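Abstract
In an SDN-based network environment, many things that earlier network security applications could not do have now become possible. Traditional methods of curbing phishing websites do not apply in an SDN-based network environment, where the dynamic updating of flow table information is faster and more complex than in a traditional network environment. New firewall applications and security frameworks therefore need to be developed for SDN-based network environments, making full use of the flexibility and operability of SDN to monitor network state in real time and perform fine-grained filtering and analysis, so that timely, effective and reliable responses can be made to a changing network environment.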
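Based on an analysis of today's traditional DNS phishing website attack methods, this thesis designs and implements a prototype of an SDN-based malicious website protection system that analyzes and filters DNS request messages for malicious sites. The main work of this thesis is as follows:
(1) The attack patterns of current DNS phishing websites are analyzed and studied, the related technologies involved are summarized and analyzed, and the attack process is briefly outlined;
(2) Based on the analysis of traditional DNS phishing attacks, a prototype of an SDN-based malicious website protection system is designed and implemented, which filters malicious website domain names and blocks their traffic in the Mininet simulation environment;
(3) The prototype of the malicious website protection system is validated experimentally. The results show that, while ensuring users' normal access to websites, the system filters out unsafe phishing websites and can redirect dangerous traffic to a backup site to prevent losses to users.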
Keywords SDN Mininet Floodlight DNS packet analysis
Graduation Thesis Design Specification: Foreign-Language Abstract
Title An SDN-based Malicious Website Protection
Abstract
In an OpenFlow-based network environment, it is possible to achieve what used to be impossible with traditional network security applications. The traditional solutions for preventing phishing sites are not applicable in an SDN-based network environment because, compared with a traditional network environment, dynamic updates of flow table messages are more frequent and complicated.
It is therefore necessary to develop new firewall applications and security frameworks, and to make full use of the operability and flexibility of the OpenFlow-based network environment to monitor the network state in real time and perform fine-grained violation resolution, so as to respond to a changing network environment in a timely, effective and reliable way. The main work is as follows:
(1) Analyzed and studied the current attack patterns of DNS-based phishing sites, and summarized and analyzed the relevant technologies and the attack process.
(2) Based on the analysis of traditional DNS-based phishing attacks, designed and implemented a prototype of an SDN-based malicious website protection module that filters malicious domains and blocks their traffic.
(3) Performed experiments on the designed module; the results showed that the system can filter unsafe phishing websites while users surf the internet, at only a small overhead to the user's network access speed.
Keywords SDN Mininet Floodlight DNS packet analysis
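Contents
1 Introduction
1.1 Research Background and Purpose
1.2 Research Status at Home and Abroad
1.3 Research Content
1.4 Organization
2 SDN and Environment Configuration
2.1 Definition of SDN
2.1.1 ONF SDN Architecture Definition
2.1.2 ETSI NFV Architecture Definition
2.1.3 OpenDaylight Open-Source Project
2.2 Mininet Simulation Environment
2.2.1 Mininet Features
2.2.2 Configuration Procedure for the Mininet Experimental Environment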