The basic idea of software defined networking (SDN) is to separate the control plane from the forwarding plane. An SDN network generally includes a controller, switches, and hosts. The controller, which has a view of the entire network, formulates a routing policy and delivers it to each switch in the form of flow entries; the switch stores these entries in its flow table. By controlling the flow tables of the switches, the controller implements centralized control over the whole network, while each switch forwards the data packets of its hosts purely according to its local flow entries.
In an SDN network, the general communication scenario of a host is shown in FIG. 1. A host A sends a data packet to the switch 1 to which it is connected, and it is assumed that the destination of the data packet is a host B inside the SDN network. The switch 1 searches its local flow table for a flow entry matching the data packet. If it finds one, it forwards the data packet according to that entry; if it does not, it sends a Packet-in message to the controller. The controller selects a forwarding path for the data packet and delivers that path, in the form of a flow entry, to every switch on the path; the switch 1 and the other switches on the path then forward the data packet according to the delivered flow entries.
Because the controller has now delivered the flow entry for communication between the host A and the host B to all switches on the forwarding path, when the host A subsequently sends another data packet destined for the host B, the switch 1 forwards it directly according to that flow entry and does not generate another Packet-in message.
If the destination of a data packet sent by a host is a host C outside the SDN network, the communication scenario is as shown in FIG. 2:
the host A sends a data packet to the switch 1 to which it is connected, where the destination of the data packet is the host C and the SDN network does not include the host C;
the switch 1 searches its local flow table for a flow entry matching the data packet; because the host C is not in the SDN network, no such entry exists, and the switch 1 sends a Packet-in message to the controller; and
the controller receives the Packet-in message and searches the SDN network for the host C; because the host C is not in the SDN network, the search fails, and the controller discards the Packet-in message without delivering any flow entry for the data packet to the switch 1.
If the host A subsequently sends another data packet destined for the host C, the switch 1 and the controller repeat the foregoing steps, and the controller again ends up discarding the Packet-in message. Unlike the scenario of FIG. 1, no flow entry is ever installed, so every such packet reaches the controller.
Based on the foregoing communication method of a host in an SDN network, the Packet-in message in the scenario of FIG. 1 may be regarded as a normal Packet-in message, while the Packet-in message in the scenario of FIG. 2 may be regarded as an invalid Packet-in message. If a host in the SDN network mounts a malicious attack on the controller by sending a large quantity of data packets whose destination host is not in the SDN network, or does not exist at all, the switch connected to that host generates a correspondingly large quantity of invalid Packet-in messages and sends them to the controller. The controller must then spend a large quantity of processing resources handling these invalid Packet-in messages, each of which triggers a search for a destination host that is not in the network or does not exist, and this degrades its processing of normal Packet-in messages.
Therefore, a malicious attack on the controller from a host needs to be detected in an SDN network. A current method for detecting such an attack is as follows: the controller collects statistics on the quantity of Packet-in messages received in a unit time that are generated by each host acting as a source host; it uses that quantity to calculate the rate at which each host generates Packet-in messages as a source host; and it determines, according to the rate, whether each host is performing a malicious attack on the controller.
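The following simulation is an added example, not code from the page or from any SDN controller implementation. It models the two Packet-in scenarios of FIG. 1 and FIG. 2 and the rate-based detection method just described, so that the difference in controller load between a normal and an invalid Packet-in is visible. The topology (hosts A, B and an attacking host X behind switch s1, host B behind s3, a fixed path s1-s2-s3), the unit time of one second and the per-host rate threshold of 10 Packet-in messages per second are all constructed assumptions; host C and the attacker's "ghost" destinations are deliberately absent from the controller's host table.

```python
"""Toy SDN controller: Packet-in handling and rate-based source-host detection.

Added example with a constructed topology and threshold; none of the names below
come from the original text.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import math

# Constructed topology (assumption): A and the attacker X sit behind s1, B behind s3.
# Host C is intentionally not attached anywhere: it is "outside the SDN network".
HOST_LOCATION = {"A": "s1", "B": "s3", "X": "s1"}
PATHS = {("s1", "s3"): ["s1", "s2", "s3"], ("s1", "s1"): ["s1"]}


@dataclass
class PacketIn:
    switch: str   # the switch that had no matching flow entry
    src: str
    dst: str
    t: float      # arrival time at the controller, in seconds


@dataclass
class Switch:
    name: str
    flow_table: dict = field(default_factory=dict)   # (src, dst) -> next hop


class Controller:
    """Holds the global network view and the per-source-host Packet-in counters."""

    def __init__(self, unit_time: float = 1.0, rate_threshold: float = 10.0):
        self.switches = {n: Switch(n) for n in ("s1", "s2", "s3")}
        self.unit_time = unit_time
        self.rate_threshold = rate_threshold
        # window index -> source host -> Packet-in count (the "statistics" of the method)
        self.counts = defaultdict(lambda: defaultdict(int))
        self.processed = 0   # every Packet-in, valid or not, costs controller work
        self.discarded = 0   # invalid Packet-in: destination host not in the network

    def handle_packet_in(self, msg: PacketIn) -> bool:
        """Return True if a forwarding path was installed, False if the message was discarded."""
        self.processed += 1
        self.counts[math.floor(msg.t / self.unit_time)][msg.src] += 1
        dst_switch = HOST_LOCATION.get(msg.dst)
        if dst_switch is None:
            self.discarded += 1        # FIG. 2: search fails, no flow entry delivered
            return False
        path = PATHS[(msg.switch, dst_switch)]
        # FIG. 1: deliver the path as one flow entry to every switch on it
        for hop, nxt in zip(path, path[1:] + [msg.dst]):
            self.switches[hop].flow_table[(msg.src, msg.dst)] = nxt
        return True

    def rates(self):
        """Per-window, per-source-host Packet-in rate (messages per unit time)."""
        return {w: {h: c / self.unit_time for h, c in hosts.items()}
                for w, hosts in self.counts.items()}

    def suspicious_hosts(self):
        """Hosts whose Packet-in rate exceeded the threshold in any window."""
        return sorted({h for hosts in self.rates().values()
                       for h, r in hosts.items() if r > self.rate_threshold})


def host_send(ctl: Controller, src: str, dst: str, t: float) -> str:
    """Host src emits one packet at time t; returns how its ingress switch handled it."""
    sw = ctl.switches[HOST_LOCATION[src]]
    if (src, dst) in sw.flow_table:
        return "forwarded"     # local flow entry hit: no Packet-in generated
    if ctl.handle_packet_in(PacketIn(sw.name, src, dst, t)):
        return "installed"     # controller delivered flow entries, packet forwarded
    return "dropped"           # invalid Packet-in, discarded by the controller


def simulate():
    ctl = Controller(unit_time=1.0, rate_threshold=10.0)
    normal = [host_send(ctl, "A", "B", 0.1 * i) for i in range(3)]            # FIG. 1
    invalid = [host_send(ctl, "A", "C", 0.5 + 0.1 * i) for i in range(3)]     # FIG. 2
    # attacker X sends 40 packets within one second to destinations that do not exist
    flood = [host_send(ctl, "X", f"ghost{i}", 2.0 + 0.02 * i) for i in range(40)]
    return ctl, normal, invalid, flood


if __name__ == "__main__":
    ctl, normal, invalid, flood = simulate()
    print("A->B:", normal)                 # one Packet-in, then flow-table hits
    print("A->C:", invalid)                # a Packet-in for every packet
    print("Packet-in processed:", ctl.processed, "discarded:", ctl.discarded)
    print("suspicious hosts:", ctl.suspicious_hosts())
```

The simulation shows the asymmetry the text describes: three packets from A to B cost the controller a single Packet-in, three packets from A to C cost three, and the attacker's 40 packets cost 40, all of which the controller has to receive, count and search before it can discard them. Only after that work does the rate check in `suspicious_hosts` flag X, which is exactly the overhead the next paragraph objects to.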
In such a method, the controller must receive and process the Packet-in message reported by every switch, and in addition it must separately collect statistics on the quantity of Packet-in messages generated in a unit time by each host acting as a source host before it can determine whether that host is attacking it. Every invalid Packet-in message is therefore fully received and processed before it is counted against its source. The amount of data the controller processes is large, and the performance of the controller is correspondingly low.