Summary: Master's thesis, National Taiwan University of Science and Technology (國立臺灣科技大學), Department of Computer Science and Information Engineering (資訊工程系), academic year 105

Distributed denial-of-service (DDoS) attacks on the Internet have drawn a lot of attention recently. Although the methodology for launching a DDoS attack is simple, the attack is not easy to avoid or to recover from, because the attacking packets are distributed across many sources and the rules that identify attacking methods are blurry. With the emergence of software-defined networking (SDN), many flexible applications for defending against network attacks on the Internet have appeared. Conventionally, users rely on hardware support to filter traffic and identify attack behaviour, but they can neither change the settings in the switch nor take action when they find that an attack is happening. If users want to establish prevention methods, they have to modify the firmware of the switch or use the GUI applications developed by the manufacturers to satisfy their needs.
In the past, some researchers have used entropy to detect DDoS attacks, and they can also analyse flows according to timestamps. Others have adopted statistical methods to differentiate normal from abnormal flows on different routers and to identify packets sent by attackers. Whether entropy or statistical methods are used, each is effective for detecting attacks in many respects. The proposed research combines chunk-based entropy with statistical methods to construct an improved mathematical model for DDoS attacks in an SDN environment. The proposed method can analyse the statistic in a short time and investigate the difference between normal packets and attacking packets. When an attack happens, we can repair the network situation by modifying the flow table in the switch.
The proposed research conducts attack/defense experiments with an SDN environment, servers and zombies to prove the practicality of the proposed model. Using Python scripts customized for the proposed method, we attack victims in our own SDN environment, and the chunk size is obtained automatically by pretesting. With an appropriate chunk size, we can detect attacks within just 1 second by flagging an attack when the p-value is smaller than 0.05. With the proposed chunk size, in a fast simulation of a normal network environment, the false alarm rate is about 0.2%.
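The abstract describes the detection idea (entropy computed per chunk of packets, then a statistical test with a 0.05 threshold) but not the concrete test or feature. The following is an added illustration, not code from the thesis: it computes the Shannon entropy of destination IPs over fixed-size chunks, builds a baseline from chunks of normal traffic, and flags a chunk whose entropy is statistically unlikely under that baseline. The one-sample z-test, the use of destination IP as the feature, the chunk size of 200, and all traffic (generated by `normal_traffic` and `flood_traffic`) are assumptions constructed for the example; the thesis's own model, chunk-size pretest and SDN flow-table response are not reproduced here.

```python
"""Chunk-based entropy plus a statistical test for DDoS detection (added example)."""
import math
import random
from collections import Counter
from typing import Iterable, List, Sequence, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)


def entropy_bits(values: Iterable[str]) -> float:
    """Shannon entropy (bits) of the empirical distribution of the given values."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def split_chunks(packets: Sequence[Packet], size: int) -> List[Sequence[Packet]]:
    """Split a packet sequence into consecutive chunks of `size` packets (last may be shorter)."""
    if size <= 0:
        raise ValueError("chunk size must be positive")
    return [packets[i:i + size] for i in range(0, len(packets), size)]


def destination_entropies(packets: Sequence[Packet], size: int) -> List[float]:
    """Destination-IP entropy of every chunk of `size` packets."""
    return [entropy_bits(dst for _, dst in c) for c in split_chunks(packets, size)]


def two_sided_p_value(z: float) -> float:
    """Two-sided p-value of a standard-normal z score (complementary error function, no SciPy)."""
    return math.erfc(abs(z) / math.sqrt(2.0))


class EntropyDetector:
    """Baseline mean/std of chunk entropy from normal traffic; a chunk whose entropy is
    statistically unlikely under that baseline (assumed one-sample z-test) is flagged.
    Two-sided: a flood lowers destination entropy, spoofing raises source entropy."""

    def __init__(self, baseline: Sequence[float], alpha: float = 0.05) -> None:
        if len(baseline) < 2:
            raise ValueError("need at least two baseline chunks")
        n = len(baseline)
        self.mean = sum(baseline) / n
        variance = sum((h - self.mean) ** 2 for h in baseline) / (n - 1)
        self.std = max(math.sqrt(variance), 1e-9)  # guard against a zero-variance baseline
        self.alpha = alpha

    def p_value(self, chunk_entropy: float) -> float:
        return two_sided_p_value((chunk_entropy - self.mean) / self.std)

    def is_attack(self, chunk_entropy: float) -> bool:
        return self.p_value(chunk_entropy) < self.alpha


# --- constructed traffic for the demo (not captured data) --------------------
def normal_traffic(n: int, rng: random.Random) -> List[Packet]:
    """Constructed benign traffic: ~200 client hosts talking to 32 internal servers."""
    return [(f"192.168.1.{rng.randrange(1, 200)}", f"10.0.0.{rng.randrange(1, 33)}")
            for _ in range(n)]


def flood_traffic(n: int, rng: random.Random, victim: str = "10.0.0.7") -> List[Packet]:
    """Constructed flood: random spoofed sources, ~95% of packets aimed at one victim."""
    out: List[Packet] = []
    for _ in range(n):
        src = ".".join(str(rng.randrange(1, 224)) if i == 0 else str(rng.randrange(256))
                       for i in range(4))
        dst = victim if rng.random() < 0.95 else f"10.0.0.{rng.randrange(1, 33)}"
        out.append((src, dst))
    return out


def run_demo(chunk_size: int = 200, baseline_chunks: int = 20, seed: int = 42) -> dict:
    """Train on normal chunks, then score one fresh normal chunk and one flood chunk."""
    rng = random.Random(seed)
    baseline = destination_entropies(normal_traffic(chunk_size * baseline_chunks, rng), chunk_size)
    det = EntropyDetector(baseline)
    normal_h = destination_entropies(normal_traffic(chunk_size, rng), chunk_size)[0]
    attack_h = destination_entropies(flood_traffic(chunk_size, rng), chunk_size)[0]
    return {
        "baseline_mean_bits": det.mean,
        "normal_p": det.p_value(normal_h),
        "attack_entropy_bits": attack_h,
        "attack_p": det.p_value(attack_h),
        "attack_flagged": det.is_attack(attack_h),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The baseline is the part that determines the false alarm rate: with alpha = 0.05 and a baseline drawn from the same traffic, roughly one normal chunk in twenty will be flagged by chance, which is why the abstract's reported 0.2% depends on choosing the chunk size (and the test) carefully rather than on the threshold alone.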