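Basic Thesis Information

Document type
Dissertation
Author

홍기원 (Korea University, Korea University Graduate School)

Advisor
朴鎭雨
Year of publication
2018
Copyright
Korea University theses are protected by copyright.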

Abstract · Keywords

Distributed Denial of Service (DDoS) attacks purposely exhaust the system resources of a target system to disrupt its services. Among DDoS attacks, the HTTP DDoS attack is a representative attack pattern against web servers. The HTTP DDoS attacker tries to make a web server unavailable by sending a significant number of HTTP GET messages to the target web server using compromised hosts, called bots or zombie PCs. This attack is often called the HTTP GET flooding DDoS attack. Alternatively, the attacker could exploit the HTTP property that a web server maintains a connection until an HTTP message is completed. If incomplete HTTP messages are continuously sent through a number of connections, the connection resources of the web server will soon be exhausted. This attack is called the Slow HTTP DDoS attack.

DDoS defense mechanisms can be classified into two categories, network-based and destination-based, depending on where the defense mechanism is deployed. Network-based DDoS defense mechanisms are deployed on network devices such as switches or routers. When traffic entering the network devices reveals an abnormal pattern, the network devices with network-based DDoS defense mechanisms detect and mitigate DDoS attacks. Destination-based (server-side) DDoS defense mechanisms are deployed on end systems such as web servers. When the end system detects a symptom of an attack, the destination-based DDoS defense mechanisms detect and mitigate DDoS attacks.

Many DDoS defense methods have been investigated to defend against HTTP DDoS attacks, relying mainly on destination-based DDoS defense mechanisms. This is because, unlike typical DDoS attacks that generate high-volume and high-rate traffic, HTTP DDoS attack traffic is similar to the traffic generated by legitimate clients, which makes it difficult to detect on network devices with network-based DDoS defense mechanisms.

The desired behavior of a DDoS defense mechanism is to detect DDoS attacks before they inflict damage on the target system and to block detected attacks as close as possible to the attack source. In this respect, the network-based DDoS defense mechanism is preferable to the destination-based DDoS defense mechanism. In the network-based DDoS defense mechanism, the network devices can detect DDoS attacks before the target web server does. It may also be preferable to cooperate with network devices to mitigate the attack traffic close to the attack sources.

Software Defined Networking (SDN) is a suitable networking paradigm for providing an effective network-based DDoS defense against various types of DDoS attacks. The centralized SDN controller in the SDN architecture can detect DDoS attacks in the network by utilizing the global view of its own network and employing a wider variety of external application algorithms for DDoS defense. This is feasible because the SDN controller can actively defend against various types of DDoS attacks by deploying security policies in the form of flow rules to the forwarding devices.

This dissertation describes an SDN-based HTTP DDoS defense mechanism that can defend against HTTP DDoS attacks in the network. In the defense method presented in this work, the HTTP DDoS defense mechanism is deployed on the SDN controller in the form of an SDN application. The HTTP DDoS Defense Application (HDDA) running on the SDN controller receives the HTTP messages from suspicious clients reported by the web server. On behalf of the web servers, HDDA analyzes the suspicious HTTP messages to decide whether they constitute a real HTTP DDoS attack. The decision made by HDDA is used to block HTTP DDoS attack traffic by deploying flow rules that block the attack traffic at network devices such as routers and switches in the network. This mechanism gives rise to several advantages: (1) relieving the web server of installing and operating heavy algorithms or equipment for HTTP DDoS defense, (2) allowing the web server to keep carrying out its own service tasks without any disruption, and (3) reducing the overall cost of defending against HTTP DDoS attacks and enhancing the defense capability by centralizing efficient DDoS defense mechanisms on the SDN controller.

The performance analyses demonstrate that the proposed SDN-based HTTP DDoS defense method can successfully mitigate the problems caused by HTTP GET Flooding and Slow HTTP DDoS attacks. It was also proved that the proposed method can effectively provide HTTP DDoS attack immunity to the web server without server-side defense mechanisms. Based on the proposed SDN-based HTTP DDoS defense mechanism and the accompanying performance evaluation results, the proposed methodology is expected to provide greater safety and reliability to Internet service providers and web service providers facing an increasingly diverse Internet service era.

Table of Contents

Chapter 1 Introduction
Chapter 2 Related Work
2.1 DDoS Attacks
2.2 DDoS Defense Mechanisms
2.3 SDN (Software-Defined Networking)
2.4 SDN-Based DDoS Defense Research
Chapter 3 HTTP DDoS Defense Method Based on the SDN Architecture
3.1 HTTP DDoS Defense System Based on the SDN Architecture
3.1.1 System Overview
3.1.2 System Configuration
3.1.3 System Goals
3.1.4 System Operation
3.2 Slow HTTP DDoS Defense Technique Based on the SDN Architecture
3.2.1 Slow HTTP DDoS Detection Request
3.2.2 Slow HTTP DDoS Detection and Response
3.2.3 Performance Analysis
3.3 HTTP GET Flooding DDoS Defense Technique Based on the SDN Architecture
3.3.1 HTTP GET Flooding DDoS Detection Request
3.3.2 HTTP GET Flooding DDoS Detection and Response
3.3.3 Performance Analysis
3.4 Future Work
Chapter 4 Conclusion
References
