1. Introduction

2. Background

3. Problem Modeling Modeling and Statement

4. The Proposed Method Proposed

4.1. DDoS Detection and Mitigation System Using sFlow

The suggested DDoS detection and mitigation system is based on real-time traffic monitoring in Software Defined Network (SDN) network environment as a defense model against DDoS attacks. The security system uses statistics maintained while monitoring the traffic passing through SDN OpenFlow switches to detect malicious traffic. Once the attack is detected, the proposed defense system tracks the hosts causing them in order to block them for a specific period of time, allowing only legitimate users to use network facilities by sending packets through OpenFlow switches and links in the SDN network.

Traffic monitoring is crucial for DDoS attacks detection and mitigation by using tools, one of the available tools is sampling Flow (sFlow). Furthermore, sFlow is a sampling technique that can be used to monitor network traffic. The sFlow can be utilized to detect different type of DDoS attacks such as SYN flood, UDP user datagram protocol, etc. Moreover, the OpenFlow and sFlow protocols have provided SDN researchers with an integrated flow monitoring and control system the OpenFlow controller can be utilized to specify the flows to be monitored by sFlow, making controller the layer that sends packet-out messages to program forwarding rules to switches. In this context, in order to get the most out of the sFlow, we will use the powerful analytic engine called sFlow-RT to collect real-time statistics of the switches. In general, the sFlow-RT can be used for traffic monitoring by recording related-time statistics. It is used for load balancing, DDoS attack detection and mitigation. In addition, there are three main components of sFlow which are: i) sFlow collector in external controller or in SDN controller, ii) sFlow agents that are built into the Openvswitch, and iii) sFlow protocol. [23].

The main idea is that the sFlow agents are built into the OpenFlow switches in an SDN network. The primary task of sFlow agents is to send samples of the network traffic from a particular network device such as switches or routers to sFlow collector in the external controller. Then, the sFlow collector can utilize tools like inMon sFlow-RT to automatically detect and mitigate the huge long-queue flows in real-time, see Figure 4 for more details. The sFlow agents embedded in the OpenFlow switches communicate with sFlow collector via sFlow protocol, whereas the OpenfFow switches communicate with OpenDaylight over OpenFlow protocol as shown in Figure 5. The sFlow agent encapsulates sample flow and interfaces counters into sFlow data-grams. These data-grams are sent by sFlow agents to sFlow collector in the external controller via sFlow protocol.

The sFlow agents sample traffic packets based on probability specified by network administrators, network operators, or the end-users. These agents also send interface counters to sFlow collector. Network users can also set threshold for traffic and sampling rates. The primary roles of the SDN collector are to analyze the traffic samples and take measures against DDoS attacks in order to mitigate or stop these attacks if possible.

In addition, the REST APIs, also known an architectural style for an application program interface (API) help each application to retrieve metrics, configure flows, receive notifications, and set appropriate threshold values using $GET$, $PUT$, $POST$ and $DELETE$ data types, which refers to the reading, updating, creating and deleting of operations concerning resources. The sFlow agents can be embedded into OpenFlow switches by using the following code:

The above instruction codes will configure or enable sFlow in OpenvSwitch. The sFlow agent of $eth1$ is embedded into the IP address (192.168.56.102) of the controller. Besides, the sampling rate is set at 300 which means for every 300 packets captured by sFlow agent, one packet is sent to sFlow collector. The polling interval is set at 15 seconds, which means that the agent will send a data-gram to sFlow collector every 15 seconds. Figure 5 shows flow diagram of sFlow agent processing.

All deployed sFlow agents in OpenFlow switches will send traffic samples to the sFlow Real-time (RT) analytic engine. This engine sends a real-time notification of the potential DDoS and information about Bots and the victim server to the relevant application. This Application triggers the controller by using $RESTAPI$ to send instructions to switches to mitigate the DDoS attack. The listed Algorithm 1 demonstrates a pseudo-code designed for DDoS detection and mitigation. The algorithm checks the traffic flows $\lambda$ at any time t in all switches in the SDN network through sFlow that allows to check the usage of the bandwidth accordingly. Once the traffic reaches a pre-set threshold value $\theta$ that identifies to mean a DDoS attack is detected. In this paper $\theta$ is kept equal to 10% of the bandwidth (D), $\theta ={\displaystyle \frac{D}{100}}\times 10$. The utilization of bandwidth is u. It is noteworthy to note that $\theta$ could take any other value, depending on network administrator. The algorithm then blocks the users who behave like a Bot by keeping them on hold for T seconds.

Algorithm 1 Flow Monitoring and DDoS Attack Detection

5. Testbed and Evaluation

5.4. Case Study

The proposed method for detecting and mitigating the DDoS attacks in an SDN environmental setup is implemented by utilizing sFlow and OpenFlow protocols for performance evaluation.

The star topology as shown in Figure 6 has been used. The number of nodes in the SDN network is 13 nodes, there are 9 hosts in this network, $H=9$, four of these hosts are legitimate users, that is, $U=4$ and four of them are bots, $B=4$ and one host is a server. Furthermore, there is also one controller $C=1$ and four OpenFlow switches, $S=4$. We will use an OpenDaylight controller (Nitrogen version) and OpenvSwitch to receive/forward commands using OpenFlow protocols. In addition, the legitimate user sends traffic at rate $\lambda =$ 10 to 80 Kbps, whereas the bot sends traffic at rate $\lambda$ between 1 Mbps and 10 Mbps. Table 1 lists more details about users and traffic rates for generating SDN traffic jam.

The sFlow agents have been configured for all OpenFlow switches of Figure 6, which are described in Table 1. All the OpenFlow switches have been configured automatically using Python.The malicious traffic is generated by using the following $Hping3$ command:

The top four charts in Figure 7 shows regular traffic that is generated by legitimate users, whereas the high traffic generated by the $Hping3$ command to mimic the behavior of the DDoS attack in the SDN network generated by four Bots hosts as demonstrated in the bottom four charts of the same figure.

Figure 8 illustrates the SDN network traffic of the device with IP (192.168.11.35) with and without the DDoS mitigation algorithm. As shown in Figure 9, the traffic exceeds the pre-set threshold of 1.25Mbps in the beginning, which happens because the detection and mitigation algorithms are not running as the controller had not been enabled. Then, after running the detection and mitigation algorithm, the traffic is kept below the threshold value. The suspension of IP address has been set to last for around 60 seconds. Subsequently, the mitigation algorithm removes the suspension after 60 seconds to re-trigger provided the Bot has been still attacking.

Figure 8 shows the DDoS attack performed by just one Bot (Host number 5) with IP address of 192.168.11.35. The Figure confirms that the proposed detection and mitigation algorithm (sFlow-based) is sufficient and can mitigate a large number of DDoS attacks on SDN networks. Figure 9 shows when the sFlow controller is active shown in blue color or pending shown in orange color.

The results also show that the detection time is around 3 seconds in this setting. The authors believe that the results are not fixed as as they may vary based on the value and on the type of DDoS attacks. In addition, the main advantage of using sFlow-based algorithm is that it does not overwhelm the controller with huge mass of overhead data that can delay the traffic by increasing the latency of packets in SDN network because it sends just a sample of the traffic.

Comparing our initial results with the result proposed in framework [26,27,28], our system can detect and mitigate any type of DDoS attack, whereas the work in [26] can only detect SYN DDoS attacks. In addition, the work provided by the authors in manuscript [27] can only detect massive traffic whereas our method can detect low traffic DDoS attacks and mitigate them. The authors in [28] have thwarted the DDoS attacks by remapping controller to send access control back to the data plane, causing latency issues. However, in this paper the increase in the network size is not affecting the overhead traffic between the controller and OpenFlow switches adversely by keeping the sampling rate lower to keep the overhead traffic down.

6. Related Work

7. Conclusion

8. Future Work

References

1. Khan, Latif U. , Zhu Han, Walid Saad, Ekram Hossain, Mohsen Guizani, and Choong Seon Hong. "Digital twin of wireless systems: Overview, taxonomy, challenges, and opportunities.". IEEE Commun. Surv. Tutor. 2022, 24, 2230–2254. [CrossRef]
2. Goransson, Paul, Chuck Black, and Timothy Culver. Software defined networks: a comprehensive approach. Morgan Kaufmann, 2016.
3. Sarwar, Asima, Abdullah M. Alnajim, Safdar Nawaz Khan Marwat, Salman Ahmed, Saleh Alyahya, and Waseem Ullah Khan. "Enhanced anomaly detection system for iot based on improved dynamic SBPSO.". Sensors 2022, 22, 4926.
4. Dhruba Kumar Bhattacharyya and Jugal Kumar Kalita. 2016. DDoS Attacks: Evolution, Detection, Prevention, Reaction, and Tolerance. CRC Press.
5. Harish Barapatre, Jai Deshmukh, Vikrant Kapse, and Pritam Patil. DDoS Spyware for Cloud Computing Environment.
6. Wang, An, Wentao Chang, Songqing Chen, and Aziz Mohaisen. "Delving into internet DDoS attacks by botnets: characterization and analysis.". IEEE/Acm Trans. Netw. 2018, 26, 2843–2855. [CrossRef]
7. Hussain, Mudassar, Nadir Shah, Rashid Amin, Sultan S. Alshamrani, Aziz Alotaibi, and Syed Mohsan Raza. "Software-defined networking: Categories, analysis, and future directions.". Sensors 2022, 22, 5551.
8. Neelam Dayal and Shashank Srivastava. 2017. Analyzing Behavior of DDoS Attacks to Identify DDoS Detection Features in SDN. In 2017 9th International Conference on Communication Systems and Networks (COMSNETS), pp. 274-281. IEEE. [CrossRef]
9. Aladaileh, Mohammad A. , Mohammed Anbar, Iznan H. Hasbullah, Yung-Wey Chong, and Yousef K. Sanjalawe. "Detection techniques of distributed denial of service attacks on software-defined networking controller–a review.". IEEE Access 2020, 8, 143985–143995. [CrossRef]
10. Rawat, Danda B. , and Swetha R. Reddy. "Software defined networking architecture, security and energy efficiency: A survey.". IEEE Communications Surveys and Tutorials 2016, 19, 325–346.
11. Open Network Foundation. (2015, May). OpenFlow Switch Specification (Version 1.5.1). [Online]. Available: https://www.opennetworking.org/wp-content/uploads/2014/10/openflow-switch-v1.5.1.pdf.
12. Tr, O. (2015). Principles and Practices for Securing Software-Defined Networks. Open Networking Foundation. Palo Alto CA, USA.
13. Bhattacharyya, D. K. , and Kalita, J. K. (2016). DDoS Attacks: Evolution, Detection, Prevention, Reaction, and Tolerance. CRC Press.
14. Douligeris, C. , and Mitrokotsa, A. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks 2004, 44, 643–666. [Google Scholar] [CrossRef]
15. Holl, P. (2015). Exploring DDoS Defense Mechanisms. Network, 25.
16. Mousavi, S. M. , and St-Hilaire, M. (2015). Early detection of DDoS attacks against SDN controllers. In 2015 International Conference on Computing, Networking and Communications, ICNC 2015 (pp. 77-81). IEEE. [CrossRef]
17. Keromytis, A. D. Misra, V., and Rubenstein, D. (2002). Using overlays to improve network security. In Proceedings of SPIE ITCom Conference on Scalability and Traffic Control in IP Networks II (Vol. 2002).
18. Wang, H. , Zhang, D., and Shin, K. G. Detecting SYN flooding attacks. In INFOCOM 2002. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE 2002, 3, 1530–1539. [Google Scholar]
19. Lersak Limwiwatkul and Arnon Rungsawang, "Distributed denial of service detection using TCP/IP header and traffic measurement analysis," in Communications and Information Technology, 2004. ISCIT 2004. IEEE International Symposium on 2004, 1, 605–610. [CrossRef]
20. Rodrigues, Bruno, Eder Scheid, Christian Killer, Muriel Franco, and Burkhard Stiller. "Blockchain signaling system (BloSS): cooperative signaling of distributed denial-of-service attacks.". Journal of Network and Systems Management 2020, 28, 953–989. [CrossRef]
21. Haider, Shahzeb, Adnan Akhunzada, Iqra Mustafa, Tanil Bharat Patel, Amanda Fernandez, Kim-Kwang Raymond Choo, and Javed Iqbal. "A deep CNN ensemble framework for efficient DDoS attack detection in software defined networks.". Ieee Access 2020, 8, 53972–53983. [CrossRef]
22. Doshi, Keval, Yasin Yilmaz, and Suleyman Uludag. "Timely detection and mitigation of stealthy DDoS attacks via IoT networks.". IEEE Transactions on Dependable and Secure Computing 2021, 18, 2164–2176.
23. Aslam, Muhammad, Dengpan Ye, Aqil Tariq, Muhammad Asad, Muhammad Hanif, David Ndzi, Samia Allaoua Chelloug, Mohamed Abd Elaziz, Mohammed AA Al-Qaness, and Syeda Fizzah Jilani. Adaptive machine learning based distributed denial-of-services attacks detection and mitigation system for SDN-enabled IoT.". Sensors 2022, 22, 2697.
24. Alsaeedi, Mohammed, Mohd Murtadha Mohamad, and Anas A. Al-Roubaiey. "Toward adaptive and scalable OpenFlow-SDN flow control: A survey.". IEEE Access 2019, 7, 107346–107379. [CrossRef]
25. Gupta, Neelam, Mashael S. Maashi, Sarvesh Tanwar, Sumit Badotra, Mohammed Aljebreen, and Salil Bharany. "A comparative study of software defined networking controllers using mininet.". Electronics 2022, 11, 2715. [CrossRef]
26. Nugraha, M. , Paramita, I., Musa, A., Choi, D., and Cho, B. Utilizing OpenFlow and sFlow to Detect and Mitigate SYN Flooding Attack. Journal of Korea Multimedia Society 2014, 17, 988–994. [Google Scholar] [CrossRef]
27. Lin, H. , and Ping Wang. "Implementation of an SDN-based security defense mechanism against DDoS attacks." In Proceedings of the 2016 Joint International Conference on Economics and Management Engineering (ICEME 2016) and International Conference on Economics and Business Management (EBM 2016). 2016.
28. Wang, Yang, Tao Hu, Guangming Tang, Jichao Xie, and Jie Lu. "SGS: Safe-guard scheme for protecting control plane against DDoS attacks in software-defined networking.". IEEE Access 2019, 7, 34699–34710. [CrossRef]
29. Wani, Azka, and Rubeena Khaliq. "SDN-based intrusion detection system for IoT using deep learning classifier (IDSIoT-SDL).". CAAI Transactions on Intelligence Technology 2021, 6, 281–290. [CrossRef]
30. Varghese, Josy Elsa, and Balachandra Muniyal. "An Efficient IDS framework for DDoS attacks in SDN environment.". IEEE Access 2021, 9, 69680–69699. [CrossRef]
31. Mousavi, Seyed Mohammad, and Marc St-Hilaire. "Early detection of DDoS attacks against SDN controllers." In 2015 international conference on computing, networking and communications (ICNC), pp. 77-81. IEEE, 2015.
32. Mousavi, Seyed Mohammad, and Marc St-Hilaire. "Early detection of DDoS attacks against SDN controllers." In 2015 international conference on computing, networking and communications (ICNC), pp. 77-81. IEEE, 2015.
33. Lim, Sharon, J. Ha, H. Kim, Y. Kim, and S. Yang. "A SDN-oriented DDoS blocking scheme for botnet-based attacks." In 2014 Sixth International Conference on Ubiquitous and Future Networks (ICUFN), pp. 63-68. IEEE, 2014.
34. Phan, Trung V., Nguyen Khac Bao, and Minho Park. "A novel hybrid flow-based handler with DDoS attacks in software-defined networking." In 2016 Intl IEEE Conferences on Ubiquitous Intelligence and Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), pp. 350-357. IEEE, 2016.
35. Eliyan, Lubna Fayez, and Roberto Di Pietro. "DoS and DDoS attacks in Software Defined Networks: A survey of existing solutions and research challenges.". Future Generation Computer Systems 2021, 122, 149–171. [CrossRef]
36. Macedo, R. , de Castro, R., Santos, A., Ghamri-Doudane, Y., and Nogueira, M. (2016). Self-organized SDN controller cluster conformations against DDoS attacks effects. In 2016 IEEE Global Communications Conference, GLOBECOM 2016 - Proceedings (pp. 1-6). IEEE. [CrossRef]
37. Yan, Q. Gong, and F. Richard Yu. "Effective software-defined networking controller scheduling method to mitigate DDoS attacks.". Electronics Letters 2017, 53, 469–471. [Google Scholar] [CrossRef]
38. Zhang, P. , Wang, H., Hu, C., and Lin, C. On Denial of Service Attacks in Software Defined Networks. IEEE Network 2016, 28–33. [Google Scholar] [CrossRef]
39. Xu, Yang, and Yong Liu. "DDoS attack detection under SDN context." In IEEE INFOCOM 2016-the 35th annual IEEE international conference on computer communications, pp. 1-9. IEEE, 2016.
40. Aladaileh, Mohammad A. , Mohammed Anbar, Iznan H. Hasbullah, Yung-Wey Chong, and Yousef K. Sanjalawe. "Detection techniques of distributed denial of service attacks on software-defined networking controller–a review.". IEEE Access 2020, 8, 143985–143995. [CrossRef]
41. Hussain, M. , Shah, N., Amin, R., Alshamrani, S.S., Alotaibi, A. and Raza, S.M. Software-defined networking: Categories, analysis, and future directions. Sensors 2022, 22, 5551. [Google Scholar] [CrossRef]
42. (2018, March). [Online]. Available: https://sflow-rt.com (Accessed: Mar. 2018).
43. Controlling Large Flows with OpenrFlow. [Online]. Available: https://blog.sflow.com/2013/05/controlling-large-flows-with-openflow.html: https://blog.sflow.com/2013/05/controlling-large-flows-with-openflow.html (Accessed: May. 2018).