一种基于SDN的自治域内恶意流量过滤机制
An SDN-based mechanism for filtering intradomain malicious traffic
Malicious traffic generated inside an autonomous system (AS) by viruses, worms and similar causes poses a serious threat to the servers and network nodes within the domain. Traditional filtering mechanisms based on border routers and server-side firewalls protect poorly against intra-domain malicious traffic, offer little flexibility in their filtering rules, and are costly to deploy and maintain. To address these shortcomings, this paper proposes an SDN-based mechanism for filtering intra-domain malicious traffic that improves on traditional traffic filtering in three respects: the system framework, the construction of filtering policies, and their deployment and enforcement. First, exploiting the centralized control that SDN provides within a domain, a Controller-Agent filtering framework is designed: multiple agents are deployed in a distributed fashion to observe a globally unified view of the network and to enforce filtering policies, while the Controller uses its computational capacity to support a range of detection algorithms in an open manner and to formulate fine-grained, flexible filtering policies. Second, an Exception-Handler policy model is designed and implemented; its hierarchical and inheritance properties make policy formulation flexible and extensible. Third, a policy deployment and enforcement mechanism based on filtering-node search is designed and implemented, which guarantees that the enforcing node is close to the source of the malicious traffic and cannot be bypassed. Together these form a self-feedback closed loop of malicious traffic detection, policy formulation, and deployment and enforcement. Compared with traditional malicious traffic filtering mechanisms, the mechanism presented here offers clear advantages in protection coverage, flexibility and extensibility.
Malicious traffic caused by viruses, worms and DDoS attacks poses a serious threat to the servers and network nodes within an autonomous system (AS). Traditional malicious traffic filtering mechanisms based on the edge router or the end-host firewall struggle to filter malicious traffic that originates inside the AS itself and to protect intermediate network nodes, and their rule-based policy models are inflexible and hard to extend when policies are formulated and deployed. This paper proposes an SDN-based mechanism for filtering intradomain malicious traffic, comprising its system framework, its policy model and its filtering-node search algorithm. First, the architecture follows a Controller-Agent model and takes advantage of the centralized control of a trustworthy and controllable network; the mechanism is open to a variety of malicious traffic detection algorithms, supported by that network's cross-layer unified information view. Second, the mechanism includes a filtering policy model based on Exception-Handler, whose hierarchy and inheritance properties make filtering policies flexible and easy to extend. Third, a filtering-node search algorithm places enforcement close to the source of the malicious traffic, at a node the traffic cannot bypass. The mechanism thus gives the domain a more powerful, flexible and extensible capability for filtering rapidly changing malicious traffic.
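The abstract names two building blocks without showing them: a hierarchical Exception-Handler policy tree with inheritance, and a search for a filtering node that is near the malicious source yet cannot be routed around. The following is an added illustration written for this page, not the paper's own code. The topology, addresses, policy labels and handler names are constructed; "non-bypassable" is modelled here as a cut-vertex test (removing the candidate node disconnects source from destination), which is one reasonable reading of the abstract's requirement rather than the paper's actual algorithm.

```python
"""Added illustration for this abstract (not the paper's own code): a toy
Controller-side model of (1) a hierarchical Exception-Handler policy with
inheritance and (2) a near-source, non-bypassable filtering-node search.
Topology, addresses, policy labels and handler names are all constructed."""
from collections import deque
from ipaddress import ip_address, ip_network


class Policy:
    """One node of an Exception-Handler policy tree.

    `default` is the handler used when no exception matches.  A child inherits
    its parent's exceptions and default; exceptions added on the child are
    consulted first, so a more specific policy can override an inherited one.
    """

    def __init__(self, name, default=None, parent=None):
        self.name, self.parent, self._default = name, parent, default
        self.exceptions = []          # ordered list of (label, match_fn, handler)

    def add_exception(self, label, match_fn, handler):
        self.exceptions.append((label, match_fn, handler))
        return self

    @property
    def default(self):
        if self._default is not None:
            return self._default
        return self.parent.default if self.parent else "forward"

    def decide(self, flow):
        """Return (handler, 'policy:label') for a flow record, child first."""
        node = self
        while node is not None:
            for label, match_fn, handler in node.exceptions:
                if match_fn(flow):
                    return handler, f"{node.name}:{label}"
            node = node.parent
        return self.default, f"{self.name}:default"


# --- constructed policy tree (assumed subnets, ports and thresholds) ---------
MGMT_NET = ip_network("10.0.9.0/24")          # assumed management subnet
ROOT = Policy("as-default", default="forward").add_exception(
    "worm-445", lambda f: f["proto"] == "tcp" and f["dport"] == 445 and f["pps"] > 200, "drop")
SERVER_FARM = Policy("server-farm", parent=ROOT).add_exception(
    "syn-flood-80", lambda f: f["proto"] == "tcp" and f["dport"] == 80 and f["pps"] > 5000, "rate_limit")
MGMT = Policy("mgmt-exempt", parent=SERVER_FARM).add_exception(
    "allow-mgmt", lambda f: ip_address(f["src"]) in MGMT_NET, "forward")


# --- constructed topology: agents run on switches s2..s5 but not on s1 -------
TOPO = {
    "h1": ["s1"], "s1": ["h1", "s2", "s3"], "s2": ["s1", "s4"], "s3": ["s1", "s4"],
    "s4": ["s2", "s3", "s5"], "s5": ["s4", "h2"], "h2": ["s5"],
}
AGENTS = {"s2", "s3", "s4", "s5"}


def hop_distances(topo, src, removed=None):
    """BFS hop counts from src, optionally treating one node as removed."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in topo[u]:
            if v != removed and v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def find_filter_node(topo, agents, src, dst):
    """Closest agent to src whose removal disconnects src from dst.

    If removing the agent cuts src off from dst, the agent lies on every
    src->dst path, so the malicious flow cannot route around it.  Among such
    agents the one with the fewest hops from src is chosen; ties break on name.
    """
    dist = hop_distances(topo, src)
    candidates = [a for a in agents
                  if a in dist and a not in (src, dst)
                  and dst not in hop_distances(topo, src, removed=a)]
    return min(candidates, key=lambda a: (dist[a], a)) if candidates else None


def plan_filtering(policy, flow, topo=TOPO, agents=AGENTS):
    """Controller step: decide the handler, then pick where to enforce it."""
    handler, reason = policy.decide(flow)
    if handler == "forward":
        return None                                   # nothing to deploy
    node = find_filter_node(topo, agents, flow["src_node"], flow["dst_node"])
    match = {k: flow[k] for k in ("src", "dst", "proto", "dport")}
    return {"node": node, "action": handler, "match": match, "reason": reason}


if __name__ == "__main__":
    worm = {"src": "10.0.0.1", "dst": "10.0.2.10", "proto": "tcp", "dport": 445,
            "pps": 900, "src_node": "h1", "dst_node": "h2"}
    print(plan_filtering(SERVER_FARM, worm))
```

In the constructed topology s2 and s3 are both bypassable (two parallel paths), so the search skips past them to s4, the first switch that every h1-to-h2 path crosses; adding an agent to s1 moves enforcement one hop from the source. The policy tree shows the inheritance direction: a server-farm policy picks up the AS-wide worm rule without restating it, while a management exemption placed below it wins because child exceptions are consulted before inherited ones.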
罗军舟、吴一娜、吴帅、李伟、陆悠
Computing technology, computer technology; automation technology, automation equipment
Software Defined Network; Centralized Control; Malicious Traffic Filtering
罗军舟, 吴一娜, 吴帅, 李伟, 陆悠. An SDN-based mechanism for filtering intradomain malicious traffic (一种基于SDN的自治域内恶意流量过滤机制) [EB/OL]. (2015-01-04) [2025-08-18]. http://www.paper.edu.cn/releasepaper/content/201501-6