An SDN-Assisted Defense Mechanism for the Shrew DDoS Attack in a Cloud Computing Environment

This article has been updated


The integration of cloud computing with Software Defined Networking (SDN) addresses several challenges of a typical cloud infrastructure, such as complex inter-networking, data collection, and fast response. Although an SDN-based cloud opens new opportunities, the SDN controller may itself become vulnerable to several attacks. Attackers use the unique features of SDN to mount severe Distributed Denial of Service (DDoS) attacks. Several approaches are available in the literature to defend against traditional DDoS flooding attacks in the SDN-cloud. To elude detection systems, attackers employ more sophisticated strategies that generate low-rate attack traffic. The most common type of Low-Rate DDoS (LR-DDoS) attack is the Shrew attack. Existing approaches are not capable of detecting, mitigating, and tracing back such attacks. This work therefore discusses a new mechanism that not only detects and mitigates the Shrew attack but also traces back the location of the attack sources. The attack is detected using information entropy variations, and the attack sources are traced back using a deterministic packet marking scheme. The experiments are performed in a real SDN-cloud scenario, and the experimental results show that the approach requires, on average, 1 packet and 8.27 packets to locate the bots and attackers, respectively. The approach detects and traces back the attack sources in between 14.45 ms and 10.02 s and provides 97.6% accuracy.
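The entropy-variation idea in the abstract, sketched as an added example (this is not the authors' code). The abstract does not say which traffic feature the entropy is taken over, so the source-IP feature, the 100 ms window, the clean baseline period, and the fixed threshold are all assumptions, and the trace is constructed.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(counts):
    """Shannon entropy in bits of a Counter of per-source packet counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def entropy_per_window(packets, window_ms):
    """packets: iterable of (timestamp_ms, src_ip). Returns {window_index: entropy}."""
    windows = defaultdict(Counter)
    for ts, src in packets:
        windows[ts // window_ms][src] += 1
    return {w: shannon_entropy(c) for w, c in sorted(windows.items())}

def detect_bursts(entropies, baseline_windows, threshold):
    """Flag windows whose entropy differs from the mean of the first
    baseline_windows windows (assumed attack-free) by more than threshold bits."""
    ordered = sorted(entropies)
    base = [entropies[w] for w in ordered[:baseline_windows]]
    mean = sum(base) / len(base)
    return [w for w in ordered if abs(entropies[w] - mean) > threshold]

def burst_period_ms(flagged, window_ms):
    """A Shrew attack pulses periodically: return the gap between flagged
    windows if it is constant, otherwise None."""
    gaps = {(b - a) * window_ms for a, b in zip(flagged, flagged[1:])}
    return gaps.pop() if len(gaps) == 1 else None

def constructed_trace():
    """Constructed sample: 8 clients send 1-2 packets per 100 ms window for 4 s;
    one source emits a 40-packet pulse once per second (windows 10, 20, 30)."""
    packets = []
    for w in range(40):
        for j in range(8):
            for k in range(1 + (w + j) % 2):
                packets.append((w * 100 + k, f"192.0.2.{j + 1}"))
        if w in (10, 20, 30):
            packets.extend((w * 100 + k, "198.51.100.7") for k in range(40))
    return packets

if __name__ == "__main__":
    H = entropy_per_window(constructed_trace(), window_ms=100)
    flagged = detect_bursts(H, baseline_windows=10, threshold=0.5)
    print("flagged windows:", flagged, "period (ms):", burst_period_ms(flagged, 100))
```

The average rate of this trace stays low because each pulse lasts only one window, yet the per-window entropy drops sharply during it, which is why a windowed entropy check can catch traffic that a volume threshold would miss.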


Change history

  • 03 February 2021

    The term ‘Mechanism’ in the article title was erroneously published as ‘Mechduanism’. The error has been corrected.



Author information



Corresponding author

Correspondence to Neha Agrawal.


About this article


Cite this article

Agrawal, N., Tapaswi, S. An SDN-Assisted Defense Mechanism for the Shrew DDoS Attack in a Cloud Computing Environment. J Netw Syst Manage 29, 12 (2021).



  • Cloud computing security
  • Software defined networking (SDN)
  • SDN-Cloud (SDN-C)
  • Low-rate DDoS (LR-DDoS) attack
  • Shrew attack
  • Performance analysis