CN110198270A - Active defense method in an SDN network based on path and IP address hopping


Info

Publication number: CN110198270A
Application number: CN201910390382.6A
Authority: CN (China)
Prior art keywords: switch, flow table, rule, address, new
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 徐鹏, 金海�, 张芝, 袁斌
Current assignee: Huazhong University of Science and Technology; Shenzhen Huazhong University of Science and Technology Research Institute
Original assignee: Huazhong University of Science and Technology; Shenzhen Huazhong University of Science and Technology Research Institute


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 45/00 Routing or path finding of packets in data switching networks
    • H04L 45/02 Topology update or discovery
    • H04L 45/38 Flow based routing
    • H04L 45/74 Address processing for routing


Abstract

The invention discloses an active defense method in an SDN network based on path and address hopping, belonging to the field of moving target defense. The method comprises: S1, the source host sends a packet to the first switch; S2, the switch determines whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch and the method proceeds to step S5; otherwise, the switch sends a Packet-In message to the controller and the method proceeds to step S3; S3, the controller simultaneously selects the transmission path of the packet and virtual IP addresses; S4, the controller generates flow table rules according to the selected transmission path and virtual IP addresses and issues a flow table and a reverse flow table to each switch; S5, the switch determines whether it is the last switch; if so, the packet is sent to the destination host, otherwise the method returns to step S2. Using the separation of the data layer and the control layer in an SDN network together with the MTD idea of actively introducing variation, the method changes the IP addresses and transmission path of packets without affecting normal network communication, increasing the difficulty for an attacker to obtain information and thereby improving the active defense capability of the system.

Description

Active defense method in an SDN network based on path and IP address hopping
Technical field
The invention belongs to the field of moving target defense, and more particularly to an active defense method in an SDN (Software Defined Network) network based on path and address hopping.
Background technique
Moving Target Defense (MTD) uses a dynamic, uncertain network environment to increase the difficulty for an attacker and to avoid the risk of being attacked as far as possible. In traditional network defense techniques the network configuration is typically static: an attacker can reconnoitre the network at any time to plan an attack, while the defender must stay alert at all times to resist it, which creates an asymmetric attack-defense situation. Building an active, dynamic network environment can narrow this asymmetry, but it reduces system availability, which limits the capability of MTD.
The emergence of SDN brings a new opportunity for solving this problem. SDN separates the data layer from the controller, fundamentally changing the network architecture, and its centralized management helps to exploit the advantages of MTD. In the prior art, patent CN105141641A discloses a chaotic moving target defense method and system based on SDN, whose principle is to confuse the attacker by having the communicating parties use random, periodically changing IP addresses. This method can hinder the attacker's reconnaissance, but once the attacker learns that the IP addresses in the network are disguised, because the path has not changed, the attacker can still filter and analyze the traffic passing through the same switch over a short time and sniff all information of the communication at a single switch. Patent CN108833285A discloses a network moving target defense method, electronic device, storage medium and system that changes the path randomly at a certain hop period, but it does not consider the consistency of policy execution during data transmission when the policy is updated after a hop. The processing rules before and after the path change may not be identical, and because IP addresses are exposed in the network, an attacker's global analysis can still sniff the communication information.
In existing SDN-based IP and path hopping methods, the information carried by packets is easily captured and analyzed by a sniffer because packet IP addresses are exposed in the network, and the transmission of packets may be tracked by a sniffer, allowing an attacker's global analysis to learn the actual state of the network, for example its topology or active hosts.
Summary of the invention
In view of the drawbacks of the prior art, the object of the invention is to solve the technical problem that prior-art moving target defense methods for SDN networks have poor defense capability because packet IP addresses are exposed and packet transmission information can be tracked.
To achieve the above object, in a first aspect, an embodiment of the invention provides an active defense method in an SDN network based on path and IP address hopping, comprising the following steps:
S1. The source host sends a packet to the first switch;
S2. The switch looks up its flow table and determines whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch according to the matching flow entry and the method proceeds to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and the method proceeds to step S3;
S3. After the controller receives the message, it simultaneously selects the transmission path of the packet from the source host to the destination host and virtual IP addresses for hiding host information;
S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and issues and installs a flow table and a reverse flow table on each switch in the transmission path;
S5. The switch determines whether it is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, the method returns to step S2.
Specifically, when the controller receives a Packet-In message sent by the first switch, it arbitrarily selects two virtual IP addresses from the unused IP addresses as the source IP and destination IP.
Specifically, step S3 further comprises:
If the switch that sent the Packet-In message is not the first switch, the Packet-In messages from non-first switches are counted and it is determined whether the count exceeds a set threshold; if so, the controller checks the flow table of the switch that sent the Packet-In message and, if a problem is found, reissues the corresponding flow table; otherwise, the Packet-In message is ignored.
Specifically, generating flow table rules according to the selected transmission path and virtual IP addresses is as follows:
For the first switch, a rule that matches the real source IP and destination IP and executes: modify the packet header source IP and destination IP to the virtual IP addresses, add a version number equal to the number of the selected transmission path, and forward on the port of the first switch determined by the selected transmission path;
For the last switch, a rule that matches the virtual source IP, destination IP and version number and executes: restore the packet header IP addresses to the real source IP and destination IP, and forward on the port of the last switch determined by the selected transmission path;
For each intermediate switch, a rule that matches the virtual source IP, destination IP and version number and forwards on the port of that switch determined by the selected transmission path.
Specifically, the active defense method in an SDN network based on path and IP address hopping further comprises:
While packets of the data flow continue to be transmitted according to the newest flow table, when the time since the last flow table issuance reaches the IP hop period t_ip, the controller selects new virtual IP addresses and reconstructs new flow table rules whose priority is higher than that of the old flow table rules, and issues and installs the new flow table and reverse flow table on each switch in the selected transmission path.
Specifically, the controller selecting new virtual IP addresses to reconstruct new flow table rules is as follows:
For the first switch, a rule that matches the real source IP and destination IP and executes modification of the packet header source IP and destination IP to the new virtual IP addresses;
For each intermediate switch, the IP addresses matched in the match fields are changed to the new virtual IP addresses and the Action field is left unchanged;
For the last switch, the IP addresses matched in the match fields are changed to the new virtual IP addresses in the rule that modifies the packet header source IP and destination IP.
Specifically, the active defense method in an SDN network based on path and IP address hopping further comprises:
While packets of the data flow continue to be transmitted according to the newest flow table, when the time since the last flow table issuance reaches the path change period t_route, the controller selects a new transmission path and reconstructs new flow table rules whose priority is higher than that of the old flow table rules, and issues and installs the new flow table and reverse flow table on each switch in the new transmission path.
Specifically, the controller selecting a new transmission path to reconstruct new flow table rules is as follows:
For the first switch, a rule that matches the real source IP and destination IP, sets the version number to the number of the new transmission path, and forwards on the port of the first switch determined by the new transmission path;
For each intermediate switch and the last switch, the version number matched in the match fields is changed to the new path number, and the forwarding port of the switch is determined by the new transmission path.
Specifically, reconstructing new flow table rules must satisfy the following two conditions:
(1) the priority of the flow table issued by the new policy is higher than that of the old policy;
(2) while the data flow continues to be transmitted according to the newest flow table, a flow table rule that is not matched for longer than the idle time t_idle is deleted automatically.
In a second aspect, an embodiment of the invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the active defense method in an SDN network based on path and IP address hopping described in the first aspect.
In general, compared with the prior art, the above technical solution contemplated by the invention has the following beneficial effects:
1. By modifying the packet header source IP and destination IP and changing the transmission path, the invention causes an attacker who unknowingly sniffs the network to obtain wrong or incomplete information, increasing the difficulty of stealing information and understanding the network. In this technical means, the modification of IP addresses is based on the separation of the data layer and the control layer in an SDN network: data-layer switches are only responsible for forwarding according to decisions, while the controller actually manages packet forwarding in the network. Unlike a traditional network, where the IP addresses in the packet header are used for path finding, here the modification of the packet header by a flow entry does not affect network communication. The modification of the path is based on the controller's global control over resources in an SDN network: the network topology is available, so multiple transmission paths can be obtained, and different paths are selected by deploying different flow tables to guide packets. This leaves the attacker unable to identify active hosts or to recognize packets as belonging to the same data flow, and makes it hard to obtain complete information, thereby increasing the difficulty of collecting information.
2. By actively changing the IP addresses and path of transmitted packets at a certain frequency, the invention reduces the usability of the information an attacker obtains by sniffing. Even if the attacker learns that the IP addresses exposed in the network are virtual and tracks the virtual IP addresses to obtain the transmission path, only transient data is obtained, which may already have changed, so the information originally acquired becomes invalid, further reducing the usability of the attacker's information. This technical means modifies the same data flow; when the source IP and destination IP are known, the path is also known. Based on the principle that the SDN controller can plan flow entry rules in advance and issue the corresponding rules in time when the hop period is reached, the data collected by the attacker becomes random, irregular and short-lived, improving the defense capability of the system.
Detailed description of the invention
Fig. 1 is a flow chart of the active defense method in an SDN network based on path and IP address hopping provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the flow table structure in each switch provided by an embodiment of the invention.
Specific embodiment
In order to make the objects, technical solutions and advantages of the invention clearer, the invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are merely illustrative of the invention and are not intended to limit it.
As shown in Fig. 1, the active defense method in an SDN network based on path and IP address hopping comprises the following steps:
S1. The source host sends a packet to the first switch;
S2. The switch looks up its flow table and determines whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch according to the matching flow entry and the method proceeds to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and the method proceeds to step S3;
S3. After the controller receives the message, it simultaneously selects the transmission path of the packet from the source host to the destination host and virtual IP addresses for hiding host information;
S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and issues and installs a flow table and a reverse flow table on each switch in the transmission path;
S5. The switch determines whether it is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, the method returns to step S2.
Step S1. The source host sends a packet to the first switch.
The data flow continuously sends packets from the source host to the first switch. Fig. 2 shows an example with two hosts and four switches, each connected to the controller (not shown). It is assumed that IP hopping is performed first (the second row) and path selection afterwards (the third row); whether IP hopping or route selection is performed, the path number or IP addresses that are not being changed are kept the same as in the current state. Host A sends packets to host B; the packets from host A are first transmitted to the switch C0 directly connected to it.
Step S2. The switch looks up its flow table and determines whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch according to the matching flow entry and the method proceeds to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and the method proceeds to step S3.
A switch has no decision-making function; it looks up and matches its flow table, and transmitted packets follow the flow table rules: as long as a packet matches the match fields of a flow entry, the corresponding Action operations are executed. The match fields consist of certain fields of the packet header, for example the source and destination IP addresses.
If the content of a flow entry's match fields is identical to the corresponding information in the packet header, the match succeeds and the packet is forwarded directly according to the Action field instruction of the flow table. An Action can comprise multiple operations, for example modifying the packet's IP addresses and forwarding it out of a certain port of the switch.
If no flow entry matches, the switch matches the table-miss rule, which the controller must configure in advance; it specifies that packets matching no flow entry are sent to the controller. The switch sends the packet header information to the controller in a Packet-In message, for example the packet's source IP, destination IP, port and MAC address.
Step S3. After the controller receives the message, it simultaneously selects the transmission path of the packet from the source host to the destination host and virtual IP addresses for hiding host information.
Unlike the data layer where the switches reside, the controller, as the management layer of the SDN network, deploys and controls the network and continuously listens for requests from switches. Once it receives a Packet-In message, it parses the received packet, identifies the id of the switch that sent it and the source IP address of the packet, and uses the network topology to determine whether that switch is directly connected to the source host, i.e. whether the switch that sent the Packet-In message is the first switch; if so, it performs route path selection and virtual IP address setting simultaneously.
When the controller receives the message from the first switch, it treats this as the start of a new communication and executes the corresponding routing policy to select a path. The controller parses the source IP and destination IP from the Packet-In message and, using the collected information such as the working state of network links, evaluates each link according to one or more network performance indicators (packet loss, remaining bandwidth, delay, etc.), uses the evaluation value as the link weight and formulates the routing policy. If the overlap between paths is too large, changing the path has no effect and may instead reduce network performance because of the cost of deploying and issuing policies. As the network topology grows, more paths become available, and the specific routing policy can be adjusted to the actual topology. All paths from the source host to the destination host are found; after removing the paths with higher overlap, k paths are selected, denoted S1, S2, ..., Sk and numbered 1, 2, ..., k respectively, and one path Sa (1 ≤ a ≤ k) is chosen at random. Once the selection is complete, the ids of all switches on the transmission path and the port used to forward to the next switch are determined.
When the controller receives the message from the first switch, it also selects virtual IP addresses to hide the real IP addresses of the data flow. Since the controller records the IP addresses of the communicating hosts in the entire SDN network, it can arbitrarily choose an unused IP v1 as the source IP and v2 as the destination IP, which replace the real IP addresses and hide the packet's IP information.
If the SDN network has been deployed and controlled successfully, that is, packets (including reply packets) are forwarded along the deployed path, then a Packet-In message must come from the first switch. If the switch that sent the Packet-In message is not the first switch, policy deployment has probably failed and fault-tolerant processing is needed. Specifically, the Packet-In messages from non-first switches are counted and it is determined whether the count exceeds a set threshold; if so, the controller checks whether the flow table of the switch that sent the Packet-In message has a problem and, if so, reissues the corresponding flow table; otherwise, the Packet-In message is ignored.
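The candidate-path selection of step S3 (enumerate all paths from source to destination, discard those with high overlap, keep k of them numbered 1..k, then pick one at random), worked as an added Python example that is not part of the patent. The four-switch topology, its link weights and the Jaccard overlap threshold are constructed assumptions.

```python
import random
from typing import Dict, List

# Constructed topology (assumption): adjacency list of switches. The weights stand in
# for the controller's link assessment (delay, packet loss, remaining bandwidth, ...).
TOPO: Dict[str, Dict[str, float]] = {
    "C0": {"C1": 1.0, "C2": 1.0},
    "C1": {"C0": 1.0, "C3": 1.0, "C2": 2.0},
    "C2": {"C0": 1.0, "C3": 1.0, "C1": 2.0},
    "C3": {"C1": 1.0, "C2": 1.0},
}


def all_simple_paths(topo: Dict[str, Dict[str, float]], src: str, dst: str) -> List[List[str]]:
    """Depth-first enumeration of every loop-free path from src to dst."""
    found: List[List[str]] = []

    def walk(node: str, seen: set, path: List[str]) -> None:
        if node == dst:
            found.append(path[:])
            return
        for nxt in topo[node]:
            if nxt not in seen:
                seen.add(nxt)
                path.append(nxt)
                walk(nxt, seen, path)
                path.pop()
                seen.discard(nxt)

    walk(src, {src}, [src])
    return found


def links(path: List[str]) -> set:
    """Undirected link set of a path, so overlap ignores direction."""
    return {frozenset(edge) for edge in zip(path, path[1:])}


def overlap(p: List[str], q: List[str]) -> float:
    """Fraction of links two paths share (Jaccard index); 0.0 means fully disjoint."""
    a, b = links(p), links(q)
    return len(a & b) / len(a | b)


def path_cost(topo: Dict[str, Dict[str, float]], path: List[str]) -> float:
    return sum(topo[u][v] for u, v in zip(path, path[1:]))


def select_candidate_paths(topo, src: str, dst: str, k: int, max_overlap: float = 0.5) -> Dict[int, List[str]]:
    """Return up to k low-cost paths whose pairwise link overlap stays within max_overlap,
    numbered 1..k as S1..Sk in the description. Paths that overlap too much with an
    already chosen path are dropped, because hopping between them would not change much."""
    ranked = sorted(all_simple_paths(topo, src, dst), key=lambda p: (path_cost(topo, p), p))
    chosen: List[List[str]] = []
    for p in ranked:
        if all(overlap(p, q) <= max_overlap for q in chosen):
            chosen.append(p)
        if len(chosen) == k:
            break
    return {i + 1: p for i, p in enumerate(chosen)}


def pick_path(candidates: Dict[int, List[str]], seed=None):
    """Random choice of Sa with 1 <= a <= k; the number a becomes the flow rule version."""
    a = random.Random(seed).choice(sorted(candidates))
    return a, candidates[a]
```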
Step S4. The controller generates flow table rules according to the selected transmission path and virtual IP addresses, and issues and installs a flow table and a reverse flow table on each switch in the transmission path.
After the packet transmission path has been determined and the substitute virtual IP addresses have been selected, the controller issues flow tables according to the ids of the switches on the path, the corresponding forwarding ports and the substitute IP addresses, in order to deploy the corresponding policy. This corresponds to the first row of the flow entries in Fig. 2. Specifically:
For the first switch, a rule that matches the real source IP and destination IP and executes: modify the packet header source IP and destination IP to the virtual IP addresses, add a version number equal to the number of the selected transmission path, and forward on the port of the first switch determined by the selected transmission path.
For the last switch, a rule that matches the virtual source IP, destination IP and version number and executes: restore the packet header IP addresses to the real source IP and destination IP, and forward on the port of the last switch determined by the selected transmission path.
For each intermediate switch, a rule that matches the virtual source IP, destination IP and version number and forwards on the port of that switch determined by the selected transmission path.
Step S5. The switch determines whether it is the last switch; if so, the packet is sent to the destination host according to the matching flow entry; otherwise, the method returns to step S2.
If the switch is the last switch, it is necessarily directly connected to the destination host. The packet is transferred to the destination host according to the Action instruction of the flow entry. Since the controller has also installed the corresponding reverse transmission rules, reply packets sent from host B to host A likewise follow the planned route, so that forwarding of the entire data flow is completed while IP addresses are hidden and the path is changed.
Preferably, the active defense method in an SDN network based on path and IP address hopping further comprises:
While packets of the data flow continue to be transmitted according to the newest flow table, when the time since the last flow table issuance reaches the IP hop period t_ip, the controller selects new virtual IP addresses and reconstructs new flow table rules whose priority is higher than that of the old flow table rules, and issues and installs the new flow table and reverse flow table on each switch in the selected transmission path.
Once time t_ip is reached, two virtual IP addresses are randomly selected from the unused IP addresses as the packet's source IP and destination IP, denoted v3 and v4, realizing address hopping within a data flow. The controller selects the new virtual IP addresses and reconstructs new flow table rules, corresponding to the second row of the flow entries in Fig. 2; the rules concerning the path are unchanged. Specifically:
For the first switch, a rule that matches the real source IP and destination IP and executes modification of the packet header source IP and destination IP to the new virtual IP addresses.
For each intermediate switch, the IP addresses matched in the match fields are changed to the new virtual IP addresses and the Action field is left unchanged.
For the last switch, the IP addresses matched in the match fields are changed to the new virtual IP addresses in the rule that modifies the packet header source IP and destination IP.
Preferably, the active defense method in an SDN network based on path and IP address hopping further comprises:
While packets of the data flow continue to be transmitted according to the newest flow table, when the time since the last flow table issuance reaches the path change period t_route, the controller selects a new transmission path and reconstructs new flow table rules whose priority is higher than that of the old flow table rules, and issues and installs the new flow table and reverse flow table on each switch in the new transmission path.
Once time t_route is reached, a path is again selected at random from the k paths, and the acquired path number b (1 ≤ b ≤ k) is used as the version number. The controller selects the new transmission path and reconstructs new flow table rules, corresponding to the third row of the flow entries in Fig. 2; the rules concerning IP addresses are unchanged. Specifically:
For the first switch, a rule that matches the real source IP and destination IP, sets the version number to the number of the new transmission path, and forwards on the port of the first switch determined by the new transmission path.
For each intermediate switch and the last switch, the version number matched in the match fields is changed to the new path number, and the forwarding port of the switch is determined by the new transmission path.
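The rule construction of step S4 together with the two hop rules (IP hop every t_ip, path hop every t_route, new rules at a higher priority, unmatched rules expiring after t_idle, first switch installed last), as an added Python simulation that is not the patent's code. The switch model, the two-path topology C0->C1->C3 / C0->C2->C3, the port numbers and all addresses are constructed assumptions, and reverse-direction rules are omitted.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class FlowRule:
    match: Dict[str, object]           # header fields the packet must equal
    actions: List[Tuple[str, object]]  # ("src"|"dst"|"version", value) rewrites and ("output", port)
    priority: int
    idle_timeout: float = 2.0          # t_idle; the embodiment uses 2 s
    last_hit: float = 0.0

class Switch:
    """Minimal flow-table model: the highest-priority match wins, idle entries expire."""
    def __init__(self) -> None:
        self.table: List[FlowRule] = []

    def install(self, rule: FlowRule, now: float) -> None:
        rule.last_hit = now
        self.table.append(rule)

    def process(self, pkt: dict, now: float) -> Optional[Tuple[int, dict]]:
        """Return (out_port, rewritten packet), or None on table-miss (Packet-In)."""
        self.table = [r for r in self.table if now - r.last_hit <= r.idle_timeout]
        hits = [r for r in self.table if all(pkt.get(k) == v for k, v in r.match.items())]
        if not hits:
            return None
        rule = max(hits, key=lambda r: r.priority)   # new policy outranks old policy
        rule.last_hit = now
        out = dict(pkt)
        out.update((k, v) for k, v in rule.actions if k != "output")
        return dict(rule.actions)["output"], out

# Constructed topology (assumption): path 1 = C0->C1->C3, path 2 = C0->C2->C3 as (switch, out_port)
# hops; NEXT maps (switch, out_port) to the neighbour reached through that port.
PATHS = {1: [("C0", 2), ("C1", 2), ("C3", 1)], 2: [("C0", 3), ("C2", 2), ("C3", 1)]}
NEXT = {("C0", 2): "C1", ("C0", 3): "C2", ("C1", 2): "C3", ("C2", 2): "C3", ("C3", 1): "hostB"}

class Controller:
    def __init__(self, switches: Dict[str, Switch], real_src: str, real_dst: str, free_ips: List[str]):
        self.sw, self.real, self.free = switches, (real_src, real_dst), list(free_ips)
        self.prio, self.path_no, self.vip = 10, 1, ("", "")
        self.packet_ins = 0

    def _rules(self) -> Dict[str, FlowRule]:
        """Forward-direction rules for the first, intermediate and last switch of the current path."""
        hops, (rs, rd), (vs, vd), n = PATHS[self.path_no], self.real, self.vip, self.path_no
        (fsw, fport), (lsw, lport) = hops[0], hops[-1]
        # first switch: match real IPs, rewrite to virtual IPs, tag version = path number
        rules = {fsw: FlowRule({"src": rs, "dst": rd},
                               [("src", vs), ("dst", vd), ("version", n), ("output", fport)], self.prio)}
        for sw, port in hops[1:-1]:    # intermediate switches: match virtual IPs + version, forward
            rules[sw] = FlowRule({"src": vs, "dst": vd, "version": n}, [("output", port)], self.prio)
        # last switch: match virtual IPs + version, restore the real IPs
        rules[lsw] = FlowRule({"src": vs, "dst": vd, "version": n},
                              [("src", rs), ("dst", rd), ("output", lport)], self.prio)
        return rules

    def _deploy(self, now: float) -> None:
        rules, first = self._rules(), PATHS[self.path_no][0][0]
        # install order from the description: every other switch first, the first switch last
        for sid in [s for s in rules if s != first] + [first]:
            self.sw[sid].install(rules[sid], now)

    def on_packet_in(self, now: float, path_no: int = 1) -> None:
        """Table-miss at the first switch: choose a path and a fresh virtual IP pair."""
        self.packet_ins += 1
        self.path_no, self.vip = path_no, (self.free.pop(0), self.free.pop(0))
        self._deploy(now)

    def ip_hop(self, now: float) -> None:
        """Every t_ip: new virtual pair, same path, higher priority than the old rules."""
        self.vip, self.prio = (self.free.pop(0), self.free.pop(0)), self.prio + 1
        self._deploy(now)

    def route_hop(self, now: float, path_no: int) -> None:
        """Every t_route: new path (version) number, same virtual IPs, higher priority."""
        self.path_no, self.prio = path_no, self.prio + 1
        self._deploy(now)

def send(switches: Dict[str, Switch], ctrl: Controller, pkt: dict, now: float):
    """Forward one packet from host A (attached to C0). Returns (header seen entering each switch, delivered packet)."""
    seen, sid = {}, "C0"
    while sid in switches:
        seen[sid] = (pkt["src"], pkt["dst"])   # what a sniffer on the link into this switch observes
        res = switches[sid].process(pkt, now)
        if res is None:                        # table-miss: Packet-In to the controller
            ctrl.on_packet_in(now)
            res = switches[sid].process(pkt, now)
        port, pkt = res
        sid = NEXT[(sid, port)]
    return seen, pkt

def demo():
    sws = {s: Switch() for s in ("C0", "C1", "C2", "C3")}
    ctrl = Controller(sws, "10.0.0.1", "10.0.0.2", ["10.0.9.1", "10.0.9.2", "10.0.9.3", "10.0.9.4"])
    pkt = {"src": "10.0.0.1", "dst": "10.0.0.2"}
    first = send(sws, ctrl, pkt, now=0.0)      # table-miss, then path 1 with v1/v2
    ctrl.ip_hop(now=1.0)                       # t_ip reached: v3/v4, path unchanged
    hopped = send(sws, ctrl, pkt, now=1.5)
    ctrl.route_hop(now=2.0, path_no=2)         # t_route reached: path 2, IPs unchanged
    rerouted = send(sws, ctrl, pkt, now=2.5)   # by now the t=0 rules have idled out
    return first, hopped, rerouted, ctrl.packet_ins
```

Intermediate switches only ever see the virtual pair and the version tag, while the delivered packet carries the real addresses again.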
According to the actual network conditions, a compromise between packet loss and protection effect is made when setting the IP hop period t_ip and the path change period t_route, which are generally on the order of seconds. Separate time frequencies are set for the path and for the IP addresses; once a time interval is reached, the old policy must be replaced by the new one. Both path changes and IP address modifications must follow the following rules:
1. The priority of the flow table issued by the new policy is higher than that of the old policy. If they had the same priority, packet forwarding would be non-deterministic and the two policies would coexist in the switch; with policies updated too fast and too many data flows, a large number of flow tables would exist in the switch and the flow table could overflow. So, for the same data flow, in order to guarantee that subsequently transmitted packets follow the new policy, the policies are distinguished by raising the priority. But the priority cannot be raised without limit and must be kept within a certain range; when the turning point is reached, the new policy is given a lower priority and forwarding follows the old policy, so that other data flows are not affected and the system is not disturbed. Packets subsequently transmitted under the same match conditions all follow the new policy.
2. While the data flow continues to be transmitted according to the newest flow table, a flow table rule that is not matched for longer than the idle time t_idle is deleted automatically. A time t_idle must be set on the flow table to guarantee that the old policy is deleted automatically at a suitable moment. When the new and old policies alternate, packets transmitted afterwards are forwarded according to the new policy, while packets already transmitted that have not yet reached the destination host can still match the old policy's flow table for a short time to complete forwarding; the old policy's flow table, being unmatched for a period of time, is then deleted automatically, and the new policy completely takes over the transmission work of the old policy, and so on in a cycle. This guarantees that service is not interrupted when policies are replaced, and also deletes the old policy automatically without placing an excessive burden on the flow table storage of the switch. In the embodiment of the invention, t_idle is set to 2 s.
The real IP addresses of transmitted packets are hidden by the first switch, the path number given by path selection serves as the version number, and the packet IP addresses are changed back to the real IP addresses by the last switch, guaranteeing the accuracy of packet information transmission. Each time flow tables are issued, the controller first issues the flow table policies of the switches other than the first switch and then the flow table policy of the first switch, to guarantee that packets can be correctly forwarded to the destination host after passing the first switch, without frequently sending requests to the controller because of flow table mismatches.
The invention focuses on combining the advantages of SDN networks and MTD. Using the separation of the data layer and the control layer in an SDN network together with the MTD idea of actively manipulating variation, it changes the IP addresses and transmission path of packets without affecting normal network communication, increasing the difficulty for an attacker to obtain information and thereby improving the active defense capability of the system. By modifying the IP addresses of transmitted packets and changing the transmission path, sensitive information that might be sniffed by an attacker is hidden, which serves to confuse the attacker. To increase the difficulty of obtaining information, the controller changes the IP addresses or the path at a certain time frequency, actively initiating variation; this reduces the usability of sniffed information, lowers the attacker's understanding of the network state so that an attack cannot be planned, and thereby reduces the attack success rate, realizing active defense of the network.
The above are only preferred specific embodiments of the application, but the protection scope of the application is not limited thereto; any changes or substitutions that can be readily conceived by those skilled in the art within the technical scope disclosed in the application shall fall within the protection scope of the application. Therefore, the protection scope of the application shall be subject to the protection scope of the claims.

Claims (10)

1. An active defense method in an SDN network based on path and IP address hopping, characterized in that the method comprises the following steps:
S1. the source host sends a packet to the first switch;
S2. the flow table of the current switch is looked up to judge whether the packet matches a flow entry; if so, the packet is forwarded to the next-hop switch according to the matched flow entry and the method goes to step S5; otherwise, the switch sends the packet header information to the controller in a Packet-In message and the method goes to step S3;
S3. after the controller receives the message, it selects both the transmission path of the packet from the source host to the destination host and the virtual IP addresses used to hide the host information;
S4. the controller generates flow rules according to the selected transmission path and virtual IP addresses, and issues and installs a flow table and a reverse flow table on each switch in the transmission path;
S5. it is judged whether the current switch is the last switch; if so, the packet is sent to the destination host according to the matched flow entry; otherwise, the method goes to step S2.
2. The active defense method according to claim 1, characterized in that, when the Packet-In message sent by the first switch is received, the controller selects two arbitrary virtual IP addresses from the IP addresses not in use, as the source IP and the destination IP.
3. The active defense method according to claim 1 or 2, characterized in that step S3 further comprises:
if the sender of the Packet-In message is not the first switch, counting the Packet-In messages from non-first switches and judging whether the count exceeds a set threshold; if so, the controller checks the flow table of the switch that sent the Packet-In message and, when a problem is found, re-issues the corresponding flow table; otherwise, the Packet-In message is ignored.
4. The active defense method according to any one of claims 1 to 3, characterized in that generating flow rules according to the selected transmission path and virtual IP addresses is specifically as follows:
for the first switch, a rule that matches the real source IP and destination IP and, as its actions, rewrites the source IP and destination IP in the packet header to the virtual IPs, adds a version number equal to the number of the selected transmission path, and forwards on the port of the first switch determined by the selected transmission path;
for the last switch, a rule that matches the virtual source IP, the virtual destination IP and the version number and, as its actions, restores the IPs in the packet header to the real source IP and destination IP and forwards on the port of the last switch determined by the selected transmission path;
for each intermediate switch, a rule that matches the virtual source IP, the virtual destination IP and the version number and forwards on the port of that intermediate switch determined by the selected transmission path.
5. The active defense method according to any one of claims 1 to 4, characterized in that the active defense method in an SDN network based on path and IP address hopping further comprises:
while the packets of a data flow are forwarded according to the newest flow table, when the time elapsed since the last flow table issuance reaches the IP hopping period t_ip, the controller selects new virtual IP addresses and rebuilds new flow rules, the priority of which is higher than that of the old flow rules, and issues and installs the new flow table and reverse flow table on each switch in the selected transmission path.
6. The active defense method according to claim 5, characterized in that the controller selecting new virtual IP addresses to rebuild new flow rules is specifically as follows:
for the first switch, a rule that matches the real source IP and destination IP and rewrites the source IP and destination IP in the packet header to the new virtual IPs;
for each intermediate switch, a rule in which the IPs in the match fields are replaced by the new virtual IPs respectively, with the action field unchanged;
for the last switch, a rule in which the IPs in the match fields are replaced by the new virtual IPs respectively, and whose actions rewrite the source IP and destination IP in the packet header from the new virtual IPs back to the real IPs.
7. The active defense method according to any one of claims 1 to 6, characterized in that the active defense method in an SDN network based on path and IP address hopping further comprises:
while the packets of a data flow are forwarded according to the newest flow table, when the time elapsed since the last flow table issuance reaches the path hopping period t_route, the controller selects a new transmission path and rebuilds new flow rules, the priority of which is higher than that of the old flow rules, and issues and installs the new flow table and reverse flow table on each switch in the new transmission path.
8. The active defense method according to claim 7, characterized in that the controller selecting a new transmission path to rebuild new flow rules is specifically as follows:
for the first switch, a rule that matches the real source IP and destination IP, rewrites the version number to the number of the new transmission path, and forwards on the port of the first switch determined by the new transmission path;
for each intermediate switch and the last switch, a rule in which the version number in the match fields is replaced by the new path number and which forwards on the port of that switch determined by the new transmission path.
9. The active defense method according to any one of claims 5 to 8, characterized in that rebuilding new flow rules must satisfy the following two conditions:
(1) the priority of the flow entries issued by the new strategy is higher than that of the old strategy;
(2) while the data flow is forwarded according to the newest flow table, a flow entry that is not matched for longer than the idle timeout t_idle is deleted automatically.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor it implements the active defense method in an SDN network based on path and IP address hopping according to any one of claims 1 to 9.
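As an added example that is not the patent's own code, the rule sets of claims 4, 6 and 8 can be built from a single generator parameterised by path, virtual address pair, path number and priority: an IP hop reuses the path with new virtual addresses, a path hop reuses the addresses with a new path and path number, and each rebuild raises the priority as claim 9 requires. The reverse flow table is obtained by reversing the path and swapping the addresses. The topology (switch names and port numbers, each path entry written as (switch, in_port, out_port)), the IP addresses, the priority values, the `version` key standing in for the unnamed header field that carries the path number, and the rule that a reverse entry forwards on the forward entry's input port are all assumptions of this example.

```python
"""Added example, not from the patent: generate the per-switch OpenFlow-style
rules of claims 4, 6 and 8 and order them for installation as the
description requires (all other switches first, the first switch last)."""

# A path is a list of (switch_id, in_port, out_port) in transmission order.
# Switch names, port numbers and addresses below are constructed for the
# example; 'version' stands for whatever header field carries the path number.

def base_rules(path, real_src, real_dst, vsrc, vdst, path_no, priority):
    """Claim 4: the first switch hides the real IPs and stamps the path
    number, intermediate switches match virtual IPs + version and only
    forward, the last switch restores the real IPs."""
    assert len(path) >= 2, "first and last switch must differ"
    first, last = path[0][0], path[-1][0]
    virt_match = {"src": vsrc, "dst": vdst, "version": path_no}
    rules = {}
    for sw, _in, out in path:
        if sw == first:
            rule = {"match": {"src": real_src, "dst": real_dst},
                    "set": {"src": vsrc, "dst": vdst, "version": path_no}}
        elif sw == last:
            rule = {"match": dict(virt_match),
                    "set": {"src": real_src, "dst": real_dst}}
        else:
            rule = {"match": dict(virt_match), "set": {}}   # action unchanged
        rule.update(out_port=out, priority=priority)
        rules[sw] = rule
    return rules

def reverse_path(path):
    """Reverse flow: same switches in the opposite order, the forward
    input port becoming the output port (assumption of this example)."""
    return [(sw, out, _in) for sw, _in, out in reversed(path)]

def strategy(path, real, virt, path_no, priority):
    """Forward and reverse rule sets for one (path, virtual IP pair) choice."""
    fwd = base_rules(path, real[0], real[1], virt[0], virt[1], path_no, priority)
    rev = base_rules(reverse_path(path), real[1], real[0], virt[1], virt[0],
                     path_no, priority)
    return fwd, rev

def ip_hop(path, real, new_virt, path_no, old_priority):
    """Claim 6: same path, new virtual IPs, priority above the old rules."""
    return strategy(path, real, new_virt, path_no, old_priority + 1)

def path_hop(new_path, real, virt, new_path_no, old_priority):
    """Claim 8: same virtual IPs, new path number and ports, higher priority."""
    return strategy(new_path, real, virt, new_path_no, old_priority + 1)

def install_order(path):
    """Push order from the description: every switch except the first one,
    then the first switch, so a packet rewritten by the first switch never
    reaches a switch that has no entry for it yet."""
    first = path[0][0]
    return [sw for sw, _, _ in path if sw != first] + [first]

def demo():
    path1 = [("s1", 1, 2), ("s2", 1, 2), ("s3", 1, 2)]   # constructed topology
    path2 = [("s1", 1, 3), ("s4", 1, 2), ("s3", 2, 2)]
    real = ("10.0.0.1", "10.0.0.2")
    v1 = ("192.168.1.10", "192.168.1.20")
    v2 = ("192.168.2.10", "192.168.2.20")
    initial, initial_rev = strategy(path1, real, v1, path_no=1, priority=10)
    hopped_ip, _ = ip_hop(path1, real, v2, path_no=1, old_priority=10)
    hopped_path, _ = path_hop(path2, real, v2, new_path_no=2, old_priority=11)
    return {"initial": initial, "initial_rev": initial_rev,
            "ip_hop": hopped_ip, "path_hop": hopped_path,
            "order": install_order(path1), "order2": install_order(path2)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that in the generated sets only the first switch's entry matches the real addresses, so a sniffer on any link after it sees the virtual pair and the version stamp; the path hop leaves the virtual addresses in place and changes only the version and the output ports, which is why the intermediate and last switches of claim 8 need a new match on the version field but no new set-field action.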
CN201910390382.6A 2019-05-10 2019-05-10 A kind of active defense method in SDN network based on path and IP address jump Pending CN110198270A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910390382.6A CN110198270A (en) 2019-05-10 2019-05-10 A kind of active defense method in SDN network based on path and IP address jump

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910390382.6A CN110198270A (en) 2019-05-10 2019-05-10 A kind of active defense method in SDN network based on path and IP address jump

Publications (1)

Publication Number Publication Date
CN110198270A true CN110198270A (en) 2019-09-03

Family

ID=67752576

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910390382.6A Pending CN110198270A (en) 2019-05-10 2019-05-10 A kind of active defense method in SDN network based on path and IP address jump

Country Status (1)

Country Link
CN (1) CN110198270A (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110611671A (en) * 2019-09-12 2019-12-24 北京邮电大学 Local area network communication method and device based on moving target defense
CN111163062A (en) * 2019-12-12 2020-05-15 之江实验室 Multi-network address hopping security defense method for cross fire attack
CN111224934A (en) * 2019-10-31 2020-06-02 浙江工商大学 Service path verification method for mimicry configuration in mimicry defense
CN111385228A (en) * 2020-02-26 2020-07-07 天津理工大学 Mobile target defense method based on openflow switch port confusion
CN111884941A (en) * 2020-08-03 2020-11-03 中国人民解放军92941部队 Safe SDN multicast system and control method thereof
CN113098900A (en) * 2021-04-29 2021-07-09 福建奇点时空数字科技有限公司 SDN network IP hopping method supporting address space expansion
CN113114666A (en) * 2021-04-09 2021-07-13 天津理工大学 Moving target defense method for scanning attack in SDN network
CN113242215A (en) * 2021-04-21 2021-08-10 华南理工大学 Defense method, system, device and medium for SDN fingerprint attack
CN113259387A (en) * 2021-06-21 2021-08-13 江苏天翼安全技术有限公司 Method for preventing honeypot from being controlled to jump board machine based on virtual exchange
CN113595769A (en) * 2021-07-09 2021-11-02 武汉大学 Multi-node network delay time window calculation method for hopping network
CN113612691A (en) * 2021-08-06 2021-11-05 浙江工商大学 Path conversion method, storage medium and terminal equipment
CN113765896A (en) * 2021-08-18 2021-12-07 广东三水合肥工业大学研究院 Internet of things implementation system and method based on artificial intelligence
CN113810404A (en) * 2021-09-15 2021-12-17 佳缘科技股份有限公司 SDN (software defined network) -based dynamic defense system and method for full-view transformation of network
CN114124491A (en) * 2021-11-12 2022-03-01 中国电信股份有限公司 Method and system for preventing bypass hijacking, ingress and egress switch and security network element
CN114257538A (en) * 2021-12-07 2022-03-29 中国人民解放军63891部队 SDN-based address random transformation method
CN114826923A (en) * 2021-01-27 2022-07-29 华中科技大学 Network rigidity evaluation method of SDN network
CN115065531A (en) * 2022-06-14 2022-09-16 天津理工大学 SDN-based moving target defense method for IoT network sniffing attack
CN116170396A (en) * 2022-12-29 2023-05-26 天翼云科技有限公司 IM message transmission method and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301129A (en) * 2013-07-16 2015-01-21 上海宽带技术及应用工程研究中心 Dynamic host configuration method and system in software defined network
CN105429957A (en) * 2015-11-02 2016-03-23 芦斌 IP address jump safety communication method based on SDN framework
CN106657066A (en) * 2016-12-23 2017-05-10 中国电子科技集团公司第三十研究所 Random jumping method and device for network management plane address
CN109729022A (en) * 2017-10-30 2019-05-07 华为技术有限公司 A kind of data transmission method for uplink based on software defined network, apparatus and system

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110611671A (en) * 2019-09-12 2019-12-24 北京邮电大学 Local area network communication method and device based on moving target defense
CN111224934A (en) * 2019-10-31 2020-06-02 浙江工商大学 Service path verification method for mimicry configuration in mimicry defense
CN111224934B (en) * 2019-10-31 2022-04-15 浙江工商大学 Service path verification method for mimicry configuration in mimicry defense
CN111163062A (en) * 2019-12-12 2020-05-15 之江实验室 Multi-network address hopping security defense method for cross fire attack
CN111163062B (en) * 2019-12-12 2022-02-22 之江实验室 Multi-network address hopping security defense method for cross fire attack
CN111385228B (en) * 2020-02-26 2022-02-18 天津理工大学 Mobile target defense method based on openflow switch port confusion
CN111385228A (en) * 2020-02-26 2020-07-07 天津理工大学 Mobile target defense method based on openflow switch port confusion
CN111884941A (en) * 2020-08-03 2020-11-03 中国人民解放军92941部队 Safe SDN multicast system and control method thereof
CN114826923A (en) * 2021-01-27 2022-07-29 华中科技大学 Network rigidity evaluation method of SDN network
CN113114666B (en) * 2021-04-09 2022-02-22 天津理工大学 Moving target defense method for scanning attack in SDN network
CN113114666A (en) * 2021-04-09 2021-07-13 天津理工大学 Moving target defense method for scanning attack in SDN network
CN113242215A (en) * 2021-04-21 2021-08-10 华南理工大学 Defense method, system, device and medium for SDN fingerprint attack
CN113242215B (en) * 2021-04-21 2022-05-24 华南理工大学 Defense method, system, device and medium for SDN fingerprint attack
CN113098900B (en) * 2021-04-29 2023-04-07 厦门美域中央信息科技有限公司 SDN network IP hopping method supporting address space expansion
CN113098900A (en) * 2021-04-29 2021-07-09 福建奇点时空数字科技有限公司 SDN network IP hopping method supporting address space expansion
CN113259387A (en) * 2021-06-21 2021-08-13 江苏天翼安全技术有限公司 Method for preventing honeypot from being controlled to jump board machine based on virtual exchange
CN113595769A (en) * 2021-07-09 2021-11-02 武汉大学 Multi-node network delay time window calculation method for hopping network
CN113595769B (en) * 2021-07-09 2022-06-07 武汉大学 Multi-node network delay time window calculation method for hopping network
CN113612691A (en) * 2021-08-06 2021-11-05 浙江工商大学 Path conversion method, storage medium and terminal equipment
CN113612691B (en) * 2021-08-06 2023-04-07 浙江工商大学 Path conversion method, storage medium and terminal equipment
CN113765896A (en) * 2021-08-18 2021-12-07 广东三水合肥工业大学研究院 Internet of things implementation system and method based on artificial intelligence
CN113810404A (en) * 2021-09-15 2021-12-17 佳缘科技股份有限公司 SDN (software defined network) -based dynamic defense system and method for full-view transformation of network
CN114124491A (en) * 2021-11-12 2022-03-01 中国电信股份有限公司 Method and system for preventing bypass hijacking, ingress and egress switch and security network element
CN114257538A (en) * 2021-12-07 2022-03-29 中国人民解放军63891部队 SDN-based address random transformation method
CN114257538B (en) * 2021-12-07 2023-08-25 中国人民解放军63891部队 SDN-based address random transformation method
CN115065531A (en) * 2022-06-14 2022-09-16 天津理工大学 SDN-based moving target defense method for IoT network sniffing attack
CN115065531B (en) * 2022-06-14 2023-09-08 天津理工大学 SDN-based mobile target defense method for IoT network sniffing attack
CN116170396A (en) * 2022-12-29 2023-05-26 天翼云科技有限公司 IM message transmission method and system

Similar Documents

Publication Publication Date Title
CN110198270A (en) A kind of active defense method in SDN network based on path and IP address jump
CN106921666B (en) DDoS attack defense system and method based on cooperative theory
US9197518B2 (en) Quality-deteriorated part analyzing system, quality-deteriorated part analyzing device, quality-deteriorated part analyzing method, and quality-deteriorated part analyzing program
CN105493450B (en) The method and system of service exception in dynamic detection network
JP6186655B2 (en) Malicious attack detection method and apparatus
US8611220B2 (en) Network system, controller, and network control method
CN104335537B (en) For the system and method for the multicast multipath of layer 2 transmission
US10826821B2 (en) Flow path detection
CN110890994B (en) Method, device and system for determining message forwarding path
JP2013207748A (en) Network system ad node device
CN111431800B (en) Method, device and equipment for establishing path and machine-readable storage medium
CN105591937B (en) A kind of acquisition method and equipment of network topological information
CN106487558B (en) A kind of method and apparatus for realizing the scalable appearance of access device
JP2014526189A (en) Method and apparatus for self-healing routing of control traffic in split architecture systems
CN107800668B (en) Distributed denial of service attack defense method, device and system
JP2007201966A (en) Traffic control scheme, apparatus and system
CN110679120B (en) Communication network node
CN102801738A (en) Distributed DoS (Denial of Service) detection method and system on basis of summary matrices
GB2527273A (en) Executing loops
CN106470213A (en) A kind of source tracing method of attack message and device
CN104601467A (en) Method and device for sending messages
CN113992539A (en) Network security dynamic route hopping method and system
Wang et al. Source-based defense against ddos attacks in sdn based on sflow and som
KR101541531B1 (en) Routing method based on available bandwidth pattern in software defined network
KR101601586B1 (en) Switch for communicating data in a dynamic computer network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190903