Research of DDoS Detection and Multi-layer Defense in SDN

doi:10.3969/j.issn.1671-1122.2017.12.005

Abstract

Abstract:

Software defined network(SDN), has led to disruptive changes in traditional networks. In this paper, we propose a method of DDoS(distributed denial of dervice)detection and defense in SDN. Firstly,a DDoS detection method based on entropy algorithm is proposed. The attack is judged by comparing the entropy with the threshold. Secondly, double defense system is designed.At the forwarding layer, the convection table is processed. At the control level, the new detection method is used to determine the attack. Combining ACL control and traffic management,implement policies using the OpenFlow protocol. Lastly, an experimental simulation platform is constructed using OpenDayLight controller, sFlow monitoring tool and Mininet simulator. The experimental results show that, the proposed detection and defense methods improve the detection rate of DDoS attacks, reduce the false positive rate, and can quickly make defensive response.

Key words: SDN, DDoS, flow table, entropy, detection and defense

CLC Number:

TP309.1

Yang XU, Yi CHEN, Rui HE, Xiaoyao XIE. Research of DDoS Detection and Multi-layer Defense in SDN[J]. Netinfo Security, 2017, 17(12): 22-28.

Figures/Tables 11

References 13

[1]	左青云, 陈鸣, 赵广松, 等.基于OpenFlow的SDN技术研究[J].软件学报, 2013(5):1078-1097.
[2]	左青云,张海粟. 基于OpenFlow的SDN网络安全分析与研究[J]. 信息网络安全,2015(2):26-32.
[3]	FAYAZ S K, TOBIOKA Y, SEKAR V, et al.Bohatei: Flexible And Elastic Ddos Defense[C]// USENIXAssociation. 24th USENIX Security Symposium, August 12-14, 2015,Washington, D.C. New York: IEEE, 2015:817-832.
[4]	王刚. 一种基于SDN技术的多区域安全云计算架构研究[J]. 信息网络安全,2015(9):20-24.
[5]	李鹤飞. 基于软件定义网络的DDoS攻击检测方法和缓解机制的研究[D]. 上海:华东师范大学, 2015.
[6]	金磊. 基于SDN技术的网络入侵阻断系统HYDRA的设计与实现[D]. 南京:东南大学, 2016.
[7]	马俊青. 面向软件定义网络的流量分析与识别技术研究[D]. 南京:南京邮电大学, 2015.
[8]	李赫. 基于SDN的DDoS流量识别与控制技术研究[D].南京:南京邮电大学, 2016.
[9]	陈颖聪,陈广清,陈智明,等. 面向智能电网SDN的二进制代码分析漏洞扫描方法研究[J]. 信息网络安全,2016(7):35-39.
[10]	王秀磊, 陈鸣, 邢长友,等.一种防御DDoS攻击的软件定义安全网络机制[J]. 软件学报,2016, 27(12):3104-3119.
[11]	齐宇. SDN安全研究[J]. 信息网络安全,2016(9):69-72.
[12]	DAYAL N, MAITY P, SRIVASTAVA S, et al.Research Trends in Security and DDoS in SDN[J]. Security & Communication Networks, 2016, 9(26):6386-6411.
[13]	DAO N N, PARK J H, PARK M, et al.A Feasible Method To Combat Against DDoS Attack in SDN Network[C]//Korea Institute of Information Scientists and Engineers (KIISE). International Conference on Information Networking, Januarg 12-14, 2015, Siem Reap, Cambodia. New York: IEEE,2015:309-311.

[1]	Qiaoli YUE, Wanbo LV, Weihong HU, Haikuo ZHANG. Mitigating DDoS Attack Based on DNS Response Value Assessment [J]. Netinfo Security, 2019, 19(9): 56-60.
[2]	Ke ZHANG, Youjie WANG, Shaoyin CHENG, Lidong WANG. Intrusion Collaborative Disposal Method of Spoofed IP Address in DDoS Attacks [J]. Netinfo Security, 2019, 19(5): 22-29.
[3]	Zhibin YU, Cheng MA, Siqi LI, Miao WANG. Research on DDoS Attack Model Based on Web Application Layer [J]. Netinfo Security, 2019, 19(5): 84-90.
[4]	Liangguo CHEN, Shuhua RUAN, Xingshu CHEN, Yonggang LUO. A High-speed Network Flow Reassembly Optimized Scheme for Network Security Analysis [J]. Netinfo Security, 2019, 19(11): 82-90.
[5]	Xiangquan SHI, Jing TAO, Baokang ZHAO. A Network Access Control System in Virtualized Environments [J]. Netinfo Security, 2019, 19(10): 1-9.
[6]	Chengzhe LAI, Wenjuan WANG. Secure Mobility Management Framework with Privacy Preservation for Vehicle Platoon [J]. Netinfo Security, 2018, 18(7): 36-46.
[7]	Qinghe DONG, Qian HE, Bingcheng JIANG, Peng LIU. Scheme of Cloud Database Oriented Multi-tenant Attribute-based Security Isolation and Data Protection [J]. Netinfo Security, 2018, 18(7): 60-68.
[8]	Weijun ZHU, Yongwen FAN, Shaohuan BAN. A Mimic-automaton-based Model for the MSISDN Virtualization and Its Method for Verifying the Security [J]. Netinfo Security, 2018, 18(4): 15-22.
[9]	Zhanzhen WEI, Shourong WANG, Zhaobin LI, Weilong LI. Research on SDN Terminal Access Control Based on OpenFlow [J]. Netinfo Security, 2018, 18(4): 23-31.
[10]	LI Jianfeng, LIU Yuan, ZHANG Hao, WANG Xiaofeng. Research and Implementation of Routing Performance Optimization for IaaS Cloud Platform [J]. 信息网络安全, 2017, 17(9): 10-15.
[11]	ZHANG Xuebo, LIU Jinghao, FU Xiaomei. Design and Implementation of Anti Web DDoS Attack Model Based on Improved Logistic Regression Algorithm [J]. 信息网络安全, 2017, 17(6): 62-67.
[12]	LI Heng, SHEN Huawei, CHENG Xueqi, ZHAI Yong. Review of Network High Flow Distributed Denial of Service Attack and Defense Mechanisms [J]. 信息网络安全, 2017, 17(5): 37-43.
[13]	MEN Hong, YAO Shunli. Research on a Framework Based on Virtual Cloud Network for Monitoring Safe Production [J]. 信息网络安全, 2017, 17(3): 14-20.
[14]	Haoming LIANG, Chunlin CHEN, Xi LIU, Zhipeng LIU. Design and Research on Malicious Web Sites Prevention Model Based on OpenFlow [J]. Netinfo Security, 2017, 17(1): 77-83.
[15]	QI Yu. Research on the Security of SDN [J]. 信息网络安全, 2016, 16(9): 69-72.