Research On Traffic Scheduling And Scrubbing Strategy Of SDN-based DDoS Scrubbing Center

With the emergence of 5G,IoT,multi-cloud and other new technology scenarios,the available resources of DDoS attacks are constantly expanding,the intensity of DDoS attacks is constantly strengthening,and the methods of DDoS attacks are constantly innovating,which poses a major threat to network security.Therefore,flexible protection methods of DDoS attack are needed as an important part of network security capability.However,existing DDoS protection methods depending on physical security equipment in traditional networks will lead to many problems.For example,the lack of flexibility in protection and deployment,high maintenance costs,etc.Hence,the research goal of this thesis focuses on how to construct a flexible scheduling and handling plan for DDoS attack traffic in new technology scenarios.The research work of this thesis is developed around the above issues,and the main research contents are listed as follows:(1)In order to solve poor effectiveness problem in DDoS attack traffic scheduling,a DDoS protection method based on multidimensional scheduling and SDN is proposed.This method takes advantage of the SDN controller to centrally monitor global network resources.Firstly,the path optimization method based on Top-K is utilized to optimize the solution set,thereby reducing computational overhead.Then,according to the characteristics of DDoS attacks,the path set is comprehensively evaluated by three indexs: link dynamic remaining bandwidth,the number of flow tables and path length to generate traffic scheduling path.Finally,flow tables of source-based scheduling are sent to switches on the scheduling path in reverse order,which reduces the number of requests from the switch to the SDN controller,reduces the establishment delay of scheduling path and improves the scheduling efficiency.The experimental results show that the scheduling protection method proposed in this thesis can flexibly schedule DDoS attack traffic and reduce the impact of attacks on the network.(2)In order to solve the lack of flexible deployment of physical scrubbing equipment and inefficient use of scrubbing capabilities problems in DDoS attack handling,the traffic scrubbing strategy of SDN-based DDoS scrubbing center is proposed.Firstly,based on the types of DDoS attacks,different scrubbing granularities need to be set for the scrubbing strategy.Then,a hierarchical scrubbing strategy is adopted.The scrubbing strategy is composed of four kinds of scrubbing methods,including network-layer DDoS attack traffic blocking,user-tolerance-based rate-limiting,application-layer DDoS attack traffic transferring,and server traffic transferring.By setting scrubbing thresholds,different scrubbing methods are triggered.When the attack traffic is transferred,load balancing is deployed to disperse the traffic.Finally,the timeouts of flow tables are set to avoid using expired scrubbing strategies.The experimental results show that the scrubbing strategy proposed in this thesis can flexibly transfer and handle DDoS attack traffic.(3)Based on the above methods,the prototype system of SDN-based DDoS scrubbing center traffic scheduling and scrubbing was designed and implemented.The overall architecture of the prototype system was designed and implemented,including network measurement,scheduling path planning,scrubbing strategy generation,flow table generation and distribution.Users can deploy this system based on their own network topology,and set the hierarchical scrubbing strategy of DDoS attacks based on their own situation.The system could record the scheduling path and scrubbing strategy,and store them in the log file,which is convenient for the follow-up research on the processing of attacks,and has good functionality.