Dynamic Defense for DDoS Attack Using OpenFlow-based Switch Shuffling Approach

WU Zehui, WEI Qiang, REN Kailei, WANG Qingxian

Citation: WU Zehui, WEI Qiang, REN Kailei, WANG Qingxian. Dynamic Defense for DDoS Attack Using OpenFlow-based Switch Shuffling Approach[J]. Journal of Electronics & Information Technology, 2017, 39(2): 397-404. doi: 10.11999/JEIT160449

doi: 10.11999/JEIT160449
Funds: The National 863 Program of China (2012AA012902), The National Science Fund for Distinguished Young Scholars (61402526)

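  • Abstract: The limited nature of network resources and the decentralized nature of network management are important reasons why traditional networks struggle to solve the problem of distributed denial-of-service (DDoS) attacks. Current defense methods are static and lagging, and they have difficulty locating attackers. To address these problems, this paper proposes a dynamic defense method. It uses the centralized control and dynamic management features of software-defined networking (SDN) to build an OpenFlow switch shuffling model, uses a greedy algorithm to implement dynamic mapping of user-to-switch connections, distinguishes attackers from legitimate users in the user population through multiple rounds of shuffling, and provides legitimate users with low-latency, uninterrupted service. A prototype system is implemented on the open-source SDN controller Ryu and tested in an SDN environment. Performance test results show that the method can screen out attackers with a finite number of shuffles, reducing the impact of DDoS attacks on legitimate access; capability test results show that, in a ring topology composed of one controller, the defensive effect of the method is independent of the size of the attack flow and depends only on the number of attackers.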
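
The multi-round shuffling idea from the abstract, as an added simulation that is not the paper's code or its Ryu prototype. It assumes random remapping in place of the paper's greedy algorithm and a per-switch yes/no attack signal; `shuffle_defense` and its parameters are hypothetical names.

```python
import random

def shuffle_defense(users, attackers, n_switches, seed=0, max_rounds=1000):
    """Simplified shuffling model (assumed; not the paper's greedy algorithm).

    `attackers` is ground truth used only to decide which switches observe
    attack traffic; the defender never reads it directly.
    Returns (saved_users, remaining_suspects, rounds_used).
    """
    rng = random.Random(seed)
    attackers = set(attackers)
    pool = list(users)      # users not yet cleared
    saved = set()           # users cleared as legitimate
    rounds = 0
    while pool and rounds < max_rounds:
        rounds += 1
        rng.shuffle(pool)
        # Controller remaps the suspect pool across the switches.
        groups = [pool[i::n_switches] for i in range(n_switches)]
        # Once every suspect has its own switch, this round is decisive.
        isolated = len(pool) <= n_switches
        next_pool = []
        for group in groups:
            # A switch is "attacked" if any attacker is mapped to it. Attack
            # volume plays no role in this model, only attacker placement.
            if any(u in attackers for u in group):
                next_pool.extend(group)   # everyone here stays suspect
            else:
                saved.update(group)       # clean switch: clear its users
        pool = next_pool
        if isolated:
            break
    return saved, set(pool), rounds

if __name__ == "__main__":
    users = range(200)                    # constructed sample population
    for n_att in (2, 8, 16):
        att = set(random.Random(n_att).sample(range(200), n_att))
        saved, suspects, rounds = shuffle_defense(users, att, n_switches=20)
        print(f"attackers={n_att:2d} rounds={rounds} "
              f"saved={len(saved)} suspects={len(suspects)}")
```

With fewer attackers than switches, at least one switch is clean in every round, so the suspect pool shrinks until each remaining suspect can be isolated on its own switch.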
Publication history
  • Received:  2016-05-03
  • Revised:  2016-09-27
  • Published:  2017-02-19
