Optimal solution to mitigate DDoS attacks in SDN and NFV for
18th November 2020
Nowadays Distributed Denial of Service (DDoS) mitigation is the biggest challenge in
cloud infrastructures. As new technologies like Software Defined Network (SDN) and Network Function Virtualization (NFV) introduced in the market to reduce cost and remove
the dependency from traditional hardware devices involves a greater number of security vulnerabilities when emerging in an organization. In this paper, we propose a DDoS mitigation
framework specifically which is focused on protocol-based attacks using machine learning
algorithm – KNN (K Nearest Neighbour) in a closed-loop system and integrating Open
Net-work Automation Platform (ONAP) vfirewall. Considering real-time traffic, NFV is
installed and switches will report to the SDN controller if malicious traffic is detected. The
main objective of this paper is to define an optimized NFV SDN system which will provide a
defense layer in securing organizations from these attacks with low budget values by avoiding
over-allocation of dedicated hardware to meet the function’s worst-case scenarios.
Keywords: SDN, NFV, DDoS, KNN algorithm, ONAP
1 Introduction 2
1.1 Research Question . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Literature Review 4
2.1 NFV Security challenges overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 SDN Security challenges overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1 Traditional Approach to Mitigate DDoS Attacks in SDN/NFV . . . . . . 6
2.3.2 Modern Approach to Mitigate DDoS Attacks in SDN/NFV . . . . . . . . 8
2.4 Overview of Related Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Research method and specification 10
4 Proposed approach 12
5 Proposed implementation 13
6 Proposed evaluation 15
7 Conclusions 15
DDoS is an emphasized attack in every organization which is adopted to cloud infrastructure
and Internet of Things (IoT) services . The DDoS attack is a malicious attempt by an
attacker to disallow legitimate users to access a server or network resource by overloading it with
artificial simulated traffic. Artificial traffic is simulated by using botnet also known as a zombie
army. A botnet is a group of internet-connected devices or Internet of Things (IoT) devices
that are easily compromised by an attacker. These devices are hijacked by injecting malware
applications and can be operated remotely without the knowledge of the device’s rightful owner.
When these devices are compromised malicious actors will program to target a server and attack
with numerous requests until the server is exhausted/overloaded. During this event resources
will become unavailable for legitimate users and servers will go down. DDoS occurs as the result
of this attack which are intentional disruptions of a target host connected to the internet. The
network layer is always been the main target in communication service providers (CSPs) domain
when compared to other layers of an OSI (Open Systems Interconnection) model layers. The
most common type of attack is a protocol based attack using an SYN flood technique. Where
attacker will send spoofed SYN packets in a secure secure TCP (Transmission Control Protocol)
connection protocol and try to breach target resources by creating a clog in the connection.
Figure 1: Protocol Based SYN Flood Attack
Figure 1 illustrates, How an attacker will try to attack target resources by using a protocolbased SYN flood mechanism. Due to DDoS attacks, businesses are impacted with huge revenue
loss in the form of Service Level Agreement (SLA) penalties, revenue loss, replacing infrastructure to cover the damaged infrastructure and company reputation will be lost. The attacker’s
motivation behind the DDoS attack may be anything but some of the prevalent motivations
for this type of attacks in the cyber environment to penetrate systems are hacktivists/Ideology,
Business feuds, Boredoms, Extortion, and Cyberwarfare. To overcome the above-mentioned
impacts, NFV and SDN framework is applied to mitigate DDoS attacks with less cost/capital
Expense (CAPEX) . Considering the most common type of DDoS attack-packet based SYN
flood attack as the high threat level to the organization we are proposing a mitigation framework
in an SDN and NFV architecture. Every month attackers are coming up with a new type of
DDoS attacks which are hard to explain these attacks. In the recent survey, Amazon mitigated
the largest DDoS with a 2.3 Terabits-per-second (Tbps) attack ever and Akamai reported that
attackers targeted a specific site with a bandwidth range of 1.44 Tbps . Some sources calculated that the average company victim loses $218,339 per DDoS attack, with US organizations
losing an aggregate of $10B per year from these attacks .
SDN is an innovative approach to design, implement, and manage the networks by separating
control plane for network control and data plane for packet forwarding process. Segmentation
in networking stack provides various advantages in terms of stability and management over the
network from central. According to the Open Networking Foundation (ONF) SDN is divided
into three planes: Application plane, Data plane, and control plane. The application plane
is used to define the internal decision-making process, which consists of multiple end-user applications. A northbound API (Application Programming Interface) is used in the application
plane as a communication interface between applications and controllers. Control plane will
manage the switches and serves to higher level. A southbound API is used in a control plane
to communicate with network devices. Control plane is responsible for administrate switches.
SDN controller consists of a set of rules for packet forwarding in a data plane. SDN combines the advantages of system virtualization & cloud computing which creates a centralized
intelligence implementation that allows network visibility for simple network management and
maintenance. SDN also improves the systems’ control and reactivity. Large and complex network organizations will be deploying SDN’s to manage data and control planes efficiently and
performs optimal network operations from a centralized point .
Usually dedicated hardware devices are used to perform specific network related tasks in
a telecommunication organization like routers, firewalls, load balancers, switches, routers, and
so on. but as the technologies evolves, these devices are replaced with a new paradigm in networking called as NFV which allows network providers to handle and improve their network
functions virtually via Virtual Machines (VM’s). NFV uses components of virtualized networking to enable a fully hardware-independent architecture. NFV unlocks several challenges with
the dedicated servers by virtualizing the operations which are supposed to perform in the physical machines with less capital and operating expenditure. Within the data centre and outside
networks data plane and control plane can also be virtualized with NFV .
Many of the organizations will design their network architectures with the combination SDN
and NFV technologies in less capital and sophisticated network aspects. So, that flexible, programmable, and efficient use of resources are achieved. Utilizing these technologies may leads to
a high-level threat of DDoS attacks as they involve security vulnerabilities. We will discuss in
this paper on how to detect various types of DDoS attacks and propose a mitigation method in
SDN and NFV architecture. We are proposing a DDoS mitigation system in SDN is proposed
using ONAP instead of Open Source MANO (OSM – Management And Orchestration) which
is well suitable in NFV architecture that coordinates network resources for cloud-based applications. ONAP and OSM both are open source software platform for NFV Management and
Orchestration (MANO). OSM is a standard software platform according to the ETSI (European
Telecommunications Standards Institute) for NFV reference architecture. However, ONAP has
equivalent features for NFV management and orchestration, major companies are selecting
ONAP and becoming as a leading choice.
1.1 Research Question
• How NFV and Software Defined Network SDN will handle DDoS attacks in an efficient
• What will be the optimal way to implement NFV in cloud platforms as a shield in organizations ?
In this paper, We Primarily focused on how to detect SYN flood attacks and thwart them using
the proposed mitigation framework in NFV and SDN. Secondarily, coming up with a pragmatic
solution using NFV shield in an organization to make a defence layer more concrete in any worst
case scenario from an attacker.
2 Literature Review
In this section, we will discuss the security overview of NFV infrastructure in subsection 2.1. A
brief security overview of SDN will be discussed in subsection 2.2. Further, In subsection 2.3
we will be discussing DDoS mitigation in SDN and NFV related works. The summary of these
related works is contrasted and stated in subsection 2.4 as a table format.
2.1 NFV Security challenges overview
Xiaochun Wu et al  analysed the state of security in an ETSI proposed NFV architecture
and recommended security practices. Security orchestrator should be incorporated on-top of
the NFV Infrastructure (NFVI) for effective network security services. Security orchestrator
consists of various management modules like security services, security policies, security profiles, and credentials proposed by ETSI. MANO is the core part of security control should
collaborate with the security orchestrator to perform management operations. Adding security
function modules in the VNF manager(VNFM) will prevent security issues from multi-tenancy
and shared resources. VNF deployment plays a major role in VNF lifecycle management which
can be achieved by three main factors: first, Single VNF composition (VNFC) which are reusable
microservices in smaller functional blocks to avoid memory leaks and increase the response time
without any interruptions to operational process. However, microservice-based deployment is
complex and vulnerable as it uses REST (Representational State Transfer) mechanism for data
transmission and it also requires authentication from third-party services. second, Respective
order in the chain where it should use only single-tenant networks like web proxy with the same
configurations to share among different tenant networks with a firewall and share the entire
cloud. The entire process of service chaining can be processed by utilizing handling traffic,
but traffic extended paths may lead to transmission delay and vulnerable to Man-In-the-Middle
attacks. To minimize the NF (Network Function) instance researchers approached in a programmable way in order to reduce these risks and intend to probe a new way to develop to optimize
uneven distributions in microservices. Third, select a reasonable location to deploy faster and
dynamic composition network services in a secure manner. While isolating the containers there
will be a risk of ”noisy neighbors” as it does not provide any resource management quotas. In
addition to this author also described about key factors of trust management, monitoring and
event management aspects to improve security in networks. Figure 2 demonstrates the security
ochestrator in NFVI as per the ETSI recommendation.
Figure 2: Security Ochestrator in ETSI-NFVI
In Mahdi Daghmehchi Firoozjaei et al  research paper, author addressed various security
possible threats in an NFVI. Among these threarts we focus on the DDoS related security risks
which is significant to proposed research. Authors explains about the scenario where DDoS
attack may impact at single point of failure if the network topology configuration and NFV
controllers are selected poor. However, DDoS attacks can be mitigated by isolating and live
migration utilizing virtualization capabilities effectively. Also described about the malicious
actors like administrators where they can utilize the opportunity in case there is any open area
or misconfigurations when deploying NFV in a private manner. Integrity should be maintained
by the administrator, frequently check the access logs for any abnormal activity and give role
based access control. Third party have the access to control VNFs during public deployment
module which may lead to network vulnerable if third parties are malicious. To mitigate attacks
like TCP SYN Flood which are inside the network using a botnet an intelligent data analysis
is required to collect the data for any abnormal activities, take automated decisions based on
the report through the decision making groups and report to management levels. Attacker uses
network inside network to attack via botnets which may lead to breach when the firewalls and
Intrusion detect systems are not effective. In every aspect malicious activities are mentioned
in this paper which may be malicious instance, VNF providers, insiders and other actors and
described to probe them with different approaches for better practice. Author suggests mainly
on isolation and introspection of NFV architecture as a fundamental aspect to achieve secure
Overall an end-to-end security features should be incorporated in NFV architecture for
secure network management and effective abnormal behaviours in the networks should be detected, analysed and forecast to eliminate security risks. These literature’s contributed the key
features and essentials areas on where to focus more to our proposal.
2.2 SDN Security challenges overview
Varsha Patil et al.  defined various security challenges in SDN specifically in control, data
and application planes. Firstly, discussed acctaks on data plane where the Southbound API
and may use OpenFflow protocols. Attacker mechanism in this plane is to create a modified
device’s flow table and spoof new table to simulate type of flow. Attacker will create duplicate
which is like a private connection injects new messages between the two victims which is known
as MItM attack. Protocols are inefficient to authentication and create a duplicate traffic and
attack with DDoS mechanism when the right oppertunity comes. Secondly, In Controller plane
attacker may scarce northbound API or southbound message towards network devices which
impacts on compromising traffic flow to bypass the network security policies. Attackers main
target is a SDN controller as it a centralized system to control all the flow SDN architecture by
nature. Effecting controller will lead to entire system down (Single point of failure). Attacker
also uses impersonate sdn controller mechanism which will be almost similar to the actual
SDN controller and make own flow tables to pretend the instructions are coming from a rouge
controller in order to take over the network control. Thirdly, Application plane, In this reliability
between controller and application plays a major role as the application works on third party
Maninder Pal Singh and Abhinav Bhandari  discussed on the DDoS attacks with respect
to New-flow in SDN. The advent of new technologies like SDN and NFV, attackers have become
smarter and utilizing advanced ways of DDoS attacks. Author classified the security issues into
two types they are intrinsic and extrinsic. Most of the organization uses OpenFlow protocol in
switches which is a secure way to defend these attacks and intrinsic is defined as the unmatched
flows sending to SDN controller. various saturation channels are detailed like switch resources,
control channel, data channel, northbound channel and other channels where an attacker can
target. In this survey author specified few defensive techniques based on statistical-analysis,
Information entropy, and machine learning. We focus machine learning based DDoS defense for
SDN which will contribute to our research work. Utilizing Machine Leaning (ML) algorithms
supports detecting in new patterns which are hidden by feeding large data sets that are given
from the previous DDoS attack patterns. Predictions of possible locations and their connections can also be detected using these ML methods. Few of the ML algorithms implemented
to mitigate DDoS attacks are Random Forest, Random Tree, KNN, Decision tree and other
algorithms by feeding KDD-99 (Knowledge Discovery in Databases) data set.
Based on these papers we contrasted ML algorithms and approached with a novel advanced
KNN algorithm in a closed-loop system for an light weight and secure SDN architecture.
2.3 Related work
2.3.1 Traditional Approach to Mitigate DDoS Attacks in SDN/NFV
Talal Alharbi et al.  contrasted on various mitigation methods such as traditional, cloud and
NFV/SDN based DDoS mitigation. Author argues that most of the designs are not secure
enough and some implemented Internet Service Provider (ISP)-based models which may lead to
violate customers privacy. In this paper, a scheme is designed in which there are two stages for
DDoS mitigation by leveraging NFV and SDN. Deploying this framework in an organization’s
datacentre at the premises will reduce latency and improve privacy and security. In First state a
traffic screener is applied to monitor traffic flow inside the network, application & any other layer
and analyse. Inspection of the traffic flow will be processed by using algorithms, policies based
on traffic and packet features. If there are any abnormal activity in the flow it will detected
through screeners, then Virtual Security Functions (VSF) will be called. VSF will Scale up
and down depending on the traffic screeners report. VSF will automatically installed based on
the requirement by an orchestrator in MANO without any network administrators’ interaction.
Resource allocation in a second stage in which various resources like bandwidth, computing and
storage’s will be allocated to Virtual Network Functions (VNF), VSF, and traffic screener. In
this document a theoretical overview of monitoring and resource allocation is design the a SDN
In Luying Zhou et al.  classified DDoS attacks into two types: connectionless & connection oriented, based on these attacks’ three detection areas are given: source-end, victim-end &
Intermediate and explained how to mitigate these attacks by source identification, rate limiting,
signature filtering, and moving target. Furthermore, author selected ESTI standard document
from 2015 which is related to an NFV ecosystem. Figure 3 demonstrates the possible areas to
place SDN controllers in an NFV architecture .
Figure 3: Possible SDN controllers in NFV architecture proposed by ETSI
Considering all these factors author proposed a framework with a custom physical hardware
in data plane, pre-defined functionalities in control plane & application plane and capable of
handling specific DDoS attacks. hardware provide resources like storage to VNF via hardware
virtualization, computing, and networking. Through SDN and NFV control plane will connect
virtualized function with non-virtualized functions. Application plane handles access control,
load balancing, and routing functionalities via physical networks with a pre-defined controlling
programs. SDN controller will perform Anomaly detection operations which consists of traffic
monitoring, analysing & collecting data, and necessary actions based on the reports to mitigate
DDoS attack. VNF is the key functionality in this framework to perform various operations to
handling traffic like blocking the traffic, diverting suspected traffic to other VNFs for further
analysis and limiting the traffic rate in a router through NFV. Figure 4 illustrates the overview
of NFV/SDN mitigation framework in Industrial Control System (ICS).
Figure 4: Overview of NFV/SDN DDoS mitigation framework in ICS
Aman kumar sign et al.  proposed a DDoSify mitigation technique in NFV using an
custom algorithm at the gateway/Virtual Machine. In this paper, algorithm there will be a
threshold value set and once traffic exceeds that threshold value IPSPOOF method is called to
isolate legit users connected to a server (proxy servers or virtual firewalls) during the attack.
New IP (Internet Protocol) address is generated for these users and navigate to other servers
randomly with the OPERATION AFTER ATTACK method. Attack on a server are handled
through a DETTECT ATTACK method. A dedicated VM is deployed to perform the tasks
like routing users to available servers and handle the traffic. In Briefly, a swapping technique
is used based on the MAC IP address which is unique and check if the user is legitimate user
or not. This methodology may lead to the heavy performance issues when group of malicious
activities are detected.
Bahman Rashidi et al.  defines a dynamic DDoS defense architecture with a scalable
and flexible dispatching method as an essential part of the framework. In this paper, SYN
flood attack is focused which is one of the major types of DDoS attacks. Modified Vfence
alogirthm will tackle the TCP SYN flood attacks by using a spoofed SYNACK handshake
if the IP address is not fabricated in an white list accordingly when the data packet is sent
to agent it will automatically deny as in real scenario agent will send set of instruction to
generate ACK packet for a legitimate users. NFV is utilized to create new agents with the
dynamic network functions and for packet forwarding based on the flows SDN is used. VFense
dispatching algorithm is modified with the bucket list forwarding table instead of a flow-based
forwarding table. In this bucket based forwarding table, flow IDs (Identity) are hashed into a
list of buckets with an individual agent assigned to each bucket for handling flows which are
hashed into it. Agents scalability is given during this event for adding or removing the agents
based on the volume of the traffic in a dispatcher.
2.3.2 Modern Approach to Mitigate DDoS Attacks in SDN/NFV
N. S. B¨ulb¨ul et al.  proposed a DDoS mitigation framework in SDN/NFV using machine
learning with a push back rule which is more efficinet and distributed filter. Author addresses
pattern generation and mitigation techniques by design a patterns. According to this paper,
patterns generated from the network traffic are significant to detect the type of an attack. Based
on the literature  entropy-based attack detection module is selected in which it measure the
flow randomness and decreases entropy based on detected packet IP address & port destination if
they are identical & suspicious. These patterns are further analysed to generate attack patterns
without dropping the legit traffic, create a OpenFlow rule in SDN controller and forward these
packets to ingress switch (S3 in this case) for filtering unwanted traffic. S3 will derive a rule
that once the attack traffic exceeds push back mechanism should be called to mitigate attack
traffic. To generate the attack patterns AOI (Attribute-Oriented Induction) and LMP (Longest
Matching Prefix) algorithms are used and differentiated the performance. Finally, AOI gave the
best results to declare the patterns detection accurately as its been evaluated with the multiple
data sets (CTU, CICDDOS, ISCXIDS, and CICIDS).
In this paper , Shi Dong et al. developed two algorithms based on degree of attack
(DDADA) and ML using KNN algorithm (DDAML). Author states that DDoS mitigation
algorithm based on ML are done in the traditional networks. However they implemented an
improved KNN algorithm for SDN DDoS mitigation utilization. These algorithms are developed
based on the entropy traffic behaviour equations. The data is analyse based on the TCP, UDP
(User Datagram Protocol) & ICMP (Internet Control Message Protocol) type of attacks and
evaluated with the other algorithms like NB (Naive Bayes), SVM (Support Vector Machines)
and so on. In this paper the results shows best in flow length, duration, size and ratio. However,
this algorithm have to be implemented in the real SDN environment.
Henan K. H. et al.  proposed a closed-loop mitigation system in SDN using the ID3
algorithm to detect malicious hosts. Author defined two models, Model 1 is a monitor system
which will screen the traffic data frequently and generate the rules if any malicious traffic is
detected in the switches with a pre-defined threshold value. These attacks are monitored with
the telemetries agents and forwards the data to NFV collectors for malicious activity/exceed
pre-set traffic rate analysis. SDN controller will derive the rules and also remove the rules based
on this analysis. switches uses sFlow-RT for real time detection and notification. Model 2 is
a mitigation system to predict a user IP address is malicious or legitimate. In this mitigation
system ID3 Decision tree algorithm with R script to classify the IP address. After evaluating
both the models, model 1 has a backdrop where it cannot detect the attackers whereas the
model 2 identifies the attacker bot-net but not the attacker. Also, if there are too many flood
type attacks controllers and switches will overload.
2.4 Overview of Related Works
In the below tables (1 & 2) overview of the related works is summarized.
Table 1: Overview of related works.
Citation Summary Advantages Disadvantages or Open Areas
Screening mechanism is
used to detect the
malicious traffic in
VNF and resource
allocation is used
to create or delete
DDoS mitigation with
scalable and flexibility
in networks will be
achieved. This paper
is used to design
in a SDN and NFV.
A framework is designed
based on the possible
placements in NFV
ETSI standards. Where
is done by NFV.
Traffic analysis is
given in control plane &
data plane and processing
malicious activity to
SDN controller is done
by application plane.
DDoS mitigation with
scalable and flexibility
in networks will be
achieved. This paper
is used to design
in a SDN and NFV.
testbud have to
DDosify: uses a custom
algorithm based on Java
language to detect the
malicious actors and a
gateway/VM is used to
tackle the attacks
and allocating servers
to the legit users.
In specific to one
server DDoS mitigation
is achieved by allocating
based on algorithm.
Limited to one
algorithm is used
to handle TCP SYN
Flood. Traffic monitoring
is done through VNF
using bucket-based routing
algorithm (modified Vfense
the agents and DDoS
mitigation is achieved
by reducing the traffic
in a attack scenario.
Limited to TCP
SYN Flood Attack,
other types of
should be taken
Based ML algorithms:
AOI and LMP in python
a pushback mechanism is
developed. Using ingress
switches pattern detection
is performed by entropy
mechanism and analyse
the data. SDN controller
will device the rules to
mitigate the malicious
AOI gave the best
results to mitigate
Still vulnerable to
Table 2: Continuation of related works overview.
DDADA and DDAML
algorithm is defined to
mitigate the DDoS attacks
based on the KNN
machine learning algorithm.
Yet to define in real
time SDN environment
Two models proposed,
Model one is to monitor
network traffic which are
predefined traffics with a
predefined threashold using
Sflow-RT in swtiches,
Model two monitor will
actors using deep forest
Predefined attacks can
be detected and mitigated
Model 1 cannot detect
attacker. Model 2
Cannot detect the
and if too many flood
attacks occur then
controller may down.
3 Research method and specification
DDoS mitigation in a SDN and NFV enabled environment is a biggest challenge in the present
era. Many research works focused to mitigate the DDoS attacks in various ways like Deep forest
algorithm, bucket-based dispatching technique, and so on in a traditional network systems. But
in the proposed work the focus on the framework which is well suitable for detecting and
preventing DDoS attacks in organization which are having the cloud infrastructure. We choose
KNN algorithm for the core system to detect the DDoS attack. KNN will give the most accurate
prediction than the other machine learning algorithms. KNN is a lazy learning based algorithm
which requires no training to predict and if the new data is added no it will add easily without
impacting the accuracy of the algorithm.
SDN controller are placed in the NFV architecture as per the ESTI standards which is defined
in the Figure 3. By utilizing the neutron ML2 SDN will be intregrated in the NFV architecture.
The entire proposed system first will be checked the local system and updated in the Openstack
cloud platform once it is successfully installed in the local system. Then using virtualization
VM’s will be created and required packages like OpenFlood controller which is OpenFlow controller. OpenVswitch is used to create the vitalized switches in which OpenvSwitch Database
and OpenFlow API is integrated. First, we will create a tree topology using mininet with four
client and one DDoS attacker. By using hping3 we will generate a traffic in DDoS attacker
system. Once, data flow rate increase or abnormal behaviour is detected in OpenVSwitch it
will check the threshold value first and then once it crosses it will report the data flow to OpenFlood controller. SDN controller which consists of ONAP vfirewall will check in the policies
and rules simultaneously this data will be passed to KNN algorithm. KNN algorithm will check
the patterns and behaviour with CIC data set. This data set consists of pre-defined parameters
of the malicious activity and based on these parameters algorithm will predict if the traffic is
malicious or legitimate. Once the traffic is detected as malicious an instruction is passed via
REST API to drop the packets and set the rule in the Vfirewall to block these agent to prevent
them for future attacks. If the traffic is from the legitimate user SDN controller will send an
instruction to disable the rule if there is any or to create another switch to handle the traffic.
Figure 5 demonstrates the flowchart of the traffic detection which will passed from the attacker
to server scenario.
Figure 5: Flowchart of proposed DDoS mitigation system
4 Proposed approach
In this research, we are using a OpenStack cloud platform to integrate NFVI via OPNFV an
open source tool and install ONAP for management and orchestration. Using a OpenDaylight
tool we will install SDN in which there will be packages to install the OpenVswitch, OVSDB,
OpenFloodLight (OpenFlow controller) and so on to manage the traffic flow. In an SDN
controller we will configure vfirewall and flow rules so that when malicious traffic is detected
SDN controller will pass a rule to drop the packets. Tree based network topology is created
through mininet emulator tool with one host and 5 clients including a DDoS attacker. Figure 6
shows the network topology we are implementing in this research to mitigate DDoS attack.
Figure 6: Network Topology for Traffic Generation
Once the configurations of SDN and NFV is setup in a virtual machine created in OpenStack.
KNN algorithm will be implemented and through hping3 traffic will be generated in the topology
which is created in Figure 6. The traffic will flow from the host to application plane is illustrated
in Figure 7. During this period the traffic should be analysed via OpenvSwitch and check if
the traffic is legitimate or not. If the traffic is suspected to be malicious these packets will
be forwarded to the SDN controller. A threshold value is set in switches, once the traffic hits
above threshold value then it will send report to SDN controller. SDN controller will analyze
this data using KNN algorithm if the traffic is from legitimate user or not then a rule will be
passed to OpenVswitch via OpenFlow protocol to derive the rule. The rules are pre-installed
in the OpenVswitch Database (OVSB) to grant access to packet or drop the packets. The calls
between the application plane, control plane and data plane are integrated through REST API
Figure 7: Traffic flow from hosts to Application plane
The traffic will be measured with the flow type, size and other values into considerations
and analyse with the ROC and AOC curves. Evaluation of these traffic are briefly mention in
the proposed evaluation section(6). Once the result is positive (to detect the traffic is malicious)
then it will initiate a rule to mitigate these DDoS attacks. After detection vFirewall set new
policy or rule will be written to ignore the malicious user by adding the IP address at the gatway
itself only. In this paper we will considering the TCP SYN flood attack so we are feeding the
CIC DDOS 2019 SYN dataset to KNN algorithm in order to analyse the real time TCP SYN
5 Proposed implementation
The proposed research will be implemented in a Openstack cloud platform [openstack] with
Linux operating system. OpenDaylight  is installed for SDN based network solution and
Open Platform for NFV (OPNFV)  is installed for NFV modules and OpenFlow plugin
will be integrated. Further, ONAP vFirewall is installed to create a firewall in NFV  which
should be configure in SDN controller . To generate the network topology we are using a
network emulator tool Mininet  and hping3  is used to generate the traffic. proposed
implementation requirements are listed as below briefly:
• Cloud Platform: Openstack
• Operating System: Linux 18.4
• Processor: 4 core CPU (Central Processing Unit)
• Random Access Memory (RAM): 8GB (Giga Bytes)
• Storage capacity: 50GB
• NFVI: OpenNFV
• SDN Controller: OpenDaylight
• Network Emulator: Mininet
• Traffic Generator: Hping3
Steps involved to implement the proposed concept in practical are listed below:
1. Create Virtual Machine in OpenStack cloud platform.
2. Install NFVI by using OPNFV and configure Vfirewall in SDN controller.
3. By using neutron ML2 (a openstack plugin) configure SDN controllers after installing
4. Analyse the traffic with KNN algorithm in SDN controllers .
5. Install Mininet to generate the tree topology with one host and five clients.
6. In One client install hping3 and generate the traffic.
7. Evaluate the traffic monitoring using different datasets of packet based attacks.
8. Analyse the data from the SDN controller and create rule in OpenFlow to drop the traffic
if there is malicious activity detected.
9. Check if the algorithm is mitigate using a close-loop system or not after detecting the
traffic flow with the attacker.
10. Note down timings of different types of data set rule, analyse, detect and update operation
for performance test.
11. Check vFirewall polices if it is blocking IP as per the whitelist to protect the SDN controller
from future attacks.
6 Proposed evaluation
To analyse the accuracy of DDoS detection the Receiver Operating Characteristic (ROC), and
the Area Under the ROC Curve (AUC) will be noted. The measurements of KNN Algorithm
accuracy after feeding the data set and response time following measurements will be considered:
Recall=TPR = TP
F-measure= 2∗Recall∗Pr ecision
[Measurements Definitions- TP: True Positive, FP: False Positive, TN: True Negative, FN:
False Negative, Precision: Ratio of TPs in total predicted positives, Recall: Percentage of TPs
to the total predicted positives, F-measure: Precision and recall metrics, FPRvi: False Positive
Rate, and TPR: True Positive Rate]
A threshold value is set to TPR and FPR and calculated as per the above measurements to
generate the ROC and AUC curves. These curves are the graphical representation in which we
can detect based on the functions detection (distribute probability from infinity to the threshold
value which is set) probability in y-axis and false alarm detection probability on x-axis. Based
on these results we will analyse the malicious traffic is decided and set the OpenFlow rule. Add
malicious addresses/traffic generated agents to vfirewall whitelist to avoid future attacks in SDN
controller. The total execution time from the time of detection to OpenFlow Rule derivation
till dropping packet from SYN Flood attack is noted.
Considering the above evaluations DDoS attacks should be detected and able to trace the
attacker in an SDN controller. In NFV ONAP vFirewall is intialized to prevent the attacks based
on the white-list when there is any incoming packets. Accuracy of ML based KNN algorithm
will be noted and performance overhead is evaluated by Receiver Operating Characteristic
(ROC), and the Area Under the ROC Curve (AUC). Tree topology is created using Mininet
with one target server, five clients including one DDoS user. Traffic will be generated by hping3
to produce different protocol-based attack traffics. CIC DDOS 2019 data set feed to KNN
algorithm to detect the malicious traffic and predict the attacker.
 X. Wu, K. Hou, X. Leng, X. Li, Y. Yu, B. Wu, and Y. Chen, “State of the art and research
challenges in the security technologies of network function virtualization,” IEEE Internet
Computing, vol. 24, no. 1, pp. 25–35, 2020.
 A. Lioy, G. Gardikis, B. Gaston, L. Jacquin, M. De Benedictis, Y. Angelopoulos, and
C. Xylouris, “Nfv-based network protection: The shield approach,” in 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN),
pp. 1–2, 2017.
 C. Catalin, “Aws said it mitigated a 2.3 tbps ddos attack, the largest ever.”
 MalBot, “Ddos attack prevention and protection explained,” Jul 2020.
 M. P. Singh and A. Bhandari, “New-flow based ddos attacks in sdn: Taxonomy, rationales,
and research challenges,” Computer Communications, vol. 154, pp. 509 – 527, 2020.
 A. A. Barakabitze, A. Ahmad, R. Mijumbi, and A. Hines, “5g network slicing using sdn
and nfv: A survey of taxonomy, architectures and future challenges,” Computer Networks,
vol. 167, p. 106984, 2020.
 M. Daghmehchi Firoozjaei, J. P. Jeong, H. Ko, and H. Kim, “Security challenges with
network functions virtualization,” Future Generation Computer Systems, vol. 67, pp. 315
– 324, 2017.
 V. Patil, C. Patil, and R. N. Awale, “Security challenges in software defined network and
their solutions,” in 2017 8th International Conference on Computing, Communication and
Networking Technologies (ICCCNT), pp. 1–5, 2017.
 T. Alharbi, A. Aljuhani, and Hang Liu, “Holistic ddos mitigation using nfv,” in 2017 IEEE
7th Annual Computing and Communication Workshop and Conference (CCWC), pp. 1–4,
 L. Zhou and H. Guo, “Applying nfv/sdn in mitigating ddos attacks,” in TENCON 2017 –
2017 IEEE Region 10 Conference, pp. 2061–2066, 2017.
 “Network functions virtualisation (nfv); ecosystem; report on sdn usage in nfv architectural
framework,” 2015. ETSI GS NFV-EVE, pp. 2015-12.
 A. K. Singh and R. K. Jaiswal, “Ddosify: Server workload migration during ddos attack in
nfv,” in Proceedings of the 2020 9th International Conference on Software and Computer
Applications, ICSCA 2020, (New York, NY, USA), p. 364–369, Association for Computing
 B. Rashidi, C. Fung, and M. Rahman, “A scalable and flexible ddos mitigation system using
network function virtualization,” in NOMS 2018 – 2018 IEEE/IFIP Network Operations
and Management Symposium, pp. 1–6, 2018.
 N. S. B¨ulb¨ul and M. Fischer, “Sdn/nfv-based ddos mitigation via pushback,” in ICC 2020
– 2020 IEEE International Conference on Communications (ICC), pp. 1–6, 2020.
 S. Behal and K. Kumar, “Detection of ddos attacks and flash events using information
theory metrics–an empirical investigation,” Computer Communications, vol. 103, pp. 18 –
 S. Dong and M. Sarem, “Ddos attack detection method based on improved knn with the
degree of ddos attack in software-defined networks,” IEEE Access, vol. 8, pp. 5039–5048,
 H. K. Hyder and C. Lung, “Closed-loop ddos mitigation system in software defined networks,” in 2018 IEEE Conference on Dependable and Secure Computing (DSC), pp. 1–6,
 “Opendaylight – https://www.opendaylight.org/,” Apr 2019.
 “Opennfv – https://www.opnfv.org/,” Apr 2020.
 “Onap vfirewall – https://docs.onap.org/en/dublin/submodules/integration.git/docs/docs vfw.html.”
 P. Patel, V. Tiwari, and M. K. Abhishek, “Sdn and nfv integration in openstack cloud
to improve network services and security,” in 2016 International Conference on Advanced
Communication Control and Computing Technologies (ICACCCT), pp. 655–660, 2016.
 M. Team, “Hping3 – http://mininet.org/download/.”
 “Hping – http://www.hping.org/.”
Note: Please do not forget to include CORE Rankings and/or citations for all
Are you busy and do not have time to handle your assignment? Are you scared that your paper will not make the grade? Do you have responsibilities that may hinder you from turning in your assignment on time? Are you tired and can barely handle your assignment? Are your grades inconsistent?
Whichever your reason may is, it is valid! You can get professional academic help from our service at affordable rates. We have a team of professional academic writers who can handle all your assignments.
Our essay writers are graduates with diplomas, bachelor, masters, Ph.D., and doctorate degrees in various subjects. The minimum requirement to be an essay writer with our essay writing service is to have a college diploma. When assigning your order, we match the paper subject with the area of specialization of the writer.
We value our customers and so we ensure that what we do is 100% original..
With us you are guaranteed of quality work done by our qualified experts.Your information and everything that you do with us is kept completely confidential.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.Read more
The Product ordered is guaranteed to be original. Orders are checked by the most advanced anti-plagiarism software in the market to assure that the Product is 100% original. The Company has a zero tolerance policy for plagiarism.Read more
The Free Revision policy is a courtesy service that the Company provides to help ensure Customer’s total satisfaction with the completed Order. To receive free revision the Company requires that the Customer provide the request within fourteen (14) days from the first completion date and within a period of thirty (30) days for dissertations.Read more
The Company is committed to protect the privacy of the Customer and it will never resell or share any of Customer’s personal information, including credit card data, with any third party. All the online transactions are processed through the secure and reliable online payment systems.Read more
By placing an order with us, you agree to the service we provide. We will endear to do all that it takes to deliver a comprehensive paper as per your requirements. We also count on your cooperation to ensure that we deliver on this mandate.Read more