基于OpenDayLight的恶意扫描防护技术

doi:10.11772/j.issn.1001-9081.2017061527

计算机应用 ›› 2018, Vol. 38 ›› Issue (1): 188-193.DOI: 10.11772/j.issn.1001-9081.2017061527

基于OpenDayLight的恶意扫描防护技术

吴若豪, 董平, 郑涛

北京交通大学电子信息工程学院, 北京 100044

收稿日期:2017-06-21 修回日期:2017-08-18 出版日期:2018-01-10 发布日期:2018-01-22
通讯作者: 吴若豪
作者简介:吴若豪(1993-),男,海南儋州人,硕士研究生,主要研究方向:下一代互联网、软件定义网络、网络安全;董平(1979-),男,河北衡水人,副教授,博士,主要研究方向:下一代互联网、信息网络、网络安全;郑涛(1983-),男,北京人,讲师,博士,主要研究方向:下一代互联网、信息网络、网络安全。
基金资助:
国家973计划项目（2013CB329100）；国家863计划项目（2015AA016103）。

Malicious scanning protection technology based on OpenDayLight

WU Ruohao, DONG Ping, ZHENG Tao

School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China

Received:2017-06-21 Revised:2017-08-18 Online:2018-01-10 Published:2018-01-22
Supported by:
This work is partially supported by the National Basic Research Program (973 Program) of China (2013CB329100), the National High Technology Research and Development Program (863 Program) of China (2015AA016103).

摘要/Abstract

摘要： 针对分布式拒绝服务（DDoS）攻击难以在危害产生之前被检测和防御的问题，提出了一种基于软件定义网络（SDN）的面向恶意扫描的控制层实时防护机制。首先，分析了SDN相比传统网络在网络层防护技术上的优势；其次，针对网络攻击手段——恶意扫描，提出了面向恶意扫描的控制层实时防护机制，该机制在SDN集中控制式架构的基础上，充分利用OpenDayLight （ODL）控制器所提供的表述性状态传递（REST）应用程序编程接口（API）开发外部应用，实现了对底层交换机端口的检测、判定、防护三个环节；最后，对给出的方案在ODL平台上进行了编程实现，并实验测试了恶意扫描的检测防御方案。实验结果表明：当有端口正在对网络进行恶意扫描时，面向恶意扫描的控制层实时防护机制可以及时禁用该端口，实时起到对恶意扫描攻击的防护作用，进而在分布式拒绝服务攻击当中具有破坏性的行为还未开始时就对其进行了预防。

关键词: 分布式拒绝服务攻击, 网络层防护, 软件定义网络, 网络攻击, OpenDayLight, 恶意扫描

Abstract: Aiming at the problem that Distributed Denial of Service (DDoS) attacks are difficult to detect and defend before the damage is generated, a Control Real-time Defense Mechanism (CRDM) based on Software Defined Network (SDN) for malicious scanning was proposed. Firstly, the advantages of the SDN over the traditional network in the network layer protection technology were analyzed. Secondly, according to the network attack-malicious scanning, a CRDM for defending against malicious scanning was proposed. In CRDM, Representational State Transfer (REST) APIs (Application Program Interfaces) provided by the OpenDayLight (ODL) were used to build an external application to achieve detection, determination and prevention on the switch port. Finally, CRDM was implemented on the ODL platform, and the detection and defense scheme of malicious scanning was tested. The simulation results show that:when a port is scanning the network maliciously, CRDM can disable the port in time, and protect against malicious scanning attacks in real-time. Then, the destructive behavior in a DDoS attack is prevented before it is started.

Key words: Distributed Denial of Service (DDoS) attack, network layer protection, Software Defined Network (SDN), network attack, OpenDayLight (ODL), malicious scanning

中图分类号:

TP393.08

吴若豪, 董平, 郑涛. 基于OpenDayLight的恶意扫描防护技术[J]. 计算机应用, 2018, 38(1): 188-193.

WU Ruohao, DONG Ping, ZHENG Tao. Malicious scanning protection technology based on OpenDayLight[J]. Journal of Computer Applications, 2018, 38(1): 188-193.

参考文献

[1] 左青云,陈鸣,赵广松,等.基于OpenFlow的SDN技术研究[J].软件学报,2013,24(5):1078-1097.(ZUO Q Y, CHEN M, ZHAO G S, et al. Research on OpenFlow-based SDN technologies[J]. Journal of Software, 2013, 24(5):1078-1097.)
[2] 姜红德.新IT时代:下一代防火墙崛起[J].中国信息化,2016(12):84-86.(JIANG H D. The new IT era:the rise of the NGFW[J]. Information China, 2016(12):84-86.)
[3] SCOTT-HAYWARD S, O'CALLAGHAN G, SEZER S. SDN security:a survey[C]//SDN4FNS'13:Proceedings of 2013 IEEE Software Defined Networks for Future Networks and Services. Piscataway, NJ:IEEE, 2013:1-7.
[4] ALI S T, SIVARAMAN V, RADFORD A, et al. A survey of securing networks using software defined networking[J]. IEEE Transactions on Reliability, 2015, 64(3):1086-1097.
[5] 郁峰.软件定义网络架构下的安全问题综述[J].现代计算机(专业版),2014(16):13-20.(YU F. Overview of security issues in SDN architecture[J]. Modern Computer, 2014(16):13-20.)
[6] MATTA V, MAURO M D, LONGO M. DDoS attacks with randomized traffic innovation botnet identification challenges and strategies[J]. IEEE Transactions on Information Forensics & Security, 2017, 12(8):1844-1859.
[7] SOMANI G, GAUR M S, SANGHI D, et al. Combating DDoS attacks in the cloud:requirements, trends, and future directions[J]. IEEE Cloud Computing, 2017, 4(1):22-32.
[8] YAN Q, GONG Q, YU F R. Effective software-defined networking controller scheduling method to mitigate DDoS attacks[J]. Electronics Letters, 2017, 53(7):469-471.
[9] AMBROSIN M, CONTI M, GASPARI F D, et al. LineSwitch:tackling control plane saturation attacks in software-defined networking[J]. IEEE/ACM Transactions on Networking, 2017, 25(2):1206-1219.
[10] BURAGOHAIN C, MEDHI N. FlowTrApp:an SDN based architecture for DDoS attack detection and mitigation in data centers[C]//Proceedings of the 2016 International Conference on Signal Processing and Integrated Networks. Piscataway, NJ:IEEE, 2016:519-524.
[11] 许名广,刘亚萍,邓文平.网络控制器OpenDaylight的研究与分析[J].计算机科学,2015,42(z1):249-252.(XU M G, LIU Y P, DENG W P. Research and analysis of OpenDaylight controller[J]. Computer Science, 2015, 42(z1):249-252.)
[12] KHATTAK Z K, AWAIS M, IQBAL A. Performance evaluation of OpenDaylight SDN controller[C]//Proceedings of the 2014 IEEE International Conference on Parallel and Distributed Systems. Piscataway, NJ:IEEE, 2014:671-676.
[13] YUAN B, ZOU D, YU S, et al. Defending against flow table overloading attack in software-defined networks[J]. IEEE Transactions on Services Computing, 1939, PP(99):1-1.
[14] 闫鲁生.OpenDayLight北向接口技术及其应用[J].指挥信息系统与技术,2015,6(5):74-78.(YAN L S. Implementation of northbound interface technology on OpenDayLight platform[J]. Command Information System and Technology, 2015, 6(5):74-78.)
[15] 张俊.基于Mininet和OpenDayLight的SDN构建[J].无线互联科技,2015(18):5-7.(ZHANG J. Construction of software defined network based on the Mininet and OpenDayLight[J]. Wireless Internet Technology, 2015(18):5-7.)

基于OpenDayLight的恶意扫描防护技术

Malicious scanning protection technology based on OpenDayLight

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	王云燕, 胡爱花. 网络攻击下双层结构多智能体系统一致性[J]. 计算机应用, 2021, 41(5): 1399-1405.
[2]	许红亮, 杨桂芹, 蒋占军. 基于软件定义网络的数据中心自适应多路径负载均衡算法[J]. 计算机应用, 2021, 41(4): 1160-1164.
[3]	陈港, 孟相如, 康巧燕, 阳勇. 基于拓扑分割与聚类分析的虚拟软件定义网络映射算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3309-3318.
[4]	王波, 任英琦, 黄冬艳. H-Algorand:基于多块输出的公有链共识机制[J]. 计算机应用, 2020, 40(7): 2150-2154.
[5]	朱梦迪, 束永安. 软件定义网络中控制数据平面一致性的验证[J]. 计算机应用, 2020, 40(6): 1751-1754.
[6]	赵季红, 吴豆豆, 曲桦, 殷振宇. 基于软件定义网络的可靠性虚拟网络映射保障机制[J]. 计算机应用, 2020, 40(3): 770-776.
[7]	向雄, 田检. 基于软件定义网络的对等网传输调度优化[J]. 计算机应用, 2020, 40(3): 777-782.
[8]	刘向举, 刘鹏程, 徐辉, 朱晓娟. 基于软件定义物联网的分布式拒绝服务攻击检测方法[J]. 计算机应用, 2020, 40(3): 753-759.
[9]	池亚平, 莫崇维, 杨垠坦, 陈纯霞. 面向软件定义网络架构的入侵检测模型设计与实现[J]. 计算机应用, 2020, 40(1): 116-122.
[10]	周爱平, 朱琛刚. 基于概要数据结构的全网络持续流检测方法[J]. 计算机应用, 2019, 39(8): 2354-2358.
[11]	贾梦瑶, 王兴伟, 张爽, 易波, 黄敏. 基于软件定义网络的卫星网络容错路由机制[J]. 计算机应用, 2019, 39(6): 1772-1779.
[12]	李兆斌, 刘泽一, 魏占祯, 韩禹. 基于哈希链的软件定义网络路径安全[J]. 计算机应用, 2019, 39(5): 1368-1373.
[13]	邹承明, 刘攀文, 唐星. 动态主机配置协议泛洪攻击在软件定义网络中的实时防御[J]. 计算机应用, 2019, 39(4): 1066-1072.
[14]	范宏伟, 胡宇翔, 兰巨龙. 两段式虚拟网络功能硬件加速资源部署机制[J]. 计算机应用, 2018, 38(9): 2575-2580.
[15]	朱晓东, 王劲林, 王玲芳. 软件定义网络中协同存储数据面快速转发[J]. 计算机应用, 2018, 38(8): 2343-2347.