Please use this identifier to cite or link to this item: http://repository.aaup.edu/jspui/handle/123456789/3213
Title: ONOS Flood Defender: A Real-Time Flood Attacks Detection and Mitigation System in SDN Networks
Other Titles: None
Authors: M N Hamarsheh, Mohammad (AAUP, Palestinian)
Younis, Husein (AAUP, Palestinian)
Keywords: Computer Networks
Network security
Computer Science
Issue Date: Feb-2025
Publisher: Concurrency And Computation: Practice And Experience
Citation: Younis, H. and Hamarsheh, M.M.N. (2025), ONOS Flood Defender: A Real-Time Flood Attacks Detection and Mitigation System in SDN Networks. Concurrency Computat Pract Exper, 37: e8388. https://doi.org/10.1002/cpe.8388
Series/Report no.: 37;https://doi.org/10.1002/cpe.8388
Abstract: Cybercriminals are constantly developing new and sophisticated methods for exploiting network vulnerabilities. Software‐defined networking (SDN) faces more security challenges than traditional networks because the controller is a bottleneck device. This necessitates the implementation of robust security systems, including intrusion detection, to mitigate the effect of attacks. Distributed denial of service (DDoS) attacks targeting the centralized controller of an SDN network can disrupt the entire network. If the controller becomes unavailable due to an attack, flow rules (FRs) cannot be deployed at the network switches, affecting data forwarding and network management. This study focuses on the detection and mitigation of synchronized (SYN) and normal transmission control protocol (TCP) DDoS flood attacks. It introduces two enhanced statistical detection and mitigation algorithms that work seamlessly with the open network operating system (ONOS) SDN controller and the sFlow‐RT engine in real time. Through a comprehensive set of experiments, our empirical findings demonstrate that the proposed algorithms efficiently detect and mitigate attacks with minimal average detection time and negligible impact on resource consumption. By utilizing tuned threshold values based on network traffic volume, the TCP flood attack detection (TFAD) algorithm and the synchronized TCP flood attack detection (STFAD) algorithm achieved minimal average detection times of 4.032 and 3.430 s, respectively. These algorithms also have high detection accuracy in distinguishing normal traffic when appropriate threshold values are applied. Overall, this research significantly contributes to fortifying SDN networks with robust security measures, enhancing their resilience against evolving cyber threats.
Description: -
URI: http://repository.aaup.edu/jspui/handle/123456789/3213
ISSN: 1532-0626
Appears in Collections: Faculty & Staff Scientific Research publications

Files in This Item:
File: Paper online.png
Size: 297.81 kB
Format: image/png

