Detecting Denial-of-Service Attacks Using sFlow
Shivaraj Hublikar, Vijaya Eligar and Arun Kakhandki
Abstract This paper addresses how to detect denial-of-service attacks using sFlow. A Denial-of-Service (DoS) attack is a critical security challenge in Software Defined Networking (SDN). In a DoS attack, the network bandwidth is consumed by disrupting the services of a server: the attacker abruptly increases the traffic directed at it and makes the server unavailable to other users. The most challenging problem of DoS attacks is to detect the attack almost instantly and in a precise manner. This paper presents the detection of DoS attacks using the sFlow analyzer, an SDN flow monitoring tool. In the event of an attack, sFlow collects sample packets from the network traffic, analyzes suspicious behaviour and creates handling rules which are then sent to the controller. The DoS attack is implemented by emulating a typical network in Mininet and integrating it with the sFlow analyzer. Through the simulated results, the potential DoS victims and attackers are quickly found.
Key words: bandwidth detection, DoS attack, SDN, sFlow

Shivaraj Hublikar, KLE Technological University, Hubballi, India, e-mail: email@example.com
Vijaya Eligar, KLE Technological University, Hubballi, India, e-mail: firstname.lastname@example.org
Arun Kakhandki, KLSs VDRIT, Haliyal, India, e-mail: email@example.com

1 Introduction

In a traditional data network, devices are structured into a data-plane and a control-plane, both of which are local to the device. If there are ten devices in a network, each device has its own data-plane and control-plane holding all the relevant information about forwarding tables. The data-plane comprises the switches, while the control-plane comprises controllers of different types. A networking device forwards the packets it receives as decided by its forwarding tables. Since the demand on traditional networks is increasing, working with their topology has become complex. Even though traditional networks are widespread and very popular, they have various drawbacks. Firstly, there is no scope to extend the network if a new feature or protocol is to be added. Secondly, new commands cannot be introduced to improve the functionality of a traditional network, since it is not programmable. Thirdly, the cost of the network is high, since each device contains both a data-plane and a control-plane. Different topologies of the network are not possible, since a traditional network is configured with a set of predefined rules at the time of manufacture. Furthermore, the physical network infrastructure cannot be fully utilized, since arranging a traditional network with predefined policies becomes complicated and error prone.
Recent trends such as machine learning, artificial intelligence, cyber security, the Internet of Things (IoT) and mobile traffic generate heavy traffic which cannot be managed by the traditional network. SDN manages the overall network programmatically. SDN differs from the traditional network in that it provides complete central control over the network by separating the control-plane from the data-plane, as shown in Fig. 1.

Fig. 1 Traditional network and SDN

SDN manages the network by centrally controlling the devices, which greatly improves network utilization and management. In this network the data-plane stays within the device for forwarding data, whereas the control-plane is placed in a separate device called the controller, which handles the control information. SDN is categorized into three parts: Controllers, Southbound Application Program Interfaces (APIs) and Northbound APIs. The controller, the programmable central system, controls the entire network and holds the information of all the resources (such as switches and routers) connected to it. Switches and routers are the forwarding devices, and they require Southbound APIs as the medium through which the controller instructs them on transferring data packets. OpenFlow is the standard protocol used in Southbound APIs. SDN uses Northbound APIs to communicate with the applications through which network administrators monitor and manage the traffic, as shown in Fig. 2.

Fig. 2 SDN Controller
OpenFlow is a standard protocol that provides the communication interface between the control-plane and the data-plane in SDN. The data packets are transferred between devices which have to maintain traffic routing flows, and these flows are managed by the OpenFlow protocol. Each SDN device maintains a set of Flow-tables that is controlled through the OpenFlow switch. Incoming packets are handled by the switch according to the rules installed by the control-plane, which maintains the communication channel and also supplies the Flow-table rules. Fig. 3 presents the logical structure of an OpenFlow switch. When an incoming packet does not match any existing flow rule in the Flow-tables, the mismatched flow is forwarded from the forwarding plane to the controller, which consumes bandwidth and memory. The limited communication bandwidth between the control and data-planes can be a bottleneck for the whole network and lead to security problems. Today's commercial OpenFlow switches only support a cable connection to the controller, and the practical connection bandwidth has been measured at less than 10 Mbps.

Fig. 3 Open Switch Architecture
Research on SDN and DoS attacks is predominantly focused on detection of the attack. In July 2001 the Internet infrastructure was hit worldwide by the DoS attack worms Code Red and NIMDA. The Code Red worm used network scanning to detect and exploit Internet Information Server (IIS) automatically, attacking the network at a rapid propagation rate. This DoS attack consumed huge bandwidth, which affected many network devices. The attack was complex to handle since it came from various source IP addresses, which made packet analysis a big task. In order to mitigate or limit the damage to network resources, content filtering of some type was performed.
In  the authors propose a mechanism that avoids the overloading of switch TCAMs, the controller and the control channel bandwidth, and a solution called SLICOTS, which mitigates TCP SYN flooding, a type of flooding attack, in SDN. It is built on top of the controller in order to monitor the network traffic related to TCP requests.
This paper is organized as follows. Section 2 discusses DoS attacks on SDN. Section 3 presents the DoS detection method based on the sFlow tool. Section 4 demonstrates the method to detect DoS attacks. The simulation results and discussion are presented in Section 5, followed by the conclusion in Section 6.
2 DoS Attack
A DoS attack has a serious impact on the computing system. DoS attacks deny services to valid users by completely consuming the target's resources. They are usually initiated by an individual or a group of individuals exploiting aspects of the Internet Protocol to deny other users legitimate access to systems and information. Hosts behind a router are cut off if the router stops forwarding packets. Recent targets of these attacks are web servers, mail servers and other services.
In  the authors explain SDN-aimed DoS attacks (data-to-control-plane saturation attacks). The attacker first sends packets which do not match any entry in the Flow-tables, generating table-miss packets by randomizing some or all header fields so that they match no existing flow rule on the target switch, as shown in Fig. 4. Then the attacker launches the DoS attack on the SDN network by flooding it with a large number of table-miss packets. These table-miss packets trigger a massive number of packet-in messages from the switch to the controller and consume the communication bandwidth, CPU computation and memory in both the control and data-planes.

Fig. 4 DoS Attack
DoS attacks can be of various types:
• Destructive: Attacks which destroy the device to prevent the proper operation of a function, such as deleting or changing properties or information and power
• Resource consumption: Attacks which try to reduce the ability of the device to perform effectively by opening many simultaneous connections to a single
• Bandwidth consumption: Attacks which attempt to affect the bandwidth capacity of the network device.
This paper concentrates on the bandwidth attack, which is detected using the sFlow tool. When a DoS attack is detected, sFlow generates flow rules by analyzing samples of packets collected from the network traffic, and these rules are sent to the controller. In this work, security services are developed to protect networks against different types of network attacks on third parties such as servers. A DoS attacker attacks the network by sending an enormous flood of traffic to a server in a short time, increasing the flow until the server becomes unreachable.
3 sFlow

sFlow helps to monitor the network, offers various ways of handling the traffic flows, and improves the performance of a network consisting of switches and routers. sFlow  is an open-source sampling tool for measuring traffic that is compatible with OpenFlow networks. It consists of sFlow agents and a collector. The sFlow agent captures traffic statistics from the device under observation using sampling technology. sFlow datagrams immediately forward the sampled traffic statistics to an sFlow collector for analysis. The main tasks of the two modules are listed below.
1. sFlow Collector: A server where sFlow datagrams are collected and stored.
2. sFlow Analyzer: Provides a real-time overview of the network traffic flow by analyzing the received datagrams for irregularities in the network parameters and extracting detailed information. sFlow agents send a continuous stream of sFlow samples to the collector, where they are analyzed to supply a real-time, network-wide view of traffic flows.
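The detection described above rests on one property of sFlow sampling: an agent exports roughly one sample per N forwarded packets, so each sampled frame's size multiplied by N estimates the bytes the switch actually forwarded. The following script, added here as an illustration and not taken from the paper or from the sFlow-RT project, applies that scaling to a set of constructed samples, estimates the rate flowing into each destination, and flags any destination absorbing most of a 10 Mbit/s link (the link rate the paper's Mininet topology uses). The addresses, sampling rate, frame sizes and the 80% alert fraction are all constructed for the example.

```python
"""Estimate per-destination bandwidth from sFlow packet samples and flag DoS victims.

Added example; not the paper's or sFlow-RT's code. Sample records, the sampling
rate, the host addresses and the alert fraction are constructed for illustration.
"""
from collections import defaultdict

LINK_BPS = 10_000_000   # constructed: bw=10 Mbit/s links, as in the paper's Mininet topology
ALERT_FRACTION = 0.8    # constructed: alert once a host absorbs more than 80% of the link
SAMPLING_RATE = 10      # constructed: the agent exports 1 sample per 10 packets


def sample(src, dst, frame_bytes, count):
    """Build `count` identical sFlow samples: (sampling_rate, src, dst, frame_bytes)."""
    return [(SAMPLING_RATE, src, dst, frame_bytes)] * count


# Constructed one-second window: h1 (10.0.0.1) pings h2 (10.0.0.2) normally,
# while h3 and h4 flood h2 with full-size frames.
SAMPLES = (
    sample("10.0.0.1", "10.0.0.2", 98, 2)
    + sample("10.0.0.2", "10.0.0.1", 98, 1)
    + sample("10.0.0.3", "10.0.0.2", 1500, 50)
    + sample("10.0.0.4", "10.0.0.2", 1500, 30)
)


def estimate_rates(samples, interval_s):
    """Scale each sample by its sampling rate to bits/s, summed per destination
    and per (source, destination) pair."""
    per_dst = defaultdict(float)
    per_pair = defaultdict(float)
    for rate, src, dst, frame_bytes in samples:
        bits = frame_bytes * rate * 8 / interval_s   # sampled bytes -> estimated bits/s
        per_dst[dst] += bits
        per_pair[(src, dst)] += bits
    return per_dst, per_pair


def detect_victims(samples, interval_s, link_bps=LINK_BPS,
                   fraction=ALERT_FRACTION, top_k=2):
    """Return [(victim, estimated_bps, [(source, bps), ...])] for every destination
    whose estimated inbound rate exceeds `fraction` of the link capacity."""
    per_dst, per_pair = estimate_rates(samples, interval_s)
    alerts = []
    for dst, bps in sorted(per_dst.items(), key=lambda kv: -kv[1]):
        if bps < fraction * link_bps:
            continue
        # Rank the sources feeding this destination; the top ones are the likely attackers.
        sources = sorted(((s, b) for (s, d), b in per_pair.items() if d == dst),
                         key=lambda kv: -kv[1])[:top_k]
        alerts.append((dst, bps, sources))
    return alerts


if __name__ == "__main__":
    for victim, bps, sources in detect_victims(SAMPLES, 1.0):
        print(f"possible DoS victim {victim}: {bps / 1e6:.2f} Mbit/s inbound")
        for src, src_bps in sources:
            print(f"  top source {src}: {src_bps / 1e6:.2f} Mbit/s")
```

With the constructed samples the estimate for h2 comes to about 9.6 Mbit/s, almost the whole link, with h3 and h4 ranked as the top sources; the ping traffic alone stays far below the threshold. A practitioner would tune the window length and the alert fraction to the link speeds in use, since a short window with a coarse sampling rate makes the estimate noisy.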
3.1 Integration of Mininet and sFlow
Network simulators play an important role in evaluating network topologies of different types on a small scale. Many network simulators such as Mininet, GNS3 and EsiNet are available. Mininet, an open-source network simulator used to generate traffic and analyze its flow, is used here.
Mininet  is an open-source network emulator with a Command Line Interface (CLI) that supports the use of analysis tools such as sFlow, NetFlow and RMON. Mininet creates virtual switches, hosts, links and controllers on a single Linux kernel with a single command. Custom topologies are created using Mininet. It simulates a real machine and can create different hosts. The limitation of Mininet is that it does not have an OpenFlow controller and it runs on slower links (10 or 100 Mbps).
According to  these simulators provide a platform to set up a network topology that replicates the real-world environment for the analysis and detection of attacks using Mininet and sFlow. The analysis is done in a number of steps in the tool, which are listed here.
1. Start.sh runs the shell script command that starts the sFlow application.
2. In another window the Mininet topology is executed. The ping command is run to check the connectivity between the hosts of the created topology. A zero percent drop shows complete connectivity between the hosts.
3. For accessing the sFlow trend GUI, a local host is created using the command:
4. A Mininet command with sFlow-RT detection of elephant flows is given as: http://localhost:8008/app/mininet-dashboard/html/. It provides a way to run an SDN controller along with it.
4 Implementation

In this section the implementation of the network is discussed. Initially, sFlow-RT is started to receive the continuous flow of data sent from the network devices and convert it into metrics. As soon as a flow reaches a certain predefined metric level, it is sent to the analyzer. Next, using the Mininet command, a topology is built with link bandwidths of 10 Mbps. Finally, the link between two hosts is observed as the output.

In order to make it easier to get started, the latest release of sFlow-RT includes a Mininet helper script sflow.py that automates sFlow configuration. The following example shows how to use the script and build a simple application in Python.
The steps to detect the flows in a Mininet topology created in a Linux environment using sFlow-RT are listed here and shown in Fig. 5.

Fig. 5 Starting sFlow

1. sFlow-RT: sFlow-RT is an open-source tool with an embedded OpenFlow controller, allowing monitoring of, and flow insertion into, OpenFlow-capable switches. It analyzes certain events of interest, raises triggers and applies traffic handling rules through a particular controller. In order to analyze sFlow-RT flows and react to traffic changes, it has to be configured to work together with the existing
2. Creating the Mininet topology: In a second terminal, add the --custom argument to the Mininet command line. The following command builds a tree topology of depth 2 with link bandwidths of 10 Mbit/s.

sudo mn --custom extras/sflow.py --link tc,bw=10 --topo tree,depth=2,fanout=2

The response of the tool after creating the topology is shown in Fig. 6. The sflow.py script extends Mininet, automatically enabling sFlow on each of the switches in the topology and posting a JSON representation of the Mininet topology to sFlow-RT.

Fig. 6 Creating Topology
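The "simple application in Python" the text refers to is not reproduced on the page. The script below is an added example of that kind of application, written for this edit and not taken from the paper or the sFlow-RT project. It assumes sFlow-RT is reachable at http://localhost:8008 (the address used on the page) and uses the sFlow-RT REST resources /flow/<name>/json, /threshold/<name>/json and /events/json: it defines a bytes-per-second metric keyed on the source/destination address pair, sets a threshold at a fraction of the 10 Mbit/s link rate, and then polls the event feed, tracking the last seen eventID so each event is reported once. The metric and threshold names, the alert fraction and the event records used to check the parser are constructed; the exact field names of an event (eventID, flowKey, value) are assumed to match sFlow-RT's documented event format.

```python
"""Define an sFlow-RT flow metric and threshold, then poll for threshold events.

Added example; not the paper's or sFlow-RT's own code. Assumes sFlow-RT on
http://localhost:8008 and its documented REST resources. Names and sample
event records are constructed for illustration.
"""
import json
import urllib.request

SFLOW_RT = "http://localhost:8008"   # address used on the page
FLOW_NAME = "pair"                   # constructed metric name
THRESHOLD_NAME = "dos"               # constructed threshold name
LINK_BPS = 10_000_000                # bw=10 links, as in the Mininet command above


def flow_definition():
    """Metric aggregating sampled bytes by source/destination address pair."""
    return {"keys": "ipsource,ipdestination", "value": "bytes"}


def threshold_definition(fraction=0.8, link_bps=LINK_BPS):
    """Threshold on the flow metric. The 'bytes' metric is bytes per second, so the
    chosen fraction of the link rate is converted from bits to bytes."""
    return {"metric": FLOW_NAME, "value": int(fraction * link_bps / 8)}


def put_json(path, payload):
    """PUT a JSON document to sFlow-RT and return the HTTP status."""
    req = urllib.request.Request(
        SFLOW_RT + path, data=json.dumps(payload).encode(), method="PUT",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def parse_events(events, last_event_id):
    """Return (new_cursor, [(src, dst, bytes_per_s), ...]) for events newer than
    last_event_id. sFlow-RT lists the newest event first, so its eventID becomes
    the cursor for the next poll; events are reported oldest first."""
    if not events:
        return last_event_id, []
    cursor = events[0]["eventID"]
    hits = []
    for event in reversed(events):
        if event["eventID"] <= last_event_id:
            continue   # already reported in an earlier poll
        src, dst = event["flowKey"].split(",")
        hits.append((src, dst, float(event["value"])))
    return cursor, hits


def poll_once(last_event_id, timeout_s=60):
    """Long-poll the event feed for this threshold and parse whatever arrives."""
    url = (f"{SFLOW_RT}/events/json?thresholdID={THRESHOLD_NAME}"
           f"&maxEvents=10&timeout={timeout_s}&eventID={last_event_id}")
    with urllib.request.urlopen(url) as resp:
        return parse_events(json.load(resp), last_event_id)


if __name__ == "__main__":
    put_json(f"/flow/{FLOW_NAME}/json", flow_definition())
    put_json(f"/threshold/{THRESHOLD_NAME}/json", threshold_definition())
    cursor = -1   # -1 asks sFlow-RT for events from the start of the feed
    while True:
        cursor, hits = poll_once(cursor)
        for src, dst, bytes_per_s in hits:
            print(f"threshold exceeded: {src} -> {dst} at {bytes_per_s:.0f} bytes/s "
                  f"(likely victim {dst}, likely attacker {src})")
```

Keying the metric on the source/destination pair is what lets a single event name both the victim (the destination) and the attacker (the source); keying on the destination alone would only name the victim. The eventID cursor matters in practice: without it, a long-polling loop re-reports the same event every time it reconnects.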
5 Results and Discussion
When the network is simulated without any attack, the bandwidth between the two hosts is maintained at 9.63 Mbps. When a DoS attack is initiated on the network, the bandwidth falls to 30 kbps. The bandwidth drops from Mbits to kbits because the attack traffic raises the data rate on the link, which degrades system performance. The GUI output of the DoS detection is shown in Fig. 7. Here sFlow is started on the local host to detect the DoS attack while host h1 pings h2. As the number of packets sent increases, the DoS attack is detected.
Fig. 7 DoS attack detected

6 Conclusion

A DoS attack was carried out by acquiring network bandwidth and disrupting the services of the server: abruptly increasing the traffic made the server unavailable to other users. The attack was detected using the sFlow tool. In case of an attack, sFlow collects sample packets from the network traffic, analyzes suspicious behaviour and creates handling rules which are then sent to the controller. The DoS attack was implemented by emulating a typical network in Mininet and integrating it with the sFlow analyzer. The results indicate efficient identification of DoS attacks using sFlow.
References

1. Ambrosin, M., Conti, M., De Gaspari, F., Poovendran, R.: LineSwitch: Tackling control plane saturation attacks in software-defined networking. IEEE/ACM Transactions on Networking (TON) 25(2), 1206–1219 (2017)
2. Dridi, L., Zhani, M.F.: A holistic approach to mitigating DoS attacks in SDN networks. International Journal of Network Management 28(1), e1996 (2018)
3. Jyothirmai, P., Raj, J.S., Smys, S.: Secured self organizing network architecture in wireless personal networks. Wireless Personal Communications 96(4), 5603–5620 (2017)
4. Nugraha, M., Paramita, I., Musa, A., Choi, D., Cho, B.: Utilizing OpenFlow and sFlow to detect and mitigate SYN flooding attack. 17(8), 988–994 (2014)
5. Ombase, P.M., Kulkarni, N.P., Bagade, S.T., Mhaisgawali, A.V.: Survey on DoS attack challenges in software defined networking
6. Othman, R.A.R.: Understanding the various types of denial of service attack. Business Week
7. Peter: Mininet flow analytics. https://blog.sflow.com/2016/05/mininet-flow-analytics.html
8. Scarlato, M.: Network monitoring in software defined networking
9. Shang, G., Zhe, P., Bin, X., Aiqun, H., Kui, R.: FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks. In: INFOCOM 2017 - IEEE Conference on Computer Communications, pp. 1–9. IEEE (2017)
10. Sridhar, S., Smys, S.: A hybrid multilevel authentication scheme for private cloud environment. In: Intelligent Systems and Control (ISCO), 2016 10th International Conference on, pp. 1–5. IEEE (2016)
11. Stallings, W.: Foundations of Modern Networking: SDN, NFV, QoE, IoT, and Cloud. Addison-Wesley Professional (2015)
12. Swapna, A.I., Reza, M.R.H., Aion, M.K.: Security analysis of software defined wireless network monitoring with sFlow and FlowVisor. In: Communication and Electronics Systems (ICCES), International Conference on, pp. 1–7. IEEE (2016)