
A Feasible Method to Combat against DDoS Attack in SDN Network

Nhu-Ngoc Dao1, Junho Park1, Minho Park2, and Sungrae Cho1

1 School of Computer Science and Engineering, Chung-Ang University, Seoul, South Korea
2 School of Electronic Engineering, Soongsil University, Seoul, South Korea
Email: dnngoc@uclab.re.kr, jhpark@uclab.re.kr, mhp@ssu.ac.kr, and srcho@cau.ac.kr
Abstract—In a Software Defined Network (SDN), the controller is highly vulnerable to flooding attacks. By continuously injecting spoofed request packets, attackers burden the controller with processing, occupy bandwidth on the controller-switch channel, and overflow the flow table in the switch. The attackers' final target is to degrade or even shut down the stability and quality of service of the network. In this paper, we introduce a feasible method to protect the network against Distributed Denial of Service attacks more effectively.

Keywords—SDN, OpenFlow, DDoS, DoS

I. INTRODUCTION

Software defined networking (SDN) was born with the mission of changing the way existing network architectures and devices operate, specializing device operation and network deployment to reach an intelligent network. In the SDN architecture, the control and data planes are decoupled, making network control programmable and abstracting the underlying infrastructure for applications and network services [1].

The power of SDN is being proven day by day and spreads across various areas, from enterprises to carriers and service provider environments, from small local area networks to public cloud architectures. In most cases, SDN shows strong success in providing reliability, effectiveness, simplicity and flexibility at lower cost [2].

However, a number of challenges remain to be resolved, especially in security. Because of the centralized nature of the controller, it can easily become a target for attackers. Whenever a new packet arrives in the SDN network and the switch cannot find a matching flow entry, it forwards the packet to the controller to ask how to handle it. This gives an attacker a good chance to deplete resources and threaten network availability.

Recently, solutions have been proposed to decrease the impact of these security problems. Some set up specific policies and/or separate security-relevant data from normal data for separate processing. Others customize the framework so that all components cooperate dependably and securely. However, none of them focuses closely enough on defending against DoS attacks [3].

In this paper, we propose a feasible source-based IP filtering technique to defeat DDoS attacks. Our method works on the OpenFlow protocol and analyzes user traffic to detect and prevent the attack.

The structure of this paper is organized as follows. Section II describes how attackers exploit SDN network vulnerabilities to mount a resource consumption attack by flooding. Then, we identify the characteristics of DDoS users during the attack and, based on that, propose suitable policies for DDoS users and other valid users in Section III. The simulation and evaluation are presented in Section IV. Finally, Section V gives the conclusion and defines our future work.

II. HOW TO ATTACK AN SDN NETWORK BY DDOS?

In [4], Shin et al. investigated flooding attacks against SDN networks. The method is described below.

The first step is to identify the SDN network. Recall that most traditional networks have a pre-configured forwarding table, so no additional time is needed to process and create a flow entry for a new incoming packet. In contrast, the controller in an SDN must take a little time to issue a new flow entry for a new packet, which adds latency to the first packet of a flow compared with the following packets. Based on this, attackers can identify whether a network is an SDN by comparing the response times of the first packet and the following packets. If the difference is greater than a defined threshold, the network is recognized as an SDN.

Finally, the last step is simply to inject random fake packets into the SDN network. The controller must process them and generate corresponding flow entries at an ever-increasing rate, and the new entries soon occupy the whole flow table in the switch. From that time, the switch cannot serve users normally, and the quality of service is degraded or the network even shuts down.

III. OUR PROPOSED METHOD

A. Analysis of user behavior

Collecting and analyzing traffic data of the University of Auckland network and a small ISP trace over one month, Peng et al. [5] found that around 90% of frequent users sent at least 5 packets to each destination. Conversely, abnormal users transmitted fewer than 5 packets per connection (error packets or DDoS packets). The minimum number of packets per connection of a frequent user is denoted by n. On the other hand, around 60% of the IP addresses appeared on only one day in a two-week period; most of them are infrequent users or DDoS attacking addresses. We define the average number of connections that frequent users establish as k.
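The following Python snippet is an added worked example, not code from this paper or from Peng et al. [5]. It derives the thresholds n and k from a connection history using the definitions above (frequent sources are those seen on more than one day; n is their minimum number of packets per connection; k is their mean number of connections per day) and then classifies each source per day by the criterion of this section. The log, the address values and the helper names (frequent_sources, derive_thresholds, classify) are assumptions of the example; the log is constructed, not measured.

```python
"""Deriving n and k of Section III.A from a connection history and applying
them, in the spirit of history-based IP filtering.  Added example; the log is
constructed and the "more than one day" rule for frequent users is an assumption."""
from collections import defaultdict
from statistics import mean

# Constructed log: (day, source, destination, packets in that connection).
LOG = [
    (1, "10.0.0.2", "10.0.0.100", 12), (1, "10.0.0.2", "10.0.0.101", 9), (1, "10.0.0.2", "10.0.0.102", 8),
    (2, "10.0.0.2", "10.0.0.100", 15), (2, "10.0.0.2", "10.0.0.103", 7), (2, "10.0.0.2", "10.0.0.101", 10),
    (1, "10.0.0.7", "10.0.0.100", 10), (1, "10.0.0.7", "10.0.0.104", 11), (1, "10.0.0.7", "10.0.0.101", 9),
    (2, "10.0.0.7", "10.0.0.100", 8), (2, "10.0.0.7", "10.0.0.105", 14), (2, "10.0.0.7", "10.0.0.100", 12),
    (2, "10.0.0.1", "10.0.0.100", 1), (2, "10.0.0.1", "10.0.0.17", 1), (2, "10.0.0.1", "10.0.0.91", 1),
    (2, "10.0.0.1", "10.0.0.250", 1), (2, "10.0.0.1", "10.0.0.3", 2),   # one-day source, many dsts, ~1 pkt each
    (1, "192.0.2.44", "10.0.0.100", 2),                                  # one-day visitor, one connection
    (2, "203.0.113.9", "10.0.0.100", 9),                                 # one-day visitor, one connection
]


def frequent_sources(log):
    """Sources seen on more than one day (the one-day-only addresses are the infrequent ones)."""
    days = defaultdict(set)
    for day, src, _dst, _pkts in log:
        days[src].add(day)
    return {src for src, seen in days.items() if len(seen) > 1}


def derive_thresholds(log):
    """n = minimum packets per connection of frequent sources; k = their mean connections per day."""
    freq = frequent_sources(log)
    n = min(pkts for _day, src, _dst, pkts in log if src in freq)
    per_day = defaultdict(int)
    for day, src, _dst, _pkts in log:
        if src in freq:
            per_day[(src, day)] += 1
    return n, mean(per_day.values())


def classify(log, n, k):
    """Per (source, day): 'frequent' if it reached k connections averaging at least n
    packets each, 'malicious' if it reached k connections with fewer, 'undecided' if it
    never reached k (a source cannot be judged before it has opened k connections)."""
    windows = defaultdict(list)
    for day, src, _dst, pkts in log:
        windows[(src, day)].append(pkts)
    verdicts = {}
    for key, pkts in windows.items():
        if len(pkts) < k:
            verdicts[key] = "undecided"
        else:
            verdicts[key] = "frequent" if mean(pkts) >= n else "malicious"
    return verdicts
```

On this log the derived thresholds are n = 7 and k = 3, the values the simulation in Section IV uses. Sources that never open k connections in a day stay undecided: the criterion can only judge an address once it has reached k connections, so a flooder that never reuses a source address is not caught by it.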

978-1-4799-8342-1/15/$31.00 2015 IEEE 309 ICOIN 2015


Fig. 1. The workflow of the proposed method. Legend: ci is the counter of an IP address in the T table; n is the minimum number of packets per connection; k is the average number of connections of frequent users; s is the statistic counter of an IP address. For each forwarded packet: set a new entry with a short timeout and increase ci by 1; if ci < k, do nothing more; if ci ≥ k, request the statistic counter s from the switch; if s < n, block the address; otherwise update its entries with the normal timeout.

Therefore, the characteristics of DDoS addresses are that they initiate fewer than k connections (within a constant duration) and generate fewer than n packets per connection.

B. The proposed method

We define a temporary table (T table) in the controller. The T table stores the source IP addresses of packets forwarded from the switch. Each unique IP address has a counter ci that tracks the number of packets that have arrived from it.

During the attack, whenever a new packet forwarded by the switch arrives at the controller, the controller first assumes that it might come from a DDoS attacking address. The controller creates a new specific entry whose hard timeout and idle timeout are smaller than those of normal entries, to limit its lifetime. Then, the source IP address is recorded in the T table for tracking, and its counter ci is increased by 1 (Fig. 1).

When ci reaches k, we analyze the traffic characteristics of the address by requesting from the switch the average packet counter s of its flows. If s is greater than n, the source address has established and transmitted real data connections; in other words, it is a frequent user. Hence, the controller issues a flow modification message to reset the hard timeout and idle timeout of all its existing entries to the normal values [6].

Conversely, if s is smaller than n, this is malicious traffic. The controller dispatches a drop rule for the address to the switch.

IV. SIMULATION AND EVALUATION

A. Simulation network topology

To simulate the proposed method, we build a small topology consisting of one web server and three PC clients (one DDoS attacking user, one malicious user and one frequent user) connected to the SDN network (Fig. 2).

Fig. 2. Simulation network topology

• In the switch, the flow table has a capacity of 10,000 entries and is initially empty. A normal entry has a hard timeout of 600 seconds and an idle timeout of 60 seconds. The entry for the DDoS attacking user has a hard timeout and idle timeout of 60 and 10 seconds, respectively.
• The malicious user has IP address 10.0.0.1. It injects spoofed packets into the switch indefinitely; for each packet, the destination IP address is generated randomly.
• The DDoS attacking user sends spoofed packets to the switch indefinitely; for each packet, both the source and destination IP addresses are generated randomly.
• The frequent user has IP address 10.0.0.2. It establishes 5 different connections to the server and transmits 10 packets per connection.

Assume that we have already analyzed the collected data of frequent users and set the values of k and n to 3 and 7, respectively. The network topology is simulated with OPNET Modeler.

B. Evaluation and discussion

The simulation results are as follows:

• The packets from the malicious user are dropped after it floods 3 packets: an entry with source address 10.0.0.1 and action DROP is installed in the flow table.
• The DDoS attacking user's packets are handled by corresponding entries with a short hard timeout of 60 s and idle timeout of 10 s.
• The frequent user is served by normal entries with a hard timeout of 600 s and idle timeout of 60 s.

In the switch, the number of entries is decreased by 49% after 100 s because of the block entries for malicious traffic and the flow entries with short timeouts (Fig. 3). The number of

entries remains around 265 (including normal entries for the frequent user, block entries for the malicious user, and short-timeout entries for the DDoS attacking user). The bandwidth occupation of the controller-switch channel is decreased by 51% (Fig. 5) and the total number of packets arriving at the controller by 49% (Fig. 4).

Because we set short values for the hard timeout and idle timeout of all newly forwarded packets from the switch to the controller, the impact of the DDoS attack is reduced and protection against the entry overflow attack improves. After the controller analyzes the traffic behavior reported by the switch, the malicious source addresses are also cancelled by block entries, while frequent users are still treated normally.

To be more effective, the values of the parameters k and n can be tuned to different network environments.

Fig. 3. Number of entries in flow table (x axis: Time (seconds), 0 to 500; y axis: Number of entries in flow table, 0 to 550; curves: w/o proposed method, w/ proposed method)

Fig. 4. Number of packets arriving at the controller (x axis: Time (seconds), 0 to 500; y axis: Number of packets arriving at the controller, 0 to 4500; curves: w/o proposed method, w/ proposed method)

Fig. 5. Bandwidth occupation in the controller-switch channel (x axis: Time (seconds), 0 to 500; y axis: Bandwidth of the controller-switch channel (kbps), 0 to 20; curves: w/o proposed method, w/ proposed method)

V. CONCLUSION AND FUTURE WORK

SDN is expected to replace the existing traditional network with many advanced features. However, it faces many security challenges. In this paper, we propose a feasible method to combat DDoS flooding attacks. Although the method can decrease the impact of a DDoS attack, it is not enough when the amount of attack traffic is very large.

In future work, we need to optimize the method to adapt to variable environments and protocols. Implementation in a real SDN network is required to confirm its performance and effect.

ACKNOWLEDGMENT

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (NRF-2013R1A1A1076105).

REFERENCES

[1] Open Networking Foundation, https://www.opennetworking.org.
[2] S. Sezer, S. Scott-Hayward, P. Chouhan, B. Fraser, D. Lake, J. Finnegan, N. Viljoen, M. Miller, and N. Rao, "Are we ready for SDN? Implementation challenges for software-defined networks," IEEE Communications Magazine, vol. 51, no. 7, 2013.
[3] S. Scott-Hayward, G. O'Callaghan, and S. Sezer, "SDN security: a survey," in Proc. IEEE SDN4FNS, 2013.
[4] S. Shin and G. Gu, "Attacking software-defined networks: a first feasibility study," in Proc. 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, 2013.
[5] T. Peng, C. Leckie, and K. Ramamohanarao, "Protection from distributed denial of service attacks using history-based IP filtering," in Proc. IEEE ICC, 2003.
[6] Open Networking Foundation, "OpenFlow Switch Specification Version 1.3.4," ONF Specifications, 2014.
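The following Python model is an added worked example, not the authors' code or their OPNET model. It implements the controller logic of Section III.B (T table, per-source counter ci, short-timeout entries, the statistics check against n once ci reaches k, the timeout reset for frequent users and the drop rule for malicious ones) on a simulated OpenFlow switch with hard and idle timeouts, and replays the Section IV.A scenario with k = 3 and n = 7. Everything the paper does not fix is an assumption of the example: flows are keyed by (src, dst, sport); the web server address 10.0.0.100; the packet rates; that s is the mean packet count of the source's flows already in the switch when the packet-in arrives (the flow being created has no history yet); that the buffered packet which raised the packet-in is counted by the entry installed for it; that a block entry is a source wildcard with no timeout; and the names Switch, Controller, scenario and run.

```python
"""Model of the T-table method of Section III.B replayed under the Section IV.A
scenario (k = 3, n = 7; normal timeouts 600/60 s, short timeouts 60/10 s).
Added example, not the authors' code; flow keying, server address, traffic rates
and the exact definition of s are assumptions (see the surrounding text)."""
import random
from dataclasses import dataclass

K, N, NORMAL, SHORT = 3, 7, (600, 60), (60, 10)   # timeouts are (hard, idle) seconds
SERVER = "10.0.0.100"                             # assumed web server address


@dataclass
class Entry:
    src: str
    hard: int
    idle: int
    created: float
    last_hit: float
    action: str = "FORWARD"   # or "DROP"
    packets: int = 0


class Switch:
    def __init__(self):
        self.table = {}   # (src, dst, sport) -> Entry; (src, "*", "*") -> block entry

    def expire(self, now):   # timeout 0 means "never", as in OpenFlow
        self.table = {k: e for k, e in self.table.items()
                      if (e.hard == 0 or now - e.created < e.hard)
                      and (e.idle == 0 or now - e.last_hit < e.idle)}

    def receive(self, controller, pkt, now):
        """Data plane: match an entry, otherwise raise a packet-in to the controller."""
        self.expire(now)
        entry = self.table.get((pkt[0], "*", "*")) or self.table.get(pkt)
        if entry is None:
            controller.packet_in(self, pkt, now)
            return "PACKET_IN"
        entry.packets, entry.last_hit = entry.packets + 1, now
        return entry.action

    def flow_stats(self, src):   # packet counters of the source's forwarding flows
        return [e.packets for k, e in self.table.items() if k[0] == src and e.action == "FORWARD"]

    def set_timeouts(self, src, hard, idle):   # modify all entries of the source
        for k, e in self.table.items():
            if k[0] == src:
                e.hard, e.idle = hard, idle

    def install_block(self, src, now):   # drop rule on the source, no timeout
        self.table = {k: e for k, e in self.table.items() if k[0] != src}
        self.table[(src, "*", "*")] = Entry(src, 0, 0, now, now, action="DROP")


class Controller:
    def __init__(self, enabled=True, k=K, n=N, short=SHORT, normal=NORMAL):
        self.enabled, self.k, self.n, self.short, self.normal = enabled, k, n, short, normal
        self.t_table = {}   # T table: source IP -> counter ci
        self.trusted, self.blocked = set(), set()

    def packet_in(self, switch, pkt, now):
        src = pkt[0]
        ci = self.t_table[src] = self.t_table.get(src, 0) + 1
        if self.enabled and ci >= self.k and src not in self.trusted:
            stats = switch.flow_stats(src)   # statistics request for the source's flows
            if stats:                        # nothing to judge if all its flows have expired
                if sum(stats) / len(stats) >= self.n:   # real data connections: frequent user
                    self.trusted.add(src)
                    switch.set_timeouts(src, *self.normal)
                else:                                   # few packets per connection: block it
                    self.blocked.add(src)
                    switch.install_block(src, now)
                    return
        hard, idle = self.normal if (src in self.trusted or not self.enabled) else self.short
        switch.table[pkt] = Entry(src, hard, idle, now, now, packets=1)   # buffered packet counted


def scenario(seed=1, duration=300, ddos_pps=5, mal_pps=2):
    """Constructed traffic: DDoS user (random src and dst), malicious user 10.0.0.1
    (random dst), frequent user 10.0.0.2 (5 connections x 10 packets, one after another)."""
    rng = random.Random(seed)
    ip = lambda: "%d.%d.%d.%d" % (rng.randrange(11, 172), rng.randrange(256),
                                  rng.randrange(256), rng.randrange(1, 255))
    port = lambda: rng.randrange(1024, 65536)
    events = []
    for t in range(duration):
        events += [(t + i / ddos_pps, (ip(), ip(), port())) for i in range(ddos_pps)]
        events += [(t + i / mal_pps + 0.01, ("10.0.0.1", ip(), port())) for i in range(mal_pps)]
    for c in range(5):
        events += [(3 * c + 0.2 * j, ("10.0.0.2", SERVER, 40000 + c)) for j in range(10)]
    return sorted(events)


def run(events, enabled=True):
    """Replay the events and return what Section IV.B reports on."""
    sw, ctl = Switch(), Controller(enabled=enabled)
    packet_ins, frequent_timeouts = {}, set()
    for now, pkt in events:
        if sw.receive(ctl, pkt, now) == "PACKET_IN":
            packet_ins[pkt[0]] = packet_ins.get(pkt[0], 0) + 1
        if pkt[0] == "10.0.0.2":   # snapshot of the frequent user's entries while it is active
            frequent_timeouts = {(e.hard, e.idle) for k, e in sw.table.items() if k[0] == "10.0.0.2"}
    sw.expire(events[-1][0])
    return {"packet_ins": packet_ins, "trusted": ctl.trusted, "blocked": ctl.blocked,
            "frequent_timeouts": frequent_timeouts, "table_size": len(sw.table),
            "forward_timeouts": {(e.hard, e.idle) for e in sw.table.values() if e.action == "FORWARD"}}
```

Comparing run(scenario()) with run(scenario(), enabled=False) reproduces the qualitative results of Section IV.B: 10.0.0.1 is blocked at its third packet-in, 10.0.0.2 ends up with 600/60 s entries, and the randomly spoofed DDoS sources only ever obtain 60/10 s entries, which keeps the flow table far smaller than without the method. The random-source flooder is never judged because no single source reaches k, so the short timeouts are the only protection against it; conversely, a legitimate client that opens its connections concurrently rather than one after another could be misjudged at its k-th packet-in because its earlier flows have carried little data by then, which is one reason the choice of k and n has to be tuned to the environment as noted above.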
