
Author: 黃柏誠 (Bo-Cheng Huang)
Title (Chinese): 一個基於軟體定義網路架構下利用來源 IP 位址之熵值偵測分散式阻斷服務攻擊的有效方法
Title (English): An Efficient Approach to Detect DDoS Attack in Software-defined Networking Architecture based on the Entropy of Source IP Address
Advisor: 鄧惟中 (Wei-Chung Teng)
Oral defence committee: 鄧惟中 (Wei-Chung Teng), 林宗男 (Tsung-Nan Lin), 雷欽隆 (Chin-Laung Lei), 沈上翔 (Shan-Hsiang Shen)
Degree: Master
Department: 電資學院 - 資訊工程系 (College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering)
Year of publication: 2017
Academic year of graduation: 105 (ROC calendar)
Language: Chinese
Pages: 64
Keywords (Chinese): 阻斷式服務攻擊, low-rate, 軟體定義網路, 泛化熵值, 變異數分析
Keywords (English): DDoS attack, low-rate, SDN, generalized entropy, ANOVA
Usage statistics: 278 views, 13 downloads

Abstract (translated from the Chinese):

Distributed denial-of-service (DDoS) attacks remain one of the most closely watched network attack patterns of recent years. A DDoS attack is easy to launch, but because its packets come from many distributed sources and the attack method is hard to identify, it is still difficult to prevent and to eliminate. With the rise of software-defined networking (SDN), both network attack and network defence have gained more flexible applications. Traditionally, filtering and blocking attack traffic has depended on hardware support: users cannot easily change the settings inside a switch, and may not even be able to react while an attack is in progress; to set up preventive behaviour for a specific event or target, they must modify the switch's internal settings through the hardware, or use the application programming interfaces already built into it, to meet their needs.
Some earlier studies used the magnitude of entropy to identify DDoS attacks and then analysed traffic anomalies across time; others used statistical methods to distinguish differences in traffic between nodes and thereby locate attack packets. Both entropy and statistical methods are effective for attack detection in their respective dimensions. Taking a DDoS attack under an SDN architecture as its premise, this study combines entropy chunks with statistical analysis of variance to build an improved mathematical model that computes the statistic efficiently; within a short time after an attack begins it can detect the difference between the current packets and normal traffic, and once an attack has been detected the flow table is modified to improve the network's condition.
The feasibility of the model is verified by attack and defence experiments on real SDN switches, servers and zombie hosts. Using self-written scripts, attacks were tested across network segments; the packet-collection chunk size can be generated by a dynamic pretest, and with an appropriate chunk size a p-value below 0.05, meaning the traffic is anomalous, is measured within 1 second. Under a large number of fast simulations of normal network packets, the false-alarm rate is about 0.2%.


Abstract (English):

The pattern of distributed denial-of-service (DDoS) attacks on the Internet has drawn a lot of attention recently. Although the methodology for launching a DDoS attack is simple, it is not easy to avoid and be free from the attack because of the distributed nature of its packets and the blurry rules of its attacking methods. With the emergence of software-defined networking (SDN), there are many flexible applications for defending against network attacks on the Internet. Conventionally, users rely on hardware support to filter and identify attack behaviour, but they can neither change the settings in the switch nor even take action when they find that an attack is happening. If users want to establish prevention methods, they have to modify the firmware of the switch or use the GUI applications developed by the manufacturers to satisfy their needs.
In the past, some researchers used entropy to detect DDoS attacks and, moreover, could analyse flows according to timestamps. Others adapted statistical methods to differentiate normal from abnormal flows on different routers and to identify packets sent by attackers. Whether entropy or statistical methods are used, both are effective for detecting attacks in many respects. The proposed research combines chunks of entropy with statistical methods to construct an improved mathematical model on the basis of a DDoS attack in an SDN environment. The proposed method can compute the statistical value in a short time and investigate the difference between normal packets and attack packets. When an attack happens, we can repair the network situation by modifying the flow table in the switch.
The proposed research conducts attack/defence experiments with an SDN environment, servers and zombies to prove the practicality of the proposed model. With Python scripts customized for the proposed method, we attack victims in our own SDN environment, and the chunk size is obtained automatically by pretesting. With an appropriate chunk size, we can detect attacks within just 1 second by observing whether the p-value is smaller than 0.05. With the proposed chunk size and a fast simulation of a normal networking environment, the false alarm rate is about 0.2%.
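The following is an added example, not code from the thesis, sketching the detection idea the abstract describes in stand-alone Python: the generalized (Rényi) entropy of source IP addresses is computed per fixed-size chunk of packets, then a one-way ANOVA compares a baseline window of chunks with the most recent window and flags the window when p < 0.05. The chunk size (200 packets), entropy order (alpha = 2), the synthetic client pool, the 80% flood mix, every function name and the p-value routine (an incomplete-beta continued fraction, since the standard library has no F distribution) are this example's assumptions, not the thesis's parameters. It also goes beyond the single-source case to show a spoofed-source DDoS, where the entropy rises rather than falls but the ANOVA still detects the shift.

```python
"""Added example (not the thesis's code): chunked generalized entropy of
source IPs plus a one-way ANOVA between a baseline and a recent window.
Chunk size, alpha, client pool and attack mix are constructed assumptions."""
import math
import random
from collections import Counter

CHUNK_SIZE = 200      # packets per chunk (the thesis derives it by pretest; fixed here)
CLIENT_POOL = [f"10.0.0.{i}" for i in range(1, 51)]   # constructed benign clients
ATTACK_SOURCE = "203.0.113.7"                          # constructed attacker address

def generalized_entropy(src_ips, alpha=2.0):
    """Renyi entropy of order alpha (bits) of one chunk's source-IP distribution;
    alpha == 1 falls back to Shannon entropy."""
    n = len(src_ips)
    probs = [c / n for c in Counter(src_ips).values()]
    if alpha == 1.0:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)

def chunk_entropies(src_ips, chunk_size=CHUNK_SIZE, alpha=2.0):
    """One entropy value per complete fixed-size chunk of the packet stream."""
    return [generalized_entropy(src_ips[i:i + chunk_size], alpha)
            for i in range(0, len(src_ips) - chunk_size + 1, chunk_size)]

def _betacf(a, b, x, max_iter=300, eps=1e-14, tiny=1e-300):
    """Continued fraction of the regularized incomplete beta (modified Lentz)."""
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= tiny else tiny)
    h = d
    for m in range(1, max_iter + 1):
        m2 = 2 * m
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= tiny else tiny)
            c = 1.0 + aa / c
            c = c if abs(c) >= tiny else tiny
            delta = d * c
            h *= delta
        if abs(delta - 1.0) < eps:
            break
    return h

def regularized_incomplete_beta(a, b, x):
    """I_x(a, b) for 0 <= x <= 1."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    bt = math.exp(math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
                  + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b

def f_survival(f, df1, df2):
    """P(F >= f) for the F distribution with (df1, df2) degrees of freedom."""
    if f <= 0.0:
        return 1.0
    return regularized_incomplete_beta(df2 / 2.0, df1 / 2.0, df2 / (df2 + df1 * f))

def one_way_anova(groups):
    """F statistic and p-value of a one-way ANOVA over lists of chunk entropies."""
    k, n = len(groups), sum(len(g) for g in groups)
    grand = sum(map(sum, groups)) / n
    means = [sum(g) / len(g) for g in groups]
    ss_between = sum(len(g) * (m - grand) ** 2 for g, m in zip(groups, means))
    ss_within = sum((x - m) ** 2 for g, m in zip(groups, means) for x in g)
    if ss_within == 0.0:          # degenerate: no spread inside the groups
        return (float("inf"), 0.0) if ss_between > 0.0 else (0.0, 1.0)
    f = (ss_between / (k - 1)) / (ss_within / (n - k))
    return f, f_survival(f, k - 1, n - k)

def normal_chunk(rng):
    """Constructed benign chunk: packets spread over the client pool."""
    return [rng.choice(CLIENT_POOL) for _ in range(CHUNK_SIZE)]

def attack_chunk(rng, kind):
    """Constructed attack chunk: 80% flood from one source ("dos") or from
    distinct spoofed sources ("ddos"), mixed with benign packets."""
    flood = int(0.8 * CHUNK_SIZE)
    bad = [ATTACK_SOURCE] * flood if kind == "dos" else [f"198.51.100.{i}" for i in range(flood)]
    pkts = bad + normal_chunk(rng)[:CHUNK_SIZE - flood]
    rng.shuffle(pkts)
    return pkts

def detect(baseline_stream, recent_stream, alpha=2.0, threshold=0.05):
    """Flag the recent window when ANOVA of baseline vs. recent chunk entropies
    gives p below the threshold. Returns (F, p, anomalous)."""
    f, p = one_way_anova([chunk_entropies(baseline_stream, alpha=alpha),
                          chunk_entropies(recent_stream, alpha=alpha)])
    return f, p, p < threshold

def demo(seed=7):
    """Baseline of 10 benign chunks versus 3 recent chunks per scenario."""
    rng = random.Random(seed)
    baseline = [ip for _ in range(10) for ip in normal_chunk(rng)]
    results = {}
    for kind in ("normal", "dos", "ddos"):
        chunks = [normal_chunk(rng) if kind == "normal" else attack_chunk(rng, kind)
                  for _ in range(3)]
        results[kind] = detect(baseline, [ip for ch in chunks for ip in ch])
    return results

if __name__ == "__main__":
    for kind, (f, p, flagged) in demo().items():
        print(f"{kind:6s} F={f:12.2f} p={p:.3g} anomalous={flagged}")
```

Running the file prints one line per scenario: the benign window should not be flagged, while both flood windows give a p-value far below 0.05 because their chunk entropies sit many baseline standard deviations away from the benign mean (lower for the single-source flood, higher for spoofed sources). Two caveats a practitioner would want: the recent window's variance is much smaller than the baseline's, so a Welch-type test is the conservative choice for unequal variances; and a fixed chunk size is a stand-in for the pretest-derived size the abstract describes, which governs the detection delay and false-alarm rate.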

Table of contents (translated):

    Advisor's recommendation letter
    Oral defence committee approval
    Chinese abstract
    Abstract
    Acknowledgements
    Contents
    List of figures
    List of tables
    1 Introduction
        1.1 Research background
        1.2 Motivation and objectives
        1.3 Thesis organization
    2 Background and related work
        2.1 DDoS and LDDoS attacks
        2.2 How SDN works
        2.3 Entropy mathematical model
        2.4 ANOVA mathematical model
    3 Methodology
        3.1 Preliminaries
        3.2 Worked example
            3.2.1 Traffic-anomaly attacks
        3.3 Entropy-augmented ANOVA
            3.3.1 Normal traffic simulation
        3.4 Detection procedure
        3.5 Automated chunk size
    4 Experiment design
        4.1 Architecture and environment
        4.2 Attack modes
        4.3 Detection methods
        4.4 Burst-traffic behaviour experiment
    5 DDoS attack experiment results and analysis
        5.1 Results
            5.1.1 DoS
            5.1.2 DDoS
            5.1.3 LDDoS
        5.2 Burst-traffic experiment results
        5.3 Observations and analysis
    6 Conclusion
    References

