DDoS Defense Method Based on OpenFlow and sFlow
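  • English title: DDoS Defense Method Based on OpenFlow and sFlow
  • Authors: 董风雷; 秦存强
  • Authors (English): DONG Fenglei; QIN Cunqiang; Shandong Unicom Information Technology Department; Unit 66295, PLA
  • Keywords: distributed denial-of-service attack; network security; software-defined networking; intrusion detection
  • Keywords (English): DDoS attack; network security; SDN; intrusion detection
  • Chinese journal name: WXDG
  • English journal name: Radio Engineering
  • Institutions: Shandong Unicom Information Technology Department; Unit 66295, PLA
  • Publication date: 2019-04-01
  • Publisher: Radio Engineering (无线电工程)
  • Year: 2019
  • Issue: v.49; No.359
  • Language: Chinese
  • Page: WXDG201904004
  • Number of pages: 6
  • CN: 04
  • ISSN: 13-1097/TN
  • Classification number: 22-27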
Abstract
Distributed denial-of-service (DDoS) attacks are among the most prevalent network attacks today; they are highly destructive and difficult to defend against and trace, and they pose a serious threat to Internet security. To address this problem, this paper proposes an intrusion detection method based on OpenFlow and sFlow. The method uses sFlow sampling to monitor network traffic in real time and sets a traffic threshold based on normal network traffic; abnormal traffic that exceeds the threshold then undergoes attack detection to identify the attack flows, and the OpenFlow protocol is finally used to block the attack source. The method can automatically detect and handle multiple kinds of DDoS attacks within a few seconds. Experimental results show that, compared with existing schemes, the method detects and blocks DDoS attacks in real time and effectively reduces network resource consumption.
