
Proactive DDoS attack detection in software-defined networks with Snort rule-based algorithms

Journal: International Journal of Advanced Technology and Engineering Exploration (IJATEE) (Vol.10, No. 105)

Publication Date:

Authors : ; ;

Page : 962-989

Keywords : Security attack; Network degradation; Proactive detection; Rule-based algorithm; Snort alert


Abstract

The exponential growth of application-layer programs has imposed significant constraints on the existing underlying network infrastructure. To address this escalating demand, a transition towards a software-oriented network infrastructure becomes indispensable. Software-defined networking (SDN), which decouples the data and control planes and turns the network into a programmable one controlled by a central controller, emerges as the solution. This approach enhances network management, leading to reduced operational expenditures (OPEX), heightened quality of service, and the achievement of desired scalability. However, the shift towards a programmable network infrastructure exposes vulnerabilities to existing security threats. In this research, additional security measures were proposed with the aim of detecting and preventing security threats, particularly distributed denial of service (DDoS) attacks. For simulation purposes, the Mininet platform is employed. The Ryu controller is configured as an SDN controller, responsible for transmitting and removing OpenFlow messages to and from switches, along with handling incoming packets. Snort plays a crucial role in analyzing suspicious traffic entering the network. This incoming traffic is examined against predefined rules, and an alert is triggered if any traffic matches these rules. The internet control message protocol (ICMP) flooding method was employed to execute DDoS attacks. Based on the results and findings, an extensive volume of packets was observed during attacks on the SDN network. Furthermore, connectivity tests conducted through ping tests towards the targeted machine resulted in 100% packet loss. This outcome signified the denial of resource access on the targeted machine during an attack, consequently leading to a decline in overall network performance.
Analysis of the amassed data revealed that early detection through rule-based Snort implementation could significantly mitigate the impact on SDN networks. Consequently, the adoption of Snort for proactive DDoS attack detection in SDN networks was proposed. This approach empowered network administrators to respond promptly upon the occurrence of a Snort-generated alert.

Last modified: 2023-09-04 14:50:12