Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment

  • Kriti Bhushan
  • B. B. GuptaEmail author
Original Research


In recent time, software defined networking (SDN) has evolved into a new and promising networking paradigm. In the SDN-based cloud, the essential features of SDN, including global view of the whole network, software-based traffic analysis, centralized control over the network, etc. can greatly improve the DDoS attack detection and mitigation capabilities of the cloud. However, integration of SDN in the cloud itself introduces new DDoS attack vulnerabilities. Limited flow-table size is a vulnerability that can be exploited by the adversaries to perform DDoS attacks on the SDN-based cloud. In this paper, we first discuss various essential features of SDN that makes it a suitable networking technology for cloud computing. In addition, we represent the flow table-space of a switch by using a queuing theory based mathematical model. Further, we propose a novel flow-table sharing approach to protect the SDN-based cloud from flow table overloading DDoS attacks. This approach utilizes idle flow-table of other OpenFlow switches in the network to protect the switch’s flow-table from overloading. Our approach increases the resistance of the cloud system against DDoS attacks with minimal involvement of the SDN controller. Thus, it has very low communication overhead. Our claims are well supported by the extensive simulation-based experiments.


Software defined networks (SDN) DDoS attack SDN-based cloud Flow table Cloud computing 



This research work is being supported by Project Grant (SB/FTP/ETA-131/2014) from SERB, DST, Government of India.


  1. Ahmad I, Namal S, Ylianttila M, Gurtov A (2015) Security in software defined networks: a survey. IEEE Commun Surv Tutor 17(4):2317CrossRefGoogle Scholar
  2. Azodolmolky S, Wieder P, Yahyapour R (2013) SDN-based cloud computing networking. In: 15th IEEE international conference on transparent optical networks (ICTON), Cartagena, pp 1–4Google Scholar
  3. Bhushan K, Gupta BB (2017) Security challenges in cloud computing: state-of-art. Int J Big Data Intell 4(2):81–107CrossRefGoogle Scholar
  4. Bhushan K, Gupta BB (2018) A novel approach to defend multimedia flash crowd in cloud environment. Multimed Tools Appl 77(4):4609–4639CrossRefGoogle Scholar
  5. Braga R, Mota E, Passito A (2010) Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: IEEE 35th conference on local computer networks (LCN), Denver, pp 408–415Google Scholar
  6. Butler B (2017) Cisco brings its SDN to Amazon, Microsoft and Google’s public cloud. Accessed 20 Oct 2017
  7. Chonka A, Xiang Y, Zhou W, Bonti A (2011) Cloud security defence to protect cloud computing against HTTP-DoS and XML-DoS attacks. J Netw Comput Appl 34(4):1097–1107CrossRefGoogle Scholar
  8. Curtis AR, Mogul JC, Tourrilhes J, Yalagandula P, Sharma P, Banerjee S (2011) DevoFlow: scaling flow management for high-performance networks. ACM SIGCOMM Comput Commun Rev 41(4):254–265CrossRefGoogle Scholar
  9. Darwish M, Ouda A, Capretz LF(2013) Cloud-based DDoS attacks and defenses. In: IEEE international conference on information society (i-Society), Toronto, pp 67–71Google Scholar
  10. Dou W, Chen Q, Chen J (2013) A confidence-based filtering method for DDoS attack defense in cloud environment. Future Gener Comput Syst 29(7):1838–1850CrossRefGoogle Scholar
  11. Feamster N, Rexford J, Zegura E (2014) The road to SDN: an intellectual history of programmable networks. ACM SIGCOMM Comput Commun Rev 44(2):87–98CrossRefGoogle Scholar
  12. Gao CZ, Cheng Q, Li X, Xia SB (2018) Cloud-assisted privacy-preserving profile-matching scheme under multiple keys in mobile social network. Clust Comput:1–9.
  13. Gupta BB, Misra M, Joshi RC (2008) FVBA: A combined statistical approach for low rate degrading and high bandwidth disruptive DDoS attacks detection in ISP domain. In: 16th IEEE international conference on networks (ICON), New Delhi, pp 1–4Google Scholar
  14. Gupta BB, Joshi RC, Misra M (2009) Defending against distributed denial of service attacks: issues and challenges. Inf Secur J Glob Perspect 18(5):224–247CrossRefGoogle Scholar
  15. Hewlett-Packard (2012) Realizing the power of SDN with HP virtual application networks. Accessed 22 Oct 2017
  16. Jarraya Y, Madi T, Debbabi M (2014) A survey and a layered taxonomy of software-defined networking. IEEE Commun Surv Tutor 16(4):1955–1980CrossRefGoogle Scholar
  17. Jing G (2017) Research on application of DDos attack detection technology based on software defined network. Acta Tech CSAV 62(1B):489–498Google Scholar
  18. Jouini M, Rabai LB (2016) A security framework for secure cloud computing environments. IJCAC 6(3):32–44Google Scholar
  19. Kanizo Y, Hay D, Keslassy I (2013) Palette: distributing tables in software-defined networks. In: IEEE INFOCOM, Turin, pp 545–549Google Scholar
  20. Katta NP, Rexford J, Walker D (2013) Incremental consistent updates. In: 2nd ACM SIGCOMM workshop on Hot topics in software defined networking, Hong Kong, pp 49–54Google Scholar
  21. Kleinrock L (1975) Queueing systems, vol 1. Wiley, New YorkzbMATHGoogle Scholar
  22. Kreutz D, Ramos FM, Verissimo PE, Rothenberg CE, Azodolmolky S, Uhlig S (2015) Software-defined networking: a comprehensive survey. Proc IEEE 103(1):14–76CrossRefGoogle Scholar
  23. Li J, Li J, Chen X, Jia C, Lou W (2015a) Identity-based encryption with outsourced revocation in cloud computing. IEEE Trans Comput 64(2):425–437MathSciNetCrossRefzbMATHGoogle Scholar
  24. Li J, Li YK, Chen X, Lee PP, Lou W (2015b) A hybrid cloud approach for secure authorized deduplication. IEEE Trans Parallel Distrib Syst 26(5):1206–1216CrossRefGoogle Scholar
  25. Li P, Li J, Huang Z, Gao CZ, Chen WB, Chen K (2017a). Privacy-preserving outsourced classification in cloud computing. Clust Comput:1–10.
  26. Li P, Li J, Huang Z, Li T, Gao CZ, Yiu SM, Chen K (2017b) Multi-key privacy-preserving deep learning in cloud computing. Future Gener Comput Syst 74:76–85CrossRefGoogle Scholar
  27. Li J, Zhang Y, Chen X, Xiang Y (2018) Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 72:1–12CrossRefGoogle Scholar
  28. Lin YD, Pitt D, Hausheer D, Johnson E, Lin YB (2014) Software-defined networking: standardization for cloud computing’s second wave. Computer 47(11):19–21CrossRefGoogle Scholar
  29. Lo CC, Huang CC, Ku J (2010) A cooperative intrusion detection system framework for cloud computing networks. In: 39th international conference on parallel processing workshops (ICPPW), San Diego, pp 280–284Google Scholar
  30. McKeown N, Anderson T, Balakrishnan H, Parulkar G, Peterson L, Rexford J, Shenker S, Turner J (2008) OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comput Commun Rev 38(2):69–74CrossRefGoogle Scholar
  31. Mell P, Grance T (2011) The NIST definition of cloud computing. National Institute of Standards and Technology, GaithersburgCrossRefGoogle Scholar
  32. Mininet (2017) Accessed 26 Oct 2017
  33. ONF (2015) OpenFlow Switch Specification. Version-1.5.1. Accessed 20 Oct 2017
  34. ONF (2017). Accessed 20 Oct 2017
  35. Ouf S, Nasr M (2015) Cloud computing: the future of big data management. IJCAC 5(2):53–61Google Scholar
  36. POX (2017), Accessed 26 Oct 2017
  37. Ratten V (2015) Cloud computing technology innovation advances: a set of research propositions. IJCAC 5(1):69–76Google Scholar
  38. Srivastava A, Gupta BB, Tyagi A, Sharma A, Mishra A (2011) A recent survey on DDoS attacks and defense mechanisms. In: Advances in parallel distributed computing, Heidelberg, pp 570–580Google Scholar
  39. Wang B, Zheng Y, Lou W, Hou YT (2015) DDoS attack protection in the era of cloud computing and software-defined networking. Comput Netw 81:308–319CrossRefGoogle Scholar
  40. Wen X, Chen Y, Hu C, Shi C, Wang Y (2013) Towards a secure controller platform for openflow applications. In: 2nd ACM SIGCOMM workshop on Hot topics in software defined networking, Hong Kong, pp 171–172Google Scholar
  41. Xie H, Tsou T, Lopez D, Yin H (2012) Use cases for ALTO with software defined networks. Accessed 27 Oct 2017
  42. Xing T, Huang D, Xu L, Chung CJ, Khatkar P (2013) Snortflow: a openflow-based intrusion prevention system in cloud environment. In: IEEE Research and Educational Experiment Workshop (GREE), pp 89–92Google Scholar
  43. Yan Q, Yu FR (2015) Distributed denial of service attacks in software-defined networking with cloud computing. IEEE Commun Mag 53(4):52–59CrossRefGoogle Scholar
  44. Yan Q, Yu FR, Gong Q, Li J (2016) Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun Surv Tutor 18(1):602–622CrossRefGoogle Scholar
  45. Yan Q, Gong Q, Yu FR (2017) Effective software-defined networking controller scheduling method to mitigate DDoS attacks. Electron Lett 53(7):469–471CrossRefGoogle Scholar
  46. Yeganeh SH, Tootoonchian A, Ganjali Y (2013) On scalability of software-defined networking. IEEE Commun Mag 51(2):136–141CrossRefGoogle Scholar
  47. Yu S, Tian Y, Guo S, Wu DO (2014) Can we beat DDoS attacks in clouds? IEEE Trans Parallel Distrib Syst 25(9):2245–2254CrossRefGoogle Scholar
  48. Yuan B, Zou D, Yu S, Jin H, Qiang W, Shen J (2016) Defending against flow table overloading attack in software-defined networks. IEEE Trans Serv Comput. Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. 1.National Institute of Technology KurukshetraKurukshetraIndia

Personalised recommendations