
Research On Entropy-based Detection And Defense Methods Against DDoS Amplification Attack In SDN

Posted on: 2018-05-18
Degree: Master
Type: Thesis
Country: China
Candidate: H Shen
Full Text: PDF
GTID: 2348330533961363
Subject: Computer Science and Technology
Abstract/Summary:
DDoS amplification attacks are a typical class of network attack, characterized by very high intensity and scale. They are difficult to detect and defend against because the attack traffic is camouflaged and distributed. As a novel network architecture, SDN defines the network in software, so it can obtain the global network state and adjust it dynamically according to application requirements. Without appropriate mechanisms, a DDoS amplification attack could be more harmful and cause more damage in SDN than in a traditional network, because the SDN itself can be exploited as an attacker or an amplifier. Detection and defense technologies against DDoS amplification attacks in SDN are therefore necessary, and they are the subject of this dissertation. In this thesis, the principles of DDoS amplification attacks and the characteristics of SDN are analyzed. When an SDN is illegitimately used as the attacker or amplifier in a DDoS amplification attack, or when it is attacked from outside, entropy can be used to detect these symptoms. The main work of the dissertation is as follows.

Firstly, a set of entropy-based detection methods against DDoS amplification attacks in SDN is proposed. Based on the analysis of the principle of DDoS amplification attacks and the characteristics of SDN, the corresponding traffic feature parameters are selected for each of the three roles the SDN can play: the victim, the attacker and the amplifier. The entropy is calculated from the corresponding feature information that the SDN controller extracts from flow entries. The non-parametric CUSUM algorithm is used to obtain the cumulative value. An attack judgement is then made according to the progressive combination rules.

Secondly, a set of defense methods against DDoS amplification attacks in SDN is proposed. For each of the three roles of the SDN (the victim, the attacker and the amplifier), the defense process has two phases: tracking and mitigation. In the tracking phase, a set of source-destination IP address pairs is established, based on the fact that the attack packets in a DDoS amplification attack share the same destination IP address. In the mitigation phase, a new flow table is sent to the OpenFlow switch according to this set of IP address pairs. Defense is achieved by filtering and rate limiting the attack traffic.

Thirdly, an SDN simulation environment was constructed on the Mininet simulation platform, and the detection and defense methods above were deployed on the SDN controller. The sample dataset was injected into three scenarios, one for each role of the SDN, and experimental results were obtained. Analysis of the experimental data shows the correctness and effectiveness of the methods proposed in this thesis.
Keywords/Search Tags: SDN, DDoS amplification attack, entropy, attack detection, attack defense
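The detection step described in the abstract, entropy per polling window followed by non-parametric CUSUM, can be sketched as follows. This is an added example, not code from the thesis: it covers only the victim role, assumes the destination IP address as the feature, and uses constructed sample windows; the function names, the offset and the threshold are illustrative assumptions, and the progressive combination rules are not modeled.

```python
import math
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy (bits) of one feature over a polling window."""
    total = len(values)
    return -sum((c / total) * math.log2(c / total)
                for c in Counter(values).values())

def cusum_detect(entropies, train=3, offset=0.5, threshold=3.0):
    """Non-parametric CUSUM on the entropy drop below a learned baseline.

    The first `train` windows are assumed attack-free and give the baseline.
    y_n = max(0, y_{n-1} + (baseline - H_n) - offset); alarm when y_n > threshold.
    Returns (index of first alarming window or None, list of y_n values).
    """
    baseline = sum(entropies[:train]) / train
    y, trace, alarm = 0.0, [], None
    for i, h in enumerate(entropies[train:], start=train):
        # The offset keeps the statistic at zero under normal fluctuation.
        y = max(0.0, y + (baseline - h) - offset)
        trace.append(y)
        if alarm is None and y > threshold:
            alarm = i
    return alarm, trace

def window(counts):
    """Constructed sample: destination IPs of the flows seen in one window."""
    return [f"10.0.0.{i + 1}" for i, c in enumerate(counts) for _ in range(c)]

# Constructed data: 64 flows per window over 8 hosts.
NORMAL_A = [8] * 8                       # evenly spread destinations
NORMAL_B = [10, 9, 8, 8, 8, 7, 7, 7]     # ordinary skew
ATTACK = [57, 1, 1, 1, 1, 1, 1, 1]       # amplified replies converge on one host
WINDOWS = [window(c) for c in
           (NORMAL_A, NORMAL_B, NORMAL_A, NORMAL_B, ATTACK, ATTACK, ATTACK)]

if __name__ == "__main__":
    ent = [shannon_entropy(w) for w in WINDOWS]
    alarm, trace = cusum_detect(ent)
    for i, h in enumerate(ent):
        print(f"window {i}: H = {h:.3f} bits")
    print("CUSUM trace:", [round(y, 3) for y in trace])
    print("first alarm at window:", alarm)
```

A single low-entropy window does not cross the threshold; the alarm fires only once the drop persists, which is the property that makes the cumulative statistic less sensitive to short bursts than a per-window entropy threshold.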