Detection and Mitigation of Malicious DDoS Floods in Software Defined Networks

Abstract Software-defined networking (SDN) has revolutionized network management by providing modular control and data plane attributes for flexible network management. It implies the concept of separating the control and data plane attributes for flexible network management. However, centralized management due to control plane separation in SDN also exposes it to cyber threats such as Distributed Denial-of-service (DDoS) attacks that can compromise the SDN controllers. In recent research, entropy-based attack detection approaches showed much significance among other detection methods but relying on entropy itself can neglect detection in several variables such as variations in flow specification. Based on these limitations, in this work, we have designed a DDoS attack detection framework inside the SDN control plane by integrating the packet flow initiation and its specifications properties with entropy-based algorithm to ensure correct measures of attack detection. The simulation is performed on Mininet network simulator, for implementing SDN architecture and the testbed is created on UDP flood attacks on commonly used data-centric tree topologies. Based on experimentation, this lightweight framework is designed to mitigate DDoS attacks by detecting its effects in the early stages to prevent SDN controller being hijacked due to immense packet flooding Based on the results, the proposed solution assures the SDN-based DDoS attack detection and mitigation under 150 packets maintaining significantly low detection time and high accuracy.accuracy.