Detecting Denial-of-Service Attacks Using sFlow



Shivaraj Hublikar, Vijaya Eligar and Arun Kakhandki
Abstract This paper addresses how to detect denial-of-service (DoS) attacks using sFlow.
A DoS attack is a critical security challenge in Software Defined Networking (SDN). In a
bandwidth-consumption DoS attack the attacker abruptly increases the traffic sent to a
server so that the available network bandwidth is exhausted, the server's services are
disrupted and it becomes unavailable to other users. The most challenging problem is to
detect the attack almost instantly and precisely. This paper presents the detection of
DoS attacks using the sFlow analyzer (sFlow-RT), a flow monitoring tool for SDN. sFlow
agents in the switches collect sampled packets from the network traffic; the analyzer
examines the samples for suspicious behaviour and creates handling rules which are then
sent to the controller. The DoS attack is implemented by emulating a typical network in
Mininet and integrating it with the sFlow analyzer. The results show that the potential
DoS victims and attackers are found quickly.
Key words: bandwidth detection, DoS attack, SDN, sFlow
1 Introduction
In a traditional network each device contains both a data plane and a control plane, and
both are local to the device. If there are ten devices in a network, each of them has its
own data plane and control plane holding all the information needed to build its
forwarding tables. In SDN terms, the data plane comprises the switches while the control
plane comprises controllers of different types. A networking device forwards packets as
decided by its forwarding tables. As the demands on traditional networks increase, working
with their topology becomes complex [5]. Even though traditional networks are widespread
and very popular, they have various drawbacks. Firstly, there is little scope to extend
the network when a new feature or protocol has to be added. Secondly, new behaviour cannot
be introduced to improve the functionality of a traditional network, since its devices are
not programmable. Thirdly, the cost of the network is high since each device contains both
a data plane and a control plane. Different topologies are hard to realise since the
devices are configured with a set of predefined rules during manufacture. Furthermore, the
physical network infrastructure cannot be fully utilised since arranging a traditional
network under predefined policies becomes complicated and error prone.

Author affiliations:
Shivaraj Hublikar, KLE Technological University, Hubballi, India
Vijaya Eligar, KLE Technological University, Hubballi, India
Arun Kakhandki, KLS's VDRIT, Haliyal, India
Recent trends such as machine learning, artificial intelligence, cyber security, the
Internet of Things (IoT) and mobile traffic generate heavy traffic that such networks
cannot manage. SDN manages the overall network programmatically. SDN differs from
traditional networks in that it provides central control over the entire network by
separating the control plane from the data plane, as shown in Fig. 1.

Fig. 1 Traditional network and SDN [11]
SDN manages the network by controlling the devices centrally, which greatly improves
network utilisation and management. The data plane stays within the device and forwards
the traffic, whereas the control plane moves to a separate device called the controller,
which makes the forwarding decisions. SDN is categorised into three parts: the controller,
southbound Application Programming Interfaces (APIs) and northbound APIs. The controller
is the programmable central system that controls the entire network and holds information
about all the resources (such as switches and routers) connected to it. Switches and
routers are the forwarding devices; the southbound APIs are the medium through which the
controller programs them and learns about the traffic they forward. OpenFlow is the
standard protocol used as a southbound API. The northbound APIs are used by network
applications and by network administrators to communicate with the controller and manage
the traffic, as shown in Fig. 2.
Fig. 2 SDN Controller
1.1 OpenFlow
OpenFlow is a standard protocol that provides the communication interface between the
control plane and the data plane in SDN. Data packets are forwarded between devices
according to flow rules, and these rules are managed through the OpenFlow protocol. Each
SDN device maintains a set of flow tables; the rules in these tables are installed by the
control plane over the OpenFlow channel, and the switch handles incoming packets according
to the flow table rules [1]. Fig. 3 presents the logical structure of an OpenFlow switch.

Fig. 3 OpenFlow switch architecture

When an incoming packet does not match any existing flow rule (a table miss), the switch
sends the packet, or its header, to the controller as a packet-in message, which consumes
bandwidth on the control channel and memory on both sides. The limited communication
bandwidth between the control and data planes can become a bottleneck for the whole
network and lead to security problems. According to [9], today's commercial OpenFlow
switches only support a wired connection to the controller, and the practical
control-channel bandwidth was measured to be less than 10 Mbps.
Research on DoS attacks in SDN is predominantly focused on detecting the attack. In 2001
the Internet infrastructure was hit worldwide by the Code Red and Nimda worms, whose
propagation had the effect of a DoS attack. Code Red scanned the network at a rapid
propagation rate to find and exploit Microsoft Internet Information Server (IIS)
installations automatically. The resulting traffic consumed huge bandwidth and affected a
lot of network devices. The attack was complex to handle because it came from a large
number of source IP addresses, which made packet analysis a big task. In order to mitigate
or limit the damage to network resources, some type of content filtering was performed.
In [2] the authors propose a holistic approach to mitigating DoS attacks in SDN that
avoids overloading the switch TCAMs as well as the controller and the control-channel
bandwidth. SLICOTS, a related solution, mitigates TCP SYN flooding in SDN; it is built on
top of the controller in order to monitor the network traffic related to TCP connection
requests.
This paper is organized as follows. Section 2 discusses DoS attacks on SDN. Section 3
presents the DoS detection method based on the sFlow tool. Section 4 demonstrates the
method to detect DoS attacks. The simulation results and discussion are presented in
Section 5, followed by the conclusion in Section 6.
2 DoS Attack
A DoS attack has a serious impact on the targeted computing system. DoS attacks deny
service to valid users by completely consuming the target's resources. They are usually
launched by an individual or a group of individuals who exploit aspects of the Internet
Protocol to deny other users legitimate access to systems and information. If a router
stops forwarding packets, the hosts behind it are effectively disconnected. Common targets
of these attacks are web servers, mail servers and other services [6].
In [9] the authors explain SDN-aimed DoS attacks, also called data-to-control-plane
saturation attacks. The attacker first crafts packets that do not match any entry in the
target switch's flow tables, by randomising some or all of the header fields so that
every packet is a table miss, as shown in Fig. 4. The attacker then floods the SDN network
with a large number of such table-miss packets.

Fig. 4 DoS attack

Every table-miss packet triggers a packet-in message from the switch to the controller, so
the flood consumes the communication bandwidth of the control channel and the CPU and
memory of both the control plane and the data plane [2].
DoS attacks can be of various types:
1. Destructive: attacks which damage the device to prevent its proper operation, such as
deleting or changing properties or information and power
2. Resource consumption: attacks which try to reduce the ability of the device to perform
effectively by opening many simultaneous connections to a single
3. Bandwidth consumption: attacks which attempt to exhaust the bandwidth capacity of the
network device.
This paper concentrates on bandwidth-consumption attacks and detects them using the sFlow
tool. When a DoS attack is detected, sFlow generates flow rules by analysing the packet
samples collected from the network traffic, and these rules are sent to the controller. In
this work, security services are developed to protect the network, and third parties such
as servers, against this type of network attack. A DoS attacker floods a server with an
enormous amount of traffic in a short time, increasing the flow until the server is
effectively disconnected.
3 sFlow
sFlow helps to monitor the network: it provides ways of observing and handling traffic
flows and of improving the performance of a network consisting of switches and routers.
sFlow [12] is an open, standardised packet-sampling technology for measuring traffic that
is compatible with OpenFlow networks. It consists of sFlow agents and a collector. The
sFlow agent, embedded in the monitored device, captures traffic statistics by sampling: it
takes one packet in N, copies its header, and also exports interface counters
periodically. The samples are immediately forwarded in sFlow datagrams to an sFlow
collector for analysis. The tasks of the two receiving modules are listed below.
1. sFlow collector: a server where the sFlow datagrams are collected and stored.
2. sFlow analyzer: it provides a real-time overview of the network traffic by analysing
the received datagrams for irregularities in the network parameters and extracting
detailed information. sFlow agents send a continuous stream of samples to the collector,
where they are analysed to supply a real-time, network-wide view of traffic flows.
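The sampling arithmetic behind the detection in Sections 2 and 3, as an added example that is not part of the paper: an sFlow agent copies the header of one packet in N, so each sample stands for N packets of that size. Summing sampling rate times frame length over a window estimates the bytes sent per (source, destination) pair; a destination whose estimated ingress exceeds a threshold is the victim, and the largest contributors are the attackers. The sFlow v5 datagrams below are constructed in code so the script runs offline (the agent address 10.0.0.254, hosts 10.0.0.1 to 10.0.0.3, a 1-in-10 sampling rate and a 10 Mbit/s link are assumptions); a real collector would feed parse_datagram() with the UDP payloads it receives on port 6343 instead.

```python
"""Added example (not the paper's code): decode sFlow v5 flow samples and
estimate per-destination bandwidth from them. Datagrams are constructed here."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# sFlow v5 constants (enterprise 0 formats)
SFLOW_VERSION = 5
FLOW_SAMPLE = 1          # sample_data format: flow_sample
RAW_PACKET_HEADER = 1    # flow_data format: sampled_header
HEADER_ETHERNET = 1      # header_protocol: ETHERNET-ISO88023


def build_ipv4_frame(src, dst, payload_len, proto=17):
    """Constructed Ethernet + IPv4 header as an agent copies it (payload omitted,
    as agents cap the copied header); MAC addresses are dummies."""
    eth = bytes.fromhex("000000000002" "000000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip


def build_flow_sample(seq, sampling_rate, frame, frame_length):
    """Encode one flow_sample carrying a single sampled_header record."""
    pad = (-len(frame)) % 4                      # XDR pads opaque data to 4 bytes
    rec_data = struct.pack("!IIII", HEADER_ETHERNET, frame_length, 0, len(frame)) + frame + b"\0" * pad
    record = struct.pack("!II", RAW_PACKET_HEADER, len(rec_data)) + rec_data
    # sequence, source_id, sampling_rate, sample_pool, drops, input, output, record count
    body = struct.pack("!IIIIIIII", seq, 1, sampling_rate, seq * sampling_rate, 0, 1, 2, 1) + record
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


def build_datagram(agent_ip, seq, samples):
    """sFlow v5 datagram header (IPv4 agent address) followed by the samples."""
    hdr = struct.pack("!II4sIIII", SFLOW_VERSION, 1, IPv4Address(agent_ip).packed,
                      0, seq, seq * 1000, len(samples))
    return hdr + b"".join(samples)


def parse_datagram(data):
    """Yield (sampling_rate, frame_length, src_ip, dst_ip) for each sampled IPv4 frame."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_VERSION or addr_type != 1:
        raise ValueError("unsupported sFlow datagram")
    off = 8 + 4                                   # skip the IPv4 agent address
    _sub_agent, _seq, _uptime, n_samples = struct.unpack_from("!IIII", data, off)
    off += 16
    for _ in range(n_samples):
        s_type, s_len = struct.unpack_from("!II", data, off)
        off += 8
        s_end = off + s_len
        if s_type == FLOW_SAMPLE:
            rate = struct.unpack_from("!I", data, off + 8)[0]
            n_rec = struct.unpack_from("!I", data, off + 28)[0]
            p = off + 32
            for _ in range(n_rec):
                r_type, r_len = struct.unpack_from("!II", data, p)
                p += 8
                if r_type == RAW_PACKET_HEADER:
                    proto, frame_len, _stripped, hdr_len = struct.unpack_from("!IIII", data, p)
                    hdr = data[p + 16:p + 16 + hdr_len]
                    if proto == HEADER_ETHERNET and hdr[12:14] == b"\x08\x00" and len(hdr) >= 34:
                        yield rate, frame_len, str(IPv4Address(hdr[26:30])), str(IPv4Address(hdr[30:34]))
                p += r_len
        off = s_end                               # skip counter samples / unknown types


def estimate_bps(datagrams, window_s):
    """Scale each sampled frame by its sampling rate: bytes ~ samples x rate x length."""
    bytes_per_pair = defaultdict(int)
    for dgram in datagrams:
        for rate, frame_len, src, dst in parse_datagram(dgram):
            bytes_per_pair[(src, dst)] += rate * frame_len
    return {pair: b * 8 / window_s for pair, b in bytes_per_pair.items()}


def detect_dos(datagrams, window_s, threshold_bps):
    """Return {victim: [(source, bps), ...]} for destinations whose estimated
    ingress exceeds threshold_bps, sources ordered by their contribution."""
    ingress, sources = defaultdict(float), defaultdict(list)
    for (src, dst), bps in estimate_bps(datagrams, window_s).items():
        ingress[dst] += bps
        sources[dst].append((src, bps))
    return {dst: sorted(sources[dst], key=lambda s: -s[1])
            for dst, bps in ingress.items() if bps > threshold_bps}


def constructed_scenario(sampling_rate=10):
    """Constructed one-second window on a 10 Mbit/s link: h1<->h2 normal traffic
    plus h3 flooding h2. The 1-in-10 sampling rate is an assumption."""
    samples, seq = [], 0

    def add(src, dst, payload, count):
        nonlocal seq
        for _ in range(count):
            seq += 1
            frame = build_ipv4_frame(src, dst, payload)
            samples.append(build_flow_sample(seq, sampling_rate, frame, 14 + 20 + payload))

    add("10.0.0.1", "10.0.0.2", 1466, 20)   # 20 samples of 1500-byte frames: ~2.4 Mbit/s
    add("10.0.0.2", "10.0.0.1", 30, 5)      # small replies
    add("10.0.0.3", "10.0.0.2", 1466, 75)   # flood: ~9.0 Mbit/s estimated
    # real agents keep datagrams under the MTU, so batch ten samples per datagram
    return [build_datagram("10.0.0.254", i, samples[i * 10:(i + 1) * 10])
            for i in range((len(samples) + 9) // 10)]


def run_example():
    return detect_dos(constructed_scenario(), window_s=1.0, threshold_bps=8_000_000)


if __name__ == "__main__":
    for victim, attackers in run_example().items():
        print(f"victim {victim}: " + ", ".join(f"{s} {b / 1e6:.1f} Mbit/s" for s, b in attackers))
```

The estimate is only as good as the sample count: at 1-in-10 sampling, 75 samples in a second is a solid signal, but at the 1-in-1000 rates typical of production switches a one-second window would see too few samples and either the window must be widened or the rate lowered. That trade-off between how "instantly" an attack can be detected and how many false alarms are tolerated is the tuning knob the paper's threshold hides.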
3.1 Integration of Mininet and sFlow
Network emulators play an important role in evaluating network topologies of different
types on a small scale. Several tools such as Mininet, GNS3 and EstiNet are available.
Mininet is used here; it is an open-source network emulator used to generate traffic and
analyse its flow.
Mininet [8] is an open-source network emulator driven from a Command Line Interface (CLI)
that supports analysis tools such as sFlow, NetFlow and RMON. Mininet creates virtual
switches, hosts, links and controllers on a single Linux kernel with a single command, and
custom topologies can be built with it. It emulates real machines and can create many
hosts. Its limitations are that it does not ship a production-grade OpenFlow controller
(only a simple reference controller) and that its emulated links are usually configured
at modest rates (10 or 100 Mbps).
According to [7], these emulators provide a platform to set up a network topology that
replicates a real-world environment for the analysis and detection of attacks using
Mininet and sFlow. The analysis is done in a number of steps, listed here.
1. Run the start-up shell script to launch the sFlow-RT application.
2. In another terminal window, start the Mininet topology. Run the ping command to check
the connectivity between the hosts of the created topology; zero percent packet loss
shows full connectivity between the hosts.
3. Access the sFlow-RT web interface on the local host at http://localhost:8008.
4. The Mininet dashboard application of sFlow-RT, which also detects elephant flows, is
opened at http://localhost:8008/app/mininet-dashboard/html/. It provides a way to run an
SDN controller alongside it.
4 Implementation
In this section the implementation of the network is discussed. Initially sFlow-RT is
started to receive the continuous stream of samples sent by the network devices and
convert it into metrics. As soon as a metric crosses a predefined level, an event is
raised for the analyzer. Next a topology with link bandwidths of 10 Mbps is built with the
Mininet command. Finally the output is the measured bandwidth of the link between two
hosts.
To make it easier to get started, the latest release of sFlow-RT includes a Mininet
helper script that automates the sFlow configuration. The following example shows how to
use the script and build a simple application in Python.
The steps to detect the flows in a Mininet topology created in a Linux environment using
sFlow-RT are listed here and shown in Fig. 5.
1. sFlow-RT: sFlow-RT is a real-time analytics tool that has an embedded OpenFlow
controller, allowing it to monitor OpenFlow-capable switches and insert flows into them.
It analyses events of interest, raises triggers and applies traffic handling rules through
a particular controller. In order for sFlow-RT to analyse flows and react to traffic
changes, it has to be configured to work together with the existing
2. Creating the Mininet topology: in a second terminal, add the --custom argument to the
Mininet command line. The following command builds a tree topology of depth 2 with link
bandwidths of 10 Mbit/s.
Fig. 5 Starting sFlow
    cd sflow-rt
    sudo mn --custom extras/ --link tc,bw=10 --topo tree,depth=2,fanout=2
The response of the tool after creating the topology is shown in Fig. 6. The script
extends Mininet, automatically enabling sFlow on each of the switches in the topology and
posting a JSON representation of the Mininet topology to sFlow-RT.

Fig. 6 Creating the topology
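How the analyzer's detection becomes a handling rule, as an added example that is not the paper's own code: sFlow-RT exposes a REST API on port 8008 through which a flow definition and a threshold are installed with PUT requests, and threshold events are retrieved with a long-polling GET on /events/json. The script below defines a per-(source, destination) bandwidth metric, raises an event when one pair exceeds 80% of the 10 Mbit/s link, and translates each event into an ovs-ofctl drop rule. The switch name s1 (Open vSwitch, as Mininet uses by default), the event field names, and the sample events in constructed_events() are assumptions; only the pure functions are exercised offline, the network calls run against a live sFlow-RT.

```python
"""Added example (not from the paper): configure sFlow-RT over its REST API to
watch per-(source, destination) bandwidth, poll for threshold events and turn
each event into an OpenFlow drop rule. Switch name, event field names and the
sample events are assumptions."""
import json
import urllib.request

SFLOW_RT = "http://localhost:8008"   # sFlow-RT default HTTP port
LINK_BPS = 10_000_000                # 10 Mbit/s links, as in the paper's topology
METRIC = "dos"                       # name shared by the flow and its threshold


def flow_definition():
    """Flow spec: estimated bytes per second for each (ipsource, ipdestination) pair."""
    return {"keys": "ipsource,ipdestination", "value": "bytes", "log": False}


def threshold_definition(metric=METRIC, fraction=0.8):
    """Raise an event when a single pair exceeds `fraction` of the link capacity.
    The 'bytes' metric is in bytes per second, hence the division by 8."""
    return {"metric": metric, "value": LINK_BPS * fraction / 8, "byFlow": True}


def put_json(path, obj):
    """PUT a JSON document to sFlow-RT (network call; not exercised offline)."""
    req = urllib.request.Request(SFLOW_RT + path, data=json.dumps(obj).encode(),
                                 method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def configure(metric=METRIC):
    """Install the flow and its threshold; sFlow-RT keeps both until restarted."""
    put_json(f"/flow/{metric}/json", flow_definition())
    put_json(f"/threshold/{metric}/json", threshold_definition(metric))


def poll_events(after_id=-1, max_events=10, wait_s=60):
    """Long-poll /events/json; returns events newer than after_id."""
    url = f"{SFLOW_RT}/events/json?maxEvents={max_events}&timeout={wait_s}&eventID={after_id}"
    with urllib.request.urlopen(url, timeout=wait_s + 5) as resp:
        return json.load(resp)


def event_to_drop_rule(event, switch="s1", priority=100):
    """Turn a byFlow event into an ovs-ofctl command. flowKey holds the key
    values joined by commas in the order of flow_definition() (source first)."""
    src, dst = event["flowKey"].split(",")
    match = f"priority={priority},ip,nw_src={src},nw_dst={dst}"
    return ["ovs-ofctl", "add-flow", switch, f"{match},actions=drop"]


def handle_events(events, metric=METRIC, switch="s1"):
    """Build one drop rule per offending pair, ignoring other metrics and repeats."""
    rules, seen = [], set()
    for ev in events:
        if ev.get("metric") != metric or ev["flowKey"] in seen:
            continue
        seen.add(ev["flowKey"])
        rules.append(event_to_drop_rule(ev, switch))
    return rules


def constructed_events():
    """Made-up events shaped like sFlow-RT's: h3 flooding h2 fires twice, plus an
    unrelated metric that must be ignored."""
    return [
        {"eventID": 1, "agent": "10.0.0.254", "metric": "dos", "thresholdID": "dos",
         "flowKey": "10.0.0.3,10.0.0.2", "value": 1125000.0, "threshold": 1000000.0},
        {"eventID": 2, "agent": "10.0.0.254", "metric": "dos", "thresholdID": "dos",
         "flowKey": "10.0.0.3,10.0.0.2", "value": 1180000.0, "threshold": 1000000.0},
        {"eventID": 3, "agent": "10.0.0.254", "metric": "elephant", "thresholdID": "elephant",
         "flowKey": "10.0.0.1,10.0.0.2", "value": 400000.0, "threshold": 125000.0},
    ]


if __name__ == "__main__":
    import subprocess
    configure()
    last = -1
    while True:
        events = poll_events(after_id=last)
        for cmd in handle_events(events):
            print("installing:", " ".join(cmd))
            subprocess.run(cmd, check=False)
        if events:
            last = max(ev["eventID"] for ev in events)
```

Dropping on nw_src is the handling rule the paper describes (block the attacker), but source addresses in a flood are trivially spoofed, so a production rule should also be scoped to the ingress port the attack arrives on (in_port) or rate-limited rather than dropped outright, and the threshold must sit above the legitimate peak so that h1's normal traffic to h2 is never blocked alongside the attacker's.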
5 Results and Discussion
When the network is emulated without any attack, the bandwidth measured between the two
hosts stays at 9.63 Mbps. When a DoS attack is launched on the network, the bandwidth
available to them falls to 30 kbps. The available bandwidth dropped from Mbits to kbits
because the attack traffic consumed the link's capacity, which in turn degraded the
system performance. The GUI output of the DoS detection is shown in Fig. 7. Here sFlow-RT
runs on the local host and detects the DoS attack while host h1 pings h2: as the number
of packets sent rises sharply, the DoS attack is detected.
6 Conclusion
A bandwidth-consumption DoS attack, in which the attacker abruptly increases the traffic
sent to a server so that its services are disrupted and it becomes unavailable to other
users, was detected using the sFlow tool. In case of an attack, sFlow collects sampled
packets from the network traffic, analyses the suspicious behaviour and creates handling
rules which are then sent to the controller. The DoS attack was implemented by emulating
a typical network in Mininet and integrating it with the sFlow analyzer. The results
indicate efficient identification of DoS attacks using sFlow.

Fig. 7 DoS attack detected
References
1. Ambrosin, M., Conti, M., De Gaspari, F., Poovendran, R.: LineSwitch: Tackling control
plane saturation attacks in software-defined networking. IEEE/ACM Transactions on
Networking 25(2), 1206–1219 (2017)
2. Dridi, L., Zhani, M.F.: A holistic approach to mitigating DoS attacks in SDN networks.
International Journal of Network Management 28(1), e1996 (2018)
3. Jyothirmai, P., Raj, J.S., Smys, S.: Secured self organizing network architecture in
wireless personal networks. Wireless Personal Communications 96(4), 5603–5620 (2017)
4. Nugraha, M., Paramita, I., Musa, A., Choi, D., Cho, B.: Utilizing OpenFlow and sFlow to
detect and mitigate SYN flooding attack. 17(8), 988–994 (2014)
5. Ombase, P.M., Kulkarni, N.P., Bagade, S.T., Mhaisgawali, A.V.: Survey on DoS attack
challenges in software defined networking
6. Othman, R.A.R.: Understanding the various types of denial of service attack. Business
Week Online (2000)
7. Peter: Mininet flow analytics. Accessed: 2019-01-10
8. Scarlato, M.: Network monitoring in software defined networking
9. Shang, G., Zhe, P., Bin, X., Aiqun, H., Kui, R.: FloodDefender: Protecting data and
control plane resources under SDN-aimed DoS attacks. In: INFOCOM 2017 - IEEE Conference on
Computer Communications, pp. 1–9. IEEE (2017)
10. Sridhar, S., Smys, S.: A hybrid multilevel authentication scheme for private cloud
environment. In: Intelligent Systems and Control (ISCO), 2016 10th International
Conference on, pp. 1–5. IEEE (2016)
11. Stallings, W.: Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud.
Addison-Wesley Professional (2015)
12. Swapna, A.I., Reza, M.R.H., Aion, M.K.: Security analysis of software defined wireless
network monitoring with sFlow and FlowVisor. In: Communication and Electronics Systems
(ICCES), International Conference on, pp. 1–7. IEEE (2016)