
Research on DDoS Defense Mechanism Based on Blockchain and Queuing Theory
Abstract In Software Defined Networking (SDN), the control layer is easily threatened by Distributed Denial of Service (DDoS) attacks. Attackers send a large number of requests to the SDN controller through malicious requests or data streams, exhausting the controller's resources so that it can no longer function properly. Preventing and handling control-layer DDoS attacks is therefore key to SDN security. We propose a DDoS attack detection and defense mechanism based on blockchain and queuing theory. The mechanism combines blockchain technology with a new SDN architecture model that restructures the SDN control layer by adding a capacity monitoring module, a security module, and a blockchain module. The capacity monitoring module is based on queuing theory and calculates a length threshold for the queue of packets entering the controller. An alarm is triggered when the number of packets in the queue exceeds the threshold twice in a row or when the controller rule table reaches 70% of its capacity. After an alarm is triggered, the security module performs DDoS feature matching on the packets that raised the alarm. If a packet is determined to be abnormal, its summary information is uploaded to the blockchain. Sharing the abnormal packet summaries through smart contracts both prevents excessive information from being recorded on the blockchain and loading the system, and allows the SDN network information to reach consensus. We conduct simulation experiments on the proposed attack detection and defense mechanism and select the most effective parameters. The experimental results show that, compared with similar systems, the detection rate of abnormal data streams and the false alarm rate of normal data streams in the proposed mechanism have both been improved.
Authors ZHANG Xing-xing; HE Li-wen; DUAN Hong-xiu (Communication University of China, Nanjing 211172, China)
Institution Communication University of China, Nanjing
Source Computer Technology and Development, 2024, No. 11, pp. 117-124 (8 pages)
Funding General Project of Philosophy and Social Science Research in Colleges and Universities of Jiangsu Province (2023SJYB0635).
Keywords blockchain; distributed denial of service; queuing theory; capacity monitoring; software-defined networking; smart contracts