[go: up one dir, main page]

CN111885092A - An edge node DDoS attack detection method, processing method and SDN - Google Patents

An edge node DDoS attack detection method, processing method and SDN Download PDF

Info

Publication number
CN111885092A
CN111885092A CN202010949698.7A CN202010949698A CN111885092A CN 111885092 A CN111885092 A CN 111885092A CN 202010949698 A CN202010949698 A CN 202010949698A CN 111885092 A CN111885092 A CN 111885092A
Authority
CN
China
Prior art keywords
destination
address
request message
ddos attack
edge node
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010949698.7A
Other languages
Chinese (zh)
Inventor
侯乐
徐雷
贾宝军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202010949698.7A priority Critical patent/CN111885092A/en
Publication of CN111885092A publication Critical patent/CN111885092A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明提供一种边缘节点的DDoS攻击检测方法、处理方法及SDN,所述检测方法包括:接收预定时间段内傀儡机发送的请求报文流;根据所述请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值;根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断所述目的IP地址对应的边缘节点是否存在DDoS攻击。该检测方法、处理方法及SDN能够解决现有技术中由于边缘网络容易受到DDoS攻击,且不存在DDoS物理清洗设备而导致无法检测DDoS攻击行为的问题。

Figure 202010949698

The invention provides a DDoS attack detection method, processing method and SDN of an edge node. The detection method includes: receiving a request message flow sent by a puppet machine within a predetermined time period; calculating each request message flow according to the request message flow In this paper, the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port; according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port, the edge node corresponding to the destination IP address is judged Whether there is a DDoS attack. The detection method, processing method and SDN can solve the problem in the prior art that the DDoS attack behavior cannot be detected because the edge network is vulnerable to DDoS attacks and there is no DDoS physical cleaning device.

Figure 202010949698

Description

一种边缘节点的DDoS攻击检测方法、处理方法及SDNAn edge node DDoS attack detection method, processing method and SDN

技术领域technical field

本发明涉及网络攻击防御技术领域,尤其涉及一种边缘节点的DDoS攻击检测方法、处理方法及SDN。The invention relates to the technical field of network attack defense, in particular to a DDoS attack detection method, processing method and SDN of an edge node.

背景技术Background technique

分布式拒绝服务(Distributed Denial of Service,DDoS)攻击是目前威胁网络安全的主要攻击手段,该类攻击由黑客控制傀儡机向受害者主机发送大量虚假报文,从而造成网络拥塞或是受害者主机崩溃。在边缘网络中边缘节点作为服务提供者,很容易受到分布式拒绝服务(DDoS)攻击,从而造成其服务中断。此外,在边缘网络中通常也不存在十分昂贵的DDoS物理清洗设备,所以如何在边缘网络中使用较小的成本检测针对边缘节点的DDoS攻击行为变得十分关键与必要。Distributed Denial of Service (DDoS) attack is currently the main attack method that threatens network security. This type of attack is controlled by hackers to send a large number of false packets to the victim host, thereby causing network congestion or the victim host. collapse. As service providers in edge networks, edge nodes are vulnerable to Distributed Denial of Service (DDoS) attacks, resulting in service interruption. In addition, there is usually no very expensive DDoS physical cleaning equipment in the edge network, so how to detect the DDoS attack behavior against the edge node in the edge network with a small cost becomes very critical and necessary.

发明内容SUMMARY OF THE INVENTION

本发明所要解决的技术问题是针对现有技术的上述不足,提供一种边缘节点的DDoS攻击检测方法、处理方法及SDN,用以解决现有技术中由于边缘网络容易受到DDoS攻击,且不存在DDoS物理清洗设备而导致无法检测DDoS攻击行为的问题。The technical problem to be solved by the present invention is aimed at the above-mentioned deficiencies of the prior art, and provides a DDoS attack detection method, processing method and SDN of an edge node to solve the problem that the edge network is vulnerable to DDoS attack in the prior art, and there is no DDoS attack in the prior art. DDoS physical cleaning of the device leads to the problem that DDoS attacks cannot be detected.

第一方面,本发明实施例提供一种边缘节点的DDoS攻击检测方法,应用于软件定义网络SDN,所述方法包括:In a first aspect, an embodiment of the present invention provides a method for detecting a DDoS attack on an edge node, which is applied to a software-defined network (SDN), and the method includes:

接收预定时间段内傀儡机发送的请求报文流;Receive the request message stream sent by the puppet machine within a predetermined time period;

根据所述请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值;Calculate the entropy value of the destination port corresponding to each destination IP address in each request message and the entropy value of the source port according to the request message flow;

根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断所述目的IP地址对应的边缘节点是否存在DDoS攻击。According to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port, it is determined whether the edge node corresponding to the destination IP address has a DDoS attack.

优选地,所述接收预定时间段内傀儡机发送的请求报文流的步骤之前,所述方法还包括:Preferably, before the step of receiving the request message stream sent by the puppet machine within a predetermined time period, the method further includes:

在所述预定时间段的起始时刻到来时,清空交换机的流表项。When the start time of the predetermined time period arrives, the flow entry of the switch is cleared.

优选地,所述接收预定时间段内傀儡机发送的请求报文流的同时,所述方法还包括:Preferably, while receiving the request message stream sent by the puppet machine within a predetermined time period, the method further includes:

对接收到的请求报文流中的每个请求报文进行解析,得到每个请求报文的四元组信息,其中,所述四元组信息包括:源IP地址、目的IP地址、源端口以及目的端口;Analyze each request message in the received request message flow, and obtain the quadruple information of each request message, wherein the quadruple information includes: source IP address, destination IP address, source port and destination port;

将所述每个请求报文的四元组信息保存至预设数据库中。The quadruple information of each request message is stored in a preset database.

优选地,所述根据所述请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值,包括:Preferably, calculating the entropy value of the destination port and the entropy value of the source port corresponding to each destination IP address in each request packet according to the request packet flow, including:

获取所述预设数据库中每个请求报文的所有四元组信息;Acquiring all quadruple information of each request message in the preset database;

根据所述四元组信息计算所述预设数据库中每个目的IP地址对应的目的端口的熵值以及源端口的熵值。The entropy value of the destination port and the entropy value of the source port corresponding to each destination IP address in the preset database are calculated according to the quadruple information.

优选地,所述根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断所述目的IP地址对应的边缘节点是否存在DDoS攻击,包括:Preferably, according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port, judging whether the edge node corresponding to the destination IP address has a DDoS attack, including:

若目的IP地址对应的目的端口的熵值小于第一阈值,且源端口的熵值大于第二阈值,则判断所述目的IP地址对应的边缘节点存在DDoS攻击;If the entropy value of the destination port corresponding to the destination IP address is less than the first threshold, and the entropy value of the source port is greater than the second threshold, it is determined that the edge node corresponding to the destination IP address has a DDoS attack;

若目的IP地址对应的目的端口的熵值小于第一阈值,且源端口的熵值小于第二阈值,则判断所述目的IP地址对应的边缘节点不存在DDoS攻击。If the entropy value of the destination port corresponding to the destination IP address is less than the first threshold, and the entropy value of the source port is less than the second threshold, it is determined that the edge node corresponding to the destination IP address does not have a DDoS attack.

第二方面,本发明实施例提供一种边缘节点的DDoS攻击处理方法,应用于软件定义网络SDN,所述方法包括:In a second aspect, an embodiment of the present invention provides a method for processing a DDoS attack on an edge node, which is applied to a software-defined network (SDN), and the method includes:

采用第一方面所述的边缘节点的DDoS攻击检测方法判断与每个目的IP地址对应的边缘节点是否存在DDoS攻击;Using the edge node DDoS attack detection method described in the first aspect to determine whether the edge node corresponding to each destination IP address has a DDoS attack;

若判断存在DDoS攻击,则将与所述目的IP地址、源IP地址和目的端口匹配的请求报文丢弃;If it is judged that there is a DDoS attack, the request message matching the destination IP address, source IP address and destination port is discarded;

如判断边缘节点不存在DDoS攻击,则转发所述目的IP地址、源IP地址和目的端口匹配的请求报文。If it is determined that there is no DDoS attack on the edge node, the request packet whose destination IP address, source IP address and destination port match are forwarded.

优选地,若判断边缘节点存在DDoS攻击,则将与所述目的IP地址、源IP地址和目的端口匹配的请求报文丢弃,包括:Preferably, if it is judged that there is a DDoS attack on the edge node, the request packets matching the destination IP address, source IP address and destination port are discarded, including:

SDN中的控制器生成所述边缘节点对应的流表,所述流表用于指示SDN中的交换机将与所述目的IP地址、源IP地址和目的端口匹配的请求报文丢弃,所述流表的优先级设置为最高优先级;The controller in the SDN generates a flow table corresponding to the edge node, where the flow table is used to instruct the switch in the SDN to discard the request packet matching the destination IP address, source IP address and destination port, and the flow The priority of the table is set to the highest priority;

向SDN中的交换机下发所述流表,以使所述交换机在接收到与所述目的IP地址、源IP地址和目的端口匹配的请求报文时优先匹配所述流表并将其丢弃。The flow table is delivered to the switch in the SDN, so that the switch preferentially matches the flow table and discards it when receiving a request message matching the destination IP address, source IP address and destination port.

第三方面,本发明实施例提供一种SDN,包括:In a third aspect, an embodiment of the present invention provides an SDN, including:

接收模块,用于接收预定时间段内傀儡机发送的请求报文流;a receiving module, used for receiving the request message stream sent by the puppet machine within a predetermined time period;

计算模块,与所述接收模块连接,用于根据所述请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值;A computing module, connected with the receiving module, is used to calculate the entropy value of the destination port and the entropy value of the source port corresponding to each destination IP address in each request message according to the request message flow;

判断模块,与所述计算模块连接,用于根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断所述目的IP地址对应的边缘节点是否存在DDoS攻击。A judging module, connected with the computing module, is used for judging whether the edge node corresponding to the destination IP address has a DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.

优选地,还包括:Preferably, it also includes:

流表项清空模块,用于在所述预定时间段的起始时刻到来时,清空交换机的流表项。The flow entry clearing module is configured to clear the flow entry of the switch when the start time of the predetermined time period arrives.

优选地,还包括:Preferably, it also includes:

第一处理模块,与所述判断模块连接,用于在所述判断模块判断所述边缘节点存在DDoS攻击时,将与所述目的IP地址、源IP地址和目的端口匹配的请求报文丢弃;a first processing module, connected with the judgment module, for discarding the request message matching the destination IP address, the source IP address and the destination port when the judgment module judges that the edge node has a DDoS attack;

第二处理模块,与所述判断模块连接,用于在所述判断模块判断所述边缘节点不存在DDoS攻击时,转发所述目的IP地址、源IP地址和目的端口匹配的请求报文。The second processing module is connected to the judging module, and is configured to forward the request message matching the destination IP address, the source IP address and the destination port when the judging module judges that the edge node does not have a DDoS attack.

本发明实施例提供的边缘节点的DDoS攻击检测方法、处理方法及SDN,通过在边缘网络中利用SDN接收预定时间段内傀儡机发送的请求报文流,并计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值,能够通过信息熵的方式检测针对边缘节点端口的DDoS攻击行为,从而解决了现有技术中由于边缘网络容易受到DDoS攻击,且不存在DDoS物理清洗设备而导致无法检测DDoS攻击行为的问题。The DDoS attack detection method, processing method, and SDN of an edge node provided by the embodiments of the present invention utilize the SDN in the edge network to receive the request message flow sent by the puppet machine within a predetermined period of time, and calculate each request message in each request message. The entropy value of the destination port corresponding to the destination IP address and the entropy value of the source port can detect the DDoS attack behavior against the edge node port by means of information entropy, thereby solving the problem that the edge network is vulnerable to DDoS attack in the prior art, and does not There is a problem that DDoS attacks cannot be detected due to physical DDoS cleaning of devices.

附图说明Description of drawings

图1:为本发明实施例1的一种DDoS攻击检测方法的流程图;1 is a flowchart of a DDoS attack detection method according to Embodiment 1 of the present invention;

图2:为本发明实施例2的一种DDoS攻击处理方法的流程图;2 is a flowchart of a method for processing a DDoS attack according to Embodiment 2 of the present invention;

图3:为本发明实施例3的一种SDN的结构图。FIG. 3 is a structural diagram of an SDN according to Embodiment 3 of the present invention.

具体实施方式Detailed ways

需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。下面将参考附图并结合实施例来详细说明本申请。It should be noted that the embodiments in the present application and the features of the embodiments may be combined with each other in the case of no conflict. The present application will be described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.

为了使本技术领域的人员更好地理解本申请方案,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分的实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都应当属于本申请保护的范围。In order to make those skilled in the art better understand the solutions of the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are only The embodiments are part of the present application, but not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative work shall fall within the scope of protection of the present application.

实施例1:Example 1:

本实施例提供一种边缘节点的DDoS攻击检测方法,应用于软件定义网络(Software Defined Network,SDN)中,如图1所示,该方法包括:This embodiment provides a method for detecting a DDoS attack on an edge node, which is applied in a software defined network (Software Defined Network, SDN). As shown in FIG. 1 , the method includes:

步骤S102:接收预定时间段内傀儡机发送的请求报文流;Step S102: Receive a request message stream sent by the puppet machine within a predetermined time period;

在本实施例中,边缘节点和傀儡机都位于边缘网络中,该边缘网络采用SDN架构,SDN包括控制器和至少一个交换机,边缘节点是边缘网络中的服务器节点,边缘网络中的客户端被黑客入侵操纵后成为傀儡机,边缘节点和傀儡机与SDN中的交换机连接,傀儡机向SDN中发送请求报文,所述请求报文包括正常请求报文和DDoS攻击报文。In this embodiment, both the edge node and the puppet machine are located in the edge network, the edge network adopts the SDN architecture, the SDN includes a controller and at least one switch, the edge node is a server node in the edge network, and the client in the edge network is After hacking and manipulation, it becomes a puppet machine, the edge node and the puppet machine are connected to the switch in the SDN, and the puppet machine sends a request message to the SDN, and the request message includes a normal request message and a DDoS attack message.

需要说明的是,在SDN网络中交换机只负责根据控制器的转发逻辑进行转发,控制器的转发逻辑通过流表的形式部署在交换机上,现有技术通常在网络初始化的时候,控制器会向交换机下发一条默认流表,流表的内容是将收到的请求报文上传给控制器,这条流表的优先级比较低,当请求报文在到达交换机后,交换机会匹配流表,如果都匹配不到,就会按照这条默认流表将请求报文上传给控制器处理。It should be noted that in an SDN network, the switch is only responsible for forwarding according to the forwarding logic of the controller, and the forwarding logic of the controller is deployed on the switch in the form of a flow table. The switch sends a default flow table. The content of the flow table is to upload the received request message to the controller. The priority of this flow table is relatively low. When the request message reaches the switch, the switch will match the flow table. If there is no match, the request message will be uploaded to the controller for processing according to this default flow table.

可选地,接收预定时间段内傀儡机发送的请求报文流的步骤之前,方法还可以包括:Optionally, before the step of receiving the request message stream sent by the puppet machine within a predetermined time period, the method may further include:

在预定时间段的起始时刻到来时,清空交换机的流表项。When the start time of the predetermined time period arrives, the flow table entry of the switch is cleared.

在本实施例中,为了避免交换机因当前流表中存在与某一被攻击边缘节点匹配的流表项,而将其直接转发,不上传给控制器,在所述预定时间段的起始时刻到来时,清空所述交换机的流表项,从而进一步保证了检测的全面性。清空流表项后,交换机只剩默认流表项,即将所有收到的请求报文上传给控制器处理。In this embodiment, in order to prevent the switch from directly forwarding a flow entry that matches an attacked edge node because there is a flow entry in the current flow table without uploading it to the controller, at the beginning of the predetermined time period When it arrives, the flow entry of the switch is cleared, thereby further ensuring the comprehensiveness of detection. After clearing the flow entry, the switch only has the default flow entry, that is, uploading all received request packets to the controller for processing.

可选地,接收预定时间段内傀儡机发送的请求报文流的同时,方法还可以包括:Optionally, while receiving the request message stream sent by the puppet machine within a predetermined time period, the method may further include:

对接收到的请求报文流中的每个请求报文进行解析,得到每个请求报文的四元组信息,其中,四元组信息包括:源IP地址、目的IP地址、源端口以及目的端口;Analyze each request message in the received request message flow, and obtain the quadruple information of each request message, where the quadruple information includes: source IP address, destination IP address, source port and destination port;

将每个请求报文的四元组信息保存至预设数据库中。Save the quadruple information of each request message to the preset database.

在本实施例中,在预定时间段的起始时刻到来时,比如在t0时刻,控制器清空交换机流表项,并开始下列步骤:In this embodiment, when the start time of the predetermined time period arrives, such as at time t0, the controller clears the switch flow table entry, and starts the following steps:

步骤A:控制器接收交换机发送的请求报文;Step A: the controller receives the request message sent by the switch;

在本实例中,假设傀儡机h1向SDN网络中发送请求报文流,请求报文包含:发往边缘节点h2的正常请求报文与发往边缘节点h3的DDoS攻击报文两种类型报文,交换机收到主机请求报文后,匹配交换机默认流表项,将其依次上传给控制器。In this example, it is assumed that the puppet machine h1 sends a request packet flow to the SDN network, and the request packet includes two types of packets: a normal request packet sent to the edge node h2 and a DDoS attack packet sent to the edge node h3 , after the switch receives the host request message, it matches the default flow entry of the switch and uploads it to the controller in turn.

步骤B:控制器进行报文解析将请求报文的四元组(源IP地址、目的IP地址、源端口、目的端口)信息存入预设数据库DB内。DB的表项可以如表1所示:Step B: The controller parses the message and stores the quadruple (source IP address, destination IP address, source port, and destination port) information of the request message into the preset database DB. The entries of the DB can be as shown in Table 1:

表1Table 1

源IP地址source IP address 目的IP地址destination IP address 源端口source port 目的端口destination port IP-h1IP-h1 IP-h2IP-h2 Port-h1Port-h1 Port-h2Port-h2 IP-h1IP-h1 IP-h3IP-h3 虚假Port0fake Port0 Port-h3Port-h3

步骤C:控制器通过报文转发程序,将请求报文下发给交换机,执行正常转发流程。Step C: The controller sends the request message to the switch through the message forwarding procedure, and executes the normal forwarding process.

在预定时间段的结束时刻到来时,比如在t1时刻,则在预定时间段t内DB的表项可以如表2所示,其中,t=t1-t0。When the end time of the predetermined time period comes, for example, at time t1, the entry of the DB in the predetermined time period t may be as shown in Table 2, where t=t1-t0.

表2Table 2

源IPsource IP 目的IPdestination IP 源端口source port 目的端口destination port IP-h1IP-h1 IP-h2IP-h2 Port-h1Port-h1 Port-h2Port-h2 IP-h1IP-h1 IP-h3IP-h3 虚假Port0fake Port0 Port-h3Port-h3 ……... ……... ……... ……... IP-h1IP-h1 IP-h3IP-h3 虚假PortnFake Portn Port-h3Port-h3

步骤S104:根据请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值。Step S104: Calculate the entropy value of the destination port and the entropy value of the source port corresponding to each destination IP address in each request message according to the request message flow.

可选地,根据请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值,可以包括:Optionally, calculating the entropy value of the destination port and the entropy value of the source port corresponding to each destination IP address in each request packet according to the request packet flow, may include:

获取预设数据库中每个请求报文的所有四元组信息;Obtain all quadruple information of each request message in the preset database;

根据四元组信息计算预设数据库中每个目的IP地址对应的目的端口的熵值以及源端口的熵值。The entropy value of the destination port and the entropy value of the source port corresponding to each destination IP address in the preset database are calculated according to the quadruple information.

其中,熵值的计算公式可以如下:Among them, the calculation formula of the entropy value can be as follows:

H(x)=E[I(xi)]=E[log(2,1/P(xi))]=-∑P(xi)log(2,P(xi))(i=1,2,..n)H(x)=E[I(x i )]=E[log(2,1/P(x i ))]=-∑P(x i )log(2,P(x i ))(i= 1,2,..n)

其中,x表示随机变量,与之相对应的是所有可能输出的集合,定义为符号集,随机变量的输出用x表示。P(x)表示输出概率函数。变量的不确定性越大,熵也就越大,以表2为例,此时边缘节点H3的熵值为log(2,n),边缘节点H4的熵值为0。Among them, x represents a random variable, which corresponds to the set of all possible outputs, which is defined as a symbol set, and the output of a random variable is represented by x. P(x) represents the output probability function. The greater the uncertainty of the variable, the greater the entropy. Taking Table 2 as an example, the entropy value of edge node H3 is log(2,n), and the entropy value of edge node H4 is 0.

步骤S106:根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断目的IP地址对应的边缘节点是否存在DDoS攻击。Step S106: Determine whether the edge node corresponding to the destination IP address has a DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.

在对现有技术的研究和实践过程中,发明人发现:DDoS攻击行为表现为傀儡机发送请求报文的目的端口固定而源端口大量随机,即目的端口的熵值H4小于设定的第一阈值k4,源端口的熵值H3大于设定的第二阈值k3。因此,根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值即可判断所述目的IP地址对应的边缘节点是否存在DDoS攻击。During the research and practice of the prior art, the inventor found that the DDoS attack behavior is that the destination port of the puppet machine to send the request message is fixed and the source port is random, that is, the entropy value H4 of the destination port is less than the set first port. Threshold k4, the entropy value H3 of the source port is greater than the set second threshold k3. Therefore, according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port, it can be determined whether the edge node corresponding to the destination IP address has a DDoS attack.

可选地,根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断目的IP地址对应的边缘节点是否存在DDoS攻击,可以包括:Optionally, according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port, determine whether the edge node corresponding to the destination IP address has a DDoS attack, which may include:

若目的IP地址对应的目的端口的熵值小于第一阈值,且源端口的熵值大于第二阈值,则判断目的IP地址对应的边缘节点存在DDoS攻击;If the entropy value of the destination port corresponding to the destination IP address is less than the first threshold, and the entropy value of the source port is greater than the second threshold, it is determined that the edge node corresponding to the destination IP address has a DDoS attack;

若目的IP地址对应的目的端口的熵值小于第一阈值,且源端口的熵值小于第二阈值,则判断目的IP地址对应的边缘节点不存在DDoS攻击。If the entropy value of the destination port corresponding to the destination IP address is less than the first threshold, and the entropy value of the source port is less than the second threshold, it is determined that the edge node corresponding to the destination IP address does not have a DDoS attack.

在本实施例中,如表2所示,若SDN控制器经过比较可得,目的IP为h2时H4<k4且H3<k3,目的IP为h3时H4<k4且H3>k3,则判定该网络发生针对边缘节点h3的指定端口Port-h3,使边缘节点超负荷的DDoS攻击行为。In this embodiment, as shown in Table 2, if the SDN controller can obtain by comparison, when the destination IP is h2, H4<k4 and H3<k3, and when the destination IP is h3, H4<k4 and H3>k3, it is determined that the A DDoS attack occurs on the network against the designated port Port-h3 of the edge node h3, which overloads the edge node.

本实施例提供的边缘节点的DDoS攻击检测方法,通过在边缘网络中利用SDN接收预定时间段内傀儡机发送的请求报文流,并计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值,能够通过信息熵的方式检测针对边缘节点端口的DDoS攻击行为,从而解决了现有技术中由于边缘网络容易受到DDoS攻击,且不存在DDoS物理清洗设备而导致无法检测DDoS攻击行为的问题。The method for detecting a DDoS attack on an edge node provided by this embodiment uses SDN in the edge network to receive the request message flow sent by the puppet machine within a predetermined period of time, and calculates the destination corresponding to each destination IP address in each request message. The entropy value of the port and the entropy value of the source port can detect the DDoS attack behavior against the edge node port by means of information entropy, thus solving the problem in the prior art that the edge network is vulnerable to DDoS attacks and there is no DDoS physical cleaning device. The problem that leads to the inability to detect DDoS attack behavior.

实施例2:Example 2:

如图2所示,本实施例提供一种DDoS攻击处理方法,应用于软件定义网络SDN,方法包括:As shown in FIG. 2 , this embodiment provides a DDoS attack processing method, which is applied to a software-defined network SDN. The method includes:

步骤S202:采用如实施例1所述的边缘节点的DDoS攻击检测方法判断与每个目的IP地址对应的边缘节点是否存在DDoS攻击;Step S202: adopt the DDoS attack detection method of the edge node as described in Embodiment 1 to determine whether the edge node corresponding to each destination IP address has a DDoS attack;

步骤S204:若判断存在DDoS攻击,则将与目的IP地址、源IP地址和目的端口匹配的请求报文丢弃;Step S204: if it is judged that there is a DDoS attack, the request message matching the destination IP address, source IP address and destination port is discarded;

步骤S206:如判断边缘节点不存在DDoS攻击,则转发目的IP地址、源IP地址和目的端口匹配的请求报文。Step S206 : if it is determined that there is no DDoS attack on the edge node, forward the request packet whose destination IP address, source IP address and destination port match.

可选地,若判断边缘节点存在DDoS攻击,则将与目的IP地址、源IP地址和目的端口匹配的请求报文丢弃,可以包括:Optionally, if it is determined that there is a DDoS attack on the edge node, the request packets matching the destination IP address, source IP address and destination port are discarded, which may include:

SDN中的控制器生成边缘节点对应的流表,流表用于指示SDN中的交换机将与目的IP地址、源IP地址和目的端口匹配的请求报文丢弃,流表的优先级设置为最高优先级;The controller in the SDN generates the flow table corresponding to the edge node. The flow table is used to instruct the switch in the SDN to discard the request packets matching the destination IP address, source IP address and destination port. The priority of the flow table is set to the highest priority class;

向SDN中的交换机下发流表,以使交换机在接收到与目的IP地址、源IP地址和目的端口匹配的请求报文时优先匹配流表并将其丢弃。Distribute the flow table to the switch in the SDN, so that the switch will preferentially match the flow table and discard it when it receives a request packet that matches the destination IP address, source IP address, and destination port.

在对现有技术的研究和实践过程中,发明人发现:现有的DDoS攻击处理方法在检测到网络中存在DDoS攻击行为时,通常对傀儡机所连接的交换机端口进行限速,这种方式虽然避免了DDoS报文在网络中的传播,但是也会导致傀儡机正常业务的中断。比如主机h1在正常访问网络中服务器h2时,被黑客攻击成为傀儡机,并向服务器h3发送提交大量虚假请求,发生使服务器超负荷的DDoS攻击行为,当SDN控制器检测到DDoS攻击后,会对h1发送的所有报文进行丢弃或限速,导致h1无法继续正常访问网络。During the research and practice of the prior art, the inventor found that the existing DDoS attack processing methods usually limit the speed of the switch port connected to the puppet machine when detecting DDoS attack behavior in the network. Although the propagation of DDoS packets in the network is avoided, the normal services of the puppet machine will be interrupted. For example, when host h1 normally accesses server h2 in the network, it is attacked by hackers and becomes a puppet machine, and sends a large number of false requests to server h3, resulting in a DDoS attack that overloads the server. When the SDN controller detects a DDoS attack, it will All packets sent by h1 are discarded or the rate is limited, so that h1 cannot continue to access the network normally.

在本实施例中,若SDN控制器判定该网络发生针对边缘节点h3的指定端口Port-h3,使边缘节点超负荷的DDoS攻击行为时,同时根据数据库信息读取生成三元组(源IP=IP-h1、目的IP=IP-h3、目的端口=Port-h3)。SDN控制器给交换机下发流表,流表规则设置为匹配三元组并执行丢弃报文操作,流表优先级设置为高于交换机当前所有流表。In this embodiment, if the SDN controller determines that a DDoS attack occurs on the designated port Port-h3 of the edge node h3 and overloads the edge node, the SDN controller reads and generates a triplet (source IP= IP-h1, destination IP=IP-h3, destination port=Port-h3). The SDN controller sends a flow table to the switch. The flow table rule is set to match the triplet and the operation of discarding packets is performed. The priority of the flow table is set to be higher than that of all current flow tables of the switch.

通过上述操作后,傀儡机h1再次向SDN网络中发送请求报文,请求报文包含:发往服务器主机h2正常请求报文与发往服务器主机h3的DDoS攻击报文两种类型报文,发往h3的DDoS攻击报文优先匹配到设置的流表规则,交换机丢弃报文。发往h2的正常请求报文匹配到默认流表,上传控制器,按照控制器逻辑进行正常转发。After the above operations, the puppet machine h1 sends a request message to the SDN network again. The request message includes two types of messages: a normal request message sent to the server host h2 and a DDoS attack message sent to the server host h3. DDoS attack packets destined for h3 preferentially match the set flow table rules, and the switch discards the packets. The normal request packets sent to h2 are matched to the default flow table, uploaded to the controller, and forwarded normally according to the controller logic.

本发明实施例提供的DDoS攻击处理方法,通过流表对DDoS攻击报文进行过滤,避免了傀儡机正常网络访问受到影响。同时,通过在边缘网络中利用SDN接收预定时间段内傀儡机发送的请求报文流,并计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值,能够通过信息熵的方式检测针对边缘节点端口的DDoS攻击行为,从而解决了现有技术中由于边缘网络容易受到DDoS攻击,且不存在DDoS物理清洗设备而导致无法检测DDoS攻击行为的问题。In the DDoS attack processing method provided by the embodiment of the present invention, the DDoS attack message is filtered through the flow table, so that the normal network access of the puppet machine is prevented from being affected. At the same time, by using SDN in the edge network to receive the request message flow sent by the puppet machine within a predetermined period of time, and calculating the entropy value of the destination port corresponding to each destination IP address in each request message and the entropy value of the source port, The DDoS attack behavior against the edge node port can be detected by means of information entropy, thereby solving the problem that the DDoS attack behavior cannot be detected in the prior art because the edge network is vulnerable to DDoS attacks and there is no DDoS physical cleaning device.

实施例3:Example 3:

如图3所示,本实施例提供一种SDN,包括:As shown in FIG. 3 , this embodiment provides an SDN, including:

接收模块30,用于接收预定时间段内傀儡机发送的请求报文流;The receiving module 30 is used for receiving the request message stream sent by the puppet machine within a predetermined time period;

计算模块32,与接收模块30连接,用于根据请求报文流计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值;The computing module 32 is connected with the receiving module 30, and is used to calculate the entropy value of the destination port corresponding to each destination IP address in each request message and the entropy value of the source port according to the request message flow;

判断模块34,与计算模块32连接,用于根据每个目的IP地址对应的目的端口的熵值以及源端口的熵值判断目的IP地址对应的边缘节点是否存在DDoS攻击。The judgment module 34 is connected to the calculation module 32, and is used for judging whether the edge node corresponding to the destination IP address has a DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.

优选地,还可以包括:Preferably, it can also include:

流表项清空模块,用于在预定时间段的起始时刻到来时,清空交换机的流表项。The flow entry clearing module is used for clearing the flow entry of the switch when the start time of the predetermined time period comes.

优选地,还可以包括:Preferably, it can also include:

第一处理模块,与判断模块34连接,用于在判断模块判断边缘节点存在DDoS攻击时,将与目的IP地址、源IP地址和目的端口匹配的请求报文丢弃;The first processing module, connected with the judgment module 34, is used for discarding the request message matched with the destination IP address, the source IP address and the destination port when the judgment module judges that the edge node has a DDoS attack;

第二处理模块,与判断模块34连接,用于在判断模块判断边缘节点不存在DDoS攻击时,转发目的IP地址、源IP地址和目的端口匹配的请求报文。The second processing module is connected to the judging module 34, and is used for forwarding the request message matching the destination IP address, the source IP address and the destination port when the judging module judges that there is no DDoS attack on the edge node.

实施例3提供的SDN,通过在边缘网络中利用SDN接收预定时间段内傀儡机发送的请求报文流,并计算每个请求报文中每个目的IP地址对应的目的端口的熵值以及源端口的熵值,能够通过信息熵的方式检测针对边缘节点端口的DDoS攻击行为,从而解决了现有技术中由于边缘网络容易受到DDoS攻击,且不存在DDoS物理清洗设备而导致无法检测DDoS攻击行为的问题。The SDN provided in Embodiment 3 uses the SDN in the edge network to receive the request message stream sent by the puppet machine within a predetermined time period, and calculates the entropy value of the destination port corresponding to each destination IP address in each request message and the source. The entropy value of the port can detect the DDoS attack behavior against the edge node port by means of information entropy, thereby solving the problem that the DDoS attack behavior cannot be detected in the existing technology because the edge network is vulnerable to DDoS attacks and there is no DDoS physical cleaning device. The problem.

可以理解的是,以上实施方式仅仅是为了说明本发明的原理而采用的示例性实施方式,然而本发明并不局限于此。对于本领域内的普通技术人员而言,在不脱离本发明的精神和实质的情况下,可以做出各种变型和改进,这些变型和改进也视为本发明的保护范围。It can be understood that the above embodiments are only exemplary embodiments adopted to illustrate the principle of the present invention, but the present invention is not limited thereto. For those skilled in the art, without departing from the spirit and essence of the present invention, various modifications and improvements can be made, and these modifications and improvements are also regarded as the protection scope of the present invention.

Claims (10)

1. A DDoS attack detection method of an edge node is applied to a Software Defined Network (SDN), and comprises the following steps:
receiving a request message stream sent by a puppet machine in a predetermined time period;
calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in each request message according to the request message flow;
and judging whether the edge node corresponding to the destination IP address has DDoS attack according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
2. The method of claim 1, wherein before the step of receiving the request packet stream sent by the puppet machine within a predetermined time period, the method further comprises:
and when the starting time of the preset time period comes, clearing the flow table entry of the switch.
3. The method of claim 2, wherein, while receiving the request packet stream sent by the puppet machine within a predetermined time period, the method further comprises:
analyzing each request message in the received request message stream to obtain quadruple information of each request message, wherein the quadruple information comprises: a source IP address, a destination IP address, a source port, and a destination port;
and storing the quadruple information of each request message into a preset database.
4. The method of claim 3, wherein the calculating the entropy of the destination port and the entropy of the source port corresponding to each destination IP address in each request packet according to the request packet flow comprises:
acquiring all four-tuple information of each request message in the preset database;
and calculating the entropy value of a destination port and the entropy value of a source port corresponding to each destination IP address in the preset database according to the quadruple information.
5. The method of claim 4, wherein the determining whether the DDoS attack exists on the edge node corresponding to the destination IP address according to the entropy of the destination port and the entropy of the source port corresponding to each destination IP address comprises:
if the entropy value of a destination port corresponding to a destination IP address is smaller than a first threshold value and the entropy value of a source port is larger than a second threshold value, judging that a DDoS attack exists on an edge node corresponding to the destination IP address;
and if the entropy value of the destination port corresponding to the destination IP address is smaller than a first threshold value and the entropy value of the source port is smaller than a second threshold value, judging that the edge node corresponding to the destination IP address does not have DDoS attack.
6. A DDoS attack processing method of an edge node is applied to a Software Defined Network (SDN), and comprises the following steps:
judging whether the edge node corresponding to each destination IP address has DDoS attack by adopting the DDoS attack detection method of the edge node according to any one of claims 1 to 5;
if DDoS attack exists, discarding the request message matched with the destination IP address, the source IP address and the destination port;
and if the edge node is judged to have no DDoS attack, forwarding the request message matched with the destination IP address, the source IP address and the destination port.
7. The DDoS attack processing method for an edge node according to claim 6, wherein if it is determined that a DDoS attack exists on the edge node, discarding the request packet matching the destination IP address, the source IP address, and the destination port comprises:
a controller in the SDN generates a flow table corresponding to the edge node, wherein the flow table is used for indicating a switch in the SDN to discard a request message matched with the destination IP address, the source IP address and the destination port, and the priority of the flow table is set to be the highest priority;
and issuing the flow table to a switch in the SDN so that the switch preferentially matches the flow table and discards the flow table when receiving a request message matched with the destination IP address, the source IP address and the destination port.
8. An SDN, comprising:
a receiving module, configured to receive a request message stream sent by a puppet machine within a predetermined time period;
a calculating module, connected to the receiving module, configured to calculate, according to the request packet flow, an entropy of a destination port and an entropy of a source port corresponding to each destination IP address in each request packet;
and the judging module is connected with the calculating module and is used for judging whether the DDoS attack exists on the edge node corresponding to the destination IP address or not according to the entropy value of the destination port corresponding to each destination IP address and the entropy value of the source port.
9. The SDN of claim 8, further comprising:
and the flow table entry emptying module is used for emptying the flow table entry of the switch when the starting time of the preset time period arrives.
10. The SDN of claim 8, further comprising:
the first processing module is connected with the judging module and used for discarding the request message matched with the destination IP address, the source IP address and the destination port when the judging module judges that the DDoS attack exists on the edge node;
and the second processing module is connected with the judging module and used for forwarding the request message matched with the destination IP address, the source IP address and the destination port when the judging module judges that the DDoS attack does not exist in the edge node.
CN202010949698.7A 2020-09-10 2020-09-10 An edge node DDoS attack detection method, processing method and SDN Pending CN111885092A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010949698.7A CN111885092A (en) 2020-09-10 2020-09-10 An edge node DDoS attack detection method, processing method and SDN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010949698.7A CN111885092A (en) 2020-09-10 2020-09-10 An edge node DDoS attack detection method, processing method and SDN

Publications (1)

Publication Number Publication Date
CN111885092A true CN111885092A (en) 2020-11-03

Family

ID=73199135

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010949698.7A Pending CN111885092A (en) 2020-09-10 2020-09-10 An edge node DDoS attack detection method, processing method and SDN

Country Status (1)

Country Link
CN (1) CN111885092A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022249451A1 (en) * 2021-05-28 2022-12-01 日本電信電話株式会社 Switch, network controller, communication control method, and communication control program
CN116248340A (en) * 2022-12-26 2023-06-09 北京百度网讯科技有限公司 Detection method, device, electronic equipment and storage medium of interface attack

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103441982A (en) * 2013-06-24 2013-12-11 杭州师范大学 Intrusion alarm analyzing method based on relative entropy
CN104468624A (en) * 2014-12-22 2015-03-25 上海斐讯数据通信技术有限公司 SDN controller, routing/switching device and network defending method
US20150095969A1 (en) * 2013-07-16 2015-04-02 Fortinet, Inc. System and method for software defined behavioral ddos attack mitigation
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
WO2017035717A1 (en) * 2015-08-29 2017-03-09 华为技术有限公司 Distributed denial of service attack detection method and associated device
CN107888618A (en) * 2014-12-17 2018-04-06 蔡留凤 The DDoS for solving network security threatens the method for work of filtering SDN systems
CN108366065A (en) * 2018-02-11 2018-08-03 中国联合网络通信集团有限公司 Attack detection method and SDN switch
CN108848095A (en) * 2018-06-22 2018-11-20 安徽大学 The detection of server ddos attack and defence method under SDN environment based on double entropys
CN109768955A (en) * 2017-11-10 2019-05-17 高丽大学校产学协力团 System and method for defense against distributed denial of service attack based on software-defined network
CN110535888A (en) * 2019-10-12 2019-12-03 广州西麦科技股份有限公司 Port Scan Attacks detection method and relevant apparatus
CN111294328A (en) * 2019-10-23 2020-06-16 上海科技网络通信有限公司 Method for active security defense of SDN (software defined network) based on information entropy calculation
CN111327590A (en) * 2020-01-19 2020-06-23 中国联合网络通信集团有限公司 An attack processing method and device
CN111490975A (en) * 2020-03-23 2020-08-04 山东大学 Distributed denial of service DDoS attack tracing system and method based on software defined network

Patent Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103441982A (en) * 2013-06-24 2013-12-11 杭州师范大学 Intrusion alarm analyzing method based on relative entropy
US20150095969A1 (en) * 2013-07-16 2015-04-02 Fortinet, Inc. System and method for software defined behavioral ddos attack mitigation
CN107888618A (en) * 2014-12-17 2018-04-06 蔡留凤 The DDoS for solving network security threatens the method for work of filtering SDN systems
CN104468624A (en) * 2014-12-22 2015-03-25 上海斐讯数据通信技术有限公司 SDN controller, routing/switching device and network defending method
CN104836702A (en) * 2015-05-06 2015-08-12 华中科技大学 Host network abnormal behavior detection and classification method under large flow environment
WO2017035717A1 (en) * 2015-08-29 2017-03-09 华为技术有限公司 Distributed denial of service attack detection method and associated device
CN109768955A (en) * 2017-11-10 2019-05-17 高丽大学校产学协力团 System and method for defense against distributed denial of service attack based on software-defined network
CN108366065A (en) * 2018-02-11 2018-08-03 中国联合网络通信集团有限公司 Attack detection method and SDN switch
CN108848095A (en) * 2018-06-22 2018-11-20 安徽大学 The detection of server ddos attack and defence method under SDN environment based on double entropys
CN110535888A (en) * 2019-10-12 2019-12-03 广州西麦科技股份有限公司 Port Scan Attacks detection method and relevant apparatus
CN111294328A (en) * 2019-10-23 2020-06-16 上海科技网络通信有限公司 Method for active security defense of SDN (software defined network) based on information entropy calculation
CN111327590A (en) * 2020-01-19 2020-06-23 中国联合网络通信集团有限公司 An attack processing method and device
CN111490975A (en) * 2020-03-23 2020-08-04 山东大学 Distributed denial of service DDoS attack tracing system and method based on software defined network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
MING XUANYUAN: "Detection and Mitigation of DDoS Attacks Using Conditional Entropy in Software-defined Networking", 《2019 11TH INTERNATIONAL CONFERENCE ON ADVANCED COMPUTING (ICOAC)》 *
原超: "网络设备信息安全评估方法研究", 《信息科技辑》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022249451A1 (en) * 2021-05-28 2022-12-01 日本電信電話株式会社 Switch, network controller, communication control method, and communication control program
JP7632609B2 (en) 2021-05-28 2025-02-19 日本電信電話株式会社 SWITCH, NETWORK CONTROLLER, COMMUNICATION CONTROL METHOD, AND COMMUNICATION CONTROL PROGRAM
CN116248340A (en) * 2022-12-26 2023-06-09 北京百度网讯科技有限公司 Detection method, device, electronic equipment and storage medium of interface attack

Similar Documents

Publication Publication Date Title
CN109792409B (en) Methods, systems, and computer readable media for dropping messages during congestion events
US9043912B2 (en) Method for thwarting application layer hypertext transport protocol flood attacks focused on consecutively similar application-specific data packets
CN104539625B (en) Network security defense system based on software definition and working method thereof
CN104539594B (en) SDN architecture, system and working method integrating DDoS threat filtering and routing optimization
CN109768955B (en) System and method for defense against distributed denial of service attack based on software-defined network
US7768921B2 (en) Identification of potential network threats using a distributed threshold random walk
CN107710680B (en) Method and device for sending network attack defense strategy and network attack defense
CN104660582B (en) Software-defined network architecture for DDoS identification, protection and path optimization
CN101800707B (en) Method for establishing stream forwarding list item and data communication equipment
US7854000B2 (en) Method and system for addressing attacks on a computer connected to a network
CN106357641B (en) Defense method and device for interest packet flooding attack in content-centric network
CN104539595B (en) An SDN Architecture and Working Method Integrating Threat Processing and Routing Optimization
CN104378380A (en) System and method for identifying and preventing DDoS attacks on basis of SDN framework
US20090240804A1 (en) Method and apparatus for preventing igmp packet attack
KR20060128734A (en) Adaptive defense against various network attacks
CN108810008B (en) Transmission control protocol flow filtering method, device, server and storage medium
CN106657126A (en) Device and method for detecting and defending DDos attack
CN111885092A (en) An edge node DDoS attack detection method, processing method and SDN
US7818795B1 (en) Per-port protection against denial-of-service and distributed denial-of-service attacks
JP5178573B2 (en) Communication system and communication method
CN106101088B (en) The method of cleaning equipment, detection device, routing device and prevention DNS attack
CN110198290B (en) Information processing method, equipment, device and storage medium
WO2005004410A1 (en) A method controlling retransmission of a data message in a routing device
WO2019096104A1 (en) Attack prevention
CN105516200A (en) Cloud system security processing method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20201103

RJ01 Rejection of invention patent application after publication