Research On Cloud Data Center DDoS Attack Defense Method Based On SDN

Posted on: 2020-11-19
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zhang
GTID: 2428330572995798
Subject: Information and Communication Engineering
Abstract/Summary:
Cloud computing and software-defined networking (SDN) have been hot topics in the IT industry in recent years. Although cloud computing can be deployed and managed without SDN, the features of SDN, a new network architecture, are very attractive to cloud service providers, and the cloud data center has become one of the main deployment scenarios for SDN in practice. Cloud computing is now widespread and has changed how people work and live in many respects, bringing great convenience. As SDN becomes more popular, the demand for defense against Distributed Denial of Service (DDoS) attacks is growing in these new scenarios.

To defend against DDoS attacks originating inside an SDN cloud data center, we proposed a DDoS attack detection and defense scheme that takes advantage of the centralized control and data plane programmability of SDN. The scheme consists of four modules: the network monitoring module, the attack detection module, the attack mitigation module and the reset module. It aggregates fine-grained flow information during network monitoring and combines detection based on the send/receive ratio with that monitoring, so that it can detect and mitigate a DDoS attack in a timely manner, confining the attack at its source and cleaning the flow tables in switches in the process.

This thesis proposed two methods for adaptively adjusting the threshold that triggers attack detection. Compared with the fixed-threshold method commonly used in traditional DDoS attack detection or detection triggering, these two methods adapt better to the large-scale growth and strong dynamics of "East-West" traffic in cloud data centers in recent years. Both methods adjust the threshold dynamically based on changes in network traffic, without manual setting. The simulation results show that both algorithms reduce the number of attack detections while preserving detection performance, and that they reduce the load on the controller more than the fixed threshold does. Experiments show that the DDoS attack defense scheme proposed in this thesis can quickly detect and mitigate DDoS attacks. As a result, the useless flow entries added to switches by a malicious attack can be deleted, the occupied switch resources can be released, and the impact of DDoS attacks on the cloud data center can be reduced.
Keywords/Search Tags:Cloud data center, Software-Defined Network, DDoS, Attack Defense, Attack detection, Attack Mitigation