
Research On DDoS Attack Detection And Mitigation Mechanism In SDN Environment

Posted on: 2021-03-01
Degree: Master
Type: Thesis
Country: China
Candidate: Z Yang
GTID: 2518306464480724
Subject: Cyberspace security

Abstract/Summary:
SDN (Software-Defined Networking) separates network control from data forwarding, establishing a new network architecture that promotes innovation in network applications and greatly improves the network's data-exchange capability. SDN decouples the closed structure of the traditional network and divides it into three layers: the data plane, the control plane and the application plane. This greatly increases the openness of the network, meets the architectural requirements of different application environments, and provides effective support for the emergence and development of cloud storage, cloud computing, virtual networks, wireless LANs and other technologies. As a new network architecture, SDN has the advantage of programmability. As its range of applications expands, its security problems are becoming increasingly prominent and have become a common concern among practitioners. The SDN data plane, control plane, application plane, northbound API and southbound API are all becoming targets for attackers, and the emergence of various DDoS attacks seriously endangers the security of SDN networks. In view of these risks, this paper analyses the characteristics of DDoS attacks and summarises their detection methods and mitigation mechanisms. The main work of this paper is as follows:

(1) A DDoS attack detection scheme based on information entropy and network self-similarity in an SDN environment is proposed. The scheme makes full use of the SDN architecture: it obtains destination IP addresses by reading flow-table information, computes the information entropy of the destination-IP distribution and compares it with a threshold to obtain an initial indication of a DDoS attack. An improved R/S (rescaled range) method is then used to calculate the network's self-similarity (Hurst index) and further judge whether a DDoS attack is present. This realises fast, efficient and lightweight DDoS detection in SDN networks.

(2) A DDoS attack mitigation scheme based on the above detection method in an SDN environment is proposed. Using the detection results, the vulnerability of each destination IP address is evaluated, and according to the different vulnerability values of different destination IP addresses the controller issues different forwarding strategies to alleviate the DDoS attack and protect the SDN network.

(3) The Mininet simulation platform is used to carry out simulation tests, and the effectiveness of the scheme is evaluated and analysed. Experimental results show that, at a 25% attack rate, the detection module achieves a detection rate of 98% with a false alarm rate of 2%. The mitigation module detects the attack quickly and closes the affected port in time at the start of the attack; the packet loss rate falls to 3.6%, which reduces the impact of the attack on the SDN network.
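The two-stage detector and the per-destination mitigation decision described in items (1) and (2), as an added illustration that is not the thesis's own code: destination-IP entropy over one flow-table window, then a Hurst estimate of the per-interval packet counts to confirm, then an action per destination. The entropy threshold, the baseline Hurst band (0.55 to 0.95), the vulnerability value (a destination's share of the window's packets) and the sample windows are all assumptions; the thesis does not publish its thresholds or formula, and this block uses the classic R/S estimator rather than the thesis's improved one.

```python
"""Added illustration (not the thesis's code): destination-IP entropy, an R/S
Hurst estimate and a per-destination mitigation decision. All thresholds, the
baseline Hurst band and the vulnerability-value formula are assumptions."""
import math
from collections import Counter


def dst_ip_entropy(dst_ips):
    """Shannon entropy (bits) of the destination-IP distribution in one window.
    A flood aimed at one victim concentrates the distribution and lowers it."""
    n = len(dst_ips)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(dst_ips).values())


def rs_statistic(series):
    """Rescaled range R/S of one block: range of the cumulative deviation from
    the mean, divided by the block's (population) standard deviation."""
    n = len(series)
    mean = sum(series) / n
    devs = [x - mean for x in series]
    running, cum = 0.0, []
    for d in devs:
        running += d
        cum.append(running)
    std = math.sqrt(sum(d * d for d in devs) / n)
    return (max(cum) - min(cum)) / std if std > 0 else 0.0


def hurst_exponent(series, min_block=8):
    """Classic R/S Hurst estimate: average R/S over non-overlapping blocks of
    size 8, 16, 32, ... and take the least-squares slope of log(R/S) against
    log(size). Returns None when fewer than two scales have any variance."""
    n = len(series)
    sizes, size = [], min_block
    while size <= n // 2:            # need at least two blocks per scale
        sizes.append(size)
        size *= 2
    xs, ys = [], []
    for sz in sizes:
        blocks = [series[i:i + sz] for i in range(0, n - sz + 1, sz)]
        vals = [v for v in (rs_statistic(b) for b in blocks) if v > 0]
        if vals:
            xs.append(math.log(sz))
            ys.append(math.log(sum(vals) / len(vals)))
    if len(xs) < 2:
        return None
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def detect_ddos(dst_ips, pkt_series, entropy_threshold=2.5, hurst_band=(0.55, 0.95)):
    """Stage 1: entropy below the (assumed) threshold makes the window a candidate.
    Stage 2: the Hurst estimate must leave the assumed baseline band of normal
    self-similar traffic; a series with no variance at all also counts as abnormal."""
    h_ent = dst_ip_entropy(dst_ips)
    if h_ent >= entropy_threshold:
        return {"attack": False, "entropy": h_ent, "hurst": None}
    hurst = hurst_exponent(pkt_series)
    confirmed = hurst is None or not (hurst_band[0] <= hurst <= hurst_band[1])
    return {"attack": confirmed, "entropy": h_ent, "hurst": hurst}


def mitigation_actions(dst_ips, drop_share=0.5, limit_share=0.2):
    """Assumed vulnerability value: a destination's share of the window's
    packets, mapped to the rule the controller would push to the ingress
    switch (drop / rate-limit via a meter / normal forwarding)."""
    n = len(dst_ips)
    actions = {}
    for ip, c in Counter(dst_ips).items():
        share = c / n
        if share >= drop_share:
            actions[ip] = "drop"
        elif share >= limit_share:
            actions[ip] = "rate-limit"
        else:
            actions[ip] = "forward"
    return actions


# Constructed samples (not measurements): 64 destination IPs per window and
# 128 per-interval packet counts.
NORMAL_WINDOW = [f"10.0.0.{i}" for i in range(1, 17)] * 4                   # uniform over 16 hosts
ATTACK_WINDOW = ["10.0.0.99"] * 48 + [f"10.0.0.{i}" for i in range(1, 17)]  # 75% to one victim
_seed = 12345
NORMAL_SERIES = []
for _ in range(128):                          # small LCG noise around 50 pkts/interval
    _seed = (1103515245 * _seed + 12345) % (2 ** 31)
    NORMAL_SERIES.append(40.0 + (_seed % 21))
ATTACK_SERIES = [float(i) for i in range(128)]  # flood ramping up every interval

if __name__ == "__main__":
    print(detect_ddos(NORMAL_WINDOW, NORMAL_SERIES))
    print(detect_ddos(ATTACK_WINDOW, ATTACK_SERIES))
    print(mitigation_actions(ATTACK_WINDOW))
```

Two caveats a practitioner would want: destination-IP entropy only falls when the flood concentrates on a few victims, so a flood spread across many destinations needs another feature (source entropy, flow-setup rate), and the threshold and Hurst band have to be calibrated from baseline traffic on the deployment itself. The R/S estimate also needs a series of at least 2·min_block samples, so the window used for stage 2 is longer than the flow-table snapshot used for stage 1.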
Keywords/Search Tags: Software-Defined Networking, DDoS, Information entropy, Hurst index, Vulnerability mechanism