Distributed denial-of-service (DDoS) attacks are becoming increasingly serious and are now one of the biggest threats to network security. Traditional defenses such as intrusion detection, traffic filtering and multi-factor authentication are tied to static network architectures and therefore have obvious limitations. Software-defined networking (SDN), a dynamic network architecture, provides a new basis for defending against DDoS. Existing SDN-based DDoS protection schemes are still at an early stage and have many open problems; in particular, a detection period that is too short drives up system overhead. This paper proposes a joint DDoS detection scheme that combines trigger detection with in-depth detection: a low-overhead, coarse-grained trigger detection algorithm is paired with a precise, fine-grained in-depth detection algorithm, so that system complexity is reduced while high detection accuracy is preserved. An SDN-based DDoS detection system was implemented on the Mininet platform and evaluated experimentally. The results show that the system has low overhead, high detection accuracy and strong practical value.
Abstract: Distributed denial-of-service (DDoS) attacks have become one of the biggest threats to network security. Traditional countermeasures such as intrusion detection, traffic filtering and multi-factor authentication are constrained by static network architectures and have obvious shortcomings. Software-defined networking (SDN), a new dynamic network architecture, separates the data and control planes, centralizes control and is dynamically programmable; these properties overturn the existing network architecture and offer a new approach to countering DDoS attacks. Existing SDN-based DDoS protection schemes are at an early research stage and have many problems. To address the high system overhead caused by the overly short detection period of existing schemes, this paper proposes a joint DDoS detection scheme that combines trigger detection with in-depth detection: a low-overhead, coarse-grained trigger detection algorithm is combined with a high-precision, fine-grained in-depth detection algorithm, reducing system complexity while guaranteeing high detection accuracy. An SDN-based DDoS attack detection system was implemented on the Mininet platform, and experiments were designed to test and evaluate it. The experimental results show that the system has low overhead and high detection accuracy, and is of strong practical value.
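The two-stage structure described in the abstract, as an added illustration that is not the paper's code: a cheap trigger stage runs every polling period on counters the SDN controller already has, and only when it fires is the expensive in-depth stage run over the full flow table. The abstract does not name the features or thresholds of either stage, so the flow-count growth and packet-in rate used by the trigger, the small-flow ratio, destination concentration and source-IP entropy used by the in-depth stage, the threshold values, and the three constructed flow-table snapshots are all assumptions chosen for this example. The flash-crowd snapshot shows the point of the design: the trigger fires on it, and the in-depth stage clears it.

```python
"""Two-stage (trigger + in-depth) DDoS detection over SDN flow statistics.

Added illustration, not the paper's code. The paper states only the
structure (low-overhead, coarse-grained trigger gating a precise,
fine-grained in-depth detector); the features, thresholds and the
constructed flow-table snapshots below are assumptions for this example.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowEntry:
    """Subset of an OpenFlow flow-stats reply as polled by the controller."""
    src_ip: str
    dst_ip: str
    dst_port: int
    packet_count: int


def trigger_detect(prev_flow_count, curr_flow_count, packet_in_rate,
                   growth_threshold=3.0, packet_in_threshold=200.0):
    """Coarse-grained stage, run every polling period.

    Uses only two counters the controller already maintains: the number of
    installed flow entries and the packet-in rate (messages/s). It is
    deliberately trigger-happy; its false positives are filtered by
    deep_detect(), which is only run when this returns True.
    """
    growth = curr_flow_count / max(prev_flow_count, 1)
    return growth > growth_threshold or packet_in_rate > packet_in_threshold


def _entropy(counter):
    """Shannon entropy (bits) of a Counter's value distribution."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def deep_detect(flows, small_flow_ratio_threshold=0.7,
                dst_concentration_threshold=0.6):
    """Fine-grained stage over the full flow table (assumed features).

    small_flow_ratio: share of entries that carried at most 2 packets;
        a spoofed-source SYN flood installs many one-packet flows.
    dst_concentration: share of entries aimed at the single busiest
        destination IP.
    src_entropy: entropy of source IPs, reported for operators only. A
        flash crowd and a spoofed flood both raise it, which is why the
        verdict here needs both of the other features to exceed threshold.
    """
    n = len(flows)
    if n == 0:
        return {"attack": False, "small_flow_ratio": 0.0,
                "dst_concentration": 0.0, "src_entropy": 0.0}
    small = sum(1 for f in flows if f.packet_count <= 2) / n
    dst_top = Counter(f.dst_ip for f in flows).most_common(1)[0][1] / n
    src_h = _entropy(Counter(f.src_ip for f in flows))
    attack = (small >= small_flow_ratio_threshold
              and dst_top >= dst_concentration_threshold)
    return {"attack": attack, "small_flow_ratio": small,
            "dst_concentration": dst_top, "src_entropy": src_h}


def detect(prev_flow_count, flows, packet_in_rate):
    """Joint scheme: 'idle' (trigger silent), 'triggered-benign' or 'attack'."""
    if not trigger_detect(prev_flow_count, len(flows), packet_in_rate):
        return "idle"
    return "attack" if deep_detect(flows)["attack"] else "triggered-benign"


# Constructed flow-table snapshots (not captured data).
_SERVERS = [("10.0.0.10", 80), ("10.0.0.11", 443), ("10.0.0.12", 53)]
# 6 clients, each with an established flow to 3 servers: 18 entries.
BENIGN = [FlowEntry("192.168.1.%d" % c, dst, port, 20 + 15 * (c + i))
          for c in range(2, 8) for i, (dst, port) in enumerate(_SERVERS)]
# Flash crowd: 120 distinct real clients fetching from one server.
FLASH_CROWD = BENIGN + [FlowEntry("172.16.%d.%d" % (i // 256, i % 256),
                                  "10.0.0.11", 443, 40) for i in range(120)]
# Spoofed SYN flood: 300 one-packet flows from 300 distinct sources.
SYN_FLOOD = BENIGN + [FlowEntry("172.16.%d.%d" % (i // 256, i % 256),
                                "10.0.0.10", 80, 1) for i in range(300)]

if __name__ == "__main__":
    for name, snap in (("benign", BENIGN), ("flash crowd", FLASH_CROWD),
                       ("syn flood", SYN_FLOOD)):
        print(name, detect(len(BENIGN), snap, packet_in_rate=5.0),
              deep_detect(snap))
```

In a real controller the previous flow count, the packet-in rate and the flow list would come from the stats-request/reply cycle of the polling loop; the point of the split is that `deep_detect` touches every entry and is only paid for when `trigger_detect` has already fired.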