摘要
针对分布式拒绝服务(DDoS)攻击难以在危害产生之前被检测和防御的问题,提出了一种基于软件定义网络(SDN)的面向恶意扫描的控制层实时防护机制。首先,分析了SDN相比传统网络在网络层防护技术上的优势;其次,针对网络攻击手段——恶意扫描,提出了面向恶意扫描的控制层实时防护机制,该机制在SDN集中控制式架构的基础上,充分利用Open Day Light(ODL)控制器所提供的表述性状态传递(REST)应用程序编程接口(API)开发外部应用,实现了对底层交换机端口的检测、判定、防护三个环节;最后,对给出的方案在ODL平台上进行了编程实现,并实验测试了恶意扫描的检测防御方案。实验结果表明:当有端口正在对网络进行恶意扫描时,面向恶意扫描的控制层实时防护机制可以及时禁用该端口,实时起到对恶意扫描攻击的防护作用,进而在分布式拒绝服务攻击当中具有破坏性的行为还未开始时就对其进行了预防。
Aiming at the problem that Distributed Denial of Service (DDoS) attacks are difficult to detect and defend before the damage is generated, a Control Real-time Defense Mechanism (CRDM) based on Software Defined Network (SDN) for malicious scanning was proposed. Firstly, the advantages of the SDN over the traditional network in the network layer protection technology were analyzed. Secondly, according to the network attack--malicious scanning, a CRDM for defending against malicious scanning was proposed. In CRDM, Representational State Transfer (REST) APIs ( Application Program Interfaces) provided by the OpenDayLight (ODL) were used to build an external application to achieve detection, determination and prevention on the switch port. Finally, CRDM was implemented on the ODL platform, and the detection and defense scheme of malicious scanning was tested. The simulation results show that: when a port is scanning the network maliciously, CRDM can disable the port in time, and protect against malicious scanning attacks in real-time. Then, the destructive behavior in a DDoS attack is prevented before it is started.
出处
《计算机应用》
CSCD
北大核心
2018年第1期188-193,共6页
journal of Computer Applications
基金
国家973计划项目(2013CB329100)
国家863计划项目(2015AA016103)~~
关键词
分布式拒绝服务攻击
网络层防护
软件定义网络
网络攻击
OpenDayLight
恶意扫描
Distributed Denial of Service (DDoS) attack
network layer protection
Software Defined Network (SDN)
network attack
OpenDayLight (ODL)
malicious scanning
