DDoS attack detection and hybrid defense technology in SDN


Authors: LI Xiaofei; CHEN Yi (Information Technology Center, Hebei University, Baoding 071002, China; Computer Teaching Department, Hebei University, Baoding 071001, China)

Affiliations: [1] Information Technology Center, Hebei University, Baoding 071002, Hebei, China; [2] Computer Teaching Department, Hebei University, Baoding 071001, Hebei, China

Source: Modern Electronics Technique (现代电子技术), 2025, No. 2, pp. 85-89 (5 pages)

Funding: 2022 China University Industry-University-Research Innovation Fund, New-Generation Information Technology Innovation Project: Research on Hybrid-Defense DDoS Attack Detection Technology in SDN (2022IT078).

Abstract: DDoS attacks are a major threat to software-defined network (SDN) security and seriously endanger the normal operation of network controllers, switches and other devices. A DDoS attack detection and hybrid defense technology for SDN is therefore proposed. For detection, the number of data frames in the Packet_In data flows received by the SDN controller is analysed statistically by means of chi-square test values; flows whose value exceeds the flow chi-square threshold are preliminarily judged to be suspicious flows. The relative Sibson distance between the data flow and the suspicious flow is then computed to distinguish whether a suspicious flow is a DDoS attack flow or a normal burst flow. Finally, the Sibson distance between data flows is computed and, on the basis of the characteristics of DDoS attack flows, it is determined whether the attack flow is a DDoS attack flow. For defense, a hybrid approach combining shared flow-table space support and Packet_In packet filtering is adopted: when the flow-table space of a switch under DDoS attack becomes overloaded, the overloaded flow table is diverted to other switches, completing the defense at the data plane; the MAC address of the DDoS attack is traced and the Packet_In data flow is filtered, completing the defense at the control plane. Experimental results show that the proposed method can effectively detect DDoS attack flows in SDN switches and controllers and can defend against different DDoS attacks.
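The abstract only sketches the two-stage detection (chi-square screening of Packet_In counts, then a Sibson-distance test to separate an attack flow from a normal burst) and the control-plane defense (tracing attack MACs and filtering their Packet_In messages). The following Python is an added toy reconstruction of that pipeline, not the paper's code, and rests on assumptions the paper does not state: a "data flow" is taken to be all Packet_In messages for one destination host within a time window; the chi-square value is the per-flow contribution (O - E)^2 / E against an expected count learned from earlier windows; the Sibson distance is computed as the Jensen-Shannon divergence (log base 2, so it lies in [0, 1]) between the flow's current source-MAC distribution and its baseline source-MAC distribution, on the reasoning that a flash crowd keeps roughly its usual client mix while a spoofed DDoS flow is dominated by sources never seen before. The thresholds, host names, MAC addresses and traffic window are all constructed; the paper's third confirmation stage (Sibson distance between flows) and the flow-table offloading to other switches are not shown.

```python
"""Toy reconstruction of the chi-square + Sibson-distance detection pipeline.

Added example, not the paper's code. Flow keys, MAC addresses, thresholds
and the traffic window below are constructed for illustration.
"""
import math
from collections import Counter

CHI_THRESHOLD = 10.0     # assumed; the paper derives its own flow threshold
SIBSON_THRESHOLD = 0.5   # assumed midpoint of the [0, 1] range

# Constructed baseline from "earlier windows": expected Packet_In count per
# flow and the source-MAC mix that produced it.
EXPECTED = {"h1": 20.0, "h2": 20.0, "h3": 20.0}
BASELINE_SRC = {
    "h1": Counter({"aa:01": 10, "aa:02": 6, "aa:03": 4}),
    "h2": Counter({"bb:01": 12, "bb:02": 8}),
    "h3": Counter({"cc:01": 20}),
}
# Constructed current window of Packet_In events as (flow, src_mac):
# h1 is a flash crowd (3x volume, same client mix), h2 is a DDoS-like flow
# (3x volume from 60 never-seen sources), h3 is unchanged.
WINDOW = (
    [("h1", "aa:01")] * 30 + [("h1", "aa:02")] * 18 + [("h1", "aa:03")] * 12
    + [("h2", f"dd:{i:02x}") for i in range(60)]
    + [("h3", "cc:01")] * 20
)


def per_flow_sources(events):
    """Group Packet_In events into {flow: Counter(src_mac)}."""
    out = {}
    for flow, mac in events:
        out.setdefault(flow, Counter())[mac] += 1
    return out


def chi_square(observed, expected):
    """Per-flow chi-square contribution (O - E)^2 / E (assumed form)."""
    return {f: (observed.get(f, 0) - e) ** 2 / e for f, e in expected.items()}


def _dist(counter):
    total = sum(counter.values())
    return {k: v / total for k, v in counter.items()}


def sibson_distance(p_counter, q_counter):
    """Jensen-Shannon divergence with log2: 0 (identical) .. 1 (disjoint)."""
    p, q = _dist(p_counter), _dist(q_counter)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in set(p) | set(q)}

    def kl(a):
        return sum(a[k] * math.log2(a[k] / m[k]) for k in a if a[k] > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def classify(events, expected, baseline_src):
    """Return {flow: 'normal' | 'burst' | 'ddos'} for one window."""
    sources = per_flow_sources(events)
    observed = {f: sum(c.values()) for f, c in sources.items()}
    verdict = {}
    for flow, chi in chi_square(observed, expected).items():
        # Stage 1: only an excess of Packet_In above the threshold is suspicious
        # (a drop below expectation is not treated as an attack here).
        if chi <= CHI_THRESHOLD or observed.get(flow, 0) <= expected[flow]:
            verdict[flow] = "normal"
            continue
        # Stage 2: compare the source mix against the flow's own baseline.
        d = sibson_distance(sources[flow], baseline_src[flow])
        verdict[flow] = "ddos" if d > SIBSON_THRESHOLD else "burst"
    return verdict


def trace_attack_macs(events, baseline_src, verdict):
    """Trace step (assumed): sources of a ddos flow the baseline never saw."""
    sources = per_flow_sources(events)
    macs = set()
    for flow, v in verdict.items():
        if v == "ddos":
            macs |= set(sources[flow]) - set(baseline_src[flow])
    return macs


def filter_packet_in(events, blocked_macs):
    """Control-plane defense: drop Packet_In events from traced attack MACs."""
    return [e for e in events if e[1] not in blocked_macs]


if __name__ == "__main__":
    v = classify(WINDOW, EXPECTED, BASELINE_SRC)
    blocked = trace_attack_macs(WINDOW, BASELINE_SRC, v)
    kept = filter_packet_in(WINDOW, blocked)
    print(v, len(blocked), "MACs blocked,", len(kept), "Packet_In kept")
```

With the constructed window, h1 and h2 both clear the chi-square screen (value 80 against an expected count of 20), but only h2 is classified as DDoS: its source-MAC distribution is disjoint from the baseline, so the Sibson distance reaches 1, whereas h1 keeps its baseline mix and scores 0. The sixty traced MACs are then dropped from the Packet_In stream before it reaches the controller's processing path.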

Keywords: software-defined network; DDoS attack flow; attack detection; hybrid defense; chi-square test value; Sibson distance; flow-table space sharing

Classification codes: TN929.5-34 [Electronics and Telecommunications: Communication and Information Systems]; TP393.08 [Electronics and Telecommunications: Information and Communication Engineering]
