Since its inception, the number of internet users has increased exponentially, leading to the emergence of architectures that can justifiably be termed the Internet of Things (IoT) or the Internet of Everything (IoE). This evolution facilitates the convergence of the physical and digital worlds, heralding an era where sensations are experienced by objects and humans across vast distances remotely, akin to direct interactions among users. This architectural framework incorporates internet-connected devices, smart objects, sensors, and associated web-based services that require processing prior to communication—collectively referred to as the Internet of Things (IoT) or the Internet of Everything (IoE) today. Currently, over three billion users access the internet for various activities, including banking transactions, shopping from vendors around the globe, web-based monitoring and control, social media interactions, and many other applications [1].

As the web of everything continues to evolve, addressing the diverse requirements for intelligent and seamless connectivity will be essential. This involves leveraging advanced technologies, enhancing interoperability, and ensuring that all components of the network work together efficiently to meet the needs of end-users. These requirements cannot be effectively addressed through the intervention of network administrators, operators, or end-users alone; rather, they can only be fulfilled if the internet is engineered to be self-sustaining and self-responding. The growing number of IoT-based services in areas such as smart homes, healthcare, smart cities, agriculture, and supply chains all contribute to enhancing living conditions. However, the sheer volume of devices presents numerous challenges within the current legacy networking paradigm, which is often outdated. For instance, network manageability remains a significant challenge. The integration of edge computing, blockchain, and wireless resources, combined with the advancements in SDN, presents a unique opportunity to overcome existing limitations. By fostering interoperability and leveraging the capabilities of the software community, developers can create more dynamic, efficient, and manageable network architectures that meet the evolving demands of modern applications [2].

Finally, information security and privacy remain prominent areas of concerns. This raises awareness for practitioners and researchers who are concerned about their own safety and the safety of others as a result. The increasing interconnection of devices and systems, coupled with the diversity of hacker motivations, creates a challenging security environment. Ensuring robust security mechanisms while maintaining ease of use is critical to protecting sensitive information and mitigating the risks associated with network security breaches. Addressing these challenges is critical to protecting both businesses and consumers in an evolving digital environment [3,4].

There have been no fundamental changes to traditional network architectures, which consist of groups of routers and switches, along with devices from various manufacturers. These devices are meant to be used together to build heterogeneous networks. Because these devices may be from different manufacturers and used by different technicians under different brands, they require the construction of heterogeneous networks. Different systems from different vendors might be incompatible, making heterogeneous networks expensive to configure and difficult to operate, monitor, and maintain. Configuring different systems increases the vulnerability of hardware and software resources. This requires improving network architectures designed to meet the challenges of these growing networks, making them easy to manage, dynamic enough to accommodate different devices from different vendors, and capable of meeting changing workload requirements by scaling up or down resources with the help of cloud infrastructure. Software-defined networks (SDN) are one of the most promising approaches to improving current hardware-based network systems. Therefore, this project aims to develop a model for detecting distributed denial of service (DDoS) attacks on dynamic and diverse Internet of Things (IoT) or Internet of Everything (IoE) systems, which can be applied in smart environments to infer that the geographic distribution of attack sources follows specific patterns [5,6].

While IoT environments enhance productivity and convenience in a digitally connected society, the increasing complexity of these systems exposes them to significant risks, including distributed denial of service (DDoS) attacks. Addressing these vulnerabilities through effective security measures and proactive management is critical to protecting the integrity and reliability of IoT systems. This is due to the volatility of attack methods and patterns used by attackers.

DDoS attacks present significant challenges to Internet service availability, necessitating effective strategies to identify and differentiate between legitimate and malicious traffic congestion. Software-Defined Networking (SDN) offers a robust solution by simplifying network management and enhancing the ability to respond dynamically to varying traffic conditions, ultimately improving resilience against DDoS attacks. Furthermore, DDoS attacks can range from the misuse of application-level vulnerabilities to high-volume flooding on a network. Although, it is easy to probe the service availability and to ease traffic on the network, the most significant challenge lies in differentiating between legitimate congestion-based traffic and attacker-generated congestion. SDN addresses these shortcomings by separating network control and management from the data plane to minimise complexity through implementing flow rules in thousands per server rack [7], through effective network security and memory management at both the network control and data planes. One way of combating such DDoS menaces is through identifying for network users the legitimate IoT traffic from anomalous DDoS-generated traffic, bearing thus the SDN with the ability to detect in order to respond to abnormalities in the network in timely manner to analyze the impact of various traditional DDoS attacks imposing threats on SDN architectures [8].

The emergence of software-defined networking (SDN) represents a revolutionary approach to networking, particularly in addressing security challenges. Its integration with the Internet of Things, along with features such as resource pooling and on-demand self-service via cloud computing, is establishing SDN as a pivotal area of research and application in modern networking environments, making the deployment of threat/attack detection strategies in the IoT environment an essential part of the operational ecosystem [9].

Software-Defined Networking (SDN) presents significant advantages in collecting deployability information and improving security through dynamic control and advanced application capabilities. By leveraging these features, SDN can effectively enhance network resilience and provide robust solutions for detecting and mitigating various types of attacks.

In this framework, the authors have proposed an SDN-based security system that aims at protecting the SDN network from DDoS attacks. The proposed algorithm in this system uses statistical data collected by the sFlow and OpenFlow protocols to detect and mitigate the DDoS attacks. Also, the proposed algorithm can identify high network traffic to block it based on selected threshold values. It represents a significant advancement in the application of SDN technology for enhancing network security, particularly in the context of increasingly sophisticated DDoS threats. The main contributions of the paper are summarised as below:

A novel framework for detecting and mitigating the DDoS is executed in an SDN environment using the sFlow and OpenFlow protocols.

The rest of the paper is organized as follows: Section 2 provides background on software-defined networks (SDNs), distributed denial-of-service (DDoS) attacks, defense techniques, and related work. Section 3 introduces the problem modeling and statement, Section 4 explains the proposed method, Section 5 describes the testing and evaluation environment, and Section 6 presents contemporary work. Section 7 concludes with concluding results and remarks, followed by Section 8 for further work.

The Internet of Tings (IoT) is the interconnection of smart devices that integrate together as a single network via various services or protocols. The IoT enables the collection of sensitive information from smart devices to perform critical operations. It also allows smart devices to communicate with each other at high speed, and the SDN provides orchestration for network management by decoupling the control plane and the data plane. This section presents a review of the Software Defined Networking (SDN) and Distributed Denial of Service attack (DDoS) supported by related work and its discussions.

Mitigating DDoS attacks is one of the main causes of concern for network administrators. SDN as shown in Fig. 3, is a promising networking paradigm that can be used to tackle DDoS attacks. Furthermore, it is assumed that the network consists of a set of nodes, 𝒩≠∅, where the number of network nodes is N=|𝒩|, N∈Z, and N≥4. In addition, there is a subset of these nodes as hosts ℋ⊂𝒩 such that the number of these hosts is H=|ℋ|, H∈Z and H≥2, and some of these hosts (or users) are legitimate in the sense 𝒰⊂ℋ, the number of these legitimate users U=|𝒰| and some of them are Bot or Zombie users ℬ⊂ℋ, the number of these bots are B=|ℬ|, and B∈Z. Moreover, some of these nodes are switches 𝒮≠∅, 𝒮⊂𝒩, S=|𝒮|, and S∈Z>0. Finally, there is at least one controller in the network 𝒞≠∅, 𝒞⊂𝒩, the number of controller in the network is C=|𝒞|, and C∈Z>0. Each host can send traffic with rate γ≥0 and γ∈R. The bandwidth of the link between switches and between users and switches is D, and D>0. The main problem here is to detect bots in ℬ that are generating high traffic, and stop them from overwhelming the switches and bandwidth. Further, to allow only legitimate users in 𝒰 to send packets through links and switches. The proposed model is explained in the section that follows how it is designed to tackle the problem at hand by mitigating DDoS attack.

The authors have proposed in this framework a defense approach to detect and mitigate DDoS attacks in an SDN environment.

DDoS Detection and Mitigation System Using sFlow

The proposed distributed denial-of-service (DDoS) detection and mitigation system relies on real-time traffic monitoring within an SDN environment as a defense against DDoS attacks. The security system uses statistics recorded while monitoring traffic passing through SDN OpenFlow switches to detect malicious traffic. Once the attack is detected, the proposed defense system tracks the hosts that caused it in order to block them for a specified period of time, allowing only legitimate users to use the network facilities by sending packets over OpenFlow switches and links in the SDN network. Traffic monitoring is critical to detecting and mitigating DDoS attacks using tools like Sampling Flow (sFlow).

Furthermore, sFlow is a sampling technique used to monitor network traffic. It can be used to detect various types of DDoS attacks, such as SYN floods, UDP user datagrams, and more. Furthermore, the OpenFlow and sFlow protocols provide SDN researchers with an integrated flow monitoring and control system where the OpenFlow controller can be used to determine which flows should be monitored by sFlow, making the controller the layer that sends packet output messages to software forwarding rules to switches. In this context, to make the most of sFlow, we will use the powerful analytics engine sFlow-RT to collect real-time statistics for switches. In general, sFlow-RT can be used to monitor traffic by recording relevant time-release statistics. It is also used for load balancing, DDoS attack detection, and mitigation. Additionally, there are three main components of sFlow: i) the sFlow aggregator in an external controller or in an SDN controller, ii) the sFlow agents integrated into Openvswitch, and iii) the sFlow protocol. Software-defined networking enables a logical and centralized separation of the network control plane from the data plane [23].

The main idea is to integrate sFlow agents into the OpenFlow switches within an SDN network. The main task of sFlow agents is to send samples of network traffic from a specific network device, such as a switch or router, to an sFlow aggregator in an external controller. The sFlow aggregator can then use tools like the inMon sFlow-RT to automatically detect and mitigate large and long-waiting packet flows in real time, as shown in Fig. 4. The sFlow agents embedded in the OpenFlow switches communicate with the sFlow cluster via the sFlow protocol, while OpenfFlow switches communicate with OpenDaylight via the OpenFlow protocol, as shown in Fig. 5. The sFlow agent encapsulates sample flow and interfaces counters into sFlow data-grams. These data-grams are sent by sFlow agents to sFlow collector in the external controller via sFlow protocol.

The sFlow agents sample data packets based on probabilities defined by network administrators, operators, or end users. They also send interface counters to the sFlow aggregator. Network users can also specify threshold values for data traffic and sampling rates. The primary role of the SDN aggregator is to analyze data samples and take necessary measures against DDoS attacks to mitigate or, where possible, stop them.

In addition, the REST APIs, also known an architectural style for an application program interface (API) help each application to retrieve metrics, configure flows, receive notifications, and set appropriate threshold values using GET, PUT, POST and DELETE data types, which refers to the reading, updating, creating and deleting of operations concerning resources. The sFlow agents can be embedded into OpenFlow switches by using the following code:

sudo ovs-vsctl – –id=@sflow create sflow agent=eth1

target=∖“192.168.56.102:6343∖” sampling=300 polling=15

– – set bridge s1 sflow=@sflow

The above instruction codes will configure or enable sFlow in OpenvSwitch. The sFlow agent of eth1 is embedded into the IP address of 192.168.56.102 for the controller. In addition, the sampling rate is set at 300. In other words, for every 300 packets captured by the sFlow agent, only one packet is sent to the sFlow collector. The polling period is set to 15 s. Alternatively, the client will send a data message to the sFlow collector every 15 s. Fig. 5 shows flow diagram of sFlow agent processing.

The sFlow agents are installed on OpenFlow switches, enabling them to sample network traffic in real time. These agents continuously monitor traffic and capture flow data, which is essential for analyzing network performance and security. The agents send the collected traffic data to the sFlow analytics engine in real time. This data includes information about packet flows, protocols, and bandwidth usage, allowing for comprehensive traffic analysis. The sFlow analytics engine processes the incoming data to identify anomalies or patterns that may indicate a distributed denial of service (DDoS) attack. By analyzing traffic trends, the engine can detect sudden spikes or unusual behaviors that are typical of DDoS attacks. When a potential DDoS attack is detected, the analytics engine sends immediate notifications to the affected application on the targeted server. This early alert mechanism enables a rapid response, enabling the application to implement countermeasures or strategies to mitigate the effects of the attack.

The listed Algorithm 1 demonstrates a pseudo-code designed for the detection of DDoS attacks and mitigation. The algorithm checks the traffic flow rate λ at any time t in all switches in the SDN network through sFlow that allows to check the usage of the bandwidth accordingly. Once the traffic reaches a pre-set threshold value θ that identifies to mean DDoS-based attack is detected. In this paper, the value of θ is kept equal to 10% of the bandwidth (D), θ1=(D100×10). The utilization of bandwidth is u. It is noteworthy to note that θ could take any other value, depending on network administrator. The algorithm then blocks the users who behave like a Bot by keeping them on hold for T seconds, a value set for 60 s in this paper. The algorithm is made more complex by making the threshold value a range instead of single value, thus setting up a criterion for how long the time period, T1, should be. However, if else the value of θ is kept equal or less than 15% of the bandwidth (D) θ2=(D100×15), then the time period is kept as T2.

In this work, Mininet was used as a network simulator and OpenDaylight as an SDN controller to develop a test environment to demonstrate how it can serve as a reference topology for security applications. The computer system used for simulation purposes was a Core i7-4790 processor at 3.60 GHz and 32 GB of RAM. An Oracle VM Box was also used to create a virtual machine to host the SDN network devices involved.

There are multiple solutions available to mitigate distributed denial-of-service (DDoS) attacks. DDoS attacks can be at the application level, the control level, or at a large scale. One common method used by large enterprises and service providers to protect against DDoS threats is BGP remotely activated blackhole (RTBH). This attack instructs routers to block data traffic at the edge before it enters the protected target network, reducing network overload. The number of internet users has increased significantly, now accounting for 57% of the world’s population. Such a large number of internet users make them vulnerable to various security threats, including denial-of-service attacks via geographically distributed devices. Hence the name distributed denial-of-service (DDoS) is assigned to such attackers. Distributed denial-of-service (DDoS) attacks are a serious threat, exploiting network vulnerabilities and using malicious software, such as Trojans, to disrupt services. Understanding these mechanisms is critical to developing effective mitigation strategies to protect networks from these threats [31].

Various devices can also be used to mitigate distributed denial-of-service (DDoS) attacks by filtering out all types of attacks that drain resources, disrupting many services and thus degrading network performance. SDN technologies, such as Open Flow, provide multiple methods for controlling routing and switching, making existing networks more feature-rich, allowing network resources to be adjusted through so-called dynamic control defense to meet emerging demands [32].

With the development of computer networks, current network systems and data centers have become feature-rich, complex, and highly data-intensive, so that system designers often need to modify network software and coordinate network resources according to specific requirements. However, traditional network architectures do not meet these requirements from the perspective of enterprises, telecom companies, and end users. For example, decision-making power in legacy networks is distributed across different network components, making adding new devices or services to the network a daunting task. This is achieved by integrating AI into the data layer using software-defined networking (SDN) architectures [33,34].

SDN networks, combined with machine learning-based defense systems, significantly improve the classification and management of incoming requests. This capability enables more effective threat and anomaly detection, contributing to a more secure and efficient network environment in the face of the latest DDoS attack scenarios in SDN and cloud computing [35,36]. These algorithms include PATMOS, a new hybrid flow-based processor with a protocol that uses a rumor-like approach to identify attacks [37–39], and an SDN scheduling algorithm that ensures SDN is unavailable during certain attacks. Using different algorithms, SDN can learn different DDoS techniques and counterattacks before they can harm the server.

SDNs are useful because they help repel automated botnet attacks and can detect DDoS attacks early, delaying server downtime. A new protocol called PATMOS is used to mitigate DDoS attacks in multi-controller SDNs by clustering controllers Additionally, SDN networks can operate automatically with minimal supervision to handle DDoS attacks such as UDP, HTTP, etc. Essentially, an effective method must be used to ensure DDoS attacks are detected by appropriate packet traffic management in an SDN network environment.

In [40,41], the authors propose an SDN-enabled adaptive machine learning-based distributed denial-of-service (AMLSDM) detection and mitigation framework for Internet of Things (IoT)-based networks. The authors used a combination of three techniques: the Snort intrusion detection system, the sFlow sampling standard, and the OpenFlow protocol. They used Snort to quickly detect DDoS attacks. Although the authors did not provide details of their system, the researchers behind this work believe that the proposed method is complex and may raise concerns about packet latency in such small networks [42].

The authors in [43] proposed a defense framework based on sFlow and OpenFlow. However, their proposed model did not include their algorithm. They were able to provide some preliminary results. They demonstrated that their proposed system can only detect massive DDoS attacks in secure environments and may not handle traffic in hostile environments.

The authors in [44] proposed a defense system against SYN DDoS attacks using sFlow and OpenFlow. However, the proposed model was unable to handle other types of DDoS attacks. After examining the above, it is clear that most of the proposed models are only able to detect and mitigate massive attacks by adaptively balancing attack detection coverage and accuracy. Some recommended modules also focused on a specific type of DDoS attack [45–47]. Table 2 is reproduced by comparing the work in this paper with the results of some contemporary research.

In conclusion, the findings of this framework have been examined and evaluated as a defense system for detecting and mitigating DDoS attacks in SDN networks. Preliminary simulation results confirm that the proposed defense system can efficiently detect and mitigate DDoS attacks within approximately three seconds. The proposed method has provided a comparative analysis of regular traffic from legitimate users while mimicking DDoS behavior using the Hping3 command to generate traffic congestion, as detailed in Table 1. The traffic analysis indicates that, with the DDoS mitigation algorithm in place, traffic remains below the threshold value of 1.25 Mbps. Additionally, the system suspends the IP address for around 60 s if a bot continues to attack. These findings demonstrate that the proposed sFlow-based detection and mitigation algorithm is effective in handling a significant number of DDoS attacks on the SDN network. Moreover, results indicate that the proposed method does not adversely affect overhead traffic. Finally, by utilizing the suggested defense system, scalability concerns can be effectively managed, as network administrators can adjust the sampling rate to minimize overhead traffic between the controller and OpenFlow switch.

This article demonstrates that SDN can play a crucial role in reducing the impact of DDoS attacks. A preliminary framework for detecting DDoS attacks within an SDN architecture has been presented as a defense mechanism, utilizing overflow and sFlow technologies. Initial results indicate that the proposed model can effectively minimize the consequences of DDoS attacks in an SDN-based environment.

This work is planned to progress in three key directions using the OpenDaylight (ODL) controller for mitigating DDoS attacks. Firstly, a multi-level controller approach (comprising global and local controllers) will be explored to address DDoS attacks while minimizing overhead traffic between the data plane of switches and the control plane in a single-controller architecture. Secondly, the authors plan to investigate running OpenDaylight on a Raspberry Pi 3. The preliminary idea involves developing a DDoS mitigation script (mitigation algorithm) to implement on the Raspberry Pi 3 device architecture. Finally, the current system utilizes a randomly set sampling rate; the authors aim to identify methods for selecting the optimal sampling rate to ensure fast detection times and reduced packet latency.

In addition to measuring how effective a system is at detecting and mitigating DDoS attacks, another security effectiveness metric is the false positive rate, which measures how often legitimate users are incorrectly identified as attackers. A high false positive rate can annoy legitimate users with recurrent disconnections, which can significantly weaken network availability. Although this study did not explicitly measured the FPR, reducing false positives remains a critical goal for improving the accuracy and reliability of SDN-based DDoS mitigation systems. Future studies will consider FPR analysis.