SDN中DDoS攻擊檢測與混合防御技術

摘" 要： DDoS攻擊是軟件定義網絡（SDN）安全領域的一大威脅，嚴重威脅網絡控制器及交換機等設備的正常運行，因此提出一種SDN中DDoS攻擊檢測與混合防御技術。在DDoS攻擊檢測方面，利用卡方檢驗值對SDN中控制器收到的Packet_In數據流內數據幀數量進行統計分析，將高于數據流卡方閾值的數據流初步判斷為可疑流；繼續計算數據流與可疑流的相對Sibson距離，區分可疑流是DDoS攻擊流還是正常突發流；最后通過計算數據流之間的Sibson距離，根據DDoS攻擊流的特征，確定攻擊流是否為DDoS攻擊流。在DDoS攻擊防御方面，采用共享流表空間支持和Packet_In報文過濾方法混合防御，被DDoS攻擊的交換機流表空間過載，將過載流表引流到其他交換機，從而完成數據層的防御；溯源得到DDoS攻擊MAC地址并進行 Packet_In數據流過濾，完成控制層的防御。實驗結果表明，所提方法可有效檢測軟件定義網絡交換機和控制器內的DDoS攻擊流，能夠防御不同的DDoS攻擊。

關鍵詞： 軟件定義網絡； DDoS攻擊流； 攻擊檢測； 混合防御； 卡方檢驗值； Sibson距離； 流表空間共享

中圖分類號： TN929.5?34； TP393.08" " " " " " "文獻標識碼： A" " " " " " " " " " " 文章編號： 1004?373X（2025）02?0085?05

DDoS attack detection and hybrid defense technology in SDN

LI Xiaofei1， CHEN Yi2

（1. Information Technology Center， Hebei University， Baoding 071002， China; 2. Computer Teaching Department， Hebei University， Baoding 071001， China）

Abstract： DDoS attack is a major threat in the security field of software?defined network （SDN）， which seriously threatens the normal operation of network controllers， switches and other devices. Therefore， a DDoS attack detection and hybrid defense technology in SDN is proposed. In terms of DDoS attack detection， the statistical analysis of the number of data frames in the Packet?IN data stream received by the controller in SDN is conducted by means of chi?square test values. The data streams above the card side threshold of the data stream are judged preliminarily as suspicious streams. The relative Sibson distance between the data stream and the suspicious stream is calculated sequentially to distinguish whether the suspicious stream is a DDoS attack flow or a normal burst flow. The Sibson distance between data flow is calculated to determine whether the attack flow is a DDoS attack flow based on the features of the DDoS attack flows. In terms of DDoS attack defense， the hybrid defense is conducted by mean of shared flow tablespace support and Packet?IN packet filtering. The flow tablespace of the switch attacked by DDoS is overloaded， and the overloaded flow table is drained to other switches to complete the defense at the data layer. The MAC address of DDoS attack is traced， and the Packet_In data flow is filtered to complete the defense of control layer.The experimental results show that the proposed method can effectively detect DDoS attack flows in SDN switches and controllers， and can defend against different DDoS attacks.

Keywords： software?defined network; DDoS attack flow; attack detection; hybrid defense; chi?square test value; Sibson distance; flow tablespace sharing

0" 引" 言

軟件定義網絡是一種全新的、可靠的網絡架構，它可以有效地將控制中心與傳輸中心隔離開來，從而實現對網絡的有效管理和控制[1]。引入一個集中的控制器來管理網絡流量和策略，交換機按照控制器發出的指令轉發數據。軟件定義網絡中的應用程序編程接口允許第三方開發者編寫應用程序來與網絡控制器進行交互，實現自定義的網絡功能和服務[2]。……