SDN mainly consist of three components, that is the application layer, the data plane
also known as infrastructure layer, and the control plane. The application is mainly located
within the upper side, and contains several application logic and Northbound interfaces,
NBIs. The control plane exists within the middle, and contains NBIs, control-Data-planeinterfaces, CDPIs, and the control logic. On the other hand, the data plane is located in the
bottom of the design and contains several CDPIs and the forwarding engines (Blial et al.,
2016). The NBIs aids the application plane to communicate with the control plane, and sends
down their network needs to the controller whereas the control plane sends up the desired
network behavior, events, and statistics to offer application with abstract view of the entire
networks. Nevertheless, the CDPIs or southbound interface aid the network components that
exists within the infrastructure plane to communicate with the control plane. Also, the data
layer transfers its statistics, events, notifications, and reports up to the control layer, while, in
turn, the control layer sends down its network needs to the network components that exists
within the data layer, and the data plane obeys the stipulated rules of the control plane (). On
the other hand, the management and admin element are accountable for offering static tasks
to all the planes, which encompasses of the data plane, control plane, and application.
Further, the service agreement and contracts, SLAs, would be configured within the last
element, that is, the application plane (Li, Chen and Fu, 2019). Lastly, the design has multiple
coordinators, which are spread in the control and data plane, which are responsible to set up
the isolation and share configuration between the control and data plane.
The OpenFlow switch is an example of data plane and provides an open protocol that
is the OpenFlow protocol, which aids the researchers in programming the flow table that exist
in the networking devices. The administrators can inserts their novel protocols and security
paradigm, also, they can add their addressing strategy rather than the present IP protocol
model. However, they could merely separate their research flows from the production flows,
to ensure they adopt and test their new concepts without interfering with others. The switch
entails three main segments, which are the flow table, OpenFlow protocol, and secure
channel. The switch contains several flow tables, and every flow table contains several flow
entries. Every entry within the table contains three fields, and the packet header is the initial
field, which identifies every flow (Priya and Radhika, 2019). The header contains certain
information like the ethernet sources address, type of ethernet, ethernet destination address,
TCP port number, IP source address, TCP port number, and IP destination address. The
action within the second field aids the switch in addressing the received flow’s packets.
Statistics in the third field, which keeps information concerning the packets like number of
packets, time since the last packet match flow, and the number of bytes. Additionally, the
secure channel is another section of the switch, which assists instructions and packets to be
send back and forth between the switch and controller in a secure environment. the final
segment is the OpenFlow, which provides an open and standard path for controller to
communicate with the switch.
There are primarily three forms of actions that can be executed by the switch, where
the fist action forwards a flow to a particular port to allow the packets reach their destination.
This situation is applicable when there are rules in the flow table regarding how to address
the received flow. The second action encapsulates and forwards merely the first package of
every flow to the controller via secure channel. This can only occur if there is no saved action
within the flow table concerning how to process that flow. The key reason for the
encapsulation and forwarding the initial packet for every flow towards the controller is to
essentially reduce the controller bottleneck of the overhead. In other case, all the packets in
every flow send to the controller for processing (Bholebawa and Dalal, 2018). After processing
the flow within the controller, response is sent and saved within the corresponding flow entry.
The third action essentially drops the flow, which is executed to significantly prevent attacks
like the DDoS attacks, or even to reduce the fake broadcast traffic from the end users. Lastly,
these rules and actions are installed by the controller within the data layer. Further, these
actions can be installed proactively by the controller that means on its accord. However, the
controller can select to install such actions reactively in line with the reports or notifications
from switches if there are no matches amid the incoming packets and existing rules.
Overview of DDoS Attack
This form of attack leads to the inability of authentic user to access various services;
hence, it is considered as the DoS, the Denial of Service, attacks. In most cases of the attack,
the hacker would send services inquiries to enterprise mainly to register with the company or
acquire connection to certain enterprises authentic services instances. The inquires would
overwhelm the firm’s server and would be unable to deliver the required services to other
legitimate users. Another plausible attack instance is the one in which several machines are
utilized to execute a DoS attack. The firm’s network links numerous essential machines.
hence, suppose an attacker acquire access to one or more additional machines owned by the
company, this could abuse the opportunity and carry out the DoS attack against other systems
in similar network subnet (Alieyan et al., 2016). However, this attack is extensive in this
situation, the hacker can take over numerous machines and equally use them to access the
DoS. This form of DoS attacks is often described a thee Distributed Denial of Services attack,
Fig 1: DDoS attack classification
Besides Bandwidth and resource deficiency attacks, there are other classifications of
DDoS attacks, that is the resource and bandwidth depletion. The bandwidth depletion is a
form of an attack that tries to overwhelm the network using different network packets, and is
subdivided into the attack that either amplifies or floods the system. The amplification attacks
attempt towards the advantage of the IP address broadcast components found on the majority
of routers, while the flooding attacks mainly overwhelm the resources of a network by
sending excess quantity of UDP or ICMP packets (Cetinkaya, Ishii and Hayakawa, 2019). The
amplification attack component allows the directing system to offer a broadcast internet
protocol address rather than particular address as the destination address, like in Fragile or
Smurf attacks. On the other hand, in the resource depletion attacks, the hacker essentially
utilizes all the resources of the targeted system. This form of attack can be conducted by
attacking the network protocols like Neptune, or creating malformed packets, and sending
them over the network to the targeted machine.
DDoS attack detection
The main strategies in detecting DDoS attacks are categorized as the detection of
attack created on the traffic components and the detection of attack created on the traffic
abnormality. The initial gathers several attack attributes and creates a database of the DDoS
attack attributes. Thus, it can be determined if the DDoS attacks the network by linking and
assessing the data statistics encompassed within the current network data packet and the
nature of database. Further, the model reasoning, expert systems, features matching, and state
transition are main implementation techniques. These techniques are generally applied in the
construction of traffic models consisting of the analysis of aberrant flow variations to
evaluate whether or not the traffic is abnormal or determine if or not the server has been
attacked. The data gathering, filtering and processing for the irregularity detection are
approached by a variety of methods (Xu and Liu, 2016). The machine learning and statistic
analysis are the primary common techniques of anomaly detection. In the machine learning
detection, rather than setting up a fixed filter, an algorithm is mainly trained to continuously
update its filtering criteria founded on the network’s events.
An example of the system is the neural network, which consist of multiple nodes
operating in parallel for data processing. When the nodes are trained or provided with a huge
amount of the data, the collective knowledge of the nodes or neurons develop a pattern for
the processing of similar information. the three primary layers of the neural networks
includes the output, input, and hidden layers within the middle to process the input
information. further, as more information is processed, the nodes learn more and establishes
an explicit pattern. Since the algorithm is the driving force behind the decision making of
such networks, some universal algorithms within the network intrusion and detection of
anomaly are multilayer perception, MLP, Kmeans Clustering, K-M, Gaussian classifier,
GAU, and Markov model.
DDoS Attacks against the Controller
The control function is taken from the switch and given to the system controller,
which is considered as the brain of the network in the SDN architecture. The rules of parent
level are easily used to the network with the aid of the controller. Further, the controller can
essentially add novel regulations to the transmission devices and transform the existing rules.
Thus, it would enable it to carry out such changes through communication with the
transmission devices through a secure channel via the OpenFlow protocols. Unity and
continuity of the information traffic are guaranteed via this channel. Therefore, if the secure
channel malfunctions, the link between the transmission device and controller also breaks. In
most cases, the DDoS attacks is often centered on the SDN architecture. Hence, whereas the
hacker is attacking the SDN network, the system presents them with three key targets, as
illustrated in the figure below, to consume the controller sources, to occupy the bandwidth of
the channel amid the switch and controller, and to fill tables within the switch with redundant
flows (Mousavi and St-Hilaire, 2018). Additionally, in the DDoS attack against the controller,
the hacker sends s a huge quantity of packets to the OpenFlow switch through the zombie
users. Thus, making it challenging for the controller to distinguish between the traffic sent by
legal traffic and the attackers.
Fig 2: primary targets of DDoS attacks on SDN
The OpenFlow switch often operates by seeking a match within the flow input by
assessing the packet header, such as the source IP, target port, source port, and target IP
address among others. If a match is not found, the packet is sent to the controller by
encapsulating the packet header within the flow request with the OpenFlow protocol
PACKET_IN message. After which, the network controller responds with the OFPT
FLOW_MOD message that entails the intended processing on the packet and the flow’s
timeout in the flow table given to the packet (Kuerban et al., 2016). As the amount of packets
sent to the controller increases, the controller sources ate consumed, memory, bandwidth, and
CPU, thee new flow input for novel genuine packets arriving within the network cannot be
processed, that causes the collapse of the CDN architecture. The research conducted by
Alshamrani et al. (2017) established that the existing mechanisms to avert the DDoS attacks
are ineffective. They also assessed the impact of the misbehavior and the novel flow attacks
on SDN, and collected the traffic information from the transmission devices on the data layer
intermittently and after which used the machine learning cataloging algorithm to effectively
respond to the abrupt changes in the traffic that happened within the SDN architecture at the
attack moment. Additionally, the PACKET_IN messages that flows between the transmission
device and controller as the attack moment were applied as the base. The algorithms like
Naïve Bayes, NB, Support Vector Machine, SVM, and J48, were utilized for the
classification. Besides, Latah and Toker (2018) in their research detected the DDoS attacks by
assessing the rate of arriving packets within the period of attack. When certain packets,
among those that coming to the network controller, passed the pre-determined threshold, the
inspection unit, which applies the SVM was triggered to predict the DDoS flooding attacks.
On the other hand, Li et al (2018) suggested a bidirectional recurrent neural network,
RNN, theory covering all the layers of the SDN architecture to predict and essentially block
the DDoS attacks. Even though the projected technique was designed and developed for the
real-time prediction, and blocking of the DDoS attacks has an exceptional precision rate, it
might not be very effective in the large networks, in which more than a single controller is
utilized. Overall, the assessed method can disrupt the synchronized operations of the
controller and overall degrade the network performance.
DDoS Attacks against the OpenFlow Switch
Both the flow table and OpenFlow switch are perceived as the primary targets, since
they consist of the transmission, administrative and access control data. According to Li, Meng
and Kwok (2016), the hackers initially target to interrupt the functionality of the network
through virtual or physical unauthorized access to the system. Thus, making it implausible for
the OpenFlow switch to store the regulations covering all the flow since it has restricted
storage capacity. Also, as the packets originates from unidentified addresses, novel rules are
necessitated to be added to the OpenFlow switch. Therefore, the attacker sends a huge
quantity of packets from unknown address within a short period, the controller writes the
rules for these packets and sends them to the flow table, which causes the flow table with
restricted storage capacity to be full within a short time. Hence, no storage space is left in the
flow table for new rules to be stored. Therefore, the transmission of the authentic traffic
stops. Besides the flow table, the memory of the flow cache is equally targeted for DDoS
After receiving the packets generated in the input port, the switch with a responsive
cache memory device sent the packet to the flow cache memory. From the arriving packets,
the system searches for a match for the flows within the flow table, and if such match is
established, the packet is sent from the memory of the cache to the output port (Padmaja and
Vetriselvi, 2016). However, if the match is not found, the packet is sent to the controller
through the control channel plus PACKET_IN message that enable the controller to respond
with an OFPT_FLOW_MOD message by evaluating the idle_timeout and hard_timeout that
is responsible for defining the required rules for the packet and the period it would take the
rules to stay. When the rules are sent from the controller and the switch receives it, the packet
is processed and the written rules by the controller is taken into the transmission table cache
storage capacity to have the sent packets processed directly. This technique makes the
OpenFlow switch defenseless against any DDoS attacks. Thus, the huge quantity of the
packets sent to the switch by malicious nodes are taken to the memory cache, and the
response from controller that encompasses of the data on the flow regulations is anticipated.
Besides, the packets from malicious nodes fill the switch buffer and the packets originating
from the authentic users begins to drop (Bholebawa and Dalal, 2016).
The research conducted by Ye et al. (2018) collected information on the network traffic
generated from the transmission devices on the data layer through the use of controller. The
study extracted six-tuple distinctive values linked to the DDoS attack from the switch flow
table through SVM mechanism. A higher rate of prediction precision was established,
nonetheless, the test precision rate of the Internet Control Message Protocol, ICMP, attack
flow founded to be extremely low. However, the research by Myint Oo et al. (2019) showed that
numerous security needs are required as the SDN controller promptly manages the several
switches within the data layer. Further, they established that the required security could not
be attained with the existing software and equipment, which has not implemented the SDN
architecture. Essentially, the DDoS attack on the switches in the data layer pose a substantial
threat for the continuity of the network’s SDN architecture. The SVM-optimized G and C
parameters by the cross-validation-genetic algorithm, (CV-GA) were applied in the
prediction of the DDoS attacks. Nanda et al. (2016) suggested the application of algorithm of
machine learning, trained on the historical network attack information, to promptly categorize
the possible malicious association and the targets to reduce or eradicate the security threats.
The study applied C4.5, Decision Table, DT, Naïve Bayes, and Bayesian Network algorithm,
which established that the prediction of malicious users within the data layer through
estimations applying the machine learning algorithms was plausible. Guaranteeing the user
identification could enable the SDN controller to swiftly and efficiently write the new rules to
avert the attack, which is deemed significant for the efficacy and network continuity.
Another study by Jankowski and Amanowicz (2016) applied the algorithm of machine
learning of Learning Vector Quantization, LVQ1, Self-Organizing Maps, SOM, and their
improved version, Multi-pass Self-Organizing Maps, M-SOM, and Hierarchical Learning
Vector Quantization, H-LVQ1, among others to predict and effectively monitor malicious
events on the data layer. The study attained promising outcomes with the application of HLVQ1 algorithm as compared to the SOM, LVQ1 and M-SOM among other algorithms used
in the research. On the other hand, the study carried out by Meti, Narayan and Baligar (2017)
used two-stage research, in which, in the initial phase the K-Nearest Neighbors, KNN, and
Naïve Bayes machine learning algorithms were trained to distinguish amid the authentic and
attack traffic. The research detected the attacker through the application of a three-way
handshake service. The detected hacker was blocked by generating an access control list,
ACL. However, Mowla, Doh and Chae (2018) suggested a cognitive switch-based DDoS
prediction and mitigation within the SDN-driven content delivery networks. The study
applied the logistic regression and SVM algorithms for classification of traffic, and the
classification initiated the use of security rules to the switch, to avert from novel types of the
flooding attacks, and effectively predict and defend against every potential DDoS attack. The
research mainly focused on the DDoS attack within SDN structure and provides models of
machine learning supported with components selections techniques to predict the attack.
Thus, the objective of developing DDoS attack prediction system founded on a high rate of
fertility of the machine learning for SDN structure. The prediction of the DDoS attack on the
SDN controller and switches located within the data layer are extremely significant for the
network continuity and the authentic traffic prediction at the moment of attack. Thus, if the
system detects an attack traffic on the controller, it is easier for the controller to promptly
write novel regulations to the switches’ flow table located within the data layer to avert the
attack. This offers a substantial advantage for the attack aversion. Overall, the research
proposed the application of the feature selection techniques with models of machine learning
to predict DDoS attacks, since this strategy would make a substantial contribution to the
effective prediction of the DDoS attacks within the SDN network.
Alieyan, K., Kadhum, M.M., Anbar, M., Rehman, S.U. and Alajmi, N.K., 2016, October. An overview of
DDoS attacks based on DNS. In 2016 International Conference on Information and
Communication Technology Convergence (ICTC) (pp. 276-280). IEEE.
Alshamrani, A., Chowdhary, A., Pisharody, S., Lu, D., & Huang, D. (2017, November). A defense
system for defeating DDoS attacks in SDN based networks. In Proceedings of the 15th ACM
International Symposium on Mobility Management and Wireless Access (pp. 83-92).
Bholebawa, I.Z. and Dalal, U.D., 2016. Design and performance analysis of OpenFlow-enabled
network topologies using Mininet. International Journal of Computer and Communication
Engineering, 5(6), p.419.
Blial, O., Ben Mamoun, M. and Benaini, R., 2016. An overview on SDN architectures with multiple
controllers. Journal of Computer Networks and Communications, 2016.
Cetinkaya, A., Ishii, H. and Hayakawa, T., 2019. An overview on denial-of-service attacks in control
systems: Attack models and security analyses. Entropy, 21(2), p.210.
Jankowski, D. and Amanowicz, M., 2016. On efficiency of selected machine learning algorithms for
intrusion detection in software defined networks. International Journal of Electronics and
Telecommunications, 62(3), pp.247-252.
Kuerban, M., Tian, Y., Yang, Q., Jia, Y., Huebert, B. and Poss, D., 2016, August. FlowSec: DOS
attack mitigation strategy on SDN controller. In 2016 IEEE International Conference on
Networking, Architecture and Storage (NAS) (pp. 1-2). IEEE.
Latah, M. and Toker, L., 2018. A novel intelligent approach for detecting DoS flooding attacks in
software-defined networks. International Journal of Advances in Intelligent Informatics.
Li, C., Wu, Y., Yuan, X., Sun, Z., Wang, W., Li, X. and Gong, L., 2018. Detection and defense of
DDoS attack–based on deep learning in OpenFlow‐based SDN. International Journal of
Communication Systems, 31(5), p.e3497.
Li, T., Chen, J. and Fu, H., 2019, April. Application scenarios based on SDN: an overview. In Journal
of Physics: Conference Series (Vol. 1187, No. 5, p. 052067). IOP Publishing.
Li, W., Meng, W. and Kwok, L.F., 2016. A survey on OpenFlow-based Software Defined Networks:
Security challenges and countermeasures. Journal of Network and Computer
Applications, 68, pp.126-139.
Meti, N., Narayan, D.G. and Baligar, V.P., 2017, September. Detection of distributed denial of service
attacks using machine learning algorithms in software defined networks. In 2017 international
conference on advances in computing, communications and informatics (ICACCI) (pp. 13661371). IEEE.
Mousavi, S.M. and St-Hilaire, M., 2018. Early detection of DDoS attacks against software defined
network controllers. Journal of Network and Systems Management, 26(3), pp.573-591.
Mowla, N.I., Doh, I. and Chae, K., 2018. CSDSM: Cognitive switch-based DDoS sensing and
mitigation in SDN-driven CDNi word. Computer Science and Information Systems, 15(1),
Myint Oo, M., Kamolphiwong, S., Kamolphiwong, T. and Vasupongayya, S., 2019. Advanced support
vector machine-(ASVM-) based detection for distributed denial of service (DDoS) attack on
software defined networking (SDN). Journal of Computer Networks and
Nanda, S., Zafari, F., DeCusatis, C., Wedaa, E. and Yang, B., 2016, November. Predicting network
attack patterns in SDN using machine learning approach. In 2016 IEEE Conference on
Network Function Virtualization and Software Defined Networks (NFV-SDN) (pp. 167-172).
Padmaja, S. and Vetriselvi, V., 2016, February. Mitigation of switch-Dos in software defined network.
In 2016 International Conference on Information Communication and Embedded Systems
(ICICES) (pp. 1-5). IEEE.
Priya, A.V. and Radhika, N., 2019. Performance comparison of SDN OpenFlow
controllers. International Journal of Computer Aided Engineering and Technology, 11(4-5),
Xu, Y. and Liu, Y., 2016, April. DDoS attack detection under SDN context. In IEEE INFOCOM 2016the 35th annual IEEE international conference on computer communications (pp. 1-9). IEEE.
Ye, J., Cheng, X., Zhu, J., Feng, L. and Song, L., 2018. A DDoS attack detection method based on
SVM in software defined network. Security and Communication Networks, 2018.