Abstract—Software De?ned Network (SDN) is an emerging technology which is comprised of multiple kinds of network technologies, inorder to make the network agile and more user friendly along with improvement in storage infrastructure and in security. Some security threats are evolved along with SDN also. Distributed Denial of Service(DDoS) attack is one of the major attacks in SDN architecture. DDoS attack is cyber attack in which a group of attackers with different IP addresses ?oods the fake requests and massages to victim to make the resource exhaustion in victim and results in Denial of Service in victim. This paper is a study of different methods used by the attackers to create denial of service in SDN architecture. Also this paper includes major defense methodologies to avoid DDoS attacks. In this paper we are making a comparative study between various defense schemes used in DDoS attack in SDN architecture. Keywords—DDoS, SDN, Defense Schemes.I. INTRODUCTION SoftwareDe?nedNetwork(SDN)isanemergingtechnology. In SDN, it takes the advantage of various network architecture, but SDN differs from other architectures such as wireless networks, Mobile networks, campus network, etc. in the way that control plane and data plane are decoupled in manner. more over in SDN, the network intelligence and state are logically centralized. Being an emerging technology SDN faces several traditional security threats and some threats that have emerged along with SDN, discussed in 1.Distributed Denial of Service (DDoS) attack is one of the main attack that can occur in SDN. This makes a challenge to industries to select SDN as their key network2. DDoS attackers selects new methods to attack traditional network, since in traditional networks the administrators choose various defense methods to tackle DDoS attacks. Since the SDN in an emerging technology, it has the overhead of affecting DDoS attack easily. The methods used to prevent attack in traditional network such as thresholds and predetermined, prede?ned data will not work in SDN, but attacks in SDN can identi?ed by the methods such as machine learning techniques, future predictions, etc. In order to use these kind of technologies, we need to have a brief idea about various DDoS attack types in SDN.II. DDOS ATTACKS IN SDN DDoS attack is cyber attack in which a group of attackers with different IP addresses ?oods the fake requests and massages to victim to make the resource exhaustion in victimand results in Denial of Service in victim. DDoS attacks in SDN architecture is a updated version of conventional attack methods. The attack exploits the properties of traditional DDoS attack methods such as volumetric attack , protocol exploitation , resource depletion , etc 2. We can classify the DDoS attack in SDN as data plane attack and control plane attack3. Data plane DDoS attackers exploits the resource, protocol to create DDoS in victim networks 4. There are mainly 5 different methods for Data Plane DDoS attacks 3.A. ICMP ping ?ood attack ICMP ping ?ood attack is a protocol exploitation attack. The attack is carried out in such a way that, attacker ?oods ICMP echo messages to victim, which results in resource exhaustion and disturbs resource utilization of other applications4. The network will be restored immediately after the attack3. Fig 1 shows a ICMP ping ?ood attack, echo request is sent by attacker and victim sends replies to spoofed IPs and thereby gets rejected .Fig. 1. ICMP/Ping ?ood attack methodB. Smurf attack Smurf attack is a updated version of ICMP ping ?ood attack. Smurf attack is a volumetric, re?ection attack in such a way that victim overwhelms with unwanted responses3. Unlike ICMP ping ?ood attack attacker ?oods ICMP echo request to various machine with victim IP .victim will be over?owed with huge number of ICMP replies and results in over?owing of resources like buffers of victim.?g 2 shows how a smurf attackSURVEY ON ATTACKS IN SDN 2works. Attacker sends echo requests to different hosts with IP of victim. Network will work smoothly, when the attack is stopped4.Fig. 2. Smurf attack methodC. UDP ?ood attack In UDP ?ood attack the attacker attacks the victim by ?ooding large number of UDP datagrams. If the attacker is a single host, it uses spoofed IPs to attack victim3. More number of datagrams temporarily makes a Denial of Service in victim. Due to buffer over?ow, packets will lost5. Network will be restored immediately after the attack is stopped.UDP ?ood attack is a volumetric attack3. Fig 3 shows UDP ?ood attack in which victim receives large number of UDP datagrams.Fig. 3. UDP ?ood attack methodD. TCP-SYN ?ood attack TCP-SYN ?ood attack is a kind of protocol exploitation attack, the attack focuses on the resource exhaustion3. Attackers uses this kind of DDoS attack widely. So major part of the researchers focuses on the defense for TCP-SYN ?ood attack. For a TCP connection to occur, three way handshake should be done. But in TCP-SYN ?ood attack, the three way handshake protocol is exploited. Attacker ?oods TCP-SYN requests victim using spoofed IP. Inorder to start a connection victim sends SYN-ACK as the second phase of three way handshake and waits for ACK signal. So this port will be blocked as it neither recieves a ACK signal or a data stream. Fig 4 shows a typical example of TCP-SYN ?ood attack, in which victim receives large number of TCP-SYN signals from attacker and gradually blocks all ports. After TCP-SYN attack communication cannot be re established after the attack3.Fig. 4. TCP SYN ?ood attack methodE. HTTP ?ood attack HTTP ?ood attack is a protocol exploitation attack, in which the victims application resources are drained 3. In HTTP ?ood attack, victim is ?ooded with fake HTTP requests from random spoofed IPs. The victim will not be able to provide new HTTP connections because the attacker maintains fake connections with victim for a long time. Hence, the victim will not be able to provide connections for benign user and results in Denial of Service(DoS).Fig. 5. HTTP ?ood attack methodIII. LITERATURE REVIEW A. SLICOTS : Lightweight Countermeasure for TCP-SYN ?ood attack SLICOTS is a method to ?nd and prevent the attack with help of reactive ?ow installation. SLICOTS converts SDN controller to reactive mode whenever it detect ?ooding attack and prevents attack. In which SLICOTS installs ?ow rules dynamically. All outgoing handshake process through switches will be surveiled by SLICOTS. It helps network by install temporary forwarding rule at handshake time, which will eliminate after certain time6. SLICOTS works in such a way that, whenever an open ?ow switch receives a SYN signal, the controller will check for a forwarding rule in forwarding table. If there is an entry, the information will be collected and SYN-ACK will be sent. But in the absence of such a forwarding rule, SDN controller willSURVEY ON ATTACKS IN SDN 3TABLE I. DDOS ATTACKS IN SDN Attack How Attack Affected Howlong Denial of Service Occurs ICMP/Ping ?ood attack method • echo request ?ooding • attacker sends request as fast as possible • spoofed IP is used • temporary attack • can be restored when attack is stopped Smurf attack • updation of ping of death attack • attacker sends icmp echo as source • huge number of echo replies to victim • temporary attack • can be restored when attack is stopped UDP ?ood attack • huge number of udp datagrams are ?ooded to victim • buffer over?ow • resource exhaustion • temporary attack • will be restored immediately after attack TCP-SYN ?ood attack • ?ooded with fake SYN requests • sends SYN-ACK and port kept open • blocks all ports • After attack, communication cannot be re established HTTP ?ood attack • ?ooded with fake HTTP requests • attacker takes connection and holds it • benign users will not get connection to server • After attack, further connection can’t establishedset a temporary forwarding rule (if and only if the number of illegitimate request less than a threshold) to that host and SYN-ACK will be sent. The temporary forwarding rule will be eliminated after a time period. So a SYN signal that failed to receive a ACK signal is set as RST. If RST received, will be added to pending list or else blocked the entry in table if there are more number of RSTs6. Upon receiving a SYN-ACK, temporary rule will be made in absence of matched forwarding rule. Upon receiving an ACK signal, all related records will be removed from pending-list and permanent rule will installed. Whenever attacker completes a TCP connection and does not send any data further, this is a updated version of TCPSYN ?ood attack7. SLICOTS can address this different type of SYN ?ood attack by adding one more step to its processing. In SLICOTS it uses prede?ned threshold to ?lter the request which is inef?cient all the time. It will be better, if it have real time threshold setting.B. DDoS Defense Using Future Prediction DDoS Defense Using Future Prediction is a defensive SDN mechanism. For a defensive SDN system, statistics for incoming packets are done periodically. This calculated statistics is usedtopredictthenumberofpacketsinnextround.Here,SDN controller uses time series methods to predict the future. Every open-?ow switch will save k previous information which is used to predict incoming packet in next round. In this method, it uses 2 threshold value : an upper threshold and a lower threshold8. Whenever a packet is received in open-?ow switch and if thereis nomatching rulefor packet, thenthe unmatchedpacket will be sent to controller if predicted value is less than lower threshold and sent to security gateway for security check if predicted value is greater than the upper threshold. If the valueis in between the thresholds, the system works based on the feedback given by the controller8. C. Synchronous Long Flows Lightweight DDoS Detection Synchronous Long Flows Lightweight DDoS Detection of mainly focuses on detection DDoS ?ooding attack. This method exploits the application of sliding window protocol. The system maintains a sliding window which store all the sets of adjacent address pairs for n time slots. The system have two different thresholds, one for alarm ringing and other for DDoS attack9 . The detection is carried out in such a way that the system intersects all entries in window. For each entry, the system calculates a value that is the ratio of the intersected results and its current value. Normally this value will be less than ?rst threshold. If the result is higher than threshold value, then there is a chance of DDoS attack at that node. So the system sets alarm to indicate chance of occurrence of DDoS attack9. The system counts the alarm for a time period. If the count of alarm exceeds second threshold, the system makes a judgment that this is a DDoS ?ood attack. The system also makes defense for the DDoS attack with two requirements, that is there is no deep packet inspection and complexity of algorithm is very low. This mechanism select the HCF detection algorithm proposed by Wang et al 10 to make defense . The defense mechanism works based on hop count methods. For every message a hop count should be set, this hop determines whether the sender is genuine or fake. If the sender is fake, system blocks the node. When a packet is received the information is extracted and HCF will check whether IP is spoofed, detects attack and defends it. D. Defense for DDoS at Source End Defense for DDoS at Source End is discussed by yanxianh11. This system mainly creats a shield at source endSURVEY ON ATTACKS IN SDN 4as the defense measure for the distributed denial of service attack. Since source end detection is carried out, this system avoids the overhead of monitoring at the victim end. For a TCP connection 3 way handshake should happen. But TCP-SYN ?ood attackers will not complete this three way handshake. This system works in such a way that it detects half open connections. The attackers use the spoofed IP, all connections used for attacking will be half open. This system also uses a bloom ?lter with a hash data structure for space ef?cient monitoring. In this system modi?ed bloom ?lter is used, which have large array. This bloom?lter splits the IP addressof destination host into several segments and hashes them separately. Since IP addresses are different, the system stores hashed values. For every IP hash value, there is corresponding count bit. Whenever a TCP-SYN packet is going through outgoing channel, the IP is captured and split and hashed. If the corresponding count bit is ‘0’, then count value will be incremented. Upon receiving a SYN-ACK packet, the count bit will be decremented. The count bit will remain unchanged if the ?rst 2 rounds of 3way handshake is completed. The count value will increase, if SYN-ACK is not coming through incoming channel. DDoS alarm will set if the count value of a node is increasing more than a predetermined threshold. On further increasing of count bit, the node will get blocked from the network as it is an attacker. This mechanism is ef?cient enough for a small networks. But it will not give high results in big networks. The algorithm is working based on hash driven monitoring, hash value of 2 different IP in a large network may be same. In such cases, hash driven monitoring will make faulty outcomes. Source side monitoring will have overhead of message delays and deployment of source end detection will degrade the performance of network devices and internet service providerIV. CONCLUSION Distributed Denial of Service attack is the powerful weapon of attackers. In SDN, the Denial of Service can be made using ?ve different methods. Out of this 5 methods, TCPSYN ?ood attack and HTTP ?ood attack is more dangerous. Smurf attack, ICMP ping ?ood attack and UDP ?ood attack is a temporary attack, while other 2 will disturb the network for a long time. All researchers focus on TCP-SYN ?ood attack. In SDN architecture, inorder to defend ?ood attacks machine learning, future prediction methods should be used. SLICOTS defense scheme makes defense without disturbing smooth working of the network. SLICOTS installs temporary forward rules for unmatched packets6. Defense schemes using future prediction also performs well, but on the other hand it disturbs the working of network. Since it using the prediction method and calculates incoming packets in the next round8. So it detects the DDoS attack as early as possible. Source end detection and detection for a synchronous ?ow can be treated as a special case detection method since it cannot be used all the time. Synchronous ?ow detection is mainly based on the entropy in the synchronous ?ow stream10. source end detection is a ef?cient defense for a small network. Source enddetection is easy to implement, but it will affect the network speed and degrade the performance of network devices and ISPs11.