Summary: | Master's === National Taiwan University of Science and Technology === Department of Information Management === 107 === Distributed denial-of-service (DDoS) attacks have become one of the main attacks on networks today. Besides servers that provide services, the target may also be a link in the infrastructure. Much past research has addressed the current single-type (server or link) DDoS attacks and provides ways to detect them. However, as attack techniques evolve, hybrid DDoS attacks can hit multiple targets (servers or links) simultaneously, attacking servers and links at the same time. The resulting situation is slightly smaller in scale than with a single-type DDoS attack, which makes hybrid DDoS attacks difficult to detect.
However, regardless of the attack type, the main purpose of a DDoS attack is to keep the server from providing normal service. Therefore, this thesis proposes a novel approach (FDD) that strengthens current detection so that it can detect hybrid DDoS attacks. The approach monitors the target area, where the service servers are located, on the target link that connects it to the external network, and calculates the differentiation between input and output through the target area. Under a hybrid DDoS attack, the number of flows destined for the servers in the target area increases, while the number of flows departing from the servers in the target area stays almost fixed. The differentiation between requests and responses is therefore used to indicate the degree of harm that hybrid DDoS attack behavior causes to the service, and thereby to detect the attack.
The contributions of this thesis are: (1) it proves that a hybrid DDoS attack does cause damage to the service; (2) it proposes an approach, the Flow Differentiation Detector (FDD), to detect hybrid DDoS attacks; (3) it deploys FDD in the SDN controller OpenDaylight to implement a hybrid DDoS attack detection system. Finally, the experimental results show that, in a topology with 7 switches and under different ratios of hybrid DDoS attacks, the average detection accuracy of FDD is 96.7%, better than Combiner (COM), whose average detection accuracy is 90%. FDD performs well regardless of the number of servers in the target area or changes in the topology.
|