SF-DaM: an efficient lightweight approach for detecting and mitigating the TCP SYN flooding attacks in SDN
摘要
Software-Defined Networking (SDN) provides centralized programmability and management; however, its control plane remains highly vulnerable to Distributed Denial of Service (DDoS) attacks. Among these, TCP SYN flooding attacks are considered the most effective and widely used method to saturate both the SDN control plane and the targeted victim end systems. Existing defense mechanisms often suffer from complexity, hardware dependency, high overhead, or limited effectiveness against spoofed and stealthy evasion variants (e.g., ACK-spoofing and full-handshake floods). In this paper, we propose SF-DaM, a lightweight and efficient controller-based defense that combines topology-aware spoofing detection, threshold-based monitoring, and a behavioral validation phase. This multi-phase design enables SF-DaM to rapidly detect spoofed, conventional, and stealthy evasion attacks while minimizing false positives during flash crowds. SF-DaM is fully implemented as a POX controller extension and evaluated in Mininet across diverse scenarios, including large-scale and high-rate attacks. Comprehensive experiments compare SF-DaM with SLICOTS, SYN-Guard, and OPERETTA, analyzing detection time, HTTP response time, CPU utilization, control-channel bandwidth, and flow-rule overhead. The results demonstrate that SF-DaM achieves faster detection, lower controller load, and improved benign performance, while maintaining high detection accuracy (up to 99.98%), precision, recall, and MCC. Sensitivity analysis further demonstrates robustness across threshold variations. By requiring no hardware modifications, SF-DaM offers a practical and deployable defense solution for OpenFlow-based SDNs.