SDN-BASED DDOS ATTACK PREVENTION METHOD, DEVICE AND SYSTEM

摘要

An SDN-based DDOS attack prevention method, device and system, the method comprising: issuing, via a controller, to a first packet forwarding device a traffic statistic instruction, the traffic statistic instruction instructing the first packet forwarding device to count traffics and carrying a destination IP address; collecting, by the controller, statistic data reported by the first packet forwarding device, the statistic data comprising traffic statistic information flowing to the destination IP address; acquiring, by the controller, and according to the statistic data, a global traffic statistic value flowing to the destination IP address; determining whether the global traffic statistic value exceeds a predetermined threshold, and issuing a DDoS protection policy to a second packet forwarding device based on a determination result indicating that the global traffic statistic value exceeds the predetermined threshold; correspondingly, receiving, by the second packet forwarding device, the DDoS protection policy transmitted by the controller; and protecting, according to the DDoS protection policy, the traffic flowing to the destination IP address, thus reducing a range of an effect of a DDoS attack on a network, and improving network security.