IQR-based approach for DDoS detection and mitigation in SDN

Abstract

Software-defined networking (SDN) is a trending networking paradigm that focuses on decoupling of the control logic from the data plane. This decoupling brings programmability and flexibility for the network management by introducing centralized infrastructure. The complete control logic resides in the controller, and thus it becomes the intellectual and most important entity of the SDN infrastructure. With these advantages, SDN faces several security issues in various SDN layers that may prevent the growth and global adoption of this groundbreaking technology. Control plane exhaustion and switch buffer overflow are examples of such security issues. Distributed denial-of-service (DDoS) attacks are one of the most severe attacks that aim to exhaust the controller's CPU to discontinue the whole functioning of the SDN network. Hence, it is necessary to design a quick as well as accurate detection scheme to detect the attack traffic at an early stage. In this paper, we present a defense solution to detect and mitigate spoofed flooding DDoS attacks. The proposed defense solution is implemented in the SDN controller. The detection method is based on the idea of an statistical measure — Interquartile Range (IQR). For the mitigation purpose, the existing SDN-in-built capabilities are utilized. In this work, the experiments are performed considering the spoofed SYN flooding attack. The proposed solution is evaluated using different performance parameters, i.e., detection time, detection accuracy, packet_in messages, and CPU utilization. The experimental results reveal that the proposed defense solution detects and mitigates the attack effectively in different attack scenarios.