Preprint · June 2021. DOI: 10.13140/RG.2.2.12057.54886
ResearchGate: https://www.researchgate.net/publication/352762116
All content following this page was uploaded by Md. Jahidul Islam on 26 June 2021.


2021 International Conference on Automation, Control and Mechatronics for Industry 4.0 (ACMI), 8-9 July 2021, Rajshahi, Bangladesh

Preventive Determination and Avoidance of DDoS Attack with SDN over the IoT Networks

Khan Mohammad Shayshab Azad*, Nayon Hossain†, Md. Jahidul Islam‡, Anichur Rahman§, Sumaiya Kabir¶
Department of Computer Science and Engineering, Green University of Bangladesh, and
National Institute of Textile Engineering and Research (NITER)§
Email: shayshabazad@gmail.com*, hossainnayon786@gmail.com†, jahid@cse.green.edu.bd‡, anis_cse@niter.edu.bd§, sumaiya@cse.green.edu.bd¶

Abstract—The Internet of Things (IoT) is growing rapidly, and its security issues are growing with it. IoT systems are unable to protect themselves against ransomware and various other forms of malicious threat. The way a vast number of IoT devices are managed is awkward and insecure, and security problems have become increasingly important with the spread of IoT devices. The Software-Defined Networking (SDN) paradigm provides a way to control IoT devices securely. For the IoT paradigm, we propose a general system for detecting and mitigating Distributed Denial-of-Service (DDoS) attacks using SDN. The proposed architecture consists of a pool of controllers comprising SDN controllers and IoT gateway-integrated switches. We also present an IoT DDoS attack detection and mitigation algorithm attached to the proposed SDN-IoT platform. Finally, the experimental results show that the proposed algorithm improves performance, and the proposed architecture adapts to heterogeneous and fragile devices to enhance IoT security.

Index Terms—Internet of Things, IoT Security, Denial of Service, DDoS, IoT Attacks, IoT

I. INTRODUCTION

The IoT is a paradigm for all the different Internet-connected devices that are not conventional computers. This covers everything from smart refrigerators, speakers, cameras, washing machines, vehicles, traffic lights, airplane engines, and home monitoring systems to fitness trackers and smartwatches. As access to broadband Internet networks increases and processors become more affordable, more Wi-Fi devices are being developed. In the next decade, the IoT will be linked to billions of devices with several vulnerabilities. These networking devices have no security protocols and no processing or storage resources to allow firewalls and diagnostic tools [1]. Also, they do not link to the Internet directly via Wi-Fi. Many examples in recent years have shown that the IoT is susceptible to viruses. Without security precautions, the majority of IoT appliances could anonymously become accomplices to DDoS attacks [2]. A DoS attack attempts to disrupt a network or online resource of its victim, usually with an overwhelming excess of the type of operation it would typically receive. This might take the form of requests from registered and prospective users for authentication, game-play processor cycles, notifications, download requests, etc. The DDoS attack shows the ubiquity of vulnerabilities in the IoT, and DDoS attacks have been inadvertently mounted from multiple IoT computers. The evolving SDN paradigm provides a way for IoT devices to be managed safely. First, we offer a simple framework based on the SDN paradigm [3], [4]. A controller pool of SDN-IoT controllers, IoT gateway-integrated SDN-IoT switches, and IoT appliances compose the proposed structure [5]. An algorithm for the detection and mitigation of DDoS attacks using the proposed SDN-IoT system is then presented; it uses the cosine similarity of the packet message rate vectors at the input ports of the boundary SD-IoT switches to determine whether a DDoS attack is occurring in the IoT. Finally, experiments show that the proposed algorithm is remarkably efficient, and the proposed architecture adapts to disparate and vulnerable devices to enhance IoT security. Fig. 1 shows how a DDoS attack occurs.

Fig. 1. DDoS Attack Over the IoT Network

Based on the above discussion, the contributions of this paper are as follows:

• An SDN-IoT framework comprising a pool of SDN controllers and IoT gateways that is capable of dealing with DDoS attacks.
• A DDoS attack detection algorithm based on the cosine similarity of packet message rate vectors, to identify the attacks and defeat the attackers in time.

978-1-6654-3843-8/21/$31.00 ©2021 IEEE
Organization: This paper is organized as follows. The background knowledge and literature are discussed in Section II. The proposed model is presented in Section III. Section IV analyzes the results and the performance evaluation. Limitations and future work are given in Section V. Finally, we conclude the paper in Section VI, touching on limitations and future plans as well.

II. BACKGROUND AND RELATED WORK

The challenges of dealing with different types of security and privacy issues are not new [6]. From time to time, researchers have developed fresh ideas to detect and manage such problems. This section summarizes some of the most recent related articles in this context, with a brief introduction to the attacks and to SDN.

A. DDoS Over IoT Network

Because numerous connection requests over a period of time cause the target to slow down, crash or shut down, DoS and DDoS are two of the most difficult attacks to mitigate. The weakness of the three-way handshake of the TCP connection sequence [7] may be exploited by a flooding attack. The host machine first receives a synchronize message to start the handshake. By sending an acknowledgment flag to the first host, the server acknowledges the message and then closes the connection. By sending malicious pings to the device, the Ping of Death attack manipulates the IP protocol. This attack does not require enormous data; it only needs to exploit the standard protocol. Using a malware program named Smurf, the Smurf attack manipulates the IP and ICMP protocols [8]. Fig. 2 shows a short definition and description of the classification of IoT attacks.

Fig. 2. Classification of IoT Attacks

Moreover, SDN technology is a network management strategy that allows an interactive, programmable, efficient network design to improve the network's efficiency and monitoring. SDN seeks to overcome the decentralization and complexity of the traditional static network architecture. SDN aims to centralize network intelligence into one network element, as shown in Fig. 3. Intelligent centralization, however, has stability, scalability, and elasticity drawbacks, and this is the main issue for SDN.

Fig. 3. A Strategy of Software Defined Networking (SDN)

B. Related Works

Recently, Vishwakarma [9] discussed the idea of botnets that run behind IoT security. The different DDoS defense strategies are defined and compared in general terms to recognize the security vulnerabilities present in them. They also mention the open research problems and challenges to be tackled for a better and smarter defense against DDoS. In the security scheme of [10], to prevent attacks on IoT servers, the protection framework leverages the cloud and SDN paradigms. A new framework called learning-driven detection and mitigation is proposed to detect DDoS using a semi-supervised machine learning algorithm and to mitigate DoS in the IoT. They tested and compared the results in a testbed and an emulated topology. In [11], the suggestion was to experimentally test an entropy-based approach using a stateful SDN data plane to detect and mitigate DDoS attacks on IoT applications. The findings show that real IoT data traffic is targeted. The taxonomy in [12] details the reasons for implementing each solution; the results of that study show the key advantages and disadvantages of each approach by analyzing current developments and future viewpoints when applied to particular scenarios. In [13], a novel anomaly-based Intrusion Detection System (IDS) is proposed that can detect and mitigate this evolving form of DDoS attack promptly. By numerical and testbed tests, the proposed ability to see and reduce stealthy DDoS attacks with even a few limited attack sizes per source is demonstrated. In [14], an improved distributed low-rate attack mitigation mechanism was suggested. Specifically, to relieve the pressure on the practical forwarding state table, eDLAM retains a tiny, lightweight malicious request table. The mitigation system consists of real-time traffic filtering through firewall devices that can reverse-filter traffic analysis through visualized network features on the local servers based on signature botnet attack packets. To make the decision more accurate, cloud service and centralized collaboration consolidate and compare information from distributed local servers [15].
With the convergence of different technologies, such as machine learning, real-time analytics, and embedded devices, the IoT's visibility has grown [16]. Conventional industries are all subject to authorization for the IoT, such as embedded devices, wireless sensor networks, control devices, automation, and others [17], [18]. Though he likes the word "IoT," Radio Frequency Recognition (RFR) was seen to be the key to the IoT, enabling computers to track all individual things.

Wide distribution, transparency, and relatively high processing capacity have made IoT devices a perfect target for cyber attacks. When many IoT nodes gather and process private information, they become a gold mine of information for malicious actors [19]. During service, an interruption may occur in IoT devices, causing them to be in shutdown mode. A security attack taxonomy within IoT networks is designed to help IoT developers become more aware of possible security vulnerabilities and implement better defenses [20].

III. PROPOSED METHODOLOGY

Our proposed SDN framework provides programmable networking and centralized management so that IoT devices can be configured through an SDN. An SDN is used to increase the effectiveness of one machine's contact with another machine in the IoT. In the context of Industry 4.0, the software-defined IoT architecture is suggested to improve the interaction between systems effectively. Building the IoT architecture as an SDN-based framework is a potential solution for data security and system stability because the SDN can use OpenFlow or another southbound SDN interface to manage the network.

A. System Design & Processes

During regular operations, IoT devices usually have fairly straightforward traffic patterns. To block traffic that would be out of the ordinary, the machine attempts to learn these patterns. However, a home router is an incredibly restricted system from a hardware perspective, so a balance must be struck between the capacity to learn and energy consumption. This is particularly evident because most chips in home routers do not even support floating-point operations, which are widely used by different learning methods. SDN controllers, SDN switches, and DDoS attack software are among the experimental framework's critical tools. In particular, Floodlight is deployed on the operating system as the SDN-IoT controller. vSwitch is used as the SDN-IoT switch. Mininet is deployed on Ubuntu LTS to simulate the topology of the SDN-IoT network.

Fig. 4 depicts a high-level scheme design where a master SDN controller is connected to the cluster controllers while the IoT devices communicate with the intermediary cluster controllers.

Fig. 4. Scheme Design

B. SDN IoT Framework

The architecture can be split into three layers: the operation layer, the control layer, and the structure layer.

Fig. 5. SDN-IoT Framework

Our proposed methodology in the SDN-IoT framework is shown in Fig. 5. The Fog node takes data from the IoT sensor node in the first compression stage. Then it tests the device's authenticity. Data packets are discarded if the device is unauthorized. Otherwise, the data is collected for a specific time in an array. Then, using a sorting algorithm, the data is ordered in sequence. After that, a measurement occurs in which the mean of the data set values is determined for every two consecutive values, so for each pair of values we get one result. The mean values are rounded, and their fractional parts are omitted during the measurement. After doing so, a file is created by writing the mean values into it. The file is then transferred to a server. The Fog finally removes the records of the temporary collection from itself.
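The Fog-node steps just described (authenticity check, collection, sorting, pairwise means with the fractional part dropped, file creation), together with the Cloud-side regeneration mentioned in Section IV-A, as an added Python example that is not code from the paper. The device list, readings and file layout are constructed here; the handling of an unpaired last reading and the regeneration rule (each mean stands in for the pair it replaced) are assumptions, since the paper does not define them.

```python
from typing import Dict, List, Optional, Sequence, Set

# Constructed inputs for this example (not from the paper): the set of
# authenticated device ids known to the Fog and one collection window.
AUTHORIZED: Set[str] = {"sensor-01", "sensor-02"}
WINDOW: Dict[str, List[float]] = {
    "sensor-01": [21.7, 19.2, 24.9, 22.3],   # legitimate, unsorted samples
    "sensor-99": [99.0, 98.5],               # unknown device: must be dropped
}


def fog_compress(device_id: str, readings: Sequence[float],
                 authorized: Set[str]) -> Optional[List[int]]:
    """Fog-node stage from Section III-B.
    Returns None when the device fails the authenticity check (its packets
    are discarded). Otherwise the readings are sorted, paired, and each pair
    is replaced by its mean with the fractional part omitted."""
    if device_id not in authorized:
        return None
    ordered = sorted(readings)                       # ordered in sequence
    means = [int((a + b) / 2)                        # fractional part dropped
             for a, b in zip(ordered[0::2], ordered[1::2])]
    if len(ordered) % 2:                             # assumption: an unpaired
        means.append(int(ordered[-1]))               # last value is kept as is
    return means


def build_fog_file(window: Dict[str, Sequence[float]],
                   authorized: Set[str]) -> str:
    """Runs every device in the window through fog_compress and writes the
    surviving means into the text file handed to the server. Assumed layout:
    one 'device,mean,mean,...' line per authenticated device. After the
    transfer the Fog discards the window; that is left to the caller here."""
    lines = []
    for device_id, readings in window.items():
        means = fog_compress(device_id, readings, authorized)
        if means is None:
            continue                                 # unauthorized: discarded
        lines.append(",".join([device_id] + [str(m) for m in means]))
    return "\n".join(lines) + "\n"


def cloud_regenerate(file_text: str) -> Dict[str, List[int]]:
    """Cloud side (Section IV-A): parse the Fog file and regenerate the data
    values. Assumption: each mean is expanded back to the two readings it
    replaced, so the result approximates, not restores, the originals."""
    result: Dict[str, List[int]] = {}
    for line in file_text.splitlines():
        if not line:
            continue
        device_id, *means = line.split(",")
        values = [int(m) for m in means]
        result[device_id] = [v for v in values for _ in (0, 1)]
    return result


if __name__ == "__main__":
    fog_file = build_fog_file(WINDOW, AUTHORIZED)
    print(fog_file, end="")
    print(cloud_regenerate(fog_file))
```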
C. Proposed Algorithm

The key to the suggested algorithm is to use cosine similarity to measure the similarity of the vectors of the packet-in rate at the input ports of the boundary SDN-IoT switches; the method is shown in Algorithm 1. This subsection primarily describes the behavior of the proposed DDoS attack detection and mitigation, obtaining the data vectors x and y for the similarity measurement.

Algorithm 1: Distributed Denial of Service Attack Detection and Mitigation Algorithm for SDN IoT
Input: Set of all boundary SDN IoT switches.
Output: DDoS attack and detection
 1  if α ∈ edge then
 2      while m ≤ sm do
 3          while j ≤ 2k do
 4              foreach Δt do
 5                  count = the number of Pk_in
 6                  λ_j = count / Δt
 7              end
 8          end
 9      end
10      X = {λ_i} where i = 2, 4, 6, ..., 2k
11      Y = {λ_j} where j = 1, 3, 5, ..., 2k − 1
12      Calculate ρ(X, Y) by Equation 1
13      if η_U ≤ ρ(X, Y) ≤ 1 then
14          s = s + 1
15      end
16  end
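Algorithm 1 as runnable Python, added here as an example rather than the paper's code: it computes λ_j from packet-in counts per Δt, splits them into the even- and odd-numbered vectors X and Y, and increments the per-switch counter s when the cosine similarity ρ(X, Y) reaches η_U. The cosine form of Equation 1 (which the page does not print), the sample counts (constructed around the roughly 30 pps and 250 pps of Section IV-B), and the final rule that reports a switch once s reaches s_max are this example's assumptions.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample (not from the paper): packet-in counts per window delta_t
# on the input port of two boundary SDN-IoT switches, 2k = 8 windows each.
# "s1" carries bursty normal IoT traffic around the ~30 pps of Fig. 9;
# "s2" carries a flood that stays flat near the ~250 pps of Fig. 10.
SAMPLE_ROUND: Dict[str, List[int]] = {
    "s1": [30, 12, 45, 8, 33, 15, 40, 10],
    "s2": [248, 252, 250, 249, 251, 250, 253, 247],
}


def packet_rates(counts: Sequence[int], delta_t: float) -> List[float]:
    """Algorithm 1, lines 4-6: lambda_j = (packet-in count in window j) / delta_t."""
    if delta_t <= 0:
        raise ValueError("delta_t must be positive")
    return [c / delta_t for c in counts]


def split_vectors(rates: Sequence[float]) -> Tuple[List[float], List[float]]:
    """Lines 10-11: X holds the even-numbered samples lambda_2, lambda_4, ...,
    lambda_2k and Y the odd-numbered lambda_1, lambda_3, ..., lambda_2k-1."""
    if len(rates) < 2 or len(rates) % 2:
        raise ValueError("need 2k rate samples with k >= 1")
    return list(rates[1::2]), list(rates[0::2])


def cosine_similarity(x: Sequence[float], y: Sequence[float]) -> float:
    """Assumed form of the page's 'Equation 1': rho = (X . Y) / (|X| |Y|)."""
    dot = sum(a * b for a, b in zip(x, y))
    norm_x = math.sqrt(sum(a * a for a in x))
    norm_y = math.sqrt(sum(b * b for b in y))
    if norm_x == 0.0 or norm_y == 0.0:
        return 0.0  # idle port: no direction to compare, treat as dissimilar
    return dot / (norm_x * norm_y)


def port_similarity(counts: Sequence[int], delta_t: float) -> float:
    """rho(X, Y) for one switch port over one observation round (2k windows)."""
    x, y = split_vectors(packet_rates(counts, delta_t))
    return cosine_similarity(x, y)


def detect_round(edge_counts: Dict[str, Sequence[int]], delta_t: float,
                 eta_u: float, s: Dict[str, int]) -> Dict[str, int]:
    """Lines 1-16 for one round over every boundary switch alpha in 'edge'.
    s is the per-switch counter of line 14 and is updated in place: it grows
    only when eta_u <= rho <= 1, i.e. when consecutive rate samples are nearly
    parallel, which a flat flood produces and bursty normal traffic does not."""
    for switch, counts in edge_counts.items():
        s.setdefault(switch, 0)
        rho = port_similarity(counts, delta_t)
        if eta_u <= rho <= 1.0:          # line 13
            s[switch] += 1               # line 14
    return s


def run_detector(rounds: Sequence[Dict[str, Sequence[int]]], delta_t: float,
                 eta_u: float, s_max: int) -> List[str]:
    """Repeats detect_round over successive rounds and reports the switches
    whose counter reached s_max. Assumption: the paper stops at s = s + 1,
    so the s_max decision rule is this example's, not the paper's."""
    s: Dict[str, int] = {}
    for edge_counts in rounds:
        detect_round(edge_counts, delta_t, eta_u, s)
    return sorted(sw for sw, n in s.items() if n >= s_max)


if __name__ == "__main__":
    for sw, counts in SAMPLE_ROUND.items():
        print(sw, round(port_similarity(counts, 1.0), 4))
    print("flagged:", run_detector([SAMPLE_ROUND] * 3, 1.0, 0.99, 3))
```

With η_U = 0.99 the bursty port scores about 0.93 and is never counted, while the flat flood scores above 0.999 on every round; note that any steady rate, however low, would also score near 1, so η_U and s_max need tuning against the site's own baseline.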

IV. SETTING ENVIRONMENT AND RESULT ANALYSIS

TABLE I
COMPARATIVE ANALYSIS WITH EXISTING WORKS

Authors             Technologies   Application       DDoS Attack Detection   DDoS Attack Prevention   Algorithms
Silva et al. [12]   SDN & ML       IoT               YES                     YES                      No
Bawany et al. [21]  SDN            IoT               YES                     YES                      No
Wang et al. [22]    SDN            Cloud Computing   YES                     YES                      No
Ahmed et al. [23]   SDN            IoT               YES                     YES                      No
Sahoo et al. [24]   SDN            IoT               YES                     NO                       No
Tuan et al. [25]    SDN & ML       ISP Networks      YES                     YES                      No
Proposed            SDN & ML       IoT               YES                     YES                      YES

A. Environment Setup

There are two control layers: the primary control layer and the fundamental control layer. The primary control layer interacts with the upstream application layer; it also interacts with the fundamental downstream control layer, and the structure layer interacts with the primary control layer.

The environment design using Mininet is shown in Fig. 6. Here we see one controller, four switches, and some hosts.

At this point, the Fog sends the file that was initially compressed in the Fog. The Cloud gets the Fog file and regenerates the data values of the file. The Cloud stores the file after compression until the edge devices send a request for this data. After receiving a request from the terminal computer, the compressed data is decompressed. After completion of compression, the Cloud eliminates the temporary data.

Through its programmable features, SDN offers security solutions for DoS attacks. The centralized control logic is easy to handle and hide, but it also creates security problems. Similar to SDN, via the programmable SDN-IoT architecture, SD-IoT can provide proactive schemes for detecting and minimizing DDoS assaults.

Fig. 6. Environment Design using Mininet

This section describes the steps involved in simulating an SDN DDoS attack. The first thing we need to do to perform the simulation is to build the network. A command line in the terminal orders the creation of a system with one switch, one controller, and six hosts. Figs. 7 and 8 show the command lines used to create the network.

Fig. 7. Linux Command for Floodlight

Fig. 8. Linux Command for Sflow-rt

There are h1, h2, h3, and h5 terminals: three hosts to simulate a DDoS attack and one for regular traffic. On Mininet

terminals, we run the DDoS scripts manually. We run the regular traffic script to generate normal network traffic. Until the other DDoS scripts start running, we can also see the targeted host that received the DDoS, the port number, the time used to generate the attack traffic, and the IP address 10.0.0.4 allocated to the attacker. We open the other two terminals, h1 and h3, and run the DDoS script with the same credentials. The large number of packets sent to the victim in a very few seconds can be seen, as shown in Figure 5 (a, b, c). We need to look at the graphs to see what happened on the network during the DDoS attack period.

Fig. 9. A Graph to Present Normal Traffic

B. Performance Analysis

Figs. 9 and 10 show the distinction between normal traffic and DDoS traffic. The graph also shows the sudden rise in the number of packets in the SDN network. It takes less than 40 seconds to produce the regular traffic, which is a direct indicator of a DoS attack. While the generation of regular traffic was around thirty packets per second, the DoS packets hit about two hundred fifty packets per second. This network fluctuation, the traffic created by a DoS attack, can cause the entire network to crash if the DoS lasts much longer. Traffic is presented in the graph as number of packets against time in seconds; these are the two most essential characteristics for DoS attack detection. Developers should concentrate on packets' arrival time, from our 36 points of view, to detect DDoS in SDN, because this characteristic is not taken into account by most of them. The graph shown in Fig. 8 is generated by the sFlow-RT tool, which is a pre-installed packet analyzer tool in Mininet. Moreover, Table I shows the comparative analysis of the presented method with recent existing works.

Fig. 10. A Graph to Present DDoS Attack Traffic

V. LIMITATION AND FUTURE WORK

The first restriction of the proposed model is that it is very difficult to determine the actual IP address of a Virtual Private Network (VPN) user. Our system is not the best approach to detect broad unstructured VPN attacks. The second restriction of the proposed model is that only simulated traffic is used, whereas much of the traffic would be real-time during DDoS attacks. Our layout is not the right approach for massive unstructured attacks. The third limitation of the proposed model is that only virtual devices are used in our work, whereas much of the system would be real-time at DDoS attack time. The implementation has been shown with a collection of sample data in a particular range that can be varied. If the variety of attackers increases, optimization can be reduced with the increasing number of data ranges. But, as we have found a low error rate in our proposed system, the growing field of attackers will not have an impact. To make our IoT network more effective, future work on the proposed system can adopt blockchain technology. Instead of simulation, we will use actual traffic flows and devices.

VI. CONCLUSION

We examine our contributions to fulfilling our work's purpose, a Multi-Level IoT DDoS mitigation platform. We develop an algorithm using the proposed SD-IoT system to detect and mitigate DDoS attacks. We protect against IoT DDoS attacks including at the edge computing level. We are
designing a software-defined network to handle many IoT devices and mitigate IoT DDoS attacks. Our system leverages the distributed SDN architecture. Our system can detect hackers and prevent them by using our SDN-based framework. The purpose of this work was to detect and mitigate DDoS attacks. We note that the objective is accomplished entirely by our system method. We then researched some possible areas of use. We also have some restrictions alongside some great benefits.

ACKNOWLEDGMENT

This research is supported and funded by the Green University of Bangladesh (GUB).

REFERENCES

[1] A. Rahman, M. J. Islam, M. S. I. Khan, S. Kabir, A. I. Pritom, and M. R. Karim, "Block-sdotcloud: Enhancing security of cloud storage through blockchain-based sdn in iot network," 2020.
[2] I. D. Guedalia, J. Guedalia, R. P. Chandhok, and S. Glickfield, "Methods to discover, configure, and leverage relationships in internet of things (iot) networks," Feb. 20 2018, US Patent 9,900,171.
[3] D. Yin, L. Zhang, and K. Yang, "A ddos attack detection and mitigation with software-defined internet of things framework," IEEE Access, vol. 6, pp. 24694–24705, 2018.
[4] M. J. Islam, M. Mahin, S. Roy, B. C. Debnath, and A. Khatun, "Distblacknet: A distributed secure black sdn-iot architecture with nfv implementation for smart cities," in 2019 International Conference on Electrical, Computer and Communication Engineering (ECCE). IEEE, 2019, pp. 1–6.
[5] B. K. Mukherjee, S. I. Pappu, M. J. Islam, and U. K. Acharjee, "An sdn based distributed iot network with nfv implementation for smart cities," in International Conference on Cyber Security and Computer Science. Springer, 2020, pp. 539–552.
[6] M. J. Islam, M. Mahin, A. Khatun, S. Roy, S. Kabir, and B. C. Debnath, "A comprehensive data security and forensic investigation framework for cloud-iot ecosystem," GUB Journal of Science and Engineering, vol. 4, 2019.
[7] K. Bhardwaj, J. C. Miranda, and A. Gavrilovska, "Towards iot-ddos prevention using edge computing," in USENIX Workshop on Hot Topics in Edge Computing (HotEdge 18), 2018.
[8] M. De Donno, N. Dragoni, A. Giaretta, and A. Spognardi, "Analysis of ddos-capable iot malwares," in 2017 Federated Conference on Computer Science and Information Systems (FedCSIS). IEEE, 2017, pp. 807–816.
[9] R. Vishwakarma and A. K. Jain, "A survey of ddos attacking techniques and defence mechanisms in the iot network," Telecommunication Systems, vol. 73, no. 1, pp. 3–25, 2020.
[10] N. Ravi and S. M. Shalinie, "Learning-driven detection and mitigation of ddos attack in iot via sdn-cloud architecture," IEEE Internet of Things Journal, vol. 7, no. 4, pp. 3559–3570, 2020.
[11] J. Galeano-Brajones, J. Carmona-Murillo, J. F. Valenzuela-Valdés, and F. Luna-Valero, "Detection and mitigation of dos and ddos attacks in iot-based stateful sdn: An experimental approach," Sensors, vol. 20, no. 3, p. 816, 2020.
[12] F. S. D. Silva, E. Silva, E. P. Neto, M. Lemos, A. J. V. Neto, and F. Esposito, "A taxonomy of ddos attack mitigation approaches featured by sdn technologies in iot scenarios," Sensors, vol. 20, no. 11, p. 3078, 2020.
[13] K. Doshi, Y. Yilmaz, and S. Uludag, "Timely detection and mitigation of stealthy ddos attacks via iot networks," arXiv preprint arXiv:2006.08064, 2020.
[14] G. Liu, W. Quan, N. Cheng, H. Zhang, and S. Yu, "Efficient ddos attacks mitigation for stateful forwarding in internet of things," Journal of Network and Computer Applications, vol. 130, pp. 1–13, 2019.
[15] L. Zhou, H. Guo, and G. Deng, "A fog computing based approach to ddos mitigation in iiot systems," Computers & Security, vol. 85, pp. 51–62, 2019.
[16] M. Nawir, A. Amir, N. Yaakob, and O. B. Lynn, "Internet of things (iot): Taxonomy of security attacks," in 2016 3rd International Conference on Electronic Design (ICED). IEEE, 2016, pp. 321–326.
[17] R. Doshi, N. Apthorpe, and N. Feamster, "Machine learning ddos detection for consumer internet of things devices," in 2018 IEEE Security and Privacy Workshops (SPW). IEEE, 2018, pp. 29–35.
[18] M. Conti, A. Dehghantanha, K. Franke, and S. Watson, "Internet of things security and forensics: Challenges and opportunities," 2018.
[19] P. B. Pajila and E. G. Julie, "Detection of ddos attack using sdn in iot: A survey," in Intelligent Communication Technologies and Virtual Mobile Networks. Springer, 2019, pp. 438–452.
[20] C. Zhang and R. Green, "Communication security in internet of thing: preventive measure and avoid ddos attack over iot network," in Proceedings of the 18th Symposium on Communications & Networking. Society for Computer Simulation International, 2015, pp. 8–15.
[21] N. Z. Bawany, J. A. Shamsi, and K. Salah, "Ddos attack detection and mitigation using sdn: methods, practices, and solutions," Arabian Journal for Science and Engineering, vol. 42, no. 2, pp. 425–441, 2017.
[22] B. Wang, Y. Zheng, W. Lou, and Y. T. Hou, "Ddos attack protection in the era of cloud computing and software-defined networking," Computer Networks, vol. 81, pp. 308–319, 2015.
[23] M. E. Ahmed and H. Kim, "Ddos attack mitigation in internet of things using software defined networking," in 2017 IEEE Third International Conference on Big Data Computing Service and Applications (BigDataService). IEEE, 2017, pp. 271–276.
[24] K. S. Sahoo, D. Puthal, M. Tiwary, J. J. Rodrigues, B. Sahoo, and R. Dash, "An early detection of low rate ddos attack to sdn based data center networks using information distance metrics," Future Generation Computer Systems, vol. 89, pp. 685–697, 2018.
[25] N. N. Tuan, P. H. Hung, N. D. Nghia, N. V. Tho, T. V. Phan, and N. H. Thanh, "A ddos attack mitigation scheme in isp networks using machine learning based on sdn," Electronics, vol. 9, no. 3, p. 413, 2020.
