.
For step S120, the controller receives the Packet-In messages corresponding to the ports of all switches under its control. When the controller finds that the rate of Packet-In messages corresponding to a port of a switch is greater than or equal to the rate threshold the controller has set for Packet-In messages of that port, and that this rate has persisted for a predetermined time length, the port meets the reporting-rate condition and the controller determines that the port is under malicious attack. For example, if the controller sets the rate threshold for Packet-In messages corresponding to a port to 100 per second and the duration to 5 s, then when the rate of Packet-In messages for the port exceeds 100/s at some moment, and from that moment the rate stays above 100/s for more than 5 s, the port is deemed to meet the reporting-rate condition and the controller determines that the port is under malicious attack.
With the malicious attack detection method of this embodiment, the controller receives the Packet-In messages reported by the switch and determines whether a port connected to a host is under malicious attack according to whether the rate of Packet-In messages corresponding to that port has exceeded the set rate threshold and persisted for a predetermined time length. If it has, the port is determined to be under malicious attack. The method can thus detect at the network source the malicious attack a port is suffering.
Embodiment 2
Fig. 2 shows a flow chart of a malicious attack detection method according to another embodiment of the invention. Steps in Fig. 2 with the same labels as in Fig. 1 have the same functions; for brevity, their detailed description is omitted.
As shown in Fig. 2, the main difference between the method of Fig. 2 and the method of Fig. 1 is that, after step S100, the method may further include:
Step S110: the controller stores the received Packet-In messages.
Specifically, after receiving a Packet-In message reported by the switch, the controller may store the message in its cache space, where it waits to be processed.
In one possible implementation, after step S120 the method may further include:
Step S130: the controller discards the stored Packet-In messages corresponding to the first port and instructs the switch to clear the flow entries corresponding to the first port.
Specifically, for convenience of description, the port under malicious attack is called the first port. After the controller determines in step S120 that the first port is under malicious attack, the controller may discard the Packet-In messages corresponding to the first port stored in its cache space and at the same time send an instruction telling the switch to clear the flow entries corresponding to the first port.
In one possible implementation, after step S130 the method of this embodiment may further include:
Step S140: the controller issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
Specifically, after the controller discards the Packet-In messages corresponding to the first port and instructs the switch to clear the flow entries corresponding to the first port, it may also issue a new flow entry for the first port to the switch; this flow entry mainly tells the switch that packets received from the first port can be discarded directly.
In one possible implementation, when the flow entry established in step S140 for telling the switch to directly discard packets received from the first port has aged, the switch again encapsulates packets received from the first port into Packet-In messages and reports them to the controller. If the rate of Packet-In messages corresponding to the first port is now lower than the set rate threshold, that is, the reporting-rate condition is not met, the controller issues new flow entries for the first port to the switch so that the packets corresponding to those Packet-In messages can be forwarded to their destination server. Here, aging of a flow entry means that the flow entry has matched no packet for a second predetermined time length, or that the flow entry has existed for a third predetermined time length set by the controller. If the rate of Packet-In messages corresponding to the port is still greater than or equal to the set rate threshold, that is, the reporting-rate condition is met, the port is handled as being under malicious attack according to the method above.
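The detection rule of step S120 (Embodiment 1) together with the storing, clearing, drop-entry and aging steps S110, S130 and S140 (Embodiment 2), as an added example in Python that is not part of the patent. It models a toy OpenFlow switch and a controller, and feeds them constructed traffic: a well-behaved host on port 1 and an attacker on port 2 whose every packet carries a fresh header, so each one is a table miss. The rate threshold (100 Packet-Ins per second) and duration (5 s) are the values the patent gives as an example; the 1 s measurement window, the idle and hard timeouts (the patent's "second" and "third" time lengths), the set of host-facing ports and the traffic mix are assumptions made here. Times are integer milliseconds so that the run is deterministic.

```python
"""Packet-In rate detector with drop-entry mitigation and aging (added example,
not the patent's code). A toy OpenFlow switch plus a controller that applies
the patent's rule to each switch-to-host port. The threshold (100 Packet-Ins/s)
and duration (5 s) are the patent's example values; the rest are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_MS = 1000          # window over which the Packet-In rate is estimated (assumed)
RATE_THRESHOLD = 100      # Packet-Ins per window (patent's example: 100/s)
DURATION_MS = 5000        # the rate must persist this long (patent's example: 5 s)
FWD_IDLE_MS, FWD_HARD_MS = 5000, 30000    # assumed timeouts of forwarding entries
DROP_IDLE_MS, DROP_HARD_MS = 5000, 10000  # assumed second/third time lengths of the drop entry


@dataclass
class FlowEntry:
    in_port: int
    action: str             # "forward" or "drop"
    installed: int
    last_hit: int
    idle_timeout: int
    hard_timeout: int
    match: tuple = ()       # () matches every packet arriving on in_port

    def aged(self, now: int) -> bool:   # idle timeout or hard timeout expired
        return now - self.last_hit >= self.idle_timeout or now - self.installed >= self.hard_timeout


class Switch:
    """Flow-table lookup; a table miss raises a Packet-In to the controller."""
    def __init__(self, dpid: int, controller: "Controller"):
        self.dpid, self.controller, self.table = dpid, controller, []
        self.forwarded = self.dropped = 0

    def receive(self, port: int, now: int, pkt: tuple) -> str:
        self.table = [e for e in self.table if not e.aged(now)]   # flow-entry aging
        for e in self.table:
            if e.in_port == port and e.match in ((), pkt):
                e.last_hit = now
                if e.action == "drop":
                    self.dropped += 1
                else:
                    self.forwarded += 1
                return e.action
        return self.controller.packet_in(self, port, now, pkt)


@dataclass
class PortState:
    arrivals: deque = field(default_factory=deque)  # Packet-In times inside the window
    pending: list = field(default_factory=list)     # S110: stored Packet-Ins awaiting a decision
    over_since: "int | None" = None                 # when the rate first reached the threshold


class Controller:
    def __init__(self, host_ports):
        self.host_ports = set(host_ports)   # only switch-to-host ports are judged
        self.ports = defaultdict(PortState)
        self.alerts = []                    # (dpid, port, time) of ports judged under attack
        self.discarded = 0                  # stored Packet-Ins thrown away at S130

    def packet_in(self, sw: Switch, port: int, now: int, pkt: tuple) -> str:
        st = self.ports[(sw.dpid, port)]
        st.pending.append(pkt)
        if (sw.dpid, port) in self.host_ports:
            st.arrivals.append(now)
            while now - st.arrivals[0] >= WINDOW_MS:
                st.arrivals.popleft()
            if len(st.arrivals) >= RATE_THRESHOLD:
                if st.over_since is None:
                    st.over_since = now
                if now - st.over_since < DURATION_MS:
                    return "buffered"       # rate is high, but not yet for DURATION_MS
                # S120 met. S130: drop stored Packet-Ins and the port's entries. S140: drop entry.
                self.alerts.append((sw.dpid, port, now))
                self.discarded += len(st.pending)
                st.pending.clear()
                st.arrivals.clear()
                st.over_since = None
                sw.table = [e for e in sw.table if e.in_port != port]
                sw.table.append(FlowEntry(port, "drop", now, now, DROP_IDLE_MS, DROP_HARD_MS))
                return "drop"
            st.over_since = None
        # Normal case: one forwarding entry per stored packet, then release them (Packet-Out).
        for p in st.pending:
            sw.table.append(FlowEntry(port, "forward", now, now, FWD_IDLE_MS, FWD_HARD_MS, p))
        sw.forwarded += len(st.pending)
        st.pending.clear()
        return "forward"


def simulate(end_ms: int = 22000) -> dict:
    """Constructed traffic: host A on port 1 sends one packet every 200 ms to one server;
    the attacker on port 2 sends a packet with a fresh header every 4 ms (250/s)."""
    ctrl = Controller(host_ports={(1, 1), (1, 2)})
    sw = Switch(1, ctrl)
    for t in range(end_ms):
        if t % 200 == 0:
            sw.receive(1, t, ("hostA", "server"))
        if t % 4 == 0:
            sw.receive(2, t, ("attacker", f"dst{t}"))
    return {"alerts": ctrl.alerts, "forwarded": sw.forwarded,
            "dropped_at_switch": sw.dropped, "discarded_at_controller": ctrl.discarded}
```

Running `simulate()` shows the full cycle: the attacker's rate reaches 100 Packet-Ins per window 396 ms after it starts, the port is judged under attack 5 s later, the 1251 stored Packet-Ins are discarded and a drop entry is installed; the hard timeout removes that entry 10 s on, Packet-Ins resume, and because the flood is still running the port is judged under attack a second time, while the host on port 1 is forwarded throughout. Two points a practitioner would check before using such a rule: the threshold must sit above the legitimate table-miss rate of a host port (a host opening many short flows also generates Packet-Ins), because the drop entry discards every packet from the port and not only the attacker's flows; and the rate is measured at the controller, so the controller must itself be able to absorb the flood for the whole duration before the drop entry takes effect.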
Fig. 3 is a message sequence diagram of the method of this embodiment. As shown in Fig. 3, a host sends a packet through a port of a switch; no flow entry for forwarding the packet is found on the switch, so the switch constructs a Packet-In message for the packet and reports it to the controller. After receiving the Packet-In message for that port, the controller judges whether the rate of Packet-In messages corresponding to the port exceeds the set rate threshold. If it does, the controller discards the received Packet-In messages corresponding to the port and the corresponding flow entries, and at the same time issues a new flow entry to the switch to which the port belongs, telling the switch to directly discard packets received from that port.
In the existing OF network architecture, as shown in Fig. 4, the controller issues forwarding flow entries for all packets (normal packets and malicious attack packets alike), and the switch then forwards all of them to the destination server. This may produce a large volume of traffic in the OF network, possibly including many malicious attack packets, which may directly affect the forwarding of normal packets or the normal operation of the destination server. In this embodiment, as shown in Fig. 5, the controller issues forwarding flow entries only for normal packets, and the switch forwards the normal packets to the destination server. When a port of the switch is under malicious attack, the controller, having determined that the port is under attack, instructs the switch to discard the malicious attack packets and issues forwarding flow entries only for normal packets. This greatly reduces the traffic caused by malicious attack packets, so that the forwarding of normal packets is not affected by them; the OF network thus detects and resolves the malicious attack at the network source, mitigating its effect on the destination server and also avoiding the network congestion it might cause.
It should be noted that the application of the malicious attack detection method of the embodiments is not limited to OF networks: any network architecture in which control and forwarding are decoupled, as long as it uses the malicious attack detection method of the embodiments, falls within the scope of protection of this application.
Embodiment 3
Fig. 6 shows a structural block diagram of a controller according to an embodiment of the invention. The controller 20 is mainly applied in an OpenFlow (OF) network architecture comprising the controller 20 and a switch. As shown, the controller 20 may mainly include a receiving module 21 and a processing module 22. The receiving module 21 is mainly used to receive Packet-In messages reported by the switch. The processing module 22, connected to the receiving module 21, is mainly used to determine that a first port meeting the reporting-rate condition is under malicious attack, where the first port is a port connecting the switch to a host, and the reporting-rate condition means that the rate of Packet-In messages corresponding to the port is not lower than a predetermined rate threshold and persists for a first time length.
The controller 20 of this embodiment can perform the malicious attack detection method of Embodiment 1 above; for the details of that method, refer to the detailed description of Embodiment 1.
With the controller of this embodiment, the controller receives the Packet-In messages reported by the switch through the receiving module, and the processing module determines whether a port is under malicious attack according to whether the rate of Packet-In messages corresponding to that port has exceeded the set rate threshold and persisted for a predetermined time length. If it has, the port is determined to be under malicious attack. The controller of this embodiment can thus detect at the network source the malicious attack a port is suffering.
Embodiment 4
Fig. 7 shows a structural block diagram of a controller according to another embodiment of the invention. Components in Fig. 7 with the same labels as in Fig. 6 have the same functions; for brevity, their detailed description is omitted.
The main difference between the controller 30 of this embodiment and the controller 20 of the previous embodiment is that the controller 30 may further include a storage module 23. The storage module 23 is connected to the receiving module 21 and the processing module 22 and stores the Packet-In messages received by the receiving module 21. The processing module 22 is further used to discard the Packet-In messages corresponding to the first port and to instruct the switch to clear the flow entries corresponding to the first port.
In one possible implementation, the controller 30 may further include a sending module 24. The sending module 24 is connected to the processing module 22 and issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
In one possible implementation, after the new flow entry ages, the receiving module 21 again receives Packet-In messages corresponding to the first port reported by the switch, where aging of a flow entry means that the flow entry has matched no packet for a second predetermined time length, or that the flow entry has existed for a third predetermined time length set by the controller.
The controller 30 of this embodiment can perform the malicious attack detection method of Embodiment 2 above; for the details of that method, refer to the detailed description of Embodiment 2.
With the controller of this embodiment, the controller receives the Packet-In messages reported by the switch through the receiving module, and the processing module determines whether a port is under malicious attack according to whether the rate of Packet-In messages corresponding to that port has exceeded the set rate threshold and persisted for a predetermined time length. If it has, the port is determined to be under malicious attack. After determining that the port is under malicious attack, the processing module may further discard the Packet-In messages reported for the first port that are stored in the storage module and instruct the switch to clear the flow entries corresponding to the first port. Finally, the sending module issues a new flow entry, which tells the switch to directly discard packets received from the first port. In this way the controller of this embodiment can detect and resolve a malicious attack at the network source, mitigating its effect on the destination server and also avoiding the network congestion the attack might cause.
Embodiment 5
Fig. 8 shows a structural block diagram of a controller according to a further embodiment of the invention. The controller 800 may be a host server with computing capability, a personal computer (PC), a portable computer, a terminal, or the like. The specific embodiments of the invention do not limit the concrete implementation of the computing node.
The controller 800 includes a processor 810, a communications interface 820, a memory 830 and a bus 840. The processor 810, the communications interface 820 and the memory 830 communicate with one another over the bus 840.
The communications interface 820 is used to communicate with network devices, which include, for example, a virtual machine management centre and shared storage.
The processor 810 is used to execute a program. The processor 810 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the invention.
The memory 830 is used to store files. The memory 830 may include high-speed RAM and may also include non-volatile memory, for example at least one magnetic disk storage. The memory 830 may also be a memory array, and may be divided into blocks that can be combined into virtual volumes according to certain rules.
In one possible embodiment, the above program may be program code including computer operation instructions. The program is specifically used for:
the controller receiving Packet-In messages reported by the switch; and
the controller determining that a first port meeting the reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition means that the rate of Packet-In messages corresponding to the port is not lower than a predetermined rate threshold and persists for a first time length.
In one possible implementation, after the controller receives the Packet-In messages reported by the switch, the program further includes:
the controller storing the received Packet-In messages;
and after the controller determines that the first port meeting the reporting-rate condition is under malicious attack, the program further includes:
the controller discarding the stored Packet-In messages corresponding to the first port and instructing the switch to clear the flow entries corresponding to the first port.
In one possible implementation, after the controller discards the Packet-In messages corresponding to the first port and instructs the switch to clear the flow entries corresponding to the first port, the program further includes:
the controller issuing a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
In one possible implementation, after the new flow entry ages, the controller again receives Packet-In messages corresponding to the first port reported by the switch,
where aging of a flow entry means that the flow entry has matched no packet for a second predetermined time length, or that the flow entry has existed for a third predetermined time length set by the controller.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in the embodiments herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such an implementation should not be considered to go beyond the scope of the present invention.
If the functions are implemented in the form of computer software and sold or used as an independent product, then to a certain extent all or part of the technical solution (for example, the part that contributes to the prior art) may be considered to be embodied in the form of a computer software product. The computer software product is generally stored in a computer-readable non-volatile storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods of the various embodiments of the present invention. The foregoing storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The foregoing is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any changes or substitutions that those familiar with the art can readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the scope of the claims.
Claims (8)
1. A malicious attack detection method, applied in an OpenFlow network architecture comprising a controller and a switch, characterized in that the method comprises:
the controller receiving a packet report message reported by the switch; and
the controller determining that a first port that satisfies a reporting rate condition is under malicious attack,
wherein the packet report message is: a message that the switch constructs for a packet when the packet, sent by a host, is received at a port of the switch and no flow entry for forwarding the packet is found on the switch,
the first port is a port connecting the switch and a host, and the reporting rate condition means that the reporting rate of the packet report messages corresponding to the port is not less than a predetermined rate threshold and has lasted for a first duration.
2. The malicious attack detection method according to claim 1, characterized in that, after the controller receives the packet report message reported by the switch, the method further comprises:
the controller storing the received packet report message;
and after the controller determines that the first port satisfying the reporting rate condition is under malicious attack, the method further comprises:
the controller clearing the stored packet report messages corresponding to the first port and instructing the switch to clear the flow entries corresponding to the first port.
3. The malicious attack detection method according to claim 1 or 2, characterized in that, after the controller clears the packet report messages corresponding to the first port and instructs the switch to clear the flow entries corresponding to the first port, the method further comprises:
the controller issuing a new flow entry to the switch, the new flow entry being used to notify the switch to directly discard packets received from the first port.
4. The malicious attack detection method according to claim 3, characterized in that, after the new flow entry ages out, the controller again receives the packet report messages corresponding to the first port reported by the switch,
wherein aging of the flow entry includes the flow entry having no matching packet for a second predetermined duration, or the flow entry having existed for a third predetermined duration set by the controller.
5. A controller, applied in an OpenFlow network architecture comprising the controller and a switch, characterized in that the controller comprises:
a receiving module, for receiving a packet report message reported by the switch; and
a processing module, connected to the receiving module, for determining that a first port that satisfies a reporting rate condition is under malicious attack,
wherein the packet report message is: a message that the switch constructs for a packet when the packet, sent by a host, is received at a port of the switch and no flow entry for forwarding the packet is found on the switch,
the first port is a port connecting the switch and a host, and the reporting rate condition means that the reporting rate of the packet report messages corresponding to the port is not less than a predetermined rate threshold and has lasted for a first duration.
6. The controller according to claim 5, characterized in that it further comprises:
a storage module, connected to the receiving module and the processing module, for storing the packet report messages received by the receiving module;
the processing module is further used to clear the packet report messages corresponding to the first port and to instruct the switch to clear the flow entries corresponding to the first port.
7. The controller according to claim 5 or 6, characterized in that it further comprises:
a sending module, connected to the processing module, for issuing a new flow entry to the switch, the new flow entry being used to notify the switch to directly discard packets received from the first port.
8. The controller according to claim 7, characterized in that, after the new flow entry ages out, the receiving module again receives the packet report messages corresponding to the first port reported by the switch,
wherein aging of the flow entry includes the flow entry having no matching packet for a second predetermined duration, or the flow entry having existed for a third predetermined duration set by the controller.
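The detection and mitigation sequence of claims 1 to 4, and the module structure of the controller in claims 5 to 8, as an added Python simulation that is not code from the patent or from any controller implementation. The packet report message the claims describe is what OpenFlow calls a Packet-In; here it is modelled as a plain PacketReport record. The FakeSwitch class, the message and flow entry fields, the threshold and timeout values, and the traffic on ports 1 and 3 are all constructed assumptions for the simulation, not a real datapath or protocol encoding.

```python
"""Per-port packet-report flood detection for an OpenFlow controller.

Added example modelling CN104580107B, not the patent's own code. The switch
reports every frame that matches no flow entry; the controller counts reports
per ingress port over a one-second window and, once the rate has stayed at or
above a threshold for a first duration, flags the port, clears the stored
reports and the port's flow entries, and installs a drop entry with an idle
timeout (second duration) and a hard timeout (third duration). When the drop
entry ages out, reports from that port reach the controller again.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_MS = 1000  # rate = reports received in the last one second


@dataclass
class PacketReport:
    """Constructed stand-in for the report (OpenFlow Packet-In) of an unmatched frame."""
    in_port: int
    ts_ms: int
    payload: bytes


@dataclass
class FlowEntry:
    in_port: int
    action: str           # "drop" or "forward"
    installed_ms: int
    idle_timeout_ms: int  # aged out if no frame matched for this long (second duration)
    hard_timeout_ms: int  # aged out this long after installation (third duration)
    last_match_ms: int


class FakeSwitch:
    """Constructed stand-in for the switch: one flow entry per ingress port."""

    def __init__(self):
        self.flows = {}        # in_port -> FlowEntry
        self.controller = None

    def clear_port_flows(self, port):
        self.flows.pop(port, None)

    def install(self, entry):
        self.flows[entry.in_port] = entry

    def _age(self, now_ms):
        for port, e in list(self.flows.items()):
            idle = now_ms - e.last_match_ms >= e.idle_timeout_ms
            hard = now_ms - e.installed_ms >= e.hard_timeout_ms
            if idle or hard:
                del self.flows[port]

    def receive(self, port, now_ms, payload):
        """A host frame arrives on `port`; returns the action the switch took."""
        self._age(now_ms)
        entry = self.flows.get(port)
        if entry is not None:
            entry.last_match_ms = now_ms
            return entry.action
        # no matching entry: report the frame to the controller (claim 1)
        self.controller.on_report(PacketReport(port, now_ms, payload))
        return "packet_in"


class Controller:
    def __init__(self, switch, rate_threshold, attack_duration_ms,
                 idle_timeout_ms, hard_timeout_ms):
        self.switch = switch
        switch.controller = self
        self.rate_threshold = rate_threshold          # reports per second
        self.attack_duration_ms = attack_duration_ms  # first duration
        self.idle_timeout_ms = idle_timeout_ms
        self.hard_timeout_ms = hard_timeout_ms
        self.stored = defaultdict(deque)  # storage module: reports per port in the window
        self.over_since = {}              # port -> time the rate first reached the threshold
        self.detections = []              # (port, time) for every port flagged

    def on_report(self, msg):
        port, now = msg.in_port, msg.ts_ms
        window = self.stored[port]
        window.append(msg)
        while window and now - window[0].ts_ms >= WINDOW_MS:
            window.popleft()
        if len(window) >= self.rate_threshold:
            start = self.over_since.setdefault(port, now)
            if now - start >= self.attack_duration_ms:
                self._mitigate(port, now)
        else:
            self.over_since.pop(port, None)  # the condition must hold continuously

    def _mitigate(self, port, now):
        self.detections.append((port, now))
        self.stored[port].clear()           # clear stored reports for the port (claim 2)
        self.over_since.pop(port, None)
        self.switch.clear_port_flows(port)  # clear the port's flow entries (claim 2)
        self.switch.install(FlowEntry(port, "drop", now, self.idle_timeout_ms,
                                      self.hard_timeout_ms, now))  # drop entry (claim 3)


def simulate():
    """Constructed traffic: port 1 is a benign host (5 frames/s); port 3 sends
    100 never-before-seen flows per second for six seconds."""
    sw = FakeSwitch()
    ctl = Controller(sw, rate_threshold=50, attack_duration_ms=2000,
                     idle_timeout_ms=500, hard_timeout_ms=3000)
    actions = defaultdict(list)  # port -> [(time, action)]
    for t in range(0, 6000, 10):
        if t % 200 == 0:
            actions[1].append((t, sw.receive(1, t, b"benign")))
        actions[3].append((t, sw.receive(3, t, b"flood-%d" % t)))
    return ctl, sw, actions


if __name__ == "__main__":
    ctl, sw, actions = simulate()
    print("detections:", ctl.detections)
    print("port 3 at 2500 ms:", dict(actions[3])[2500])
```

In the simulation the flood on port 3 reaches 50 reports per second at 490 ms, is flagged 2000 ms later at 2490 ms, and from then on the switch drops its frames locally without involving the controller; the benign host on port 1 is never affected. Because the flood keeps matching the drop entry, the idle timeout never fires and it is the hard timeout that ages the entry out at 5490 ms, after which the reports resume (claim 4) and the rate measurement starts over.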
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310508486.5A CN104580107B (en) | 2013-10-24 | 2013-10-24 | malicious attack detection method and controller |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104580107A CN104580107A (en) | 2015-04-29 |
CN104580107B true CN104580107B (en) | 2018-02-06 |
Family
ID=53095305
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105187324B (en) * | 2015-08-21 | 2018-01-30 | 上海斐讯数据通信技术有限公司 | Method and control system for limiting the number of flow tables issued in an SDN |
CN109768949B (en) * | 2017-11-09 | 2021-09-03 | 阿里巴巴集团控股有限公司 | Port scanning processing system, method and related device |
CN109347810B (en) * | 2018-09-27 | 2021-06-11 | 新华三技术有限公司 | Method and device for processing message |
CN110392034B (en) * | 2018-09-28 | 2020-10-13 | 新华三信息安全技术有限公司 | Message processing method and device |
CA3058012C (en) | 2019-03-29 | 2021-05-11 | Alibaba Group Holding Limited | Cryptography chip with identity verification |
JP6921222B2 (en) | 2019-03-29 | 2021-08-18 | アドバンスド ニュー テクノロジーズ カンパニー リミテッド | Encryption key management based on ID information |
CA3057398C (en) | 2019-03-29 | 2021-07-06 | Alibaba Group Holding Limited | Securely performing cryptographic operations |
KR20200116010A (en) | 2019-03-29 | 2020-10-08 | 알리바바 그룹 홀딩 리미티드 | Encryption key management based on identity information |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101188531A (en) * | 2007-12-27 | 2008-05-28 | 沈阳东软软件股份有限公司 | A method and system for monitoring network traffic exception |
CN102487339A (en) * | 2010-12-01 | 2012-06-06 | 中兴通讯股份有限公司 | Attack preventing method for network equipment and device |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8789173B2 (en) * | 2009-09-03 | 2014-07-22 | Juniper Networks, Inc. | Protecting against distributed network flood attacks |
Non-Patent Citations (3)
Title |
---|
HP OpenFlow protocol overview; HP; HP technical solution guide, http://hp.com; 2013-09-30; full text * |
Software-defined networks and OpenFlow; William Stallings; The Internet Protocol Journal; 2013-03-31; full text * |
Alert verification and aggregation technology based on multi-source security information; Ma Linru et al.; Computer Engineering; 2006-08-31; full text * |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |