Mitigation of DDoS Attack Using Moving Target Defense in SDN

Wireless Personal Communications

Abstract

Software-defined networking (SDN) is a trending networking paradigm that decouples the control logic from the data plane. This decoupling brings programmability and flexibility to network management by introducing a centralized infrastructure. The complete control logic resides in the controller, which makes it the intelligent and most important entity of the SDN infrastructure. Despite these advantages, SDN faces several security issues in its various layers that may prevent the growth and global adoption of this groundbreaking technology. Control plane exhaustion and switch buffer overflow are examples of such security issues. Distributed denial-of-service (DDoS) attacks are among the most severe attacks; they aim to exhaust the controller's CPU and thereby halt the functioning of the whole SDN network. Hence, it is necessary to design a defense mechanism to mitigate the attack. In this paper, we present a defense solution to mitigate spoofed flooding DDoS attacks. The proposed defense solution is implemented in the Ryu controller. The mitigation method is based on the concept of moving target defense (MTD) and the existing built-in capabilities of SDN. In this work, the experiments are performed considering the spoofed SYN flooding attack. The proposed solution is evaluated using CPU usage. The experimental results reveal that the proposed defense solution mitigates the attack effectively.

Data Availability

Data sharing not applicable to this article as no datasets were generated or analysed during the current study.

Acknowledgements

The research work is supported by MHRD. The experiments were conducted in the AI/ML laboratory of Manipal University Jaipur.

Funding

The work is funded by MHRD.

Author information

Corresponding author

Correspondence to Virender Ranga.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

About this article

Cite this article

Swami, R., Dave, M. & Ranga, V. Mitigation of DDoS Attack Using Moving Target Defense in SDN. Wireless Pers Commun 131, 2429–2443 (2023). https://doi.org/10.1007/s11277-023-10544-8

  • DOI: https://doi.org/10.1007/s11277-023-10544-8
