ISDSDN: Mitigating SYN Flood Attacks in Software Defined Networks


Software defined networking (SDN) has emerged over the past few years as a novel networking technology that enables fast and easy network management. Separating the control plane and the data plane in SDNs allows for dynamic network management, implementation of new applications, and implementing network specific functions in software. This paper addresses the problem of SYN flood attacks in SDNs which are considered among the most challenging threats because their effect exceeds the targeted end system to the controller and TCAM of OpenFlow switches. These attacks exploit the three-way handshaking connection establishment mechanism in TCP, where attackers overwhelm the victim machine with flood of spoofed SYN packets resulting in a large number of half-open connections that would never complete. Therefore, degrading the performance of the controller and populating OpenFlow switches’ TCAMs with spoofed entries. In this paper, we propose ISDSDN, a mechanism for SYN flood attack mitigation in software defined networks. The proposed mechanism adopts the idea of intentional dropping to distinguish between legitimate and attack SYN packets in the context of software defined networks. ISDSDN is implemented as an extension module of POX controller and is evaluated under different attack scenarios. Performance evaluation shows that the proposed mechanism is very effective in defending against SYN flood attacks.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15


  1. 1.

    Scroxton, A.: Enterprise SDN adoption rapidly approaching tipping point, claims report. (2017). Accessed 10 May 2020.

  2. 2.

    Kalkan, K., Gur, G., Alagoz, F.: Defense mechanisms against DDoS attacks in SDN environment. IEEE Commun. Magaz. 55(9), 175–179 (2017)

    Article  Google Scholar 

  3. 3.

    Swami, R., Dave, M., Ranga, V.: Software-defined networking-based DDoS defense mechanisms. ACM Comput. Surv. 52(2), 1–36 (2019)

    Article  Google Scholar 

  4. 4.

    Ranger, S.: GitHub hit with the largest DDoS attack ever seen. (2018). Accessed 10 May 2020

  5. 5.

    Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M. and Kumar, D.: Understanding the mirai botnet. In 26th USENIX Security Symposium (2017)

  6. 6.

    Zhang, P., Wang, H., Hu, C., Lin, C.: On denial of service attacks in software defined networks. IEEE Netw. 30(6), 28–33 (2016)

    Article  Google Scholar 

  7. 7.

    Abhishta, A., van Rijswijk-Deij, R., Nieuwenhuis, L.J.: Measuring the impact of a successful DDoS attack on the customer behaviour of managed DNS service providers. ACM SIGCOMM Comput. Commun. Rev. 48(5), 70–76 (2019)

    Article  Google Scholar 

  8. 8.

    Gkountis, C., Taha, M., Lloret, J. and Kambourakis, G.: Lightweight algorithm for protecting SDN controller against DDoS attacks. In 10th IFIP Wireless and Mobile Networking Conference (WMNC), 1-6 (2017)

  9. 9.

    Pascoal, T.A., Dantas, Y.G., Fonseca, I.E., Nigam, V.: Slow TCAM exhaustion DDoS attack. IFIP International Conference on ICT Systems Security and Privacy Protection 17–31, (2017)

  10. 10.

    Al-Duwairi, B. and Manimaran, G.: Intentional dropping: a novel scheme for SYN flood mitigation. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, Vol. 4, 2820-2824 (2005)

  11. 11.

    Mohammadi, R., Javidan, R., Conti, M.: Slicots: An sdn-based lightweight countermeasure for tcp syn flooding attacks. IEEE Trans. Netw. Service Manag. 14(2), 487–497 (2017)

    Article  Google Scholar 

  12. 12.

    Kreutz, D., Ramos, F.M., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2014)

    Article  Google Scholar 

  13. 13.

    Xu, Y. and Liu, Y.: DDoS attack detection under SDN context. In IEEE INFOCOM 2016-the 35th annual IEEE international conference on computer communications, 1-9 (2016)

  14. 14.

    Fichera, S., Galluccio, L., Grancagnolo, S.C., Morabito, G., Palazzo, S.: OPERETTA: An OPEnflow-based REmedy to mitigate TCP SYNFLOOD attacks against web servers. Comput. Netw. 92, 89–100 (2015)

    Article  Google Scholar 

  15. 15.

    Bernstein, D.: SYN cookies. Accessed (10 May 2020)

  16. 16.

    Lemon, J.: Resisting SYN Flood DoS Attacks with a SYN Cache. BSDCon 2002, 89–97 (2002)

    Google Scholar 

  17. 17.

    Cisco systems: Security Configuration Guide: Denial of Service Attack Prevention, Cisco IOS Release 15SY. Accessed 10 May 2020

  18. 18.

    Ghosh, A., Wong, L., Di Crescenzo, G. and Talpade, R.: InFilter: predictive ingress filtering to detect spoofed IP traffic. In 25th IEEE International Conference on Distributed Computing Systems Workshops, 99-106 (2005)

  19. 19.

    Mirkovic, J., Reiher, P.: D-WARD: a source-end defense against flooding denial-of-service attacks. IEEE Trans. Depend. Secure Comput. 2(3), 216–232 (2005)

    Article  Google Scholar 

  20. 20.

    Li, J., Mirkovic, J., Wang, M., Reiher, P. and Zhang, L.: SAVE: Source address validity enforcement protocol. In Proceedings. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies, Vol. 3, 1557–1566 (2002)

  21. 21.

    Jin, C., Wang, H. and Shin, K.G.: Hop-count filtering: an effective defense against spoofed DDoS traffic. In Proceedings of the 10th ACM conference on Computer and communications security, 30–41 (2003)

  22. 22.

    Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attacks using history-based IP filtering. IEEE Int. Conf. Commun. 1, 482–486 (2003)

    Article  Google Scholar 

  23. 23.

    Shin, S., Yegneswaran, V., Porras, P. and Gu, G.: Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (pp. 413–424) (2013)

  24. 24.

    Nugraha, M., Paramita, I., Musa, A., Choi, D., Cho, B.: Utilizing OpenFlow and sFlow to detect and mitigate SYN flooding attack. J. Kor. Multimed. Soc. 17(8), 988–994 (2014)

    Article  Google Scholar 

  25. 25.

    Ambrosin, M., Conti, M., De Gaspari, F., Poovendran, R.: Lineswitch: Tackling control plane saturation attacks in software-defined networking. IEEE/ACM Trans. Netw. 25(2), 1206–1219 (2016)

    Article  Google Scholar 

  26. 26.

    Liu, X., Cho, B., Kim, J.: Sd-ovs: SYN flood attack defending open vswitch for sdn. International Workshop on Information Security Applications 29–41, (2016)

  27. 27.

    Dhaliwal, A., S.: Detection and Mitigation of SYN and HTTP flood DDoS attacks in Software Defined Networks. MS thesis, Ryerson University, Toronto, Canada (2017)

  28. 28.

    Mohammadi, R., Conti, M., Lal, C., Kulhari, S.C.: SYN-Guard: an effective counter for SYN flood attack in software-defined networking. Int. J. Commun. Syst. 32(17), e4061 (2019)

    Article  Google Scholar 

  29. 29.

    Kumar, P., Tripathi, M., Nehra, A., Conti, M., Lal, C.: SAFETY: Early detection and mitigation of TCP SYN flood utilizing entropy in SDN. IEEE Trans. Netw. Serv. Manag. 15(4), 1545–1559 (2018)

    Article  Google Scholar 

  30. 30.

    Jamjoom, H. and Shin, K.G.: Persistent dropping: An efficient control of traffic aggregates. In Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, 287–298 (2003)

  31. 31.

    Agarwal, S., Kodialam, M. and Lakshman, T.V.: Traffic engineering in software defined networks. In 2013 Proceedings IEEE INFOCOM, 2211–2219 (2013)

  32. 32.

    Hu, F., Hao, Q., Bao, K.: A survey on software-defined network and openflow: from concept to implementation. IEEE Commun. Surv. Tutor. 16(4), 2181–2206 (2014)

    Article  Google Scholar 

  33. 33.

    Paxson, D.V., Sargent, M., Allman, M.: Computing TCP’s retransmission timer. RFC 6298, (2011)

  34. 34.

    Goldschmidt, P.: TCP Reset Cookies–a heuristic method for TCP SYN Flood mitigation. Student Conference of IT Innovation, Technology and Science, Brno Faculty of Information Technology (2020)

  35. 35.

    Wang, R., Jia, Z. and Ju, L.: An entropy-based distributed DDoS detection mechanism in software-defined networking. In 2015 IEEE Trustcom/BigDataSE/ISPA, Vol. 1, 310-317 (2015)

  36. 36.

    Bae, Y., Kim, I., Hwang, S.O.: An efficient detection of TCP Syn flood attacks with spoofed IP addresses. J. Intellig. Fuzzy Syst. 35(6), 5983–5991 (2018)

    Article  Google Scholar 

  37. 37.

    Afek, Y., Bremler-Barr, A.: Network anti-spoofing with SDN data plane. In IEEE INFOCOM 2017-IEEE Conference on Computer Communications, 1-9 (2017)

  38. 38.

    About POX. Accessed 10 May 2020

  39. 39.

    Mininet. Accessed 10 May 2020

  40. 40.

    Scapy. Accessed 10 May 2020

  41. 41.

    curl tool. Available at: Accessed 10 May 2020

  42. 42.

    ISDSDN project repository. Accessed 10 May 2020

Download references

Author information



Corresponding author

Correspondence to Basheer Al-Duwairi.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Al-Duwairi, B., Al-Quraan, E. & AbdelQader, Y. ISDSDN: Mitigating SYN Flood Attacks in Software Defined Networks. J Netw Syst Manage 28, 1366–1390 (2020).

Download citation


  • DDoS
  • SDN
  • Network security
  • Intentional dropping
  • TCAM