CN104580107B - malicious attack detection method and controller - Google Patents

Malicious attack detection method and controller

Info

Publication number
CN104580107B
Authority
CN
China
Prior art keywords
message
port
controller
switch
flow table
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310508486.5A
Other languages
Chinese (zh)
Other versions
CN104580107A (en)
Inventor
李庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201310508486.5A
Publication of CN104580107A
Application granted
Publication of CN104580107B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/32 Flow control; Congestion control by discarding or delaying data units, e.g. packets or frames
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a malicious attack detection method and a controller, applied in an OpenFlow network architecture comprising a controller and a switch. The method includes: the controller receives packet-report messages reported by the switch; the controller determines that a first port satisfying a reporting-rate condition is under malicious attack, where the first port is a port connecting the switch to a host, and the reporting-rate condition is that the rate at which packet-report messages corresponding to the port are reported is not less than a predetermined rate threshold and has remained so for a first time length. The malicious attack detection method and controller provided by the embodiments of the invention can detect, at the network source, malicious attack behaviour suffered by a port, so that a strategy for responding to the attack can be found in time.

Description

Malicious attack detection method and controller
Technical field
The present invention relates to the field of communication technology, and in particular to a malicious attack detection method and a controller.
Background
With the widespread use of OpenFlow (OF) networks in real deployments, they will inevitably face the malicious attacks that legacy networks encounter. Typical malicious attacks include flooding attacks and DoS attacks. Most of them work by generating a large volume of traffic that congests the network or paralyses the destination server; the most common case is that the attack is still within what the network can tolerate but the destination server has already been brought down.
In a legacy network, how much congestion can be tolerated depends only on the robustness of the switches; since a network may contain switches of many types with differing security policies, that tolerance is uncertain. Attacks on the destination server can only be countered by firewall and protection software installed on the server itself, but by then the traffic generated by the attack has already consumed network bandwidth and the network lags.
At present, OF networks have no strategy for responding to malicious attacks.
Summary of the invention
Technical problem
In view of this, the technical problem to be solved by the present invention is how to effectively detect that an OF network is under malicious attack.
Solution
To solve the above technical problem, according to one embodiment of the invention there is provided a malicious attack detection method, applied in an OpenFlow network architecture comprising a controller and a switch, the method including:
the controller receiving packet-report messages reported by the switch; and
the controller determining that a first port satisfying a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition is that the rate at which packet-report messages corresponding to the port are reported is not less than a predetermined rate threshold and has remained so for a first time length.
For the above malicious attack detection method, in one possible implementation, after the controller receives the packet-report messages reported by the switch, the method further includes:
the controller storing the received packet-report messages;
and after the controller determines that the first port satisfying the reporting-rate condition is under malicious attack, the method further includes:
the controller clearing the stored packet-report messages corresponding to the first port and instructing the switch to remove the flow entries corresponding to the first port.
For the above malicious attack detection method, in one possible implementation, after the controller clears the packet-report messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port, the method further includes:
the controller issuing a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
For the above malicious attack detection method, in one possible implementation, after the new flow entry ages out, the controller again receives packet-report messages corresponding to the first port reported by the switch,
where aging of a flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has existed for a third predetermined time span set by the controller.
To solve the above technical problem, according to another embodiment of the invention there is provided a controller, applied in an OpenFlow network architecture comprising the controller and a switch, the controller including:
a receiving module, for receiving the packet-report messages reported by the switch; and
a processing module, connected to the receiving module, for determining that a first port satisfying a reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition is that the rate at which packet-report messages corresponding to the port are reported is not less than a predetermined rate threshold and has remained so for a first time length.
For the above controller, in one possible implementation, it further includes:
a storage module, connected to the receiving module and the processing module, for storing the packet-report messages received by the receiving module;
and the processing module is further used to clear the packet-report messages corresponding to the first port and to instruct the switch to remove the flow entries corresponding to the first port.
For the above controller, in one possible implementation, it further includes:
a sending module, connected to the processing module, for issuing a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
For the above controller, in one possible implementation, after the new flow entry ages out, the receiving module again receives packet-report messages corresponding to the first port reported by the switch,
where aging of a flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has existed for a third predetermined time span set by the controller.
Beneficial effects
With the malicious attack detection method and controller provided by the embodiments of the invention, the controller receives the packet-report messages reported by the switch and, for a port connected to a host, determines whether the port is under malicious attack according to whether the reporting rate of the packet-report messages corresponding to that port has exceeded a set rate threshold and has done so for a predetermined time span. If the reporting rate of the packet-report messages corresponding to the port exceeds the set rate threshold and persists for the predetermined time span, the port can be determined to be under malicious attack. The method can thus detect, at the network source, malicious attack behaviour suffered by a port, so that a strategy for responding to the attack can be found in time.
Other features and aspects of the invention will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Brief description of the drawings
The accompanying drawings, which are included in and form part of the specification, illustrate together with the specification exemplary embodiments, features and aspects of the invention, and serve to explain its principles.
Fig. 1 shows a flow chart of a malicious attack detection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a malicious attack detection method according to another embodiment of the invention;
Fig. 3 shows a message sequence diagram of a malicious attack detection method according to an embodiment of the invention;
Fig. 4 shows a schematic diagram of the packet forwarding method in an existing OF network architecture;
Fig. 5 shows a schematic diagram of a packet forwarding method according to an embodiment of the invention;
Fig. 6 shows a structural block diagram of a controller according to an embodiment of the invention;
Fig. 7 shows a structural block diagram of a controller according to another embodiment of the invention;
Fig. 8 shows a structural block diagram of a controller according to a further embodiment of the invention.
Embodiments
Various exemplary embodiments, features and aspects of the invention are described in detail below with reference to the drawings. Identical reference numerals in the drawings denote elements with the same or similar functions. Although various aspects of the embodiments are shown in the drawings, the drawings are not necessarily to scale unless otherwise indicated.
The word "exemplary" here means "serving as an example, embodiment or illustration". Any embodiment described here as "exemplary" is not to be construed as preferred or advantageous over other embodiments.
In addition, numerous specific details are given in the embodiments below to better illustrate the invention. Those skilled in the art will understand that the invention can equally be practised without some of these details. In some instances, methods, means, elements and circuits well known to those skilled in the art are not described in detail, so as to highlight the gist of the invention.
An existing OF network consists mainly of an OF Switch (hereinafter "switch") and an OF Controller (hereinafter "controller"). The switch holds a flow table, similar to the routing table of an ordinary switch, except that the switch cannot maintain the flow table on its own; every packet passing through the switch is matched against it. If a packet finds a matching flow entry, the action (operation) of that entry is carried out, for example an instruction to forward the packet out of a specified port, which produces a data flow in the OF network. If no matching flow entry is found, the switch encapsulates the packet into a packet-report message, such as a Packet-In message, and reports it to the controller. On receiving the packet-report message, the controller decides how the corresponding packet is to be handled, for example by adding or deleting flow entries. The controller controls the switch's flow table mainly by adding and deleting flow entries.
Embodiment 1
Fig. 1 shows a flow chart of a malicious attack detection method according to an embodiment of the invention. The method is mainly applied in an OF network architecture comprising a controller and a switch. As shown in Fig. 1, the malicious attack detection method may mainly include the following steps:
Step S100: the controller receives the packet-report messages reported by the switch;
Step S120: the controller determines that a first port satisfying the reporting-rate condition is under malicious attack,
where the first port is a port connecting the switch to a host, and the reporting-rate condition is that the rate at which packet-report messages corresponding to the port are reported is not less than a predetermined rate threshold and has remained so for a first time length.
Specifically, the controller in an OF network manages the ports that connect the switch to hosts. The controller obtains the global topology through link discovery, which yields the information on the switch ports that connect to other switches, and it discovers the switch ports that connect to hosts when a host needs to communicate over the network.
For step S100, when a certain port of the switch receives a packet sent by a host, the switch looks up its flow table. If a flow entry whose forwarding rule matches the packet is found, nothing is reported to the controller and the packet is forwarded directly to the destination server according to the rule in that flow entry. If no matching flow entry is found, the switch constructs a corresponding packet-report message, for example a Packet-In message, and reports it to the controller to indicate that it has no flow entry for the packet; it then waits for the controller's instruction.
The controller thus receives the packet-report messages that hosts trigger through the switch. A packet-report message may contain the port corresponding to the message and all or part of the packet's content, and may also contain the buffer address of the packet on the switch.
For step S120, the controller can receive the packet-report messages corresponding to the ports of all switches under its control. When the controller finds that the rate at which packet-report messages corresponding to a certain port of a certain switch are reported is greater than or equal to the rate threshold it has set for packet-report messages of that port, and that this rate has persisted for a predetermined time span, the port satisfies the reporting-rate condition and the controller determines that the port is under malicious attack. For example, if the controller sets the rate threshold for a port's packet-report messages to 100/s and the duration to 5 s, then when the reporting rate of that port exceeds 100/s at some moment and stays above 100/s for more than 5 s from that moment, the port is considered to satisfy the reporting-rate condition and the controller can determine that the port is under malicious attack.
With the malicious attack detection method provided by this embodiment, the controller receives the packet-report messages reported by the switch and, for a port connected to a host, determines whether the port is under malicious attack according to whether the reporting rate of the packet-report messages corresponding to that port has exceeded the set rate threshold and has done so for a predetermined time span. If the reporting rate of the packet-report messages corresponding to the port exceeds the set rate threshold and persists for the predetermined time span, the port can be determined to be under malicious attack. The method can thus detect, at the network source, the malicious attack a port suffers.
Embodiment 2
Fig. 2 shows a flow chart of a malicious attack detection method according to another embodiment of the invention. Steps in Fig. 2 with the same reference numerals as in Fig. 1 have the same functions; for brevity their detailed description is omitted.
As shown in Fig. 2, the main difference between the method of Fig. 2 and that of Fig. 1 is that after step S100 the method may further include:
Step S110: the controller stores the received packet-report messages.
Specifically, after receiving a packet-report message reported by the switch, the controller can store it in a buffer on the controller while it awaits processing.
In one possible implementation, after step S120 the method may further include:
Step S130: the controller clears the stored packet-report messages corresponding to the first port and instructs the switch to remove the flow entries corresponding to the first port.
Specifically, for convenience of description, the port under malicious attack is referred to as the first port. After the controller determines in step S120 that the first port is under malicious attack, it can clear the packet-report messages corresponding to the first port from its buffer and at the same time issue an instruction telling the switch to remove the flow entries corresponding to the first port.
In one possible implementation, after step S130 the method of this embodiment may further include:
Step S140: the controller issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
Specifically, after clearing the packet-report messages corresponding to the first port and instructing the switch to remove its flow entries, the controller can also issue a new flow entry for the first port to the switch; this flow entry mainly tells the switch that packets received from the first port can be discarded directly.
In one possible implementation, once the flow entry established in step S140 for discarding packets from the first port has aged out, the switch again constructs packet-report messages for the packets it receives from the first port and reports them to the controller. If the reporting rate of the packet-report messages corresponding to the first port is now below the set rate threshold, that is, the reporting-rate condition is no longer satisfied, the controller can issue new flow entries for the first port to the switch so that the packets corresponding to the packet-report messages can be forwarded to their destination server. Aging of a flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has existed for a third predetermined time span set by the controller. If the reporting rate of the packet-report messages corresponding to the port is still greater than or equal to the set rate threshold, that is, the reporting-rate condition is still satisfied, the port continues to be handled as being under malicious attack according to the method above.
Fig. 3 is a message sequence diagram of the malicious attack detection method of this embodiment. As shown in Fig. 3, a host sends a packet through a certain port of a switch; no flow entry for forwarding the packet is found on the switch, so the switch constructs a packet-report message corresponding to the packet and reports it to the controller. After receiving the packet-report messages corresponding to the port, the controller judges whether their reporting rate has exceeded the set rate threshold. If it has, the controller clears the received packet-report messages corresponding to the port and their corresponding flow entries and, at the same time, issues a new flow entry to the switch to which the port belongs, telling the switch to directly discard packets received from that port.
In the existing OF network architecture, as shown in Fig. 4, the controller issues forwarding flow entries for all packets, normal packets and malicious attack packets alike, and the switch then forwards all of them to the destination server. This can generate a large volume of traffic in the OF network, possibly including a large number of malicious attack packets, which may directly affect the forwarding of normal packets or the normal operation of the destination server. In this embodiment, as shown in Fig. 5, the controller issues forwarding flow entries only for normal packets, and the switch forwards only normal packets to the destination server. When a port of the switch is under malicious attack, once the controller has determined this it can instruct the switch to discard the malicious attack packets and issue forwarding flow entries only for normal packets. This greatly reduces the traffic generated by the attack packets, so the forwarding of normal packets is not affected by them; the OF network detects and counters the malicious attack at the network source, alleviating its effect on the destination server and also avoiding the network congestion it might cause.
It should be noted that the malicious attack detection method of the embodiments of the invention is not limited to OF networks: any network architecture in which control and forwarding are decoupled falls within the scope of protection of this application as long as it uses the malicious attack detection method of these embodiments.
Embodiment 3
Fig. 6 shows a structural block diagram of a controller according to an embodiment of the invention. The controller 20 is mainly applied in an OpenFlow (OF) network architecture comprising the controller 20 and a switch. As shown, the controller 20 may mainly include a receiving module 21 and a processing module 22. The receiving module 21 is mainly used to receive the packet-report messages reported by the switch; the processing module 22, connected to the receiving module 21, is mainly used to determine that a first port satisfying the reporting-rate condition is under malicious attack, where the first port is a port connecting the switch to a host, and the reporting-rate condition is that the rate at which packet-report messages corresponding to the port are reported is not less than a predetermined rate threshold and has remained so for a first time length.
The controller 20 of this embodiment can perform the malicious attack detection method of embodiment 1 above; for that method, refer to the detailed description of embodiment 1.
With the controller provided by this embodiment, the receiving module receives the packet-report messages reported by the switch, and the processing module determines whether a port is under malicious attack according to whether the reporting rate of the packet-report messages corresponding to that port has exceeded the set rate threshold and has done so for a predetermined time span. If the reporting rate of the packet-report messages corresponding to the port exceeds the set rate threshold and persists for the predetermined time span, the port can be determined to be under malicious attack. The controller can thus detect, at the network source, the malicious attack behaviour a port suffers.
Embodiment 4
Fig. 7 shows a structural block diagram of a controller according to another embodiment of the invention. Components in Fig. 7 with the same reference numerals as in Fig. 6 have the same functions; for brevity their detailed description is omitted.
The main difference between the controller 30 of this embodiment and the controller 20 of the previous embodiment is that the controller 30 may further include a storage module 23. The storage module 23 is connected to the receiving module 21 and the processing module 22 and stores the packet-report messages received by the receiving module 21. The processing module 22 is further used to clear the packet-report messages corresponding to the first port and to instruct the switch to remove the flow entries corresponding to the first port.
In one possible implementation, the controller 30 may further include a sending module 24. The sending module 24 is connected to the processing module 22 and issues a new flow entry to the switch, the new flow entry instructing the switch to directly discard packets received from the first port.
In one possible implementation, after the new flow entry ages out, the receiving module 21 again receives packet-report messages corresponding to the first port reported by the switch. Aging of a flow entry means that the flow entry has had no matching packet for a second predetermined time span, or that the flow entry has existed for a third predetermined time span set by the controller.
The controller 30 of this embodiment can perform the malicious attack detection method of embodiment 2 above; for that method, refer to the detailed description of embodiment 2.
With the controller provided by this embodiment, the receiving module receives the packet-report messages reported by the switch, and the processing module determines whether a port is under malicious attack according to whether the reporting rate of the packet-report messages corresponding to that port has exceeded the set rate threshold and has done so for a predetermined time span. If so, the port can be determined to be under malicious attack. Having determined that the port is under malicious attack, the processing module can further clear the packet-report messages from the first port that are held in the storage module and instruct the switch to remove the flow entries corresponding to the first port. Finally, the sending module issues a new flow entry instructing the switch to directly discard packets received from the first port. In this way the controller of this embodiment can detect and counter malicious attacks at the network source, alleviating their effect on the destination server and also avoiding the network congestion they might cause.
Embodiment 5
Fig. 8 shows the structured flowchart of the controller according to further embodiment of this invention.The controller 800 can be possessed The host server of computing capability, personal computer PC or portable portable computer or terminal etc..It is of the invention specific Embodiment is not limited the specific implementation of calculate node.
The controller 800 includes processor (processor) 810, communication interface (Communications Interface) 820, memory (memory) 830 and bus 840.Wherein, processor 810, communication interface 820 and storage Device 830 completes mutual communication by bus 840.
Communication interface 820 is used for and network device communications, and wherein the network equipment includes such as Virtual Machine Manager center, shared Storage etc..
Processor 810 is used for configuration processor.Processor 810 is probably a central processor CPU, or special integrated Circuit ASIC(Application Specific Integrated Circuit), or it is arranged to implement the present invention in fact Apply one or more integrated circuits of example.
Memory 830 is used to deposit file.Memory 830 may include high-speed RAM memory, it is also possible to also including non-easy The property lost memory (non-volatile memory), for example, at least a magnetic disk storage.Memory 830 can also be storage Device array.Memory 830 is also possible to by piecemeal, and described piece can be combined into virtual volume by certain rule.
In one possible embodiment, the program may be program code including computer-executable instructions. The program is specifically used for:
the controller receiving the packet report messages reported by the switch; and
the controller determining that a first port meeting a report rate condition is under malicious attack,
wherein the first port is a port connecting the switch and a host, and the report rate condition means that the reporting rate of the packet report messages corresponding to the port is not less than a predetermined rate threshold and has remained so for a first time length.
In one possible implementation, after the controller receives the packet report messages reported by the switch, the program further includes:
the controller storing the received packet report messages;
and after the controller determines that the first port meeting the report rate condition is under malicious attack, the program further includes:
the controller clearing the stored packet report messages corresponding to the first port and instructing the switch to clear the flow table entries corresponding to the first port.
In one possible implementation, after the controller clears the packet report messages corresponding to the first port and instructs the switch to clear the flow table entries corresponding to the first port, the program further includes:
the controller issuing a new flow table entry to the switch, the new flow table entry being used to instruct the switch to drop directly any packet received from the first port.
In one possible implementation, after the new flow table entry ages, the controller again receives the packet report messages corresponding to the first port reported by the switch,
wherein aging of the flow table entry includes the flow table entry matching no packet for a second predetermined time span, or the flow table entry having remained in place for a third predetermined time span set by the controller.
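The controller logic of this embodiment (and of claims 1 to 4 below), as an added Python model that is not the patent's or Huawei's own code: per-port tracking of the packet report rate, the first time length, clearing of the stored messages and the port's flow table entries, a drop entry, and its aging by an idle (second time span) or hard (third time span) timeout. The millisecond clock, the one-entry-per-port flow table, and the threshold, time-length and traffic-rate values are assumptions made for the example.

```python
from collections import defaultdict, deque

# Added example, not the patent's code: a toy controller applying the "report rate condition".
# Times are integer milliseconds; thresholds and traffic rates below are constructed values.
class Switch:
    def __init__(self):
        self.flows = {}  # port -> {'action', 'installed', 'last_hit', 'idle', 'hard'}

    def receive(self, port, now):
        for p, e in list(self.flows.items()):
            if now - e['last_hit'] >= e['idle'] or now - e['installed'] >= e['hard']:
                del self.flows[p]  # aged: unmatched for T2 (idle) or present for T3 (hard)
        entry = self.flows.get(port)
        if entry is None:
            return 'packet_in'     # no entry: the switch reports the packet to the controller
        entry['last_hit'] = now
        return entry['action']

class Controller:
    def __init__(self, switch, rate_threshold, t1, t2, t3, window=1000):
        self.sw, self.window = switch, window
        self.rate_threshold, self.t1, self.t2, self.t3 = rate_threshold, t1, t2, t3
        self.reports = defaultdict(deque)  # stored packet report timestamps per port
        self.exceed_since = {}             # port -> when its rate first met the threshold

    def handle(self, port, now):
        """Feed one host packet arriving at `port`; return what became of it."""
        verdict = self.sw.receive(port, now)
        if verdict != 'packet_in':
            return verdict
        q = self.reports[port]
        q.append(now)
        while now - q[0] > self.window:    # keep only the last `window` ms of reports
            q.popleft()
        if len(q) < self.rate_threshold:   # rate below threshold: the condition resets
            self.exceed_since.pop(port, None)
            return 'packet_in'
        start = self.exceed_since.setdefault(port, now)
        if now - start < self.t1:          # at/above threshold, but not yet for T1
            return 'packet_in'
        self.block(port, now)
        return 'attack_detected'

    def block(self, port, now):
        self.reports.pop(port, None)       # clear the stored messages for the port
        self.exceed_since.pop(port, None)
        self.sw.flows.pop(port, None)      # have the switch remove the port's entries
        self.sw.flows[port] = dict(action='drop', installed=now, last_hit=now, idle=self.t2, hard=self.t3)

def simulate(seconds=10):
    """Port 1 floods at 200 pkt/s, port 2 sends 20 pkt/s; threshold 100/s held for T1 = 2 s."""
    ctl = Controller(Switch(), rate_threshold=100, t1=2000, t2=3000, t3=5000)
    verdicts = {1: [], 2: []}
    for i in range(200 * seconds):         # one tick every 5 ms
        verdicts[1].append(ctl.handle(1, 5 * i))
        if i % 10 == 0:                    # port 2 sends one packet every 50 ms
            verdicts[2].append(ctl.handle(2, 5 * i))
    return verdicts
```

In the simulation the flooding port is blocked once the rate has held for T1, its packets are then dropped on the switch without reaching the controller, and after the hard timeout T3 the drop entry ages out and reports resume, so the condition is re-evaluated and the port is blocked again; the low-rate port is never flagged.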
Those of ordinary skill in the art will appreciate that the exemplary units and algorithm steps described in the embodiments herein may be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or in software depends on the specific application and the design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each specific application, and such implementations should not be regarded as going beyond the scope of the invention.
If the functions are implemented in the form of computer software and sold or used as an independent product, then to some extent all or part of the technical solution of the invention (for example, the part that contributes over the prior art) may be considered to be embodied in the form of a computer software product. The computer software product is generally stored in a computer-readable non-volatile storage medium and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the various embodiments of the invention. The foregoing storage medium includes a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
The foregoing is only a specific embodiment of the invention, but the protection scope of the invention is not limited to it; any person familiar with the art can readily conceive of changes or substitutions within the technical scope disclosed by the invention, and these should all be covered by the protection scope of the invention. Therefore, the protection scope of the invention shall be defined by the scope of the claims.

Claims (8)

1. A malicious attack detection method, applied in an OpenFlow network architecture including a controller and a switch, characterized in that the method includes:
the controller receiving packet report messages reported by the switch; and
the controller determining that a first port meeting a report rate condition is under malicious attack,
wherein a packet report message is a message that the switch constructs for a packet when a port of the switch receives the packet sent by a host and no flow table entry for forwarding the packet is found on the switch,
the first port is a port connecting the switch and a host, and the report rate condition means that the reporting rate of the packet report messages corresponding to the port is not less than a predetermined rate threshold and has remained so for a first time length.
2. The malicious attack detection method according to claim 1, characterized in that after the controller receives the packet report messages reported by the switch, the method further includes:
the controller storing the received packet report messages;
and after the controller determines that the first port meeting the report rate condition is under malicious attack, the method further includes:
the controller clearing the stored packet report messages corresponding to the first port and instructing the switch to clear the flow table entries corresponding to the first port.
3. The malicious attack detection method according to claim 1 or 2, characterized in that after the controller clears the packet report messages corresponding to the first port and instructs the switch to clear the flow table entries corresponding to the first port, the method further includes:
the controller issuing a new flow table entry to the switch, the new flow table entry being used to instruct the switch to drop directly any packet received from the first port.
4. The malicious attack detection method according to claim 3, characterized in that after the new flow table entry ages, the controller again receives the packet report messages corresponding to the first port reported by the switch,
wherein aging of the flow table entry includes the flow table entry matching no packet for a second predetermined time span, or the flow table entry having remained in place for a third predetermined time span set by the controller.
5. A controller, applied in an OpenFlow network architecture including the controller and a switch, characterized in that the controller includes:
a receiving module, for receiving packet report messages reported by the switch; and
a processing module, connected with the receiving module, for determining that a first port meeting a report rate condition is under malicious attack,
wherein a packet report message is a message that the switch constructs for a packet when a port of the switch receives the packet sent by a host and no flow table entry for forwarding the packet is found on the switch,
the first port is a port connecting the switch and a host, and the report rate condition means that the reporting rate of the packet report messages corresponding to the port is not less than a predetermined rate threshold and has remained so for a first time length.
6. The controller according to claim 5, characterized in that it further includes:
a storage module, connected with the receiving module and the processing module, for storing the packet report messages received by the receiving module;
and the processing module is further used to clear the packet report messages corresponding to the first port and to instruct the switch to clear the flow table entries corresponding to the first port.
7. The controller according to claim 5 or 6, characterized in that it further includes:
a sending module, connected with the processing module, for issuing a new flow table entry to the switch, the new flow table entry being used to instruct the switch to drop directly any packet received from the first port.
8. The controller according to claim 7, characterized in that after the new flow table entry ages, the receiving module again receives the packet report messages corresponding to the first port reported by the switch,
wherein aging of the flow table entry includes the flow table entry matching no packet for a second predetermined time span, or the flow table entry having remained in place for a third predetermined time span set by the controller.
CN201310508486.5A 2013-10-24 2013-10-24 malicious attack detection method and controller Active CN104580107B (en)
Publications (2)

Publication Number Publication Date
CN104580107A CN104580107A (en) 2015-04-29
CN104580107B true CN104580107B (en) 2018-02-06
Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant