Distributed Denial of Service (DDoS) threshold

based mitigation for Software Defined Networking

(SDN) in healthcare systems
Laila M.Halman Mohammed J.F. Alenazi
Department of Computer Engineering, CCIS Department of Computer Engineering, CCIS
King Saud University King Saud University
Riyadh, KSA Riyadh, KSA
[email protected] [email protected]

Abstract—Although the nature of software defined networks the DDoS attacks restrict the patients data availability as
(SDN) of centralized controller (logically) makes it vulnerable well as the data flow in the network. The major objective
to various threats, they still can handle an escalating number of a DDoS attack is not only to breaching of data, it can
of these threats due to their decoupled control plane and data.
These attacks still affect the performance of the network causing restrict the user to access necessary information from a portal
a degradation of different key performance indicators (KPIs). also. The Cybersecurity and Infrastructure Security Agency
Healthcare systems is one of the major systems that get attacked (CISA) claims that identification of DDoS attacks is very
due to the sensitive nature of the data they contain either tricky as it can be performed virtually. The companies used
medical or financial, making them a popular target of diffident to handle different kinds of sensitive data are the major
types of attacks. With the huge variety of network architectures,
connected devices, possible attacks and threats, it becomes harder targets of this attack. The sensitive data can be modified by
to , identify and handle these threats in a proper time, which malicious intruders and false information may be injected into
leads to either huge delay or performance degradation or even the different data streams by a false node[3].
worse which is a successful attack, a proper way to predict and A medical record can contain a higher significant financial
classify an incoming threat is needed to help dealing with the value associated with credit card data. So, proper DDoS de-
incoming threats in time. Giving healthcare systems as a vital
example, in this paper we conduct a study for the effect of using tection and prevention mechanisms are necessary to tackle the
SDNs for DDoS, and the effect on different network KPIs with issues related to m-healthcare. Access control mechanisms like
different scenarios, and propose a threshold based technique to authentication, authorization, identification and accountability
classify the DDoS attacks in healthcare SDNs, aiming to block are highly needed to protect sensitive data, a typical SDN
the traffic that is considered a hazard as a DDos attack , then enabled architecture for healthcare systems is presented in
analysing the accuracy and the performance of the proposed
approach. Fig.2.
Index Terms—Software Defined Networking; Network Man- Apart from these security and privacy issues the technology
agement; Network Resilience; attack prediction; Distributed also suffers from the low bandwidth of the mobile network,
Denial of Service (DDoS); Healthcare. high cost for cellular network links, inadequate availability
of internet connections, and the heterogeneous platforms sup-
I. I NTRODUCTION ported by different mobile devices. These problems must be
Software-defined networking (SDN) is a promising solution addressed properly to develop a complete security solution of
that aims to simplify network management by separating the this technology with easy accessibility in real-life scenarios[4].
control plane from the packet forwarding plane. Network man- Our contribution in this paper can be summarized as follows.
agement decisions, such as packet forwarding, are decoupled First, we present a novel low complexity system designed
from packet forwarding devices (e.g., switch and router) and for healthcare systems, based on a threshold based DDoS
handled by an external, programmable, and logically central- Classifier (TBDC), that classifies the traffic in SDNs to detect
ized device called the SDN controller [1]. On the other hand, and mitigate possible DDoS attacks. Second, we provide a
devices in traditional networks are configured separately, using preliminary deployment of an emulated healthcare system
a vendor-specific command, which increases the complexity network and analyse the important KPIs. Finally, we apply
of network management and network innovations [2]. The DDoS attacks to the healthcare system network and compare
simplified SDN architecture of a typical data center is shown the results before and after applying our proposed system to
in Fig.1. detect and mitigate the DDoS attacks.
The main challenge of healthcare systems is the security The next parts of this paper is organized as follows. In Section
assurance of clinical and financial sensitive data.The most II, we present the related background and previous work.
sensitive issue here is data availability. Across the network, In section III, we introduce the main aspects of evaluating
 Application layer
(Management Plane)

Northbound-API

Control layer
(Control Plane)

SDN Controllers

Southbound-API (OpenFlow)

Infrastructure layer
(Data Plane)

Programmable switches

Fig. 1: A typical three-tier data center architecture illustrating software-defined networking interfaces

our proposed approach, including the network topologies, the In server virtualization in particular, development has been
emulation environment and the performance metrics. Section rapid. Creating a new virtual server can be done via a ready-
IV presents the emulation and the evaluation results. Finally, made template and only takes a few seconds. But if (and this
Section V presents conclusions and suggested future work. is usually the case) this server is to speak out on a network,
this subnet must be created and firewall rules set for how this
II. BACKGROUND AND R ELATED W ORK subnet may communicate with other networks. Traditionally,
this is done by someone in the network team and automation
In this section we present a short review of related works
has not been as fast. The benefit of being able to quickly create
on SDN, Methods related to manage attack and Distributed
a virtual server is to some extent lost.
Denial of Service (DDoS) threats.
Another factor is scalability. Logically separating different
A. SDNs subnets is done today with the help of vlan. There is according
to the standard 4096 vlan and it is probably enough for a
SDN or Software Defined Network is a way to design typical company, but not for a cloud provider of platforms.
the infrastructure to allow system administrators, network The next problem is the layer two protocol ethernet. The
engineers and devoplers to manage and control the network reason why ethernet ”won” the battle for the local network
devices in a data center in a dynamic way using programmable against other technologies a few years ago is largely because
and open interfaces via the REST API. it is a simple technology and the hardware needed is cheap to
The main requirement for software-defined networks comes manufacture. But really, this protocol is poorly equipped for
from today’s need for dynamic, scalable, cost-effective and virtual environments where IP addresses move around between
flexible infrastructure in a data center, which avoids the tradi- different platforms and perhaps different data centers.
tional static, hardware-based and monolithic IT architectures
that are obsolete [5]. B. DDoS attacks
The software-defined architecture executes the control plan , There are different types of DDoS attacks c, from Smurfs
which controls and makes the decisions where the traffic goes, to Teardrops, to Pings of Death. Some of the most common
and the data path , which handles and sends the packages. DDoS attacks are:
The very idea behind sdn is not really new. The concept • ICMP (Ping) Flood.
of server virtualization is about laying a layer between the • SYN Flood.
physical server and the operating systems that execute there. • Ping of Death.
A similar idea exists when it comes to storage virtualization. • Slowloris.
It has now simply become the network’s turn to be virtualized. • NTP Amplification.
Nor is it particularly new. Operators have used technologies • HTTP Flood.
such as Multiprotocol Label Switching (MPLS) to be able • Zero-day DDoS Attacks.
to place customers’ networks on top of the operator’s own • Volume Based Attacks. Imperva counters these attacks
physical network [6]. by absorbing them with a global network of scrubbing
 Healthcare Applications

SDN Controller

OpenFlow
Switches

Fig. 2: An SDN-enabled architecture for Healthcare Systems

centers that scale, on demand, to counter multi-gigabyte When the pandemic struck and more people started working
DDoS attacks. from home, health care also became a target. The combination
of different online services for booking and responding to tests
In the past, most DDoS attacks have been about harming the
and the widespread use of insufficiently protected IoT devices
affected company or organization by making one or more web
have contributed to a large number of healthcare activities
pages inaccessible. Now it is instead common for the attacker
being affected by DDoS attacks [8].
to demand a ransom to interrupt the attack. Another common
Devices that are not updated become tools for cybercrim-
approach is to use DDoS attacks as a pure distraction where
inals The recently discovered bot network ”Meris”, which
the IT departments are kept busy while the attackers step in
includes about 250,000 infected devices, has also become
with ransomware (hostage programs) or try to steal data.
a tool for DDoS attacks. Most of these devices are not
Considering the reporting from the media, authorities and computers but routers, switches, access points for Wi-Fi and
the security industry itself, it can in some cases be the other devices sold by one and the same Latvian company,
case that companies focus on one type of cyber threat at a MicroTik. Admittedly, MicroTik discovered and remedied the
time. Unfortunately, the reality is more complex than that. current vulnerability as early as 2018, but due to the nature
Companies have to deal with many parallel threats. It is of the devices, users are rarely in contact with MicroTik and
never possible to settle down and old approaches can easily the majority have not made the necessary updates either. This
come back in a partly new suit, comments Peter Gustafsson, in turn has made MicroTik’s devices a tool in the hands of
responsible for Barracuda Networks in the Nordic region [7]. cybercriminals. Although the DDoS attacks remind us of how
New type of attack does not require a large botnet Some complicated everyday life has become for IT security man-
of the companies that have recently been affected by DDoS agers, there are good opportunities to stop this type of attack
attacks are Bandwidth, VoIP.ms, Voip Unlimited and Voipfone. in time. Companies that work with a modern infrastructure in
So-called ”Black Storm attacks” are particularly dangerous for application and network security in combination with active
service providers in communications. These types of attacks do protection against DDoS attacks have very good opportunities
not require the attacker to use a large botnet and are therefore to handle attacks of this kind.
relatively easy to carry out. In a ”Black Storm attack”, the
attacker sends the User Datagram Protocol (UDP) request C. Previous work
to many devices and servers on a network. The request is By conducting a detailed survey for the existing work
”spoofed”, that is, disguised, in this case to look like it comes regarding DDoS attacks in SDNs, most of the focus is on
from other devices in the same network. developing DDoS attacks detecting techniques using different
The approach then triggers a kind of snowball effect that can SDN based architectures. These techniques mainly focus on
quickly knock out a service provider (CSP) with a storm of using SDN technology in different layers (mainly network,
internal data traffic. Although the method has so far only been application and transport layers) to detect and mitigate the
described in tests, companies should be prepared for attackers attacks. Although there is small focus on healthcare systems,
to strike for real as well. a lot of the approaches that uses different techniques can be
 Wireless link
OpenFlow
Wired link

SDN Controller

Patients' portal Server Patients’ DB Server

H1

H17

1 Mbps 2 Mbps
H2
2 Mbps
OpenFlow H18
Switch 3 Medical workstation (Doctor)
OpenFlow
Switch 1
OpenFlow
H13 Switch 2 H19
Medical workstation
(Employee)

H14 H20
1
H15 Medical workstation) Laboratory(
H16

Fig. 3: First Scenario: Evaluation Network Topology in absence of attacks

TABLE I: Summarization of Related Works Based Security Against DDoS Attacks

Author/year Defense type Location Controller Aim
Dao et al. Detect and mit- Both Data and control ISP To propose a context-aware security approach to detect attacks in small
(2015) [9] igate plane networks.
Phan et al. Detect Control plane Floodlight To propose high accuracy detection framework deals with a Man in the Middle
(2016) [10] attack.
Chin et al Detect Data plane Openday light Detect flooding in SDN networks in effective and salable manner.
(2015) [11]
Tortonesi et mitigate only Data plane Pox To proposed DDoS mitigation approach Capable of edge defence due to the
al. (2016) programmable controller in the data plane, the work load on the control plane
[12] is shared by the data plane.
Ravi et al Detect and mit- Both Data and control Pox To propose a novel DDoS detection and defense model depending on the real-
(2020) [13] igate plane time training that keeps the flow rules that are generated by machine learning
up-to-date.
Wang et al Detect and mit- Data plane Pox proposed a defense method based on sFlow and improved Self-Organizing Map
(2022) [14] igate (SOM) model in SDN.
Mbasuva et Detect only Data plane Openday light propose an ensemble Deep Learning (DL) Intrusion Detection System (IDS) to
al (2022) detect DDoS attack traffic in SDNs.
[15]

used for the suitable scenarios. The techniques varies in a A. Network Topology
wide spectrum, for example using cloud environment as in
[16] which focuses on analyzing the impact of DDoS attack Here we introduce a typical network topology that is used
in hybrid cloud, or Orchestrator–based architecture as in [17]. for healthcare systems as shown in Fig. 3 to study the behavior
The amount of work done is significantly high with the focus in the case of normal performance and the performance under
on using AI, machine learning, with different algorithms, DDoS attacks. In this topology, there are three OpenFlow
either to classify the traffic, detect possible attacks , or mitigate switches numbered as shown, all these switches are connected
them as in [18], [19], [20], [21]. to the SDN controller which is responsible for managing the
traffic flow, which include the forwarding rules. Communi-
cation between the SDN controller in the control plane and
switches in the forwarding plane will be through the OpenFlow
III. E VALUATION
protocol. Beside that, there are eighteen hosts representing
different clients that generate data traffic named either as
In this section we present our evaluation environment. This devices or workstations. The network includes two other hosts,
includes the network topology, the metrics used to measure the one is considered as patients database, and the other as the
performance, and the experimental tools and setup in details. patient portal server, receiving data traffic from the clients.
 Wireless link
OpenFlow
Wired link

SDN Controller

Patients’ Portal Server

Patients’ DB Server

Victim

H1

H17

1 Mbps 2 Mbps
H2
2 Mbps
OpenFlow H18
Switch 3 Medical workstation (Doctor)
OpenFlow
Switch 1
OpenFlow
H13 Switch 2 H19
Medical workstation
(Employee)

H14 H20
1
H15 Medical workstation) Laboratory(
H16

Fig. 4: Second Scenario: SDN network topology, Illustration of a DDoS attack

TABLE II: Emulation Parameters Values

mininet is an open source simulator that applies OpenFlow and
Parameter Values software-defined networking using per-process virtualization;
Emulator Mininet 2.3.0 it provides a rapid prototyping workflow for creating and
Operating System Ubuntu 20.04.3 customizing software consisting of hosts and switches on a
Memory 5.9 GB of RAM
single computer Define the network. Traffic was generated
CPU Intel core i7-8565U @ 1.80GHz
with and intercepted using hping3 and D-ITG ; the results were
Traffic Generator DITG, Hping3
Link Bandwidth 1,2,5 Mbps
analyzed with D-ITG: Distributed Internet Traffic Generator.
SDN Framework Ryu
Open vSwitch 2.13.3
IV. R ESULTS AND D ISCUSSIONS

B. Performance Metrics In this section, we perform the evaluation based on the

methodology discussed in Section III to our proposed system.
Network performance measurements are determined by sev-
eral factors; In this paper, we propose to measure the through-
put of healthcare applications under different scenarios. First, A. First Scenario: Normal network performance of healthcare
we measure throughput in the absence of DDoS attacks and systems
the challenges of our proposed system, where traffic travels
over multiple paths without network congestion. In the first scenario, we deploy the network shown in figure
Then, we measure the throughput of healthcare applications 3 using DITG. All the applications installed on the different
without integrating our proposed system, and in the case of workstations/end devices connected to the switches are set
DDoS attacks through a single path to the destination without to start sending to the servers. These applications are using
prioritization and queuing to separate traffic flows. Finally, the paths shown in the figures thought the switches. These
we measure the throughput of healthcare applications under switches are configured to operate typically with spanning tree
DDoS attacks conditions by integrating our proposed system protocol to avoid any broadcast storms. However, they are not
to evaluate the performance in terms of network resilience and configured to provide any QoS capabilities. Here we expect
QoS for different types of services. normal operation with no lost packets so all to be delivered.
The figures here show the performance of the network without
C. Experimental Setup a challenge. The results in figures 6, 7, 8 show the normal
All our experiments were performed on Ubuntu 20, behavior of the network with the load assigned for the test,
Equipped with 5.9 GB RAM and 1.80 GHz processor. network with extra delay due to links limitations. The performance is
is emulation was done using Mininet 2.3.0 with Ryu controller. stable without abnormalities noticed as expected.
 Normal Normal Traffic
100 Attack 150 Normal + DDoS Traffic
TBDC Method
125
80
Number of samples

Packet Loss(pps)
100
60
75
40 50

20 25
0
0
0 25 50 75 100 125 150 175 200 0 10 20 30 40 50 60
Bytes per packet Time(s)
Fig. 5: Second Scenario: Distribution of samples by size (bytes per packet) Fig. 7: Packet loss analysis for the 2 scenarios vs the proposed approach

Normal Traffic 50
2.5
Normal + DDoS Traffic
TBDC Method 40
2.0
Throughput(kbps)

30
1.5
Delay(s)

20
1.0
10 Normal Traffic
0.5 Normal + DDoS Traffic
0 TBDC Method
0.0 0 10 20 30 40 50 60
0 10 20 30 40 50 60 Time(s)
Time(s)
Fig. 8: Throughput analysis for the 2 scenarios vs the proposed approach
Fig. 6: Delay analysis for the 2 scenarios vs the proposed approach

C. Proposed classification approach deployment and perfor-

mance
B. Second Scenario: Effects of the DDoS attacks on network
performance In this work we propose a threshold based DDoS Classifier
(TBDC) aiming to classify suspicious traffic to help detecting
the possibility of DDoS attack, and blocking the suspicious
In this scenario, we deploy the network with DDos attacks incoming traffic. To deploy the approach and analyse its
as shown in Fig. 4 using DITG and Hping 3. The attack targets performance, we designed a monitor application using Ryu
the patient portal server connected to switch 1 using SYN and controller to extract the features from the network. These
UDP attacks through devices connected to switch 1. The effect features includes datapath id, input port, MAC address des-
of the new challenge now (the DDos attacks) can be seen in the tination, output port, number of packets, number of bytes and
extra delay and packet loss and the reduced throughput as seen duration. (EventOFPFlowStatsReply) callback has been used
in Fig.6, 7, 8. As expected the attacks affect the performance to request from every switch on the network the statistics of
of the network negatively even with low loads assigned in the each flow.
emulations. A total number of 265 samples have been collected using
the developed monitor application, out of the 265 samples a [2] I. Bedhief, M. Kassar, and T. Aguili, “From evaluating to enabling
217 represented a normal traffic, while 48 samples included a sdn for the internet of things,” in 2018 IEEE/ACS 15th International
Conference on Computer Systems and Applications (AICCSA), pp. 1–8,
DDoS attack traffic. Oct 2018.
The deployment included some pre-processing steps, first, [3] J. Jang-Jaccard and S. Nepal, “A survey of emerging threats in cy-
the samples which have a value of zero in the duration or bersecurity,” Journal of Computer and System Sciences, vol. 80, no. 5,
pp. 973–993, 2014. Special Issue on Dependable and Secure Computing.
packets have been replaced with 0.9, the second step was [4] S. Ray, K. N. Mishra, and S. Dutta, “Detection and prevention of ddos
calculating the throughput in Kbit/sec, packet rate, and bytes attacks on m-healthcare sensitive data: a novel approach,” International
to packet ratio using the collected features. Journal of Information Technology, 2022.
[5] S. Khan, A. Gani, A. W. Abdul Wahab, M. Guizani, and M. K. Khan,
By analysing the data in the scenarios aforementioned, it “Topology discovery in software defined networks: Threats, taxonomy,
became clear that the throughput and packets per second are and state-of-the-art,” IEEE Communications Surveys Tutorials, vol. 19,
no. 1, pp. 303–324, 2017.
non linear features, but, still it can be proved that Bytes per [6] R. AlZoman and M. J. Alenazi, “Exploiting sdn to improve qos of
packet is the only linearly separable feature between attack and smart city networks against link failures,” in 2020 Seventh International
normal samples as can be seen in Fig. 5. Using the feature of Conference on Software Defined Systems (SDS), pp. 100–106, 2020.
[7] W. Meng, K.-K. R. Choo, S. Furnell, A. V. Vasilakos, and C. W.
bytes per packet as a threshold to separate normal and attack Probst, “Towards bayesian-based trust management for insider attacks in
traffics is possible, in the emulation scenario, a 57 bytes/packet healthcare software-defined networks,” IEEE Transactions on Network
have been chosen as a threshold to differentiate between attack and Service Management, vol. 15, no. 2, pp. 761–773, 2018.
[8] Y. A. Qadri, A. Nauman, Y. B. Zikria, A. V. Vasilakos, and S. W.
and normal samples linearly. Kim, “The future of healthcare internet of things: A survey of emerging
By looking at Fig. 6,7, and 8. It is clear that the performance of technologies,” IEEE Communications Surveys Tutorials, vol. 22, no. 2,
the network improved significantly by applying the proposed pp. 1121–1167, 2020.
[9] N.-N. Dao, J. Park, M. Park, and S. Cho, “A feasible method to combat
approach to block the unwanted traffic. A significant increase against ddos attack in sdn network,” in 2015 International Conference
of the system throughput, and reduction of both the delay and on Information Networking (ICOIN), pp. 309–311, 2015.
the packet loss that gives a performance similar to the attack- [10] T. V. Phan, N. K. Bao, and M. Park, “A novel hybrid flow-based
handler with ddos attacks in software-defined networking,” in 2016 Intl
free scenarios proves a smooth and efficient performance of IEEE Conferences on Ubiquitous Intelligence Computing, Advanced and
the proposed TBDC approach. Trusted Computing, Scalable Computing and Communications, Cloud
and Big Data Computing, Internet of People, and Smart World Congress
V. C ONCLUSIONS AND F UTURE W ORK (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), pp. 350–357, 2016.
[11] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “An sdn-supported
In this work we propsed a low complexity mitigation ap- collaborative approach for ddos flooding detection and containment,”
in MILCOM 2015 - 2015 IEEE Military Communications Conference,
proach for DDoS attacks in healthcare systems SDNs. Despite pp. 659–664, 2015.
the existences of various complex mitigation techniques, the [12] M. Tortonesi, J. Michaelis, A. Morelli, N. Suri, and M. A. Baker,
proposed low complexity approach can be used easily and “Spf: An sdn-based middleware solution to mitigate the iot information
explosion,” in 2016 IEEE Symposium on Computers and Communication
efficiently to achieve an attack-free alike performance. In this (ISCC), pp. 435–442, 2016.
work by using a generic healthcare SDN model, we show that [13] N. Ravi and S. M. Shalinie, “Learning-driven detection and mitigation
using a threshold based technique is efficient to mitigate the of ddos attack in iot via sdn-cloud architecture,” IEEE Internet of Things
Journal, vol. 7, no. 4, pp. 3559–3570, 2020.
possible attacks. By analysing the network performance using [14] M. Wang, Y. Lu, and J. Qin, “Source-based defense against ddos attacks
the proposed technique, it showed a significant improvement in sdn based on sflow and som,” IEEE Access, vol. 10, pp. 2097–2116,
in the total system throughput, and reduction in both delay 2022.
[15] U. Mbasuva and G.-A. L. Zodi, “Designing ensemble deep learning in-
and packet loss, which leads to a performance similar to an trusion detection system for ddos attacks in software defined networks,”
attack-free network. For future work, we plan to evaluate in 2022 16th International Conference on Ubiquitous Information Man-
the proposed approach for different/more diverse network agement and Communication (IMCOM), pp. 1–8, 2022.
[16] B. Wang, Y. Zheng, W. Lou, and Y. T. Hou, “Ddos attack protection in
topologies, as we presented a small network topology of a the era of cloud computing and software-defined networking,” Computer
healthcare system to evaluate the behavior of our proposed Networks, vol. 81, pp. 308–319, 2015.
solution. We also plan to extend the system implementation [17] A. Zaalouk, R. Khondoker, R. Marx, and K. Bayarou, “Orchsec: An
orchestrator-based architecture for enhancing network-security using
and emulations with dynamic traffic rerouting in the presence network monitoring and sdn control functions,” in 2014 IEEE Network
of DDoS attacks, and present and intrusion detection system Operations and Management Symposium (NOMS), pp. 1–9, 2014.
using machine learning techniques. [18] N. M. Yungaicela-Naula, C. Vargas-Rosales, and J. A. Perez-Diaz,
“Sdn-based architecture for transport and application layer ddos attack
detection by using machine and deep learning,” IEEE Access, vol. 9,
VI. ACKNOWLEDGMENT pp. 108495–108512, 2021.
[19] X. GU, H. WANG, T. NI, and H. DING, “Detection of application-
The authors would like to thank the Deanship of Scientific layer ddos attack based on time series analysis,” Journal of Computer
Research and the Ressearch Services and Support Unit (RSSU) Applications, vol. 33, no. 8, pp. 2228–2231, 2013.
[20] M. Revathi, V. V. Ramalingam, and B. Amutha, “A machine learning
at King Saud University for their support in this paper. based detection and mitigation of the ddos attack by using sdn controller
framework,” Wireless Personal Communications, 2021.
R EFERENCES [21] R. M. AlZoman and M. J. F. Alenazi, “A comparative study of traffic
classification techniques for smart city networks,” Sensors, vol. 21,
[1] M. Jarschel, T. Zinner, T. Hossfeld, P. Tran-Gia, and W. Kellerer, no. 14, p. 4677, 2021.
“Interfaces, attributes, and use cases: A compass for sdn,” IEEE Com-
munications Magazine, vol. 52, pp. 210–217, June 2014.