计算机工程与应用 (Computer Engineering and Applications) ›› 2016, Vol. 52 ›› Issue (1): 81-88.

• Network, Communication and Security •

Multilevel DDoS protection mechanism based on the SDS architecture

何亨1,2, 黄伟1,2, 李涛1,2, 曾朋1,2, 董新华3

  1. School of Computer Science and Technology, Wuhan University of Science and Technology, Wuhan 430065
  2. Hubei Province Key Laboratory of Intelligent Information Processing and Real-Time Industrial System, Wuhan University of Science and Technology, Wuhan 430065
  3. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074
  • Publication date: 2016-01-01 Online release date: 2015-12-30

Multilevel DDoS protection mechanism based on SDS framework

HE Heng1,2, HUANG Wei1,2, LI Tao1,2, ZENG Peng1,2, DONG Xinhua3

  1. School of Computer Science and Technology, Wuhan University of Science and Technology, Wuhan 430065, China
  2. Hubei Province Key Laboratory of Intelligent Information Processing and Real-Time Industrial System, Wuhan University of Science and Technology, Wuhan 430065, China
  3. School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
  • Online: 2016-01-01 Published: 2015-12-30

Abstract: With the rapid development of the Internet, network security problems have become increasingly severe. The emergence of Software Defined Networking (SDN) offers an entirely new approach to network security problems, such as Software Defined Security (SDS). Building on the SDS architecture and targeting the characteristics of Distributed Denial of Service (DDoS) attacks, a new DDoS protection mechanism, SDS for DDoS, is proposed. This mechanism combines the advantages of previous detection and protection approaches, atomizes security services, and implements a multilevel protection strategy in a security strategy box. When under DDoS attack, the mechanism can make dynamic decisions according to the detected attack intensity and can block attack traffic proactively (a priori), which not only increases the credibility of the decision but also addresses the shortcomings of the static and posterior (after-the-fact) protection used previously. Experiments verify the feasibility of the mechanism: it effectively prevents the server from being affected by DDoS attacks, and highlights its flexibility in decision making and its proactive nature under attack.

Keywords: software defined networking, software defined security, distributed denial of service, strategy box, dynamic decision

Abstract: With the rapid development of the Internet, network security issues have become more and more serious. Software Defined Networking (SDN) provides a new way to solve network security problems, such as Software Defined Security (SDS). Based on the SDS architecture and aiming at the attack features of Distributed Denial of Service (DDoS), a new DDoS protection mechanism, SDS for DDoS, is proposed. The protection mechanism combines the advantages of previous detection and protection approaches, atomizes the security services and realizes a security strategy box with multilevel protection. Under DDoS attack, the mechanism can make a dynamic decision according to the detected attack intensity and block the attacks from the beginning, which not only increases the credibility of the decision but also solves the shortcomings of static protection and posterior (after-the-fact) protection. Experimental results demonstrate the feasibility of the mechanism, which can effectively prevent the server from DDoS attacks, and highlight its flexibility in decision making and its a priori protection under attack.

Key words: software defined networking, software defined security, distributed denial of service, strategy box, dynamic decision