A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network
Abstract
1. Introduction
- We provide a description of the security vulnerabilities that exist in SDN as well as the prevalent DDoS attacks that target SDN networks.
- We conducted a literature review on popular DDoS attack detection and mitigation technologies in SDN and categorized and evaluated them according to the technologies utilized. DDoS attack detection and mitigation technologies in SDN environments encompass statistical analysis techniques, machine learning techniques, hybrid detection techniques, policy-based techniques, and, particularly, moving target defense techniques, which are less commonly discussed in the literature. Furthermore, we conducted a comparative assessment of the benefits and drawbacks linked to these technologies.
- Finally, we analyze the experimental environment used in the relevant literature and briefly summarize the research challenges and gaps in DDoS attack defense technology in SDN.
2. Research Methodology
- RQ 1: What are the weaknesses of SDN compared to traditional networks, and to what DDoS attacks is it more susceptible?
- RQ 2: What technical methods do researchers typically use to detect and mitigate DDoS attacks in SDN environments?
- RQ 3: What are the benefits and drawbacks of current detection and mitigation technologies? What are the current challenges in research?
- Search terms: This stage determines the keywords and the search string. For research on DDoS attacks against SDN, the identified keywords were as follows: “SDN”, “DDoS”, “Controller Resource Saturation”, and “Flow Table Overloading”. To build the search string, the Boolean operator “OR” was used to join optional words and synonyms, while “AND” was used to join the required terms. The resulting search string was: (“software-defined network” OR “SDN”) AND (“DDoS” OR “Controller Resource Saturation” OR “Bandwidth Saturation” OR “Flow Table Overloading”).
- Search library: We selected Google Scholar, IEEE Xplore, Springer, ScienceDirect, Wiley, Hindawi, and ACM as the databases in which to search the literature. We also searched the relevant literature on CNKI and selected articles with higher impact factors.
- Inclusion/exclusion criteria: We further reviewed the literature retrieved from the database and established exclusion criteria to eliminate studies that were not relevant to the defined research question. The exclusion criteria are defined as follows:
  - Multiple research studies.
  - Studies that do not provide an equivalent amount of information.
  - Literature without adequate experimental support.
  - Studies not strongly correlated with SDN.
3. Vulnerable Points and DDoS Attacks in SDN
- The security of the data plane. The limited storage space for flow table entries in data plane switches can lead to overload or buffer overflow when attackers send a large amount of traffic, depleting the computing resources of the control plane. There is a vulnerability in the timeout mechanism of the OpenFlow protocol used for communication between the controller and the switch. Flow table entries are not updated in real-time, so when attackers send false flow table entries to the switch, they continue to be stored in the switch, affecting the normal forwarding of related packets and potentially disrupting the network topology [9].
- The security of the control plane. The control plane controller has network control capabilities. When the controller is hijacked, attackers can use it to carry out network eavesdropping, IP address spoofing, and routing modifications, which can compromise the integrity and confidentiality of the network [8]. A hijacked controller can also send false messages to launch DDoS attacks and deplete network resources.
- The security of the application plane. The application layer defines the functionality of the network controller. However, due to the absence of strict access control mechanisms, attackers can execute malicious programs on the application layer to gain access to network intelligence or deplete resources. Attackers can also target specific applications in SDN systems by sending resource-intensive requests to consume the network bandwidth and disrupt network availability [10].
- The security of communication and protocols. The OpenFlow protocol used in the southbound interface encrypts data using SSL/TLS for secure communication. However, the OpenFlow 1.3.0 specification made TLS optional, which means that communication in the southbound interface may not be secure [11]. Therefore, attackers can intercept or tamper with data packets in southbound communication or exploit the interactive nature of the OpenFlow protocol to launch DDoS attacks and deplete network resources. The absence of standardized protocols in the northbound interface makes data transmission vulnerable to eavesdropping, significantly compromising network confidentiality.
- Data plane DDoS attacks. Data plane OpenFlow switches use ternary content-addressable memory (TCAM) to store forwarding rules. TCAM has high lookup efficiency but is expensive and has limited space, so when forwarding rules must be stored for a large volume of traffic, table overflow can occur [13]. In addition, OpenFlow switches have a weakness in their static timeout policy: a flow rule stored in the switch is only deleted if no matching packets are received within a fixed period of time. The Low-Rate Flow Table Overflow (LOFT) attack exploits this by sending low-rate attack traffic timed against the flow table timeout rules, saturating the switch’s flow table entries and preventing the normal forwarding of traffic [14]. Another common data plane attack is switch spoofing [15]. Since data plane switches cannot verify that flow table entries originate from the controller, attackers can send malicious flow table entries to modify the switch’s IP address. When the controller tries to connect to the switch using that IP address, the malicious switch impersonates the address and communicates with the controller, causing the controller to lose its connection to the legitimate switch and disrupting network availability.
- Control plane DDoS attacks. When a switch receives packets that do not match any of its flow table entries, it sends a Packet-In message to the controller in order to retrieve the corresponding flow rule. Attackers inject a large number of invalid packets that match no installed rule, causing the switch to send numerous Packet-In messages to the controller. This consumes controller resources and saturates the controller, which is the goal of the DDoS attack.
- Application plane DDoS attacks. Application plane DDoS attacks exploit the weak access control mechanism of SDN [7]. Applications with design flaws can create a large number of threads, which can consume memory resources or deplete the bandwidth resources of northbound interfaces. Malicious applications can simultaneously consume controller resources by generating a large number of resource-intensive requests. Traditional application plane attacks, such as HTTP Flood and DNS Flood attacks, are also major DDoS attack methods in SDN.
4. DDoS Attack Detection Technology in SDN
4.1. Statistical Analysis-Based DDoS Attack Detection Technology
4.1.1. Information Entropy-Based DDoS Attack Detection Technology
4.1.2. Traffic Statistics-Based DDoS Attack Detection Technology
4.2. Machine Learning-Based DDoS Attack Detection Technology
4.3. Deep Learning-Based DDoS Attack Detection Technology
4.4. Hybrid Detection Technology
5. DDoS Attack Mitigation Techniques in SDN
5.1. Policy-Based DDoS Attack Mitigation Techniques
5.2. Moving Target Defense Technology
5.2.1. Port Address Hopping-Based Defense Technology
5.2.2. Other Moving Target Defense Technology
6. Experiment Environment Analysis of the Literature
6.1. SDN Simulator and Controller
6.2. DDoS Traffic Generation Tools and Datasets
7. Research Challenges and Gap
- Application plane security. At present, most DDoS attack detection methods are deployed on the SDN control plane and data plane, neglecting security detection on the application plane. In fact, the security of the northbound interface of the SDN control plane also plays a crucial role in the normal operation of the SDN. Due to the openness and flexibility of SDN, there is a lack of strict access control, identity authentication, and abnormal detection mechanisms in the application layer. Attackers can launch a high volume of API calls within a short timeframe using malicious applications, resulting in controller crashes and the complete paralysis of the entire network. Therefore, strengthening the security of the SDN application layer is also an important measure to defend against DDoS attacks.
- Real network scenarios and load balance. In real-world scenarios, SDN architecture inevitably faces synchronization and load-balancing issues caused by multi-controller systems. Currently, most research is based on simulation experiments of single-controller SDN systems. In real SDN deployments, a single controller system is unreliable. In a multi-controller system, the traffic of switches is distributed among various switches, which poses difficulties for DDoS attack detection. On one hand, DDoS attacks are more covert due to dispersed traffic, requiring more targeted detection thresholds. On the other hand, SDN with multiple controllers also needs to consider load balancing, distributing traffic evenly among different controllers to prevent being mistaken for an attack due to heavy load on a single controller. Wang et al. [111] deployed a DDoS attack defense scheme in a multi-controller system but did not consider the synchronization strategy of multiple controllers. The problem of effectively allocating resources, achieving load balancing, and synchronizing flow table information from multiple controllers is a challenge that SDN security policy deployment needs to address.
- Network information synchronization. Network information synchronization is the core issue of dynamic DDoS defense methods. If the sender and receiver cannot be kept synchronized during the information hopping process, network availability suffers. The commonly used synchronization methods at present are time-based and protocol-based [112]. Time-based synchronization is affected by network latency and clock accuracy, making accurate synchronization difficult to achieve. Protocol-based synchronization requires prior negotiation and confirmation between the communicating parties; however, it is susceptible to replay and tampering attacks, which can disrupt the synchronization of the network information hopping. Security research on information synchronization methods for dynamic defense is therefore also a research direction.
- Distinguishing between DDoS attacks and flash events. In a real network, there are often multiple legitimate users accessing the network simultaneously, which can lead to flash events. During these events, the website server is unable to provide normal services [113]. Unlike DDoS attacks, this event is caused by a surge in network traffic from legitimate users and cannot be prevented solely through DDoS attack defense strategies. Luo et al. [114] introduced methods to distinguish and detect flash events and DDoS attacks, along with a dataset for detection. Sun et al. [64] proposed a method for detecting flow feature-based DDoS attacks and discriminating flash events in SDN. At present, it is also an urgent problem to distinguish between DDoS attacks and flash events in SDN and adopt different mitigation strategies to avoid affecting the legitimate use of the network by normal users.
- Adaptive DDoS attack defense. Attackers often adapt their attack methods based on intelligence gathered in the early stages in order to evade network defenses and detection methods, so studying adaptive DDoS attack detection mechanisms in SDN has become an important topic. For statistics-based detection methods, dynamic detection thresholds are set according to the actual network traffic volume and the attack method in order to reduce false alarm rates, minimizing the impact on network availability while ensuring accurate detection. In machine learning detection methods, selecting traffic features according to the attack type helps train the detection model, reducing model complexity while improving accuracy [115]. A commonly used approach is to combine lightweight identification methods with heavyweight detection algorithms so that DDoS attacks are detected and identified both efficiently and accurately. In dynamic defense methods, the selection of the hopping space and hopping period also requires adaptive adjustment. Current research focuses on achieving adaptive DDoS attack detection while minimizing the impact on network availability, which involves developing DDoS defense measures that target various attack methods and scales.
- Protocol security. At present, there is no clear industry standard for security in SDN network architecture. Although organizations such as the Open Networking Foundation [116] and the European Telecommunications Standards Association [117] have established certain security standards, there are still no fully recognized security standards domestically or internationally, and this lack of recognized standards also impacts the security of SDN. Klöti et al. [118] conducted a security analysis of the OpenFlow protocol and experimentally verified that attackers can easily perform sniffing and DoS attacks on devices that deploy OpenFlow. Exploiting vulnerabilities in the SDN communication protocol, attackers can also compromise SDN security through methods such as man-in-the-middle and spoofing attacks. Therefore, establishing security protocol standards is also an important measure to defend against DDoS attacks and ensure the security of SDN.
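As an added example (not code from the survey or from any cited scheme), the following Python sketch combines the information-entropy detection idea of Section 4.1.1 with the adaptive threshold discussed under adaptive defense above: the destination-IP entropy of each window of Packet-In events is compared against a threshold derived from recent windows judged normal, and suspected attack windows are kept out of the baseline so a sustained flood cannot drag the threshold down to itself. The window size, addresses and all traffic are constructed assumptions.

```python
"""Adaptive entropy-based Packet-In anomaly detection (illustrative).

Added example, not code from the survey or any cited scheme.  A
controller-side monitor reduces each Packet-In to (src_ip, dst_ip),
computes the Shannon entropy of destinations per fixed-size window of
events, and raises an alarm when that entropy collapses, which is what a
flood aimed at one victim looks like.  The threshold adapts: it is
mean - k*sigma over recent windows judged normal, with a sigma floor so
a flat baseline still keeps a margin.  All traffic below is constructed.
"""
import math
import random
from collections import Counter
from statistics import mean, pstdev

WINDOW = 50                                         # Packet-In events per window (constructed)
SERVERS = [f"10.0.0.{i}" for i in range(1, 11)]    # constructed service hosts


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


class AdaptiveEntropyDetector:
    """Flags a window when destination entropy drops far below the recent baseline."""

    def __init__(self, k=3.0, min_sigma=0.1, min_baseline=8, history=32):
        self.k = k                    # how many sigmas below the mean triggers
        self.min_sigma = min_sigma    # floor so a flat baseline keeps a margin
        self.min_baseline = min_baseline
        self.history = history        # sliding baseline length in windows
        self.baseline = []            # entropies of windows judged normal

    def threshold(self):
        """Current alarm threshold, or None while still learning."""
        if len(self.baseline) < self.min_baseline:
            return None
        sigma = max(pstdev(self.baseline), self.min_sigma)
        return mean(self.baseline) - self.k * sigma

    def observe(self, packet_ins):
        """Classify one window of (src_ip, dst_ip) Packet-In tuples."""
        h = shannon_entropy([dst for _, dst in packet_ins])
        thr = self.threshold()
        if thr is None:
            self.baseline.append(h)
            return "learning", h, thr
        if h < thr:
            # Never learn from a suspected attack window; otherwise a sustained
            # flood would pull the threshold down until it looks normal.
            return "attack", h, thr
        self.baseline.append(h)
        self.baseline = self.baseline[-self.history:]
        return "normal", h, thr


def normal_window(rng):
    """Constructed benign window: roughly even spread over the service hosts."""
    dsts = SERVERS * (WINDOW // len(SERVERS))
    for _ in range(rng.randint(0, 4)):            # small natural jitter
        dsts[rng.randrange(WINDOW)] = rng.choice(SERVERS)
    rng.shuffle(dsts)
    return [(f"192.168.{rng.randint(0, 255)}.{rng.randint(1, 254)}", d) for d in dsts]


def flood_window(rng, victim=SERVERS[3], fraction=0.9):
    """Constructed flood: most Packet-Ins target one victim from random sources."""
    n_attack = int(WINDOW * fraction)
    dsts = [victim] * n_attack + [rng.choice(SERVERS) for _ in range(WINDOW - n_attack)]
    rng.shuffle(dsts)
    return [(".".join(str(rng.randint(1, 254)) for _ in range(4)), d) for d in dsts]


def run_demo(seed=7, normal_windows=20):
    """Feed benign windows then one flood; return the per-window verdicts."""
    rng = random.Random(seed)
    det = AdaptiveEntropyDetector()
    verdicts = [det.observe(normal_window(rng))[0] for _ in range(normal_windows)]
    verdicts.append(det.observe(flood_window(rng))[0])
    return verdicts


if __name__ == "__main__":
    rng = random.Random(7)
    det = AdaptiveEntropyDetector()
    for i in range(20):
        print(i, *det.observe(normal_window(rng)))
    print("flood", *det.observe(flood_window(rng)))
```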
8. Conclusions
Funding
Data Availability Statement
Conflicts of Interest
References
- Chen, J.; Zheng, X.; Rong, C. Survey on software-defined networking. In Proceedings of the Second International Conference on Cloud Computing and Big Data in Asia, Huangshan, China, 17–19 June 2015; Springer: Cham, Switzerland, 2015; pp. 115–124.
- Scott-Hayward, S.; Natarajan, S.; Sezer, S. A Survey of Security in Software Defined Networks. IEEE Commun. Surv. Tutor. 2016, 18, 623–654.
- Ubale, T.; Jain, A.K. Survey on DDoS attack techniques and solutions in software-defined network. In Handbook of Computer Networks and Cyber Security; Springer: Cham, Switzerland, 2020; pp. 389–419.
- Mittal, M.; Kumar, K.; Behal, S. Deep learning approaches for detecting DDoS attacks: A systematic review. Soft Comput. 2023, 27, 13039–13075.
- Ali, T.E.; Chong, Y.W.; Manickam, S. Machine Learning Techniques to Detect a DDoS Attack in SDN: A Systematic Review. Appl. Sci. 2023, 13, 3183.
- Karnani, S.; Shakya, H.K. Mitigation strategies for distributed denial of service (DDoS) in SDN: A survey and taxonomy. Inf. Secur. J. Glob. Perspect. 2023, 32, 444–468.
- Kaur, S.; Kumar, K.; Aggarwal, N.; Singh, G. A comprehensive survey of DDoS defense solutions in SDN: Taxonomy, research challenges, and future directions. Comput. Secur. 2021, 110, 102423.
- Behal, S.; Singh, J. Detection and Mitigation of DDoS attacks in SDN: A Comprehensive Review, Research Challenges and Future Directions. Comput. Sci. Rev. 2020, 37, 100279.
- Maleh, Y.; Qasmaoui, Y.; El Gholami, K.; Sadqi, Y.; Mounir, S. A comprehensive survey on SDN security: Threats, mitigations, and future directions. J. Reliab. Intell. Environ. 2023, 9, 201–239.
- Ahmad, S.; Mir, A.H. SDN Interfaces: Protocols, Taxonomy and Challenges. Int. J. Wirel. Microwave Technol. 2022, 12, 11–32.
- Alhijawi, B.; Almajali, S.; Elgala, H.; Salameh, H.B.; Ayyash, M. A survey on DoS/DDoS mitigation techniques in SDNs: Classification, comparison, solutions, testing tools and datasets. Comput. Electr. Eng. 2022, 99, 107706.
- Patwardhan, A.; Jayarama, D.; Limaye, N.; Vidhale, S.; Parekh, Z.; Harfoush, K. SDN Security: Information disclosure and flow table overflow attacks. In Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA, 9–13 December 2019; IEEE: New York, NY, USA, 2019; pp. 1–6.
- Cao, J.; Xu, M.; Li, Q.; Sun, K.; Yang, Y.; Zheng, J. Disrupting SDN via the data plane: A low-rate flow table overflow attack. In Proceedings of the International Conference on Security and Privacy in Communication Systems, Niagara Falls, ON, Canada, 22–25 October 2017; Springer: Cham, Switzerland, 2017; pp. 356–376.
- Dover, J.M. A Denial of Service Attack against the Open Floodlight SDN Controller; Dover Networks LLC: Edgewater, MD, USA, 2013.
- Rauf, B.; Abbas, H.; Usman, M.; Zia, T.A.; Iqbal, W.; Abbas, Y.; Afzal, H. Application Threats to Exploit Northbound Interface Vulnerabilities in Software Defined Networks. ACM Comput. Surv. 2021, 54, 1–36.
- Yadav, S.K.; Suguna, P.; Velusamy, R.L. Entropy based mitigation of Distributed-Denial-of-Service (DDoS) attack on Control Plane in Software-Defined-Network (SDN). In Proceedings of the 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kanpur, India, 6–8 July 2019; IEEE: New York, NY, USA, 2019; pp. 1–7.
- Ahalawat, A.; Dash, S.S.; Panda, A.; Babu, K.S. Entropy based DDoS detection and mitigation in OpenFlow enabled SDN. In Proceedings of the 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN), Vellore, India, 30–31 March 2019; IEEE: New York, NY, USA, 2019; pp. 1–5.
- Carvalho, R.N.; Bordim, J.L.; Alchieri, E.A.P. Entropy-based DoS attack identification in SDN. In Proceedings of the 2019 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), Rio de Janeiro, Brazil, 20–24 May 2019; IEEE: New York, NY, USA, 2019; pp. 627–634.
- Hemmati, Z.; Mirjalily, G.; Mohtajollah, Z. Entropy-based DDoS Attack Detection in SDN using Dynamic Threshold. In Proceedings of the 2021 7th International Conference on Signal Processing and Intelligent Systems (ICSPIS), Tehran, Iran, 29–30 December 2021; IEEE: New York, NY, USA, 2021; pp. 1–5.
- Ujjan, R.M.A.; Pervez, Z.; Dahal, K.; Khan, W.A.; Khattak, A.M.; Hayat, B. Entropy based features distribution for anti-DDoS model in SDN. Sustainability 2021, 13, 1522.
- Tao, L.; Sheng, Y. DDoS attack detection and recognition based on cross entropy in SDN environment. Comput. Appl. Softw. 2018, 38, 328–333.
- Kalkan, K.; Altay, L.; Gür, G.; Alagöz, F. JESS: Joint entropy-based DDoS defense scheme in SDN. IEEE J. Sel. Areas Commun. 2018, 36, 2358–2372.
- Xuanyuan, M.; Ramsurrun, V.; Seeam, A. Detection and mitigation of DDoS attacks using conditional entropy in software-defined networking. In Proceedings of the 2019 11th International Conference on Advanced Computing (ICoAC), Chennai, India, 18–20 December 2019; IEEE: New York, NY, USA, 2019; pp. 66–71.
- Li, R.; Wu, B. Early detection of DDoS based on φ-entropy in SDN networks. In Proceedings of the 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Chongqing, China, 12–14 June 2020; IEEE: New York, NY, USA, 2020; Volume 1, pp. 731–735.
- Kalkan, K.; Gür, G.; Alagöz, F. SDNScore: A statistical defense mechanism against DDoS attacks in SDN environment. In Proceedings of the 2017 IEEE Symposium on Computers and Communications (ISCC), Heraklion, Greece, 3–6 July 2017; IEEE: New York, NY, USA, 2017; pp. 669–675.
- Fouladi, R.F.; Ermiş, O.; Anarim, E. A DDoS attack detection and defense scheme using time-series analysis for SDN. J. Inf. Secur. Appl. 2020, 54, 102587.
- Shohani, R.B.; Mostafavi, S.; Hakami, V. A statistical model for early detection of DDoS attacks on random targets in SDN. Wirel. Pers. Commun. 2021, 120, 379–400.
- Wang, M.H.; Wu, S.Y.; Yen, L.H.; Tseng, C.C. PathMon: Path-specific traffic monitoring in OpenFlow-enabled networks. In Proceedings of the 2016 Eighth International Conference on Ubiquitous and Future Networks (ICUFN), Vienna, Austria, 5–8 July 2016; IEEE: New York, NY, USA, 2016; pp. 775–780.
- Sahay, R.; Blanc, G.; Zhang, Z.; Debar, H. ArOMA: An SDN based autonomic DDoS mitigation framework. Comput. Secur. 2017, 70, 482–499.
- Yuhua, X.; Zhixin, S. Research progress in abnormal traffic detection in software-defined networks. J. Softw. 2020, 31, 183–207. Available online: http://www.jos.org.cn/1000-9825/5879.htm (accessed on 6 November 2019).
- Kokila, R.T.; Selvi, S.T.; Govindarajan, K. DDoS detection and analysis in SDN-based environment using support vector machine classifier. In Proceedings of the 2014 Sixth International Conference on Advanced Computing (ICoAC), Chennai, India, 17–19 December 2014; IEEE: New York, NY, USA, 2014; pp. 205–210.
- Mehr, S.Y.; Ramamurthy, B. An SVM based DDoS attack detection method for Ryu SDN controller. In Proceedings of the 15th International Conference on Emerging Networking Experiments and Technologies, Orlando, FL, USA, 9–12 December 2019; pp. 72–73.
- Ye, J.; Cheng, X.; Zhu, J.; Feng, L.; Song, L. A DDoS attack detection method based on SVM in software defined network. Secur. Commun. Netw. 2018, 2018, 9804061.
- Zhao, J.; Zeng, P.; Shang, W.; Tong, G. DDoS attack detection based on one-class SVM in SDN. In Proceedings of the International Conference on Artificial Intelligence and Security, Hohhot, China, 17–20 July 2020; Springer: Singapore, 2020; pp. 189–200.
- Myint Oo, M.; Kamolphiwong, S.; Kamolphiwong, T.; Vasupongayya, S. Advanced support vector machine (ASVM) based detection for distributed denial of service (DDoS) attack on software defined networking (SDN). J. Comput. Netw. Commun. 2019, 2019, 8012568.
- Abdullahi Wabi, A.; Idris, I.; Mikail Olaniyi, O.; Joseph, A.; Surajudeen Adebayo, O. Modeling DDoS attacks in SDN and detection using random forest classifier. J. Cyber Secur. Technol. 2023, 1–14.
- Santos, R.; Souza, D.; Santo, W.; Ribeiro, A.; Moreno, E. Machine learning algorithms to detect DDoS attacks in SDN. Concurr. Comput. Pract. Exp. 2020, 32, e5402.
- Khashab, F.; Moubarak, J.; Feghali, A.; Bassil, C. DDoS attack detection and mitigation in SDN using machine learning. In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June–2 July 2021; IEEE: New York, NY, USA, 2021; pp. 395–401.
- Dong, S.; Sarem, M. DDoS attack detection method based on improved KNN with the degree of DDoS attack in software-defined networks. IEEE Access 2019, 8, 5039–5048.
- Latah, M.; Toker, L. Towards an efficient anomaly-based intrusion detection for software-defined networks. IET Netw. 2018, 7, 453–459.
- Nam, T.M.; Phong, P.H.; Khoa, T.D.; Huong, T.T.; Nam, P.N.; Thanh, N.H.; Thang, L.X.; Tuan, P.A.; Dung, L.Q.; Loi, V.D. Self-organizing map-based approaches in DDoS flooding detection using SDN. In Proceedings of the 2018 International Conference on Information Networking (ICOIN), Chiang Mai, Thailand, 10–12 January 2018; IEEE: New York, NY, USA, 2018; pp. 249–254.
- Hnamte, V.; Balram, G. Implementation of Naive Bayes Classifier for Reducing DDoS Attacks in IoT Networks. J. Algebr. Stat. 2022, 13, 2749–2757.
- Nadeem, M.W.; Goh, H.G.; Ponnusamy, V.; Aun, Y. DDoS Detection in SDN using Machine Learning Techniques. Comput. Mater. Contin. 2022, 71, 1.
- Alubaidan, H.; Alzaher, R.; AlQhatani, M.; Mohammed, R. DDoS Detection in Software-Defined Network (SDN) Using Machine Learning. Int. J. Cybern. Inform. 2023, 12, 93–104.
- Wang, J.; Wang, L. SDN-Defend: A Lightweight Online Attack Detection and Mitigation System for DDoS Attacks in SDN. Sensors 2022, 22, 8287.
- Wang, J.; Wang, L.; Wang, R. A Method of DDoS Attack Detection and Mitigation for the Comprehensive Coordinated Protection of SDN Controllers. Entropy 2023, 25, 1210.
- Jmal, R.; Ghabri, W.; Guesmi, R.; Alshammari, B.M.; Alshammari, A.S.; Alsaif, H. Distributed Blockchain-SDN Secure IoT System Based on ANN to Mitigate DDoS Attacks. Appl. Sci. 2023, 13, 4953.
- Priyadarshini, I.; Mohanty, P.; Alkhayyat, A.; Sharma, R.; Kumar, S. SDN and application layer DDoS attacks detection in IoT devices by attention-based Bi-LSTM-CNN. Trans. Emerg. Telecommun. Technol. 2023, 34, e4758.
- Li, C.; Wu, Y.; Yuan, X.; Sun, Z.; Wang, W.; Li, X.; Gong, L. Detection and defense of DDoS attack–based on deep learning in OpenFlow-based SDN. Int. J. Commun. Syst. 2018, 31, e3497.
- Bastola, S.B.; Shakya, S.; Sharma, S. Distributed Denial of Service Attack Detection on Software Defined Networking Using Deep Learning. In Proceedings of the 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Udupi, India, 13–16 September 2017.
- Makuvaza, A.; Jat, D.S.; Gamundani, A.M. Deep neural network (DNN) solution for real-time detection of distributed denial of service (DDoS) attacks in software defined networks (SDNs). SN Comput. Sci. 2021, 2, 1–10.
- Zhao, J.; Xu, M.; Chen, Y.; Xu, G. A DNN Architecture Generation Method for DDoS Detection via Genetic Algorithm. Future Internet 2023, 15, 122.
- Al-Dunainawi, Y.; Al-Kaseem, B.R.; Al-Raweshidy, H.S. Optimized Artificial Intelligence Model for DDoS Detection in SDN Environment. IEEE Access 2023, 11, 106733–106748.
- Aslam, M.; Ye, D.; Tariq, A.; Asad, M.; Hanif, M.; Ndzi, D.; Chelloug, S.A.; Elaziz, M.A.; Al-Qaness, M.A.A.; Jilani, S.F. Adaptive Machine Learning Based Distributed Denial-of-Services Attacks Detection and Mitigation System for SDN-Enabled IoT. Sensors 2022, 22, 2697.
- Zhijun, W.; Qing, X.; Jingjie, W.; Meng, Y.; Liang, L. Low-rate DDoS attack detection based on factorization machine in software defined network. IEEE Access 2020, 8, 17404–17418.
- Li, J.; Liu, Y.; Gu, L. DDoS attack detection based on neural network. In Proceedings of the 2010 2nd International Symposium on Aware Computing, Tainan, Taiwan, 1–4 November 2010; IEEE: New York, NY, USA, 2010; pp. 196–199.
- Malik, J.; Akhunzada, A.; Bibi, I.; Imran, M.; Musaddiq, A.; Kim, S.W. Hybrid deep learning: An efficient reconnaissance and surveillance detection mechanism in SDN. IEEE Access 2020, 8, 134695–134706.
- Cui, Y.; Yan, L.; Li, S.; Xing, H.; Pan, W.; Zhu, J.; Zheng, X. SD-Anti-DDoS: Fast and efficient DDoS defense in software-defined networks. J. Netw. Comput. Appl. 2016, 68, 65–79.
- Deepa, V.; Sivakumar, B. Detection of DDoS Attack using Multiple Kernel Level (MKL) Algorithm. In Proceedings of the 2022 International Conference on Innovative Trends in Information Technology (ICITIIT), Kottayam, India, 12–13 February 2022; IEEE: New York, NY, USA, 2022; pp. 1–5.
- Qi, N.; Wang, W.; Xiao, M.; Jia, L.; Tsiftsis, T. A Learning-Based Spectrum Access Stackelberg Game: Friendly Jammer-Assisted Communication Confrontation. IEEE Trans. Veh. Technol. 2021, 70, 700–713.
- Jia, L.; Xu, Y.; Sun, Y.; Feng, S.; Anpalagan, A. Stackelberg Game Approaches for Anti-Jamming Defence in Wireless Networks. IEEE Wirel. Commun. 2018, 25, 120–128.
- Yao, R.; Zhang, Y.; Wang, S.; Qi, N.; Miridakis, N.I.; Tsiftsis, T.A. Deep Neural Network Assisted Approach for Antenna Selection in Untrusted Relay Networks. IEEE Wirel. Commun. Lett. 2019, 8, 1644–1647.
- Hu, D.; Hong, P.; Chen, Y. FADM: DDoS flooding attack detection and mitigation system in software-defined networking. In Proceedings of the GLOBECOM 2017—2017 IEEE Global Communications Conference, Singapore, 4–8 December 2017; IEEE: New York, NY, USA, 2017; pp. 1–7.
- Sun, G.; Jiang, W.; Gu, Y.; Ren, D.; Li, H. DDoS attacks and flash event detection based on flow characteristics in SDN. In Proceedings of the 2018 15th IEEE International Conference on Advanced Video and Signal Based Surveillance (AVSS), Auckland, New Zealand, 27–30 November 2018; IEEE: New York, NY, USA, 2018; pp. 1–6.
- Novaes, M.P.; Carvalho, L.F.; Lloret, J.; Proenca, M.L. Long short-term memory and fuzzy logic for anomaly detection and mitigation in software-defined network environment. IEEE Access 2020, 8, 83765–83781.
- Banitalebi Dehkordi, A.; Soltanaghaei, M.R.; Boroujeni, F.Z. The DDoS attacks detection through machine learning and statistical methods in SDN. J. Supercomput. 2021, 77, 2383–2415.
- Long, Z.; Jinsong, W. A hybrid method of entropy and SSAE-SVM based DDoS detection and mitigation mechanism in SDN. Comput. Secur. 2022, 115, 102604.
- Singh, A.K.; Jaiswal, R.K.; Abdukodir, K.; Muthanna, A. ARDefense: DDoS detection and prevention using NFV and SDN. In Proceedings of the 2020 12th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), Brno, Czech Republic, 5–7 October 2020; IEEE: New York, NY, USA, 2020; pp. 236–241.
- Ali, A.; Yousaf, M.M. Novel three-tier intrusion detection and prevention system in software defined network. IEEE Access 2020, 8, 109662–109676.
- Sarwar, M.A.; Hussain, M.; Anwar, M.U.; Ahmad, M. FlowJustifier: An optimized trust-based request prioritization approach for mitigation of SDN controller DDoS attacks in the IoT paradigm. In Proceedings of the 3rd International Conference on Future Networks and Distributed Systems, Paris, France, 1–2 July 2019; pp. 1–9.
- Deng, S.; Gao, X.; Lu, Z.; Li, Z.; Gao, X. DoS vulnerabilities and mitigation strategies in software-defined networks. J. Netw. Comput. Appl. 2019, 125, 209–219.
- Ravi, N.; Shalinie, S.M.; Lal, C.; Conti, M. AEGIS: Detection and mitigation of TCP SYN flood on SDN controller. IEEE Trans. Netw. Serv. Manag. 2020, 18, 745–759.
- Cao, Y.; Jiang, H.; Deng, Y.; Wu, J.; Zhou, P.; Luo, W. Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network. IEEE Trans. Dependable Secur. Comput. 2021, 19, 3855–3872.
- Wang, M.; Zhou, H.; Chen, J.; Tong, B. An approach for protecting the OpenFlow switch from the saturation attack. In Proceedings of the 2015 4th National Conference on Electrical, Electronics and Computer Engineering, Xi’an, China, 12–13 December 2015; Atlantis Press: Dordrecht, The Netherlands, 2015.
- Bawany, N.Z.; Shamsi, J.A. SEAL: SDN based secure and agile framework for protecting smart city applications from DDoS attacks. J. Netw. Comput. Appl. 2019, 145, 102381.
- Yuan, B.; Zou, D.; Yu, S.; Jin, H.; Qiang, W.; Shen, J. Defending against flow table overloading attack in software-defined networks. IEEE Trans. Serv. Comput. 2016, 12, 231–246.
- Bhushan, K.; Gupta, B.B. Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. J. Ambient Intell. Humaniz. Comput. 2019, 10, 1985–1997.
- Katta, N.; Alipourfard, O.; Rexford, J.; Walker, D. Infinite CacheFlow in software-defined networks. In Proceedings of the Third Workshop on Hot Topics in Software Defined Networking (HotSDN ’14), Chicago, IL, USA, 22 August 2014; Association for Computing Machinery: New York, NY, USA, 2014; pp. 175–180.
- Dang, V.T.; Huong, T.T.; Thanh, N.H.; Nam, P.N.; Thanh, N.N.; Marshall, A. SDN-based SYNProxy: A solution to enhance performance of attack mitigation under TCP SYN flood. Comput. J. 2019, 62, 518–534.
- Pascoal, T.A.; Dantas, Y.G.; Fonseca, I.E.; Nigam, V. Slow TCAM exhaustion DDoS attack. In Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection, Rome, Italy, 29–31 May 2017; Springer: Cham, Switzerland, 2017; pp. 17–31.
- Ma, D.; Xu, Z.; Lin, D. Defending blind DDoS attack on SDN based on moving target defense. In Proceedings of the International Conference on Security and Privacy in Communication Networks, Beijing, China, 24–26 September 2014; Springer: Cham, Switzerland, 2014; pp. 463–480.
- Abou El Houda, Z.; Khoukhi, L.; Hafid, A.S. Bringing intelligence to software defined networks: Mitigating DDoS attacks. IEEE Trans. Netw. Serv. Manag. 2020, 17, 2523–2535.
- Hong, G.C.; Lee, C.N.; Lee, M.F. Dynamic threshold for DDoS mitigation in SDN environment. In Proceedings of the 2019 Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC), Lanzhou, China, 18–21 November 2019; IEEE: New York, NY, USA, 2019; pp. 1–7.
- Alamri, H.A.; Thayananthan, V. Bandwidth control mechanism and extreme gradient boosting algorithm for protecting software-defined networks against ddos attacks. IEEE Access 2020, 8, 194269–194288. [Google Scholar] [CrossRef]
- Wang, L.; Li, Q.; Jiang, Y.; Jia, X.; Wu, J. Woodpecker: Detecting and mitigating link-flooding attacks via sdn. Comput. Netw. 2018, 147, 1–13. [Google Scholar] [CrossRef]
- Weizhen, L.; Hailong, L.; Kaiyu, H. End-hopping technology research review. Comput. Appl. Res. 2021, 38, 2251–2257.
- Atighetchi, M.; Pal, P.; Webber, F.; Jones, C. Adaptive use of network-centric mechanisms in cyber-defense. In Proceedings of the Sixth IEEE International Symposium on Object-Oriented Real-Time Distributed Computing, Hokkaido, Japan, 16 May 2003; IEEE: New York, NY, USA, 2003; pp. 183–192.
- Leyi, S.; Chunfu, J.; Shuwang, L. Research on active network protection based on terminal information hopping. J. Commun. 2008, 2, 106–110.
- Badishi, G.; Herzberg, A.; Keidar, I. Keeping denial-of-service attackers in the dark. IEEE Trans. Dependable Secur. Comput. 2007, 4, 191–204.
- Zhang, L.; Guo, Y.; Yuwen, H.; Wang, Y. A port hopping based DoS mitigation scheme in SDN network. In Proceedings of the 2016 12th International Conference on Computational Intelligence and Security (CIS), Wuxi, China, 16–19 December 2016; IEEE: New York, NY, USA, 2016; pp. 314–317.
- Chowdhary, A.; Alshamrani, A.; Huang, D.; Liang, H. MTD analysis and evaluation framework in software defined network (MASON). In Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Tempe, AZ, USA, 21 March 2018; pp. 43–48.
- Ziyu, Z.; Erdian, G.; Wei, L. Research on encryption-based port hopping technology in software-defined network. Comput. Appl. Softw. 2017, 34, 322–328.
- Sifalakis, M.; Schmid, S.; Hutchison, D. Network address hopping: A mechanism to enhance data protection for packet communications. In Proceedings of the IEEE International Conference on Communications, ICC 2005, Seoul, Republic of Korea, 16–20 May 2005; IEEE: New York, NY, USA, 2005; Volume 3, pp. 1518–1523.
- Zheng, K.; Zhao, X.; Li, X.; Zhou, Y. A SDN-based IP address hopping method design. In Proceedings of the 2016 5th International Conference on Measurement, Instrumentation and Automation (ICMIA 2016), Shenzhen, China, 17–18 September 2016; Atlantis Press: New York, NY, USA, 2016.
- De, T.; Wei, L. SDN address hopping scheme based on chaotic sequence. Comput. Digit. Eng. 2018, 46, 2315–2318.
- Chang, S.Y.; Park, Y.; Babu, B.B.A. Fast IP hopping randomization to secure hop-by-hop access in SDN. IEEE Trans. Netw. Serv. Manag. 2018, 16, 308–320.
- Xu, X.; Hu, H.; Liu, Y.; Zhang, H.; Chang, D. An adaptive IP hopping approach for moving target defense using a light-weight CNN detector. Secur. Commun. Netw. 2021, 2021, 8848473.
- Lou, W.; Li, H.; Hu, K.; Liu, M.; Dong, Q. Flow count synchronous SDN address hopping technology based on DH-RSA negotiation. In Proceedings of the 2021 International Conference on Neural Networks, Information and Communication Engineering, Qingdao, China, 27–28 August 2021; SPIE: Bellingham, WA, USA, 2021; Volume 11933, pp. 251–259.
- Jinglei, T.; Hongqi, Z.; Cheng, L.; Zhang, Y.; Chang, D.; Liu, X.; Zhang, H. Research progress on moving target defense technology for SDN. J. Netw. Inf. Secur. 2018, 4, 12.
- Shi, L.; Jia, C.; Lü, S.; Liu, Z. Port and address hopping for active cyber-defense. In Proceedings of the Pacific-Asia Workshop on Intelligence and Security Informatics, Chengdu, China, 11–12 April 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 295–300.
- Yixun, H.; Kangfeng, Z.; Yixian, Y.; Xinxin, N. Network layer moving target defense scheme based on OpenFlow. J. Commun. 2017, 38, 102–112.
- Liu, Z.; He, Y.; Wang, W.; Wang, S.; Li, X.; Zhang, B. AEH-MTD: Adaptive moving target defense scheme for SDN. In Proceedings of the 2019 IEEE International Conference on Smart Internet of Things (SmartIoT), Tianjin, China, 9–11 August 2019; IEEE: New York, NY, USA, 2019; pp. 142–147.
- Yuyang, Z.; Guang, C.; Chunsheng, G.; Mian, D. Review of attack surface dynamic transfer technology for moving target defense. J. Softw. 2018, 29, 2799–2820.
- Lixia, X.; Ying, D. Moving target defense mechanism against SDN link flooding attacks. J. Tsinghua Univ. 2019, 59, 36–43.
- Liu, J.; Zhang, H.; Guo, Z. A defense mechanism of random routing mutation in SDN. IEICE Trans. Inf. Syst. 2017, 100, 1046–1054.
- Hyder, M.F.; Fatima, T.; Khan, S.M.; Arshad, S. Countering crossfire DDoS attacks through moving target defense in SDN networks using OpenFlow traffic modification. Trans. Emerg. Telecommun. Technol. 2023, 34, e4853.
- Chowdhary, A.; Pisharody, S.; Alshamrani, A.; Huang, D. Dynamic game based security framework in SDN-enabled cloud networking environments. In Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, Scottsdale, AZ, USA, 24 March 2017; pp. 53–58.
- Zhou, Y.; Cheng, G.; Jiang, S.; Chen, Z. Cost-effective moving target defense against DDoS attacks using trilateral game and multi-objective Markov decision processes. Comput. Secur. 2020, 97, 101976.
- Du, M.; Wang, K. An SDN-enabled pseudo-honeypot strategy for distributed denial of service attacks in Industrial Internet of Things. IEEE Trans. Ind. Inform. 2020, 16, 648–657.
- Priyadarsini, M.; Bera, P.; Das, S.K.; Rahman, M.A. A security enforcement framework for SDN controller using game theoretic approach. IEEE Trans. Dependable Secur. Comput. 2022, 20, 1500–1515.
- Wang, Y.; Hu, T.; Tang, G.; Xie, J.; Lu, J. SGS: Safe-guard scheme for protecting control plane against DDoS attacks in software-defined networking. IEEE Access 2019, 7, 34699–34710.
- Weizhen, H.; Fucai, C.; Jie, N.; Jinglei, T.; Shumin, H.; Guozhen, C. Research progress on network-layer dynamic hopping technology. J. Netw. Inf. Secur. 2021, 7, 44–55.
- Bhatia, S.; Mohay, G.; Tickle, A.; Ahmed, E. Parametric differences between a real-world distributed denial-of-service attack and a flash event. In Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 22–26 August 2011; IEEE: New York, NY, USA, 2011; pp. 210–217.
- Kai, L.; Junyong, L.; Meijuan, Y.; Yan, L.; Lizheng, G. A review on the identification of DDoS attacks with flash crowd. Comput. Sci. 2015, 42, 313–316+322.
- Jia, L.; Qi, N.; Chu, F.; Fang, S.; Wang, X.; Ma, S.; Feng, S. Game-theoretic learning anti-jamming approaches in wireless networks. IEEE Commun. Mag. 2022, 60, 60–66.
- ONF. Software-Defined Networking (SDN) Definition. Available online: https://opennetworking.org/sdn-resources/sdn-definition (accessed on 30 June 2022).
- European Telecommunications Standards Institute. Available online: http://www.etsi.org/ (accessed on 30 June 2022).
- Kloti, R.; Kotronis, V.; Smith, P. OpenFlow: A security analysis. In Proceedings of the 21st IEEE International Conference on Network Protocols (ICNP), Göttingen, Germany, 7–10 October 2013; pp. 1–6.
- Sjoholmsierchio, M.; Hale, B.; Lukaszewski, D.; Xie, G.G. Strengthening SDN security: Protocol dialecting and downgrade attacks. In Proceedings of the 2021 IEEE 7th International Conference on Network Softwarization (NetSoft), Tokyo, Japan, 28 June–2 July 2021; IEEE: New York, NY, USA, 2021; pp. 321–329.
- Yang, W.; Guang-ming, T.; Shuo, W.; Jiang, C. DDoS attack defense mechanism at the SDN application layer based on API call management. J. Netw. Inf. Secur. 2022, 8, 73–87.

| Covered Topic | | Ref. [3] | Ref. [5] | Ref. [6] | Ref. [7] | Ref. [8] | Our Work |
|---|---|---|---|---|---|---|---|
| Vulnerable points and DDoS attack types in SDN | | √ | √ | √ | √ | √ | √ |
| DDoS attack detection technology | Statistical analysis and information entropy | - | - | √ | √ | √ | √ |
| | Machine learning | √ | √ | - | √ | √ | √ |
| | Hybrid detection | √ | - | √ | √ | √ | |
| DDoS attack mitigation techniques | Policy-based techniques | √ | - | √ | √ | √ | √ |
| | Moving target defense | - | - | √ | - | - | √ |
| Experimental environment analysis | | √ | - | √ | √ | √ | √ |
| Research challenges and gaps | | √ | √ | √ | √ | √ | √ |


| Attack Type | SDN Plane | Security Vulnerability Exploited |
|---|---|---|
| Flow table overflow | Data plane | The OpenFlow switch has a limited amount of storage (typically TCAM) for flow tables. |
| Switch spoofing | Data plane | The OpenFlow switch does not authenticate its flow tables. |
| Saturation DDoS attacks | Control plane | Every table-miss packet generates a Packet-In message, so a flood of table-miss packets saturates the controller's processing capacity. |
| Malicious application DDoS attacks | Application plane | The application plane lacks robust authentication and access control for applications. |
| Northbound interface bandwidth exhaustion | Application plane | The application plane lacks robust authentication and access control for applications, and the northbound interface has limited bandwidth [7]. |


| Calculation Parameter | Feature | Strengths | Weaknesses | Improvement Methods |
|---|---|---|---|---|
| Shannon entropy | Probability distribution of a single traffic feature (e.g., destination IP address) | Easy to compute; low resource consumption | Low detection accuracy | Dynamic threshold adjustment; joint detection over multiple traffic features |
| Generalized entropy (GE) | Extension of Shannon entropy that amplifies the variation Shannon entropy shows | More sensitive to changes in traffic features | Computational complexity grows as the entropy order increases | Use different orders for different DDoS attacks |
| Relative entropy (KL divergence) | Measures the divergence between the normal and malicious traffic distributions | High recognition rate for known attacks | Depends on a previously built model of normal traffic | Extract the features of each attack type and use relative entropy to identify the attack type |
| Conditional entropy | Captures the dependence between different attributes of a flow | High detection accuracy | High time and space complexity, which makes real-time operation hard | Select an appropriate conditional entropy model for each DDoS attack type |
| Joint entropy | Entropy over several packet header features at once | Higher accuracy than a single entropy value; can detect unknown attacks | More computation required; static thresholds are prone to false alarms | Adaptive thresholds; select the most discriminative features to reduce computation |
| φ-entropy | Introduces a parameter φ that tunes the entropy's sensitivity to probability changes in flow features | Amplifies the correlation between flows; highly sensitive | φ must be preset and redesigned whenever network traffic changes | Adaptive adjustment of φ |

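
As an added example (not code from any of the surveyed papers), the Python below computes the Shannon, generalized (Rényi) and joint entropies from the table over windows of sampled packet headers and applies the "dynamic threshold adjustment" improvement from the first row: an EWMA baseline of normal-window entropy with a standard-deviation band and a minimum drop, from which flagged windows are excluded so an ongoing attack cannot pull the threshold down. The windows, the /24 source range, the entropy order and the detector parameters are constructed assumptions chosen for illustration; in an SDN deployment the windows would be built from OpenFlow flow statistics or sampled Packet-In headers at the controller.

```python
"""Entropy-based DDoS detection over windows of sampled packet headers (added example)."""
import math
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port) taken from a packet header


def shannon_entropy(values: Iterable) -> float:
    """H = -sum(p_i * log2 p_i) over the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def generalized_entropy(values: Iterable, alpha: float) -> float:
    """Renyi (generalized) entropy of order alpha: log2(sum p_i^alpha) / (1 - alpha).

    alpha = 1 recovers Shannon entropy. A larger alpha weights the dominant
    value more heavily, which amplifies the entropy drop caused by a flood
    aimed at one victim, at the cost of larger exponentiations per window.
    """
    if alpha == 1:
        return shannon_entropy(values)
    counts = Counter(values)
    total = sum(counts.values())
    return math.log2(sum((c / total) ** alpha for c in counts.values())) / (1 - alpha)


def joint_entropy(flows: Sequence[Flow], fields: Sequence[int]) -> float:
    """Shannon entropy of the joint distribution of several header fields."""
    return shannon_entropy(tuple(flow[i] for i in fields) for flow in flows)


class AdaptiveThreshold:
    """EWMA baseline of normal-window entropy. A window is flagged when its
    entropy falls below the baseline by more than k standard deviations,
    with a floor of `min_drop` so a flat baseline does not alarm on noise.
    Flagged windows are not folded into the baseline."""

    def __init__(self, smoothing: float = 0.3, k: float = 3.0,
                 min_drop: float = 0.5, warmup: int = 3) -> None:
        self.smoothing, self.k, self.min_drop, self.warmup = smoothing, k, min_drop, warmup
        self.mean = None
        self.var = 0.0
        self.seen = 0

    def observe(self, h: float) -> bool:
        """Return True if `h` is anomalous; otherwise fold it into the baseline."""
        if self.seen >= self.warmup:
            threshold = self.mean - max(self.k * math.sqrt(self.var), self.min_drop)
            if h < threshold:
                return True
        self._update(h)
        return False

    def _update(self, h: float) -> None:
        self.seen += 1
        if self.mean is None:
            self.mean = h
            return
        diff = h - self.mean
        self.mean += self.smoothing * diff
        self.var = (1 - self.smoothing) * (self.var + self.smoothing * diff * diff)


def make_window(dst_counts: Dict[str, int]) -> List[Flow]:
    """Constructed sample window: `dst_counts` gives packets per destination IP.
    Sources rotate through a /24 so source-IP entropy stays high in every
    window, as it does in a flood sent from many bots."""
    flows: List[Flow] = []
    i = 0
    for dst, n in dst_counts.items():
        for _ in range(n):
            flows.append((f"192.168.1.{i % 50 + 1}", dst, 80 if i % 2 == 0 else 443))
            i += 1
    return flows


# Constructed windows: four normal windows, then a flood concentrated on 10.0.0.9.
NORMAL = {f"10.0.0.{j}": 5 for j in range(1, 9)}            # 40 packets spread over 8 servers
NORMAL_SKEWED = dict(zip(NORMAL, [6, 5, 5, 5, 5, 5, 5, 4]))   # mild variation in normal load
ATTACK = {"10.0.0.9": 36, "10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.3": 1, "10.0.0.4": 1}
WINDOWS = [("normal-1", NORMAL), ("normal-2", NORMAL_SKEWED),
           ("normal-3", NORMAL), ("normal-4", NORMAL_SKEWED), ("flood", ATTACK)]


def run_detector(windows=WINDOWS, alpha: float = 2.0) -> List[Tuple[str, float, bool]]:
    """Feed the destination-IP generalized entropy of each window to the
    detector. Returns [(window name, entropy, flagged), ...]."""
    detector = AdaptiveThreshold()
    results = []
    for name, counts in windows:
        flows = make_window(counts)
        h = generalized_entropy((f[1] for f in flows), alpha)
        results.append((name, round(h, 4), detector.observe(h)))
    return results


if __name__ == "__main__":
    for name, h, flagged in run_detector():
        print(f"{name:10s} H_2(dst_ip)={h:.4f} {'ATTACK' if flagged else 'ok'}")
```

The direction of the shift depends on the feature: a flood concentrates destination addresses, so destination entropy falls, whereas a flow-table overflow with spoofed sources spreads source addresses, so source entropy rises; a deployed detector watches both tails. Relative or conditional entropy variants from the table plug into the same loop by replacing the per-window statistic.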

| Algorithm Classification | Algorithm | References |
|---|---|---|
| Traditional machine learning | SVM | [31,32,33,34,35] |
| | Decision tree | [36,37,38] |
| | KNN | [38,39,40,41] |
| | Naive Bayes | [38,42,43,44] |
| | Random forest | [36,37,38] |
| Deep learning | SOM | [41,45,46] |
| | ANN | [47,48,49] |
| | LSTM | [48,49,50] |
| | DNN | [51,52,53] |
| | RNN | [50,53] |


| Tactic | Strengths | Weaknesses | References |
|---|---|---|---|
| Port hopping | No protocol modification required; simple deployment | Weak DDoS defense capability; hopping rule easy to discover | [89,90,91,92] |
| IP address hopping | No protocol modification required; good DDoS defense capability | Relatively complex implementation; small hopping address space | [94,95,96,97,98] |
| Hybrid hopping | Strong security; hopping rule difficult to discover | Difficult and costly to deploy; end-host time synchronization issue | [100,101,102] |
| Route hopping | Can defend against link-flooding DDoS attacks | Protocol modification required; implementation complexity; impact on network availability | [104,105] |

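
Two weaknesses in the table above, the discoverable hopping rule of port hopping and the end-host time synchronization issue of hybrid hopping, are both schedule-design problems. As an added example (not code from any cited scheme), the Python below derives each slot's port from an HMAC over a pre-shared key, so observing past ports reveals nothing about the next one, and has the server accept a window of adjacent slots so clients whose clocks drift by less than one slot are still admitted. It also shows, as illustrative match/action dicts rather than a real OpenFlow encoding, the flow rules an SDN controller would push for a slot. The key, slot length, port range and service identifier are constructed assumptions; the hybrid schemes in the table negotiate the key (e.g., via DH/RSA) instead of hard-coding it.

```python
"""Keyed, time-slotted port hopping with clock-drift tolerance (added example)."""
import hashlib
import hmac
import struct
from typing import Dict, List, Set

SLOT_SECONDS = 10                      # hop interval (assumption)
PORT_LOW, PORT_HIGH = 10000, 60000     # hopping port range (assumption)
KEY = b"constructed-shared-secret"     # constructed for the example; negotiate it in practice


def slot_index(now: float) -> int:
    """Map a timestamp (seconds) to its hop slot."""
    return int(now // SLOT_SECONDS)


def hop_port(key: bytes, service_id: int, slot: int) -> int:
    """Port for `service_id` during `slot`, derived with HMAC-SHA256.

    Without the key the sequence is unpredictable, so an attacker who has
    seen earlier ports cannot infer the next one, unlike a fixed or
    linear schedule whose rule can be recovered from a few observations."""
    mac = hmac.new(key, struct.pack(">Iq", service_id, slot), hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(mac[:4], "big") % (PORT_HIGH - PORT_LOW)


def accepted_ports(key: bytes, service_id: int, slot: int, tolerance: int = 1) -> Set[int]:
    """Ports valid at `slot`: the current one plus `tolerance` slots either
    side, so packets from a client whose clock drifts by up to
    tolerance * SLOT_SECONDS, or that straddle a boundary, are admitted."""
    return {hop_port(key, service_id, s) for s in range(slot - tolerance, slot + tolerance + 1)}


def server_accepts(key: bytes, service_id: int, server_now: float,
                   client_port: int, tolerance: int = 1) -> bool:
    """Server-side admission decision for a packet arriving on `client_port`."""
    return client_port in accepted_ports(key, service_id, slot_index(server_now), tolerance)


def flow_rules_for_slot(key: bytes, service_id: int, slot: int, real_port: int,
                        tolerance: int = 1) -> List[Dict]:
    """Rules a controller would install for this slot: rewrite each accepted
    hop port to the service's real port, and drop everything else aimed at
    the hopping range with a lower-priority catch-all. Illustrative dicts,
    not an OpenFlow encoding."""
    rules = [{"priority": 100, "match": {"tcp_dst": p},
              "actions": [{"set_tcp_dst": real_port}, "output:service"]}
             for p in sorted(accepted_ports(key, service_id, slot, tolerance))]
    rules.append({"priority": 10, "match": {"tcp_dst_range": (PORT_LOW, PORT_HIGH)},
                  "actions": ["drop"]})
    return rules


def demo() -> Dict[str, bool]:
    """A client 4 s behind the server is still admitted; a port outside the
    server's current window (e.g. one scanned earlier) is not."""
    client_now, server_now = 57.0, 61.0          # slots 5 and 6 respectively
    client_port = hop_port(KEY, 1, slot_index(client_now))
    stale = next(p for p in range(PORT_LOW, PORT_HIGH)
                 if p not in accepted_ports(KEY, 1, slot_index(server_now)))
    return {"drifted_client_admitted": server_accepts(KEY, 1, server_now, client_port),
            "stale_port_admitted": server_accepts(KEY, 1, server_now, stale)}


if __name__ == "__main__":
    print(demo())
    for rule in flow_rules_for_slot(KEY, 1, slot_index(61.0), real_port=443):
        print(rule)
```

The tolerance window is the trade-off the table's "time synchronization issue" points at: a wider window tolerates more drift but leaves more ports open per slot, so the attacker's chance of hitting a live port by scanning grows in proportion.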

| Tactic | Strengths | Weaknesses | References |
|---|---|---|---|
| Port/address hopping | No protocol modification required; simple deployment | Weak DDoS defense capability; hopping rule easy to discover | [89,90,91,92,93,94,95,96,97,98,99,100,101,102] |
| Route reconstruction | Can defend against link-flooding DDoS attacks | Protocol modification required; implementation complexity; impact on network availability | [104,105] |
| Shadow host/honeypot | Can identify attack types; attacker can be traced | May be identified by attackers | [106,109] |
| Game theory | Game strategies deceive attackers and reduce attack effectiveness | Requires an attack model; must be combined with other defense strategies | [107,108,109,110] |


| Experiment Controller | Statistical Analysis (detection) | Machine Learning and Deep Learning (detection) | Hybrid Detection | Policy-Based (mitigation) | Moving Target Defense (mitigation) | Literature Proportion |
|---|---|---|---|---|---|---|
| Ryu | [17,20,22,27,29] | [33,36,37,41,43,46,52,55,58] | - | [72,80,84] | [97] | 30% |
| POX | [16,18,19,23,26] | [40,46,49,51,57,59] | [60] | [70,74,77] | [85] | 26.7% |
| Floodlight | [24,28,71,79,81] | [45,46,47,48,51,52] | [66,67,68] | [82] | - | 23.3% |
| OpenDaylight | [21] | [46] | - | [83] | [91,96,108,110] | 13.3% |
| ONOS | - | [34,46] | - | [75] | [75] | 5% |
| NOX | - | [46] | - | - | - | 1.7% |


| Traffic Simulator | Description | Research Works |
|---|---|---|
| Scapy | Interactive packet manipulation program that lets users build, send, receive and dissect packets of many protocols at the byte level. | [18,19,20,24,74,82,83] |
| hping3 | Command-line TCP/IP packet assembler and analyzer; crafts arbitrary TCP, UDP and ICMP packets and offers far richer functionality than traditional ping. | [21,33,37,47,64,67] |
| D-ITG | Distributed Internet Traffic Generator: high-performance traffic generation with multiple concurrent flows and protocols; can reproduce high-concurrency traffic loads. | [52,55] |
| Botnet simulator | Simulates the attack behaviour of a large number of controlled nodes to reproduce realistic distributed attack scenarios. | [29,60] |
| TFN2K | Tribe Flood Network 2000, an early distributed denial-of-service attack tool; used to analyze attacker behaviour patterns and attack mechanisms. | [60] |


| Dataset | Description | Research Works |
|---|---|---|
| CIC-DDoS2019 | Normal traffic together with multiple types of DDoS attacks, simulating DDoS attack scenarios in a modern data-center-like environment. | [32,58,65,72,84] |
| CAIDA | Anonymized packet-level traces, flow-level data and real-time or historical BGP routing information for network measurement, topology analysis and security research. | [52,57,73,79] |
| NSL-KDD | Preprocessed classic dataset (a cleaned subset of KDD Cup 99) with normal traffic and four attack categories (DoS, Probe, R2L, U2R), used to evaluate intrusion detection systems. | [39,48,52] |
| CIC-IDS-2017 | Large volume of simulated normal traffic and different attack types in a realistic network environment; suitable for developing and testing machine-learning-based intrusion detection systems. | [31,36,54] |
| ISCX | Various types of network attack traffic, including mixed attacks and normal traffic; supports research on new attack techniques. | [56,66,75] |
| DARPA | Datasets from the early large-scale "Intrusion Detection System Evaluation" project of the US Defense Advanced Research Projects Agency. | [42] |
| UNSW-NB15 | Nine attack categories plus normal traffic; rich feature set and diverse attack types. | [59] |
| CTU-13 | PCAP network traffic for a range of malware activity, especially botnets, captured in thirteen scenarios. | [66] |
| MAWI Working Group Traffic Archive | Public archive of large-scale real backbone traffic traces, used mainly for network engineering, transport protocol analysis and traffic modeling. | [26] |
| Kaggle | DDoS and other network attack datasets contributed by the cybersecurity community. | [35] |
| LLS_DDOS 2.0 | DARPA 2000 scenario-specific DDoS dataset (the LLDOS 2.0.2 scenario); contains DDoS attack traffic samples of different scales and complexity. | [23] |


| Technology | Scope | Plane | Key Points | Strengths | Weaknesses |
|---|---|---|---|---|---|
| Statistical analysis | Detection | Data/control | Uses statistical parameters of traffic features or information entropy to detect DDoS attacks. | Low resource consumption; good real-time performance | High false alarm rate (FAR) |
| Machine learning | Detection/mitigation | Control | Deploys machine learning algorithms in the control plane to identify DDoS attack traffic. | High accuracy | Complex model training; poor real-time performance |
| Hybrid detection | Detection/mitigation | Data/control | Multi-level detection that combines statistical analysis with machine learning. | Balances real-time detection and accuracy | Difficult to deploy; parameter settings affect detection effectiveness |
| MTD | Mitigation | Control | Dynamically changes network information (ports, addresses, routes) to mitigate DDoS attacks. | Improves the security of SDN | High demands on the network system; communication synchronization issues |
| Policy-based mitigation | Mitigation | Data/control/application | Sets traffic forwarding policies that discard malicious traffic while ensuring clean traffic is forwarded. | Easy to implement; minimal resource usage | May affect normal traffic |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite

ACS Style: Su, Y.; Xiong, D.; Qian, K.; Wang, Y. A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network. Electronics 2024, 13, 807. https://doi.org/10.3390/electronics13040807

AMA Style: Su Y, Xiong D, Qian K, Wang Y. A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network. Electronics. 2024; 13(4):807. https://doi.org/10.3390/electronics13040807

Chicago/Turabian Style: Su, Yinghao, Dapeng Xiong, Kechang Qian, and Yu Wang. 2024. "A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network" Electronics 13, no. 4: 807. https://doi.org/10.3390/electronics13040807