Abstract
Software-defined networking (SDN) is a networking paradigm that decouples the control logic from the data plane. This decoupling brings programmability and flexibility to network management by introducing a centralized control infrastructure. The complete control logic resides in the controller, which therefore becomes the intelligence of the network and the most important entity of the SDN infrastructure. Despite these advantages, SDN faces several security issues at its various layers that may hinder the growth and global adoption of this groundbreaking technology; control plane exhaustion and switch buffer overflow are examples of such issues. Distributed denial-of-service (DDoS) attacks are among the most severe: a flood of packets that miss the switch flow table generates a packet-in message for every miss, and the resulting load can exhaust the controller's CPU and halt the functioning of the whole SDN network. Hence, a defense mechanism is needed to mitigate the attack. In this paper, we present a defense solution that mitigates spoofed flooding DDoS attacks. The proposed defense solution is implemented in the Ryu controller. The mitigation method is based on the concept of moving target defense (MTD) and the built-in capabilities of SDN. The experiments consider a spoofed TCP SYN flooding attack, and the proposed solution is evaluated by measuring the controller's CPU usage. The experimental results show that the proposed defense solution mitigates the attack effectively.
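The mechanism behind the threat described in the abstract, and the shape of an SDN-native response to it, can be seen in a small simulation. The following is an added example, not the paper's code and not the authors' Ryu application: a toy OpenFlow-style switch and reactive controller in which every flow-table miss costs the controller one unit of CPU. A legitimate client pays that cost once, because its first SYN installs an exact-match rule; a spoofed SYN flood pays it on every packet, because every packet carries a fresh source address. The mitigation shown is a generic illustration of the MTD idea (a per-destination packet-in budget that, when exceeded, moves the protected server to a new virtual IP and leaves a switch-level drop rule behind for the old one); the class names, the `10.0.0.10`/`10.9.x.1` addresses, the threshold of 20 and all traffic are constructed here, and the scheme is not the paper's own.

```python
"""Added example: spoofed SYN flood against a toy OpenFlow-style controller,
with a drop-rule plus virtual-IP-mutation mitigation. All traffic constructed."""
from collections import Counter


class Switch:
    """Flow table of (priority, match, action); a table miss raises packet_in."""

    def __init__(self, controller):
        self.controller = controller
        self.rules = []          # kept sorted, highest priority first
        self.packet_ins = self.forwarded = self.dropped = 0

    def install(self, priority, match, action):
        self.rules.append((priority, match, action))
        self.rules.sort(key=lambda rule: rule[0], reverse=True)

    def receive(self, pkt):
        for _, match, action in self.rules:
            if all(pkt.get(field) == value for field, value in match.items()):
                break
        else:                                    # table miss: ask the controller
            self.packet_ins += 1
            action = self.controller.packet_in(self, pkt)
        if action == "drop":
            self.dropped += 1
        else:
            self.forwarded += 1
        return action


class Controller:
    """Reactive forwarding plus a per-virtual-IP packet_in budget (hypothetical MTD)."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.misses = Counter()      # packet_in count per virtual IP
        self.vip_of, self.real_of = {}, {}   # server -> vIP, vIP -> server
        self.cpu_units = 0           # one unit of controller work per packet_in
        self.epoch = 0

    def register(self, server, vip):
        self.vip_of[server], self.real_of[vip] = vip, server

    def current_vip(self, server):
        # Legitimate clients learn the live vIP out of band (e.g. a resolver the
        # controller updates); an attacker fixed on the old vIP does not.
        return self.vip_of[server]

    def packet_in(self, switch, pkt):
        self.cpu_units += 1
        dst = pkt["dst"]
        server = self.real_of.get(dst)
        if server is None:           # stale/unknown vIP: let the switch absorb it
            switch.install(200, {"dst": dst}, "drop")
            return "drop"
        self.misses[dst] += 1
        if self.misses[dst] > self.threshold:
            self.mutate(switch, server)          # too many misses: move the target
            return "drop"
        # Exact-match rule: a genuine client's later SYNs never reach the controller.
        switch.install(100, {"src": pkt["src"], "dst": dst}, "forward")
        return "forward"

    def mutate(self, switch, server):
        old = self.vip_of[server]
        self.epoch += 1
        new = f"10.9.{self.epoch}.1"             # abstracts a real rewrite/NAT rule
        del self.real_of[old]
        self.real_of[new], self.vip_of[server] = server, new
        # Drop rule outranks the per-source forward rules already installed for old.
        switch.install(200, {"dst": old}, "drop")


def run_scenario(attack_pkts=500, threshold=20):
    ctl = Controller(threshold)
    sw = Switch(ctl)
    ctl.register("web", "10.0.0.10")
    client = "192.168.1.5"
    # Phase 1: one legitimate client, 50 SYNs -> 1 packet_in, then flow-table hits.
    for _ in range(50):
        sw.receive({"src": client, "dst": ctl.current_vip("web")})
    # Phase 2: spoofed SYN flood at the original vIP, a distinct source per packet
    # (random in a real attack; sequential here so the run is deterministic).
    for i in range(attack_pkts):
        sw.receive({"src": f"172.16.{i >> 8}.{i & 255}", "dst": "10.0.0.10"})
    # Phase 3: the legitimate client re-resolves the vIP and reconnects 5 times.
    for _ in range(5):
        sw.receive({"src": client, "dst": ctl.current_vip("web")})
    return {"packet_ins": sw.packet_ins, "cpu_units": ctl.cpu_units,
            "forwarded": sw.forwarded, "dropped": sw.dropped,
            "rules": len(sw.rules), "vip_moved": ctl.current_vip("web") != "10.0.0.10"}


if __name__ == "__main__":
    print("unmitigated:", run_scenario(threshold=10**9))   # 501 packet_ins, 501 rules
    print("mitigated:  ", run_scenario(threshold=20))      # 22 packet_ins, 481 dropped
```

Two things the run makes visible that the abstract only names: the unmitigated case costs the controller one packet-in per spoofed packet and also pushes one useless exact-match rule per packet into the switch table (the switch buffer overflow problem), whereas with the budget in place the controller handles 22 packet-ins in total and the remaining 481 attack packets are dropped by the switch without any controller involvement. The caveat a practitioner should keep in mind is that address mutation breaks in-flight legitimate sessions to the old address and requires a trusted path for clients to learn the new one; a real deployment must also size the threshold against normal per-destination miss rates so that a benign burst does not trigger a move.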
Data Availability
Data sharing not applicable to this article as no datasets were generated or analysed during the current study.
Acknowledgements
The research work is supported by MHRD. The experiments were conducted in the AI/ML laboratory of Manipal University Jaipur.
Funding
The work is funded by MHRD.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Swami, R., Dave, M. & Ranga, V. Mitigation of DDoS Attack Using Moving Target Defense in SDN. Wireless Pers Commun 131, 2429–2443 (2023). https://doi.org/10.1007/s11277-023-10544-8