Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: Aditya Gupta, Anurag Verma, Praveen Yadav
DOI Link: https://doi.org/10.22214/ijraset.2025.74457
Cloud computing has become a critical technology for hosting services, applications, and storage due to its scalability and flexibility. However, its open and distributed architecture makes it a prime target for Distributed Denial of Service (DDoS) attacks, which attempt to overwhelm servers by generating a flood of malicious traffic. These attacks can severely degrade performance, exhaust resources, and cause service outages, resulting in significant financial and operational losses. Traditional defense techniques, such as firewalls and signature-based intrusion detection systems, are increasingly ineffective because they lack the ability to adapt to evolving attack patterns and cannot scale efficiently in large cloud environments. This research proposes a Software-Defined Networking (SDN) based framework for mitigating DDoS attacks in cloud servers. SDN provides a centralized and programmable control plane that allows dynamic monitoring and mitigation of network traffic. In the proposed system, the SDN controller analyzes incoming flows, extracts traffic features, and enforces mitigation rules through OpenFlow switches to block or reroute malicious traffic. The approach is validated using two widely recognized datasets: CICDDoS2019, which represents modern DDoS attack scenarios, and CAIDA, which contains real-world Internet backbone traces of large-scale DDoS attacks. Experimental evaluation shows that the SDN-based framework achieves high detection accuracy, strong precision and recall, and a low false positive rate compared to conventional approaches. The results confirm that SDN enables faster and more adaptive responses to abnormal traffic patterns, making it a suitable defense mechanism for protecting cloud infrastructures. This study demonstrates the potential of combining SDN with traffic analysis for robust DDoS mitigation and provides insights into deploying scalable security solutions in cloud computing environments.
Cloud computing is essential for modern services (e.g., e-commerce, banking, healthcare), but its open and distributed nature makes it vulnerable to DDoS attacks, where compromised systems flood target servers to disrupt service. Traditional security mechanisms like firewalls and intrusion detection systems struggle to handle these large-scale, evolving threats.
Firewalls can't distinguish between legitimate high traffic and attacks.
Signature-based systems fail against new or modified (zero-day) attacks.
There's a need for more intelligent, adaptable, and real-time defenses.
Software-Defined Networking (SDN) separates the control plane from the data plane, giving a centralized controller full visibility and control of the network:
Enables real-time traffic monitoring
Allows dynamic rule installation to block malicious flows
Is programmable, making it ideal for adaptive security solutions
Prior research (e.g., Braga, Bawany) shows that SDN can be combined with machine learning for DDoS detection.
Datasets like CICDDoS2019 (synthetic, labeled) and CAIDA (real-world traffic) are commonly used for training and validating detection models.
Existing SDN-based systems show promise but face challenges in scalability and real-world deployment.
A novel SDN-based DDoS mitigation framework was developed with these components:
A. Traffic Collection
Uses OpenFlow switches to collect flow statistics
Captures both attack and benign traffic from CICDDoS2019 and CAIDA
B. Feature Extraction
Extracts features like packet rate, source entropy, flow duration
Preprocesses and normalizes the features to aid classification
C. Attack Detection (Machine Learning)
Uses Random Forest and SVM models trained on CICDDoS2019
Validated on CAIDA to ensure real-world applicability
D. Mitigation
SDN controller installs rules to block or reroute malicious flows in real-time
Adjusts flow timeouts dynamically to handle heavy traffic
E. Performance Metrics
Evaluated using accuracy, precision, recall, F1-score, and false positive rate
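The feature-extraction step (component B) can be illustrated with a short added example; it is not the authors' code. It computes packet rate, source entropy and mean flow duration per polling window and then min-max normalizes them. The record layout, the 10-second window, the packet-weighted entropy and the choice of min-max scaling are assumptions, and the flow records are constructed, not taken from CICDDoS2019 or CAIDA.

```python
import math
from collections import Counter, defaultdict

WINDOW_SECONDS = 10  # assumed polling interval for flow statistics

# Constructed records: (window_id, src_ip, packet_count, flow_duration_s)
FLOWS = (
    [(0, "10.0.0.1", 300, 4.0), (0, "10.0.0.1", 100, 6.0), (0, "10.0.0.2", 400, 2.0)]
    + [(1, f"198.51.100.{i}", 1000, 0.5) for i in range(1, 9)]
    + [(2, f"10.0.0.{i}", 500, 2.25) for i in range(1, 5)]
)

def shannon_entropy(counts):
    """Entropy in bits of a packet-weighted source distribution."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum((c / total) * math.log2(total / c) for c in counts.values() if c)

def window_features(flows, window_seconds=WINDOW_SECONDS):
    """Return {window_id: [packet_rate, source_entropy, mean_flow_duration]}."""
    per_window = defaultdict(list)
    for window_id, src, packets, duration in flows:
        per_window[window_id].append((src, packets, duration))
    features = {}
    for window_id, rows in sorted(per_window.items()):
        by_source = Counter()
        for src, packets, _ in rows:
            by_source[src] += packets  # several flows may share one source
        total_packets = sum(by_source.values())
        mean_duration = sum(d for _, _, d in rows) / len(rows)
        features[window_id] = [total_packets / window_seconds,
                               shannon_entropy(by_source), mean_duration]
    return features

def min_max_normalize(features):
    """Scale each feature column to [0, 1]; a constant column maps to 0.0."""
    columns = list(zip(*features.values()))
    lows = [min(col) for col in columns]
    spans = [max(col) - min(col) for col in columns]
    return {w: [(v - lo) / sp if sp else 0.0 for v, lo, sp in zip(row, lows, spans)]
            for w, row in features.items()}

if __name__ == "__main__":
    for window, row in min_max_normalize(window_features(FLOWS)).items():
        print(window, [round(v, 3) for v in row])
```

In the constructed data, window 1 combines a high packet rate, high source entropy and short flows, which is the kind of separation a classifier trained on these features relies on.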
Simulated cloud environment using Mininet and POX controller
Replayed attack traffic from datasets into the virtual network
Hardware: Intel i7 CPU, 16GB RAM, Ubuntu 20.04
Detection Performance
Random Forest: ~98% accuracy on CICDDoS2019, ~94% on CAIDA
SVM: Slightly lower accuracy (~96%)
Low false positive rates (2.3% for RF, 3.1% for SVM)
Mitigation Performance
Fast response time (rules installed in milliseconds)
Legitimate traffic not affected
CPU usage increased <8% under heavy attack; memory remained stable
Compared to Traditional Methods
Outperforms static filtering and signature-based systems
More adaptive to evolving attack patterns
In this research, we proposed an SDN-based framework for mitigating DDoS attacks in cloud servers, validated using both the CICDDoS2019 and CAIDA datasets. The results demonstrated that combining the centralized control of SDN with machine learning-based detection offers significant improvements in accuracy, response time, and resource efficiency compared to traditional static defence methods. The experiments showed that Random Forest and SVM classifiers could effectively detect malicious flows with an accuracy of more than 94% even on real-world traffic. Importantly, the mitigation strategy did not disrupt normal traffic, proving that SDN can selectively block malicious sources while maintaining service quality. This ability to adapt in real time makes SDN a promising direction for defending modern cloud infrastructures from large-scale DDoS attacks [34]. At the same time, the study also highlighted limitations. A single controller may become a performance bottleneck under extremely large-scale attacks, and machine learning models may need retraining when traffic patterns evolve. Nevertheless, the findings confirm that SDN provides a flexible and programmable solution that can be extended and improved over time.
[1] P. Mell and T. Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, 2011.
[2] A. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013.
[3] Y. Xie and S. Yu, “Monitoring the application-layer DDoS attacks for popular websites,” IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 15–25, Feb. 2009.
[4] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, “OpenFlow: Enabling innovation in campus networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, Apr. 2008.
[5] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” in Proc. IEEE SDN for Future Networks and Services (SDN4FNS), Trento, Italy, Nov. 2013, pp. 1–7.
[6] R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in Proc. IEEE Local Computer Network Conference, Denver, USA, Oct. 2010, pp. 408–415.
[7] N. Z. Bawany, J. A. Shamsi, and K. Salah, “DDoS attack detection and mitigation using SDN: Methods, practices, and solutions,” Arabian Journal for Science and Engineering, vol. 42, no. 2, pp. 425–441, 2017.
[8] A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” in Proc. ACM SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, Karlsruhe, Germany, 2003, pp. 99–110.
[9] A. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013.
[10] Y. Xie and S. Yu, “Monitoring the application-layer DDoS attacks for popular websites,” IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 15–25, Feb. 2009.
[11] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, “OpenFlow: Enabling innovation in campus networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, Apr. 2008.
[12] R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in Proc. IEEE Local Computer Network Conference, Denver, USA, Oct. 2010, pp. 408–415.
[13] N. Z. Bawany, J. A. Shamsi, and K. Salah, “DDoS attack detection and mitigation using SDN: Methods, practices, and solutions,” Arabian Journal for Science and Engineering, vol. 42, no. 2, pp. 425–441, 2017.
[14] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” in Proc. IEEE SDN for Future Networks and Services (SDN4FNS), Trento, Italy, Nov. 2013, pp. 1–7.
[15] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” in Proc. 4th Int. Conf. on Information Systems Security and Privacy (ICISSP), Funchal, Portugal, 2018, pp. 108–116.
[16] A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” in Proc. ACM SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, Karlsruhe, Germany, 2003, pp. 99–110.
[17] K. Benton, L. J. Camp, and C. Small, “OpenFlow vulnerability assessment,” in Proc. 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), Hong Kong, 2013, pp. 151–152.
[18] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” in Proc. 4th Int. Conf. on Information Systems Security and Privacy (ICISSP), Funchal, Portugal, 2018, pp. 108–116.
[19] A. Hussain, J. Heidemann, and C. Papadopoulos, “A framework for classifying denial of service attacks,” in Proc. ACM SIGCOMM Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communication, Karlsruhe, Germany, 2003, pp. 99–110.
[20] H. Wang, L. Xu, and G. Gu, “FloodGuard: A DoS attack prevention extension in software-defined networks,” in Proc. 45th IEEE/IFIP Int. Conf. on Dependable Systems and Networks (DSN), Rio de Janeiro, Brazil, 2015, pp. 239–250.
[21] S. M. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks against SDN controllers,” in Proc. Int. Conf. on Computing, Networking and Communications (ICNC), Anaheim, USA, 2015, pp. 77–81.
[22] R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in Proc. IEEE Local Computer Network Conference, Denver, USA, Oct. 2010, pp. 408–415.
[23] N. Z. Bawany, J. A. Shamsi, and K. Salah, “DDoS attack detection and mitigation using SDN: Methods, practices, and solutions,” Arabian Journal for Science and Engineering, vol. 42, no. 2, pp. 425–441, 2017.
[24] B. Lantz, B. Heller, and N. McKeown, “A network in a laptop: Rapid prototyping for software-defined networks,” in Proc. 9th ACM SIGCOMM Workshop on Hot Topics in Networks (HotNets), Monterey, USA, 2010, pp. 1–6.
[25] J. Erickson, “POX: A Python-based SDN controller,” POX Documentation, 2013.
[26] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” in Proc. 4th Int. Conf. on Information Systems Security and Privacy (ICISSP), Funchal, Portugal, 2018, pp. 108–116.
[27] The CAIDA UCSD “DDoS Attack 2007 Dataset,” Cooperative Association for Internet Data Analysis, University of California San Diego, 2007.
[28] T. Subbulakshmi and V. Priyadharshini, “Performance metrics for evaluating machine learning algorithms in intrusion detection systems,” International Journal of Computer Applications, vol. 179, no. 24, pp. 1–5, 2018.
[29] S. M. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks against SDN controllers,” in Proc. Int. Conf. on Computing, Networking and Communications (ICNC), Anaheim, USA, 2015, pp. 77–81.
[30] A. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013.
[31] H. Wang, L. Xu, and G. Gu, “FloodGuard: A DoS attack prevention extension in software-defined networks,” in Proc. 45th IEEE/IFIP Int. Conf. on Dependable Systems and Networks (DSN), Rio de Janeiro, Brazil, 2015, pp. 239–250.
[32] R. Braga, E. Mota, and A. Passito, “Lightweight DDoS flooding attack detection using NOX/OpenFlow,” in Proc. IEEE Local Computer Network Conference, Denver, USA, 2010, pp. 408–415.
[33] N. Z. Bawany, J. A. Shamsi, and K. Salah, “DDoS attack detection and mitigation using SDN: Methods, practices, and solutions,” Arabian Journal for Science and Engineering, vol. 42, no. 2, pp. 425–441, 2017.
[34] S. Scott-Hayward, G. O’Callaghan, and S. Sezer, “SDN security: A survey,” in Proc. IEEE SDN for Future Networks and Services (SDN4FNS), Trento, Italy, 2013, pp. 1–7.
[35] Y. Hu, W. Wang, X. Gong, X. Que, and S. Cheng, “Reliability-aware controller placement in software-defined networks,” IEEE Communications Letters, vol. 18, no. 2, pp. 732–735, 2014.
[36] U. Fiore, F. Palmieri, A. Castiglione, and A. De Santis, “Network anomaly detection with the restricted Boltzmann machine,” Neurocomputing, vol. 122, pp. 13–23, 2013.
[37] H. Haddadi, S. M. Mousavi, and A. Leon-Garcia, “Online learning for traffic classification in SDN,” in Proc. IEEE Int. Conf. on Cloud Networking (CloudNet), Pisa, Italy, 2014, pp. 205–210.
Copyright © 2025 Aditya Gupta, Anurag Verma, Praveen Yadav. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET74457
Publish Date : 2025-09-30
ISSN : 2321-9653
Publisher Name : IJRASET