FADM: DDoS Flooding Attack Detection and
Mitigation System in Software-Defined Networking
Dingwen Hu, Peilin Hong, and Yixin Chen
Key Laboratory of Wireless-Optical Communications, School of Information Science and Technology,
University of Science and Technology of China, HeFei, Anhui 230027 China
Email: {hdw2016@mail.ustc.edu.cn, plhong@ustc.edu.cn, cyx00@mail.ustc.edu.cn}
Abstract—Distributed Denial-of-Service (DDoS) flooding at-
tack is one of the most serious threats to network security.
Software-Defined Networking (SDN) has recently emerged as a
new network management platform, and its centralized control
architecture brings many new opportunities for defending against
network attacks. In this paper, we propose FADM, an efficient
and lightweight framework to detect and mitigate DDoS attacks
in SDN. Firstly, the network traffic information is collected
through the SDN controller and sFlow agents. Then an entropy-
based method is used to measure network features, and the SVM
classifier is applied to identify network anomalies. By adopting
these methods together, the timeliness and accuracy of attack
detection are effectively improved. To keep the major network
functionality working, we propose an efficient attack mitigation
mechanism based on the white-list and traffic migration. By
introducing the mitigation agent to the network, attack traffic can
be timely blocked while benign traffic can be forwarded as usual,
which prevents the controller resources from being exhausted and
ensures that legitimate users can access the network normally.
The experimental results show that multiple DDoS attacks can
be accurately detected and effectively mitigated by FADM, which
enables the network to recover in a short time.
I. I NTRODUCTION
Distributed Denial-of-Service (DDoS) flooding attack is one
of the most serious threats to current network security. Attack-
ers make use of a botnet to send massive useless packets,
which will rapidly exhaust the target’s resources such as
bandwidth, memory, CPU, etc. Compared with other attacks,
DDoS attacks have various attack methods, large-scale traffic
and distributed infected hosts, all of which make it a challenge
to defend. On October 21, 2016, attackers used the Mirai
botnet to launch two large and complex DDoS attacks against
the Dyn’s Managed DNS platform from 100,000 malicious
endpoints, which caused major Internet platforms and services
to be unavailable to large swathes of users in Europe and North
America [1]. How to detect and defense such a large-scale
DDoS attack is an urgent problem to be studied.
Software-Defined Networking (SDN) has recently emerged
as a new network management platform. In the SDN architec-
ture, the control and data planes are decoupled. As a result,
the network intelligence and state can be logically centralized,
and the underlying network infrastructure is abstract from
applications. SDN has the capabilities of software-based traffic
analysis, logically centralized control, global view of the
network, and dynamic updating of forwarding rules, which
978-1-5090-5019-2/17/$31.00 ©2017 IEEE
make it easy to detect and to react against DDoS attacks [2].
On the other hand, some characteristics of SDN also make
itself vulnerable to DDoS attacks, such as the controller is too
centralized, the switch flow table size is limited, and the band-
width between control and data planes is a bottleneck. How
to take full advantage of the SDN characteristics to defend
against DDoS attacks and protect the SDN infrastructure from
attacks is a very challenging problem.
In this paper, we propose a framework to detect and mitigate
DDoS flooding attacks in SDN network to tackle the challenge
above. Information collection is the prerequisite for attack
detection. According to the characteristics of SDN, we propose
an information collection method combining the SDN con-
troller with sFlow[3] to improve its accuracy and timeliness.
Then we use an entropy-based method to measure the changes
of network features, and use the machine learning algorithm
to automatically detect network anomalies. By using these
methods together, DDoS attacks can be accurately detected
in the early stage.
When the SDN network suffers from DDoS attacks, the con-
troller resources and the bandwidth between data and control
planes will be exhausted by attack traffic. To avoid cutting off
the communication of legitimate users, we can not simply drop
all attack traffic, therefore we introduce the mitigation agent in
the network. When a DDoS attack occurs, all suspected attack
traffic flows are migrated to the agent through the installed
wildcard flow rules. However, some benign traffic flows may
also be migrated to the mitigation agent too, so there must be
a way to identify them and install extra forwarding rules. By
adopting this mitigation mechanism, the network can recover
quickly and provide services for legitimate users.
The main contributions of this work can be summarized as
follows:
1) We propose a real-time DDoS attack detection scheme,
which can effectively improve the timeliness and ac-
curacy of attack detection by adopting the Controller-
based and sFlow-based information collection meth-
ods, entropy-based feature extraction method and SVM-
based classification method.
2) We propose an efficient DDoS attack mitigation mech-
anism based on the white-list and dynamic updating of
forwarding rules. By introducing the mitigation agent to
the network, attack traffic can be timely blocked while
 benign traffic is forwarded as usual, which prevents the
controller resources from being exhausted and ensures
that legitimate users can access the network normally.
3) We implement an efficient, lightweight and protocol-
independent prototype system called FADM. The experi-
mental results show that it can accurately detect multiple
DDoS flooding attacks in the early stage and enables the
network to recover quickly.
This paper is structured as follows: Section II discusses
the related work and the differences with our mechanism.
Section III briefly introduces the design principles and system
architecture. The implementation details of the system are
presented in Section IV and the evaluation experiments are
presented in Section V. Finally, Section VI concludes the paper
and discusses future work.
II. R ELATED W ORK
In recent years, researchers have proposed various methods
to defend against DDoS attacks in SDN environment. Braga
et al. [4], proposed a lightweight method for DDoS attack de-
tection based on six traffic flow features. However, it used the
OpenFlow (OF) protocol to gather traffic information, without
considering the control plane overloading and bandwidth bot-
tleneck, which made it only suitable for small-scale networks.
In order to improve the scalability of native OF approaches,
[5] proposed a new flow statistics collection method combining
OF with sFlow. sFlow[3] is a technology for monitoring traffic
by the sampling mechanisms, and has been widely used to
gather traffic information [6–8]. However, due to sFlow can not
gather the information of all packets, it will affect the accuracy
of anomaly detection. To solve this problem, we propose an
information gathering method combining the SDN controller
with sFlow. In a small-scale network, we collect information
directly through the controller. While in a large-scale network,
we use the sFlow-based method instead.
How to accurately measure the DDoS attack features is very
important for attack detection. In [4], six flow-based features
were employed to detect DDoS flooding attacks, while the flow
rate and flow duration were used in FlowTrApp [6] to classify
a traffic flow as either attack traffic or legitimate traffic.
Meanwhile, entropy was used by [5] and [9] to detect network
anomalies. Compared with other features, the entropy-based
features can measure the network changes more sensitively.
Therefore, we adopt them to measure the features of DDoS
attacks.
With the development of machine learning technologies,
they are widely used in DDoS attack detection. In [4, 10],
Self Organizing Maps (SOM) was used to classify network
traffic as either normal or abnormal. The high time complexity
of SOM leads to poor real-time performance in the attack
detection system. In [11], the neural network was used for
calculating the risk of a DDoS attack, but its time complexity
is also high. In [7, 8, 12], Support Vector Machine (SVM) [13]
was used to detect DDoS in SDN environment. Compared
with other methods, SVM classifier has high classification
accuracy and little processing time. To improve the accuracy
and timeliness of attack detection, we choose SVM as the
classification method.
In the SDN architecture, the dynamic updating of forward-
ing rules makes it easy to defend against DDoS attacks. [6]
and [14] dropped all identified attack traffic by installing flow
rules. Due to the limited size of the switch flow table, it is not
possible to install dropping flow rules for each attack traffic. In
[5], a White List function that maintained a list of Destination
IP addresses/ports was implemented to avoid cutting off a
valuable service (i.e. ftp). However, it could not avoid DDoS
attacks against the service. By contrary, we introduce a white-
list mechanism that contains a list of Source IP addresses,
which is dynamically generated and updated based on network
traffic information.
AVANT-GUARD [15] introduced connection migration and
actuating trigger modules to defend against network attacks.
But it needed to expand the data plane, and could only defend
against TCP-based attacks. FloodGuard [16] introduced a data
plane cache between data and control planes. It fowarded all
table-miss packets to the data plane cache and restrict sending
rate during the saturation attack. But it did not classify attack
traffic and benign traffic, resulting in the benign traffic could
not be quickly forwarded. In our system, we introduce the
mitigation agent in SDN network, which does not need to
extend the data plane, and can timely block the attack traffic
and quickly forward the benign traffic.
III. S YSTEM D ESIGN
A. Design Principles
When designing the FADM, we consider the following
objectives. Firstly, the system should be accurate and sensitive
to DDoS flooding attacks to guarantee real-time detection. In
addition, the attacks should be effectively mitigated to keep
the network robust. Finally, we strive to achieve the goals
mentioned above with the whole system to be as lightweight
and scalable as possible.
B. System Architecture
The architecture of FADM consists of two main modules
as shown in Fig. 1: 1) DDoS detection module, and 2) DDoS
mitigation module.
SDN Controller
DDoS Mitigation
DDoS Detection Mitigation
Server
Control Plane
Mitigation
OpenFlow Agent
Protocol
Data Plane
Fig. 1: System Architecture
 1) DDoS Detection Module: The objective of this module
is to detect DDoS flooding attacks in real time. This module is
running as an application in the controller, which is responsible
for collecting traffic information, extracting network features,
and automatically detecting network anomalies.
2) DDoS Mitigation Module: The purpose of this module
is to effectively mitigate DDoS attacks to enable the network
to recover quickly. This module consists of two components:
i) Mitigation Server, and ii) Mitigation Agent. The mitigation
server is running as an application on the controller, while the
mitigation agent is running on a host in the SDN network. The
two components work together to migrate attack traffic timely
and forward benign traffic normally.
IV. S YSTEM I MPLEMENTATION
A. DDoS Detection Module
The procedure of this module is divided into three phases:
1) information collection, 2) feature extraction, and 3) attack
detection.
1) Information collection: Information collection is the first
phase of DDoS attacks detection. In SDN environment, there
are two commonly used methods for collecting information.
The first one is based on OF protocol. In this method,
the controller periodically sends a state request message to
switches, and the switches respond with one or more reply
messages containing flow statistics. This method can gather
the overall traffic passing through the switch in full detail,
and has been applied to collect traffic flow information in
[4]. However, when the network suffers a high-rate DDoS
attack, the bandwidth between the controller and switches is
exhausted by attack traffic. Meanwhile, the switch flow table
is full and the sizes of reply messages are very large, which
make the channel much more congested. Finally, the controller
can not receive the reply messages timely, or the connection
between the switch is broken. Therefore, the OF-based method
is not suitable for detecting high-rate DDoS attacks.
The second method is based on flow monitoring mechanism
utilizing packet samples. sFlow-RT[17] is a traffic monitoring
software that can be used in SDN networks. In sFlow-RT,
the flow samples and counter samples are gathered by sFlow
Agents embedded in network devices and are sent to sFlow
Collector periodically. This method does not consume the
bandwidth between the controller and switches, so it can
overcome the hindrances presented in the first method. This
method has been successfully used to collect flow statistics
in [5–8]. However, due to sFlow only periodically sampling
packets, it can not gather the information of all packets, which
will cause some impact on the accuracy of anomaly detection.
To address the problems of the two methods mentioned
above, we propose a method to collect information directly
through the SDN controller. According to the OF protocol,
if there is no matching flow entry when a packet arrives,
the switch will send a Packet-In message which contains the
packet header to the controller for actions. Some important
traffic information can be extracted from the packet header,
such as network protocol, IP addresses, ports, etc. Since
each new traffic flow will send a Packet-In message to the
controller, we can collect all traffic information of the whole
network directly through the controller, which generates no
any additional communication.
After extensive testing, we find that the sFlow-based method
cannot collect all traffic information when the normal traffic
arrives at a low rate, while our proposed Controller-based
(CT-based) method can still gather enough information to
maintain a higher accuracy in this condition. On the other
hand, when the normal traffic arrives at a high rate, the switch
buffers will be exhausted by normal traffic and some attack
traffic will be dropped, resulting in that the CT-based method
cannot collect the information completely. But the sFlow
Collector can receive the sampling packets as normal, so the
performance of the sFlow-based method is better than the CT-
based method. Therefore, in order to improve the accuracy of
information collection, we choose these two methods accord-
ing to different network environments. In Small Office/Home
Office (SOHO) environments, the normal traffic rate is low,
the CT-based method is used to collect information. While in
larger enterprise or ISP environments, we use the sFlow-based
method instead.
2) Feature extraction: Feature extraction is the prerequisite
for DDoS attacks detection, and its purpose is to extract the
current network features from the collected information. When
a DDoS attack is launched, a large number of distributed
malicious endpoints simultaneously attack a specific target,
which causes the distribution of IP addresses and ports within
the network to change. The entropy is a measure of the uncer-
tainty of random variables in information theory. High entropy
values signify a more dispersed probability distribution, while
low entropy values denote the concentration of a distribution.
Therefore, we use the entropy to measure the changes of
network features.
We define a flow by a five-tuple {sip, dip, sport, dport,
proto}. Assume that the total number of flows in the 𝑘 time
period is 𝑆𝑘 , the set of source IP addresses is {(𝑠𝑖𝑝𝑘𝑖 , 𝑎𝑘𝑖 )∣𝑖 =
1, 2, ..., 𝑁 }, in which 𝑎𝑘𝑖 represents the number of flows with
the source IP address 𝑠𝑖𝑝𝑘𝑖 in the 𝑘 time period. According to
the definition of entropy, the source IP address entropy can be
defined as:
∑𝑁 ∑𝑁
𝑎𝑘𝑖 𝑎𝑘
𝐻(𝑠𝑖𝑝)𝑘 = − 𝑘 𝑘
𝑝(𝑠𝑖𝑝𝑖 ) log2 𝑝(𝑠𝑖𝑝𝑖 ) = − log2 𝑖
𝑖=1
𝑆
𝑖=1 𝑘
𝑆𝑘
Similarly, we can also define the destination IP address
entropy 𝐻(𝑑𝑖𝑝)𝑘 , source port entropy 𝐻(𝑠𝑝𝑜𝑟𝑡)𝑘 , and des-
tination port entropy 𝐻(𝑑𝑝𝑜𝑟𝑡)𝑘 . Finally, we represent the
network features of the 𝑘 time period with a vector 𝑋𝑘 =
{𝐻(𝑠𝑖𝑝)𝑘 , 𝐻(𝑑𝑖𝑝)𝑘 , 𝐻(𝑠𝑝𝑜𝑟𝑡)𝑘 , 𝐻(𝑑𝑝𝑜𝑟𝑡)𝑘 }.
For instance, when the network suffers from a DDoS
attack, the number of source IP addresses in the network
will increase sharply, which results in increase in the entropy
of the source IP addresses 𝐻(𝑠𝑖𝑝); While the destination
IP addresses are relatively concentrated, the 𝐻(𝑑𝑖𝑝) will be
decreased accordingly. If the source ports and destination ports
of attack packets are randomly generated, the 𝐻(𝑠𝑝𝑜𝑟𝑡) and
𝐻(𝑑𝑝𝑜𝑟𝑡) will also increase significantly. Therefore, the vector
𝑋𝑘 can better reflect the DDoS attack characteristics.
3) Attack detection: The DDoS attack detection can be
regarded as a binary classification problem in the field of
machine learning, which classifies the current network state
as normal or abnormal based on the network feature vector
𝑋𝑘 .
The SVM classifier is a binary classification algorithm based
on statistical learning theory and structural risk minimization
theory. When a training sample set 𝐷 is given, the goal of
SVM is to solve the optimal partition hyperplane to minimize
the sum of the distances between the two different support
vectors to the hyperplane. With a good balance between
learning ability and complexity, SVM has been widely used
in DDoS attack detection, only needing a small number of
training samples to achieve good generalization.
To meet the system requirements for accuracy and effi-
ciency, we choose SVM as the classification algorithm for
detecting DDoS attacks. The network features of pervious 𝑀
time periods are applied to construct the training sample set
𝐷 = {(𝑋𝑖 , 𝑦𝑖 )∣𝑖 = 1, 2, ..., 𝑀, 𝑦𝑖 ∈ {−1, +1}}, in which 𝑋𝑖
is the network feature vector of the 𝑖 time period, and 𝑦𝑖 is
the category of network state, ‘−1’ means ‘normal’ and ‘+1’
means ‘abnormal’. In order to improve the training speed and
the accuracy of the model, the data set needs to be normalized
according to the Min-Max Normalization algorithm, and the
normalized range is [-1,1]. The SVM module is trained by
the data set 𝐷, and then used to classify the network feature
vector 𝑋𝑘 of the 𝑘 time period. The classification result for
‘+1’ indicates that the network may be suffering from DDoS
attacks. By using this method, we can accurately detect DDoS
attacks in real time.
B. DDoS Mitigation Module
This section introduces the working process of the DDoS
mitigation module and its three main functions.
1) Working process: This module contains two compo-
nents: mitigation server and mitigation agent. The working
process of this module is divided into five steps as shown in
Fig. 2: i) When a DDoS attack is detected by the detection
module, the mitigation module enters into the attack mitigation
state; ii) Then the mitigation server identifies attack traffic,
and installs a migrating flow rule which has all fields wild-
carded except the network protocol, destination MAC and IP
addresses; iii) All traffic flows matching the wildcard flow
rule are migrated to the mitigation agent, including similar
attack traffic and some benign traffic; iv) The benign traffic is
identified by the mitigation agent and will be forwarded to the
mitigation server, while the other traffic is dropped directly;
v) The mitigation server installs a forwarding flow rule for the
benign traffic and forwards it to the target host.
As can be seen from the above process, the mitigation server
and agent work together to achieve two functions: attack traffic
migrating and benign traffic forwarding. To identify the attack
traffic and benign traffic, we introduce a white-list mechanism.
1. Detect
attacks Mitigation
Detection
Module Server
4. Identify
2. Install 5. Install
and forward
benign
mitigation forwarding
traffics
flow rule flow rule
Attack
traffics
Mitigation
Agent
Benign
3. Migrate traffics
traffics OF switch
Protected
Hosts
Fig. 2: Working process of DDoS mitigation module
Next, we introduce the detailed implementation of the three
functions.
2) Collecting white-list: There are two types of white lists:
one is the static white-list set by the network administrator,
which can be a single IP address or IP address segment; the
other is the dynamic white-list, which is collected periodically
by the mitigation server according to certain rules.
If the current network is in a normal state, the mitigation
server stores the traffic flow information collected by the
detection module to a database, including the collection time
information. At periodic intervals, the server analyzes the
stored information for updating white-list according to the
following rules:
∙ The flow has a pair-flow;
∙ The number of flows with the same source IP address
exceeds the threshold value (𝐶);
∙ The number of days that the same source IP address
appears in the database exceeds the threshold value (𝑇 ).
The source IP addresses that satisfy the above rules are
added to the white-list and sent to the mitigation agent at the
same time. The threshold value of 𝐶 and 𝑇 should be set
according to the network scale. For large-scale networks, the
threshold should be set larger, and for small-scale networks,
the threshold should be set relatively small.
3) Migrating attack traffic: When the network suffers from
DDoS attacks, the attack traffic must be migrated or dropped to
avoid exhausting the controller resources and bandwidth. Due
to the limited size of the switch flow table, it is not possible to
install migrating or dropping flow rules for each attack traffic,
so we can only install a wildcard flow rule. To avoid cutting
off the communication of legitimate users, we can not simply
drop all suspected attack traffic, so we introduce the mitigation
agent in the network. All suspected attack traffic flows are first
migrated to the mitigation agent, and then further identified
by it. If the traffic is a benign traffic, it is forwarded to the
mitigation server to install a forwarding flow rule.
The mitigation server and agent identify the benign traffic
and attack traffic based on the collected white-list and the
protected host list. If the source IP address is in the white-list,
the traffic is identified as a benign traffic and is handled by
the controller as normal. If the source IP address is not in the
white-list and the destination IP address is in the protected host
list, the traffic is identified as an attack traffic for the protected
target host. Then the mitigation server generates a wildcard
flow rule for the attack traffic. All fields in the flow rule are
wildcarded other than the network protocol, destination MAC
address, and destination IP address. The action of the rule
is set to output the traffic to the mitigation agent. After the
flow rule is installed on the switch, all similar attack traffic
matching the rule will be migrated to the mitigation agent.
4) Forwarding benign traffic: Normally, the benign traffic
will be handled directly by controller. But after the migrating
flow rule is installed on the switch, if the benign traffic has
the same network protocol and destination addresses as the
attack traffic, it will also match the migrating flow rule and
be migrated to the mitigation agent. To prevent these benign
traffic from being dropped, it needs to be forwarded to the
target host through the mitigation server and agent working
together.
The mitigation agent captures all migrated packets, and
identifies benign traffic from them according to the white-list
received from the mitigation server. If the source IP address is
in the white-list, the traffic is identified as a benign traffic
and will be forwarded to the mitigation server. After the
mitigation server receives this traffic, it generates a normal
forwarding flow rule and set the action to output to the target
host. In addition, since the packet received by the mitigation
server is the first packet of the benign traffic, it also needs
to be forwarded to the target host to complete the normal
communication.
V. E VALUATION
In this section we introduce the experimental environment
and evaluate the performance and overhead of FADM.
A. Experimental Environment
In order to evaluate the performance of FADM as accurately
and objectively , we build a experiment environment as
realistic as possible, which is shown in Fig. 3.
FADM POX Controller
DDoS Detection
Mitigation Server
Botnet
Mitigation Agent Open vSwitch
Open vSwitch
Normal
Web Service Open vSwitch
Network
Background traffic
Fig. 3: Experimental Environment
FADM is implemented based on the POX, and all modules
are written in Python language. The DDoS detection module
is an application of POX. It extracts the network feature vector
according to the collected traffic information periodically, and
then uses the LIBSVM [18] library to classify the current
network state as normal or abnormal automatically. The mit-
igation server is an application of POX, while the mitigation
agent is running on a host in the SDN network, and the two
components establish a TCP connection through static flow
rules. The mitigation agent uses the pypcap [19] library to
capture all packets passing through the host.
For simplicity, we use Mininet to simulate the SDN net-
work, including three Open-vSwitch switches and three virtual
hosts. One of the hosts is used to build a Web server, the other
for running the mitigation agent, and the third for sending
background traffic. Both the protected host and mitigation
agent can be extended according to the configuration informa-
tion at any time. For a protected host, we can also configure
multiple mitigation agents to migrate different types of traffic
to different agent.
The Botnet is simulated by four hosts in external network,
which uses the TFN2K tool to launch multiple types of DDoS
flooding attacks.
B. Training SVM Model
SVM is a supervised machine learning algorithm that needs
to be trained before using. In order to make the model more
applicable, we use the Botnet to launch different types and
scales of DDoS attacks on the Web server, and use Tcpreplay
tool to replay the packets captured from the gateway of our
laboratory, with an average traffic rate of 10 Mbps and about
40 active hosts. Then we extract network feature vectors from
the collected information periodically and set the category for
each vector. Finally, all network feature vectors are normalized
and used to train the SVM model. The number of training
samples is shown in Table I.
TABLE I: Training samples number
Attack samples Normal samples Total samples
SYN flood 173 286 459
UDP flood 196 194 390
ICMP flood 183 182 365
C. DDoS Detection Effect
The Detection Rate (DR) and False Alarm rate (FA) [4]
are used to measure the performance of our proposed DDoS
attacks detection scheme, which are defined as:
𝑇𝑃 𝐹𝑃
𝐷𝑅 = , 𝐹𝐴 =
𝑇𝑃 + 𝐹𝑁 𝑇𝑁 + 𝐹𝑃
In which, 𝑇 𝑃 represents the number of attack states that are
correctly identified, while 𝐹 𝑁 represents the number of attack
states that are identified as normal. Therefore, 𝐷𝑅 responses
the attack detection rate. Similarly, 𝐹 𝐴 represents the rate of
the normal state being incorrectly identified as the attack state.
To evaluate the performance of DDoS attacks detection, we
have launched SYN flood attacks on the Web server under
different environments as shown in Table II. Tcpreplay was
used to generate background traffic, which could set the replay
speed to given rate. The time interval of information collection
was 5 seconds, and the sampling rate of sFlow was 1/64.
As shown in Fig. 4, when the background traffic rate was
10Mbps, the accuracy of attack detection using the CT-based
 TABLE II: Parameter values used in experimentations
Background traffic rate (Mbps) Attack rate (pps)
Exp.1 10 100-1000
Exp.2 100 1000-15000
method was higher than the other two methods. This is because
the CT-based method can collect all traffic flow information
of the whole network, while the sFlow-based method can only
collect the sampling packet information. When the background
traffic rate was 100Mbps, the detection performance of the
sFlow-based method was better than that of the CT-based
method, and the detection rate reached 100% when the attack
rate was greater than 3000 packets per second (pps). This
is because the switch buffers were exhausted by background
traffic, which caused some attack packets dropped as well as
no associated Packed-In messages generated. Hence, the CT-
based method could not collect the information completely,
but the sFlow-based method could gather the flow samples
as normal. The performance of the OF-based method was the
worst, and it could not collect information correctly when the
background traffic rate was 100Mbps. In addition, the values
of 𝐹 𝐴 were always 0 in two experiments, which indicated
that no any normal state was identified as an attack state. This
also indicated that the false alarm rate of SVM classifier was
very low.
(a) Background traffic rate = 10Mbps
(b) Background traffic rate = 100Mbps
Fig. 4: Detection rate under different environments
Meanwhile, We use the average delay between the first
attack detection time and attack launched time to evaluate the
real-time performance of attack detection. Table III shows that
the average detection delay of the CT-based and sFlow-based
methods are very small. This is because both of these meth-
ods can collect statistical features directly from the received
packets without the need to query switches as the OF-based
method.
TABLE III: Average attack detection delay
Background traffic CT-based (s) sFlow-based (s) OF-based (s)
10 Mbps 3.9 4.1 12.8
100 Mbps 5.3 4.9 -
D. DDoS Mitigation Effect
To evaluate the effectiveness of the DDoS attack mitigation,
three different types of DDoS attacks on the Web server were
launched using the Botnet, with the attack rate increasing from
1000 to 30000 pps. At the same time, we used four different
hosts in the normal network to download the specified page
from the Web server every 3 seconds, and recorded the average
download time. At the beginning of the DDoS attack, the page
download time increased obviously, but after the migrating
flow rule was installed on the switch and attack packets were
migrated to the mitigation agent, the download time returned
to normal immediately. We define the average page download
time at the beginning of the attack as the network recovery
delay, and its values under various types of attacks are shown
in Fig. 5.
Fig. 5: Network recovery delay
When the network was attacked by SYN flood, the average
network recovery delay was higher than that of UDP flood
and ICMP flood. This is because in the case of SYN flood, all
TCP traffic with the protected destination IP address including
benign traffic we sent to download Web pages was migrated,
which resulted in a longer delay. In the case of two other
DDoS attacks, the benign TCP traffic was handled directly by
the controller, so the network recovery delay was short.
E. System Overhead Analysis
FADM is mainly running on POX controller, so we evaluate
its overhead by the average CPU utilization of the controller.
We launched SYN flood attacks on the Web server with the
duration of 5 minutes and the attack rate of 30000 pps, and
monitored the CPU utilization of the controller.
Fig. 6 shows that the CPU utilization is very low under
normal states, which indicates that the overhead imposed
by FADM is minimal. But when the DDoS attack began at
the 05:00 minute, the CPU utilization significantly increased.
After a period of time, the attack traffic was migrated to
the mitigation agent, and the CPU utilization was restored to
normal. The recovery times of the three methods were 12, 15,
and 99 seconds. When using the CT-based and sFlow-based
information collection methods, the network can recover in a
short time, which indicates that our proposed attack detection
and mitigation mechanism is very effective.
Fig. 6: Average CPU utilization of POX controller
VI. C ONCLUSION
In this paper, we propose FADM, an efficient and
lightweight framework to detect and mitigate DDoS flooding
attacks in SDN environment. Firstly, in order to improve
the accuracy of information collection, we use the CT-based
method and sFlow-based method according to different net-
work environments. Then we use the entropy-based method
to measure the changes of network features, and use the SVM
classifier to identify the current network state as normal or
abnormal. To protect the network to provide normal service
when it suffers from DDoS attacks, we propose an efficient
attack mitigation mechanism based on white-list and dynamic
updating of forwarding rules. By introducing the mitigation
agent in the network, we can migrate the attack traffic timely
and forward the benign traffic normally. The experimental
results show that multiple DDoS flooding attacks can be
accurately detected and effectively mitigated by FADM, which
enables the network to recover in a short time. In addition, the
results show that the overhead of FADM is minimal.
For future work, we intend to investigate using the char-
acteristics of SDN and machine learning methods to detect
application layer DDoS attacks and botnets.
ACKNOWLEDGMENT
This work is partially supported by the National Natural
Science Foundation of China under Grant No. 61671420 and
the Fundamental Research Funds for the Central Universities.
R EFERENCES
[1] S. Hilton, “Dyn analysis summary of fri-
day october 21 attack.” http://dyn.com/blog/
dyn-analysis-summary-of-friday-october-21-attack/.
[2] Q. Yan, F. R. Yu, Q. Gong, and J. Li, “Software-defined net-
working (sdn) and distributed denial of service (ddos) attacks in
cloud computing environments: A survey, some research issues,
and challenges,” IEEE Communications Surveys & Tutorials,
vol. 18, no. 1, pp. 602–622, 2016.
[3] S. Panchen, P. Phaal, and N. McKee, “Inmon corporation’s
sflow: A method for monitoring traffic in switched and routed
networks,” 2001.
[4] R. Braga, E. Mota, and A. Passito, “Lightweight ddos flood-
ing attack detection using nox/openflow,” in Local Computer
Networks (LCN), 2010 IEEE 35th Conference on, pp. 408–415,
IEEE, 2010.
[5] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras,
and V. Maglaris, “Combining openflow and sflow for an effec-
tive and scalable anomaly detection and mitigation mechanism
on sdn environments,” Computer Networks, vol. 62, pp. 122–
136, 2014.
[6] C. Buragohain and N. Medhi, “Flowtrapp: An sdn based archi-
tecture for ddos attack detection and mitigation in data centers,”
in Signal Processing and Integrated Networks (SPIN), 2016 3rd
International Conference on, pp. 519–524, IEEE, 2016.
[7] Y. Lu and M. Wang, “An easy defense mechanism against
botnet-based ddos flooding attack originated in sdn environment
using sflow,” in Proceedings of the 11th International Confer-
ence on Future Internet Technologies, pp. 14–20, ACM, 2016.
[8] P. Wang, K.-M. Chao, H.-C. Lin, W.-H. Lin, and C.-C. Lo,
“An efficient flow control approach for sdn-based network threat
detection and migration using support vector machine,” in e-
Business Engineering (ICEBE), 2016 IEEE 13th International
Conference on, pp. 56–63, IEEE, 2016.
[9] A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies
using traffic feature distributions,” in ACM SIGCOMM 2005
Conference on Applications, Technologies, Architectures, and
Protocols for Computer Communications, Philadelphia, Penn-
sylvania, Usa, August, pp. 217–228, 2005.
[10] Y. Xu and Y. Liu, “Ddos attack detection under sdn context,”
in Computer Communications, IEEE INFOCOM 2016-The 35th
Annual IEEE International Conference on, pp. 1–9, IEEE, 2016.
[11] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving ddos re-
siliency in a software defined network by intelligent risk assess-
ment based on neural networks and danger theory,” in Compu-
tational Intelligence and Informatics (CINTI), 2014 IEEE 15th
International Symposium on, pp. 319–324, IEEE, 2014.
[12] R. Kokila, S. T. Selvi, and K. Govindarajan, “Ddos detection
and analysis in sdn-based environment using support vector
machine classifier,” in Advanced Computing (ICoAC), 2014
Sixth International Conference on, pp. 205–210, IEEE, 2014.
[13] C. Cortes and V. Vapnik, “Support-vector networks,” Machine
Learning, vol. 20, no. 3, pp. 273–297, 1995.
[14] L. V. Morales, A. F. Murillo, and S. J. Rueda, “Extending the
floodlight controller,” in Network Computing and Applications
(NCA), 2015 IEEE 14th International Symposium on, pp. 126–
133, IEEE, 2015.
[15] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, “Avant-guard:
scalable and vigilant switch flow management in software-
defined networks,” in Proceedings of the 2013 ACM SIGSAC
conference on Computer & communications security, pp. 413–
424, ACM, 2013.
[16] H. Wang, L. Xu, and G. Gu, “Floodguard: a dos attack pre-
vention extension in software-defined networks,” in Dependable
Systems and Networks (DSN), 2015 45th Annual IEEE/IFIP
International Conference on, pp. 239–250, IEEE, 2015.
[17] InMon, “sflow-rt.” http://www.inmon.com/products/sFlow-RT.
php.
[18] C. C. Chang and C. J. Lin, LIBSVM: A library for support
vector machines. ACM, 2011.
[19] D. Song, “pypcap.” https://github.com/pynetwork/pypcap.