DDoS (Distributed Denial-of-Service)攻擊已是當今網路的主要攻擊之一，目標除了提供服務的伺服器，亦可能為基礎設施的鏈路，針對目前單一型態(伺服器或鏈路)之DDoS攻擊，過去許多研究已提供了偵測這些單一型態的DDoS攻擊的方法，然而隨著攻擊手法推陳出新，混合型的DDoS攻擊能同時攻擊多種目標(伺服器或鏈路)，由於攻擊多種目標時，攻擊伺服器及鏈路會相較單一型態之DDoS攻擊情況來得輕微，導致現行單一型態DDoS攻擊偵測方法不易查覺。
然而不論攻擊型態為何，DDoS攻擊最主要目的為讓伺服器無法提供正常服務，故本研究提出了一個能偵測混合型的DDoS攻擊的方法FDD (Flow Differentiation Detector)，此方法以服務伺服器所在位置(目標區域)連接對外網路的重要鏈路(目標鏈路)為觀察點，觀察資料流流入及流出個數的差異量。在發生混合型的DDoS攻擊的情況下，流經目標鏈路且請求目標區域的服務伺服器之資料流仍然會增加，但從目標區域回應的資料流數目變化很小。因此利用請求與回應兩者之間差異量來表示混合攻擊行為對於服務造成的危害程度，藉此偵測混合型的DDoS攻擊。
本研究的貢獻為(1)證明混合型DDoS攻擊確實能對目標區域造成危害；(2)提出能偵測混合型的DDoS攻擊的方法FDD；(3)於實際SDN控制器上實作FDD，並量測其偵測效果。實驗結果顯示FDD一個有7個交換器的SDN網路下針對混合型DDoS攻擊能保持平均偵測率達96.7%，優於直接混合現行偵測伺服器之DDoS攻擊及偵測鏈路之DDoS攻擊之綜合方法Combiner (COM)的平均偵測率90%，並發現不論目標區域或是網路拓樸大小改變，FDD均能保持良好的偵測效果。

Distributed denial-of-service (DDoS) attacks have become one of the main attacks in the network nowadays. The target except providing servers for services, it may also be a link in infrastructure. For the current single type (server or link) DDoS attacks, many pieces of research have been conducted in the past, providing ways to detect these single type DDoS attacks. However, as the attacks techniques evolving, hybrid DDoS attacks can attack multiple targets (servers or links) simultaneously, attacking servers and chains as they attack multiple targets. The situation will be slightly smaller than the single type of DDoS attack, which makes hybrid DDoS attack difficult to detect.
However, regardless of the attack type, the main purpose of the DDoS attack is to deny the server from providing normal services. Therefore, this thesis proposes a novel approach (FDD) to strengthen the current detection to detect hybrid DDoS attacks. This approach monitors target area where the service servers are located on target link which connecte to the external network to calculate the differentiation input and output through target area. Under hybrid DDoS attack, the number of flows which destine to the servers in target area increases while the number of flows which depart from the servers in target area is almost fixed. Therefore, by the phenomenon that the differentiation between the request and the response is used to indicate the degree of harm caused by hybrid DDoS attacks behavior to the service, thereby detecting it.
The contribution of this thesis: (1) prove that hybrid DDoS attack does cause damage to service; (2) propose the approach, Flow Differentiation Detector (FDD), to detect hybrid DDoS attacks; (3) deployed FDD in SDN controller, OpenDayLight, to implement the hybrid DDoS attack detection system. Finally, the experimental results that FDD the average detection accuracy under different ratio of hybrid DDoS attacks in the topology which there are 7 switches is 96.7% better than Combiner (COM) whose the average detection accuracy is 90%; no matter what the number of servers in the target area or the topology change, the FDD has good effects.

P. Criscuolo, “Distributed Denial of Service, Tribe Flood Network 2000, and Stacheldraht CIAC-2319,” UCRLID-136939, Rev, vol. 1, 2000.
M. Aamir and M. Arif, “Study and Performance Evaluation on Recent DDoS Trends of Attack & Defense,” International Journal of Information Technology and Computer Science, vol. 5, no. 8, pp. 54-65, 2013.
C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, “Analysis of a Denial of Service Attack on TCP,” IEEE Symposium on Security and Privacy, pp. 208-223, 1997.
T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of Network-based Defense Mechanisms Countering the DoS and DDoS Problems,” ACM Computing Surveys (CSUR), vol. 39, no. 1, p. 3, 2007.
T. Hamano, R. Suzuki, T. Ikegawa, and H. Ichikawa, “A Redirection-based Defense Mechanism against Flood-type Attacks in Large-scale ISP Networks,” Asia-Pacific Conference on Communications and International Symposium on Multi-Dimensional Mobile Communications Proceeding, vol. 2, pp. 543-547, 2004.
S. Ranjan, R. Swaminathan, M. Uysal, A. Nucci, and E. Knightly, “DDoS-shield: DDoS-resilient Scheduling to Counter Application Layer Attacks,” IEEE Transactions on networking, vol. 17, no. 1, pp. 26-39, 2008.
F. Kargl, J. Maier, and M. Weber, “Protecting Web Servers from Distributed Denial of Service Attacks,” International Conference on World Wide Web, pp. 514-524, 2001.
R. Mohammadi, R. Javidan, and M. Conti, “SLICOTS: An SDN-based Lightweight Countermeasure For TCP SYN Flooding Attacks,” IEEE Transactions on Network and Service Management, vol. 14, no. 2, pp. 487-497, 2017.
S. Verma et al., “Stopping Amplified DNS DDoS Attacks through Distributed Query Rate Sharing,” International Conference on Availability, Reliability and Security (ARES), pp. 69-78, 2016.
P. Kumar, M. Tripathi, A. Nehra, M. Conti, and C. Lal, “SAFETY: Early Detection and Mitigation of TCP SYN Flood Utilizing Entropy in SDN,” IEEE Transactions on Network and Service Management, vol. 15, no. 4, pp. 1545-1559, 2018.
B. Rashidi, C. Fung, and E. Bertino, “A Collaborative DDoS Defence Framework Using Network Function Virtualization,” IEEE Transactions on Information Forensics and Security, vol. 12, no. 10, pp. 2483-2497, 2017.
S. Torabi, A. Boukhtouta, C. Assi, and M. Debbabi, “Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems,” IEEE Communications Surveys & Tutorials, vol. 20, no. 4, pp. 3389-3415, 2018.
C.-C. Chen, Y.-R. Chen, W.-C. Lu, S.-C. Tsai, and M.-C. Yang, “Detecting Amplification Attacks with Software Defined Networking,” IEEE conference on dependable and secure computing, pp. 195-201, 2017.
T. R. Sree and S. M. S. Bhanu, “HAP: Detection of HTTP Flooding Attacks in Cloud Using Diffusion Map and Affinity Propagation Clustering,” IET Information Security, vol. 13, no. 3, pp. 188-200, 2018.
T. Nguyen et al., “Reliable Detection of Interest Flooding Attack in Real Deployment of Named Data Networking,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 9, pp. 2470-2485, 2019.
J. Wang, M. Zhang, X. Yang, K. Long, and J. Xu, “HTTP-sCAN: Detecting HTTP-flooding Attack by Modeling Multi-features of Web Browsing Behavior from Noisy Web-logs,” China Communications, vol. 12, no. 2, pp. 118-128, 2015.
A. Studer and A. Perrig, “The Coremelt Attack,” European Symposium on Research in Computer Security, pp. 37-52, 2009.
M. S. Kang, S. B. Lee, and V. D. Gligor, “The Crossfire Attack,” IEEE Symposium on Security and Privacy, pp. 127-141, 2013.
L. Xue, X. Ma, X. Luo, E. W. Chan, T. T. Miu, and G. Gu, “LinkScope: Toward Detecting Target Link Flooding Attacks,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 10, pp. 2423-2438, 2018.
C. Liaskos and S. Ioannidis, “Network Topology Effects on the Detectability of Crossfire Attacks,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 7, pp. 1682-1695, 2018.
J. Wang, R. Wen, J. Li, F. Yan, B. Zhao, and F. Yu, “Detecting and Mitigating Target Link-flooding Attacks Using SDN,” IEEE Transactions on Dependable and Secure Computing, 2018.
K. Sakuma, H. Asahina, S. Haruta, and I. Sasase, “Traceroute-based Target Link Flooding Attack Detection Scheme by Analyzing Hop Count to the Destination,” Asia-Pacific Conference on Communications (APCC), pp. 1-6, 2017.
T. Hirayama, K. Toyoda, and I. Sasase, “Fast Target Link Flooding Attack Detection Scheme by Analyzing Traceroute Packets Flow,” IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1-6, 2015.
J. Zheng, Q. Li, G. Gu, J. Cao, D. K. Yau, and J. Wu, “Realtime DDoS Defense Using COTS SDN Switches via Adaptive Correlation Analysis,” IEEE Transactions on Information Forensics and Security, vol. 13, no. 7, pp. 1838-1853, 2018.
J. Quittek, T. Zseby, B. Claise, and S. Zander, "Requirements for IP Flow Information export (IPFIX)," RFC 3917 (informational)2004.
“https://github.com/wenfengshi/ddos-dos-tools/blob/master/small_frag.trafgen.”