AN INTELLIGENT SOFTWARE DEFINED NETWORKING CONTROLLER COMPONENT TO DETECT AND MITIGATE DENIAL OF SERVICE ATTACKS

Despite many advantages of software defined networking (SDN) such as manageability, scalability, and performance, it has inherent security threats. In particular, denial of service (DoS) attacks are major threats to SDN. The controller’s processing and communication abilities are overwhelmed by DoS attacks. The capacity of the flow tables in the switching device is exhausted due to excess flows created by the controller because of malicious packets. DoS attacks on the controller cause the network performance to drop to a critical level. In this paper, a new SDN controller component was proposed to detect and mitigate DoS attacks in the SDN controller. POX layer three controller component was used for underlying a testbed for PacketIn messages. Any packet from the host was incremented to measure the rate of packet according to its device identification and its input port number. Considering the rate of packets received by the controller and threshold set, malicious packets could be detected and mitigated easily. A developed controller component was tested in a Mininet simulation environment with an hping3 tool to build artificial DoS attacks. Using the enhanced controller component, DoS packets were prevented from accessing the controller and thus, the data plane (switching devices) was prevented from being filled with unwanted flows.


INTRODUCTION
The idea of Software Defined Networking (SDN) was developed by Stanford University based on the OpenFlow protocol (Kreutz et al., 2015). With its architecture, SDN provides, allows, controls, changes, and manages a network via a central controller. It also separates the control and data planes that are combined in the traditional network structure and brings a new approach for computer networks. In SDN, the management mechanism is distinct from network devices. Thus, network devices become simple and inexpensive devices that simply transfer packets.
The SDN structure consists of control, data, and application planes as shown in Figure 1. These planes are described below: • Control Plane: Responsible for managing transmission devices in the data plane. The SDN controller, which is the brains of the network, is found in this plane. • Data Plane: Consists of communication devices (OpenFlow switching devices). Devices in this plane cannot perform high-level networking processes. This plane is programmed and managed by a control plane (Maugendre, 2015). When a new data packet arrives at the transmission device, the device sends packet header information to the controller for a route request. The controller, which has a dominance over the general network, calculates the flow route and sends the transmission rule required for the route to the transmission devices via a safe channel. Transmission devices, therefore, update their flowcharts and send the packet to the target or drop it (Bholebawa & Dalal, 2016). • Application Plane: Helps the control plane with the security, routing, load-balancing, network structuring, and policy-making to be applied to the network.
With its flexible, programmable and dynamic architecture, SDN is expected to replace the traditional network. This is possible because SDN has the ability to respond to new technologies that require high bandwidth and dynamic management. Such technologies are cloud computing, big data, virtualisation, and mobile. The data forwarding and control functions of the SDN architecture are separated into different planes. SDN has three functional planes: data plane, control plane, and application plane. SDN networking devices, such as switches and routers, are located in the data plane and carry out packet transmissions based on rules determined by the controller (Kim & Feamster, 2013). Switching devices in the data plane send reports to the controller regarding the number of packets received from the controller and the number of packets transferred and dropped periodically. By using switching device reports, the controller can detect switching devices that show malicious behaviour (Stancu et al., 2015). The control mechanism is abstracted from the network devices and moved to the controller that operates as the centre of the network located in the control plane. A controller, which is the brain of SDN, makes decisions on which flow is transmitted by the devices in the data plane and how the flow is organised. The controller also collects information on the states of the entire network from the network devices (Cui et al., 2016). The application plane consists of networking service applications such as security applications, analytics, business applications and others. Applications communicate with devices in the network infrastructure via the controller. Network devices are programmed using application programming interfaces (APIs) referred to as northbound and southbound interfaces . The controller communicates with The SDN structure consists of control, data, and application planes as shown in Figure 1. These planes are described below: • Control Plane: Responsible for managing transmission devices in the data plane. The SDN controller, which is the brains of the network, is found in this plane. • Data Plane: Consists of communication devices (OpenFlow switching devices). Devices in this plane cannot perform high-level networking processes. This plane is programmed and managed by a control plane (Maugendre, 2015). When a new data packet arrives at the transmission device, the device sends packet header information to the controller for a route request. The controller, which has a dominance over the general network, calculates the flow route and sends the transmission rule required for the route to the transmission devices via a safe channel. Transmission devices, therefore, update their flowcharts and send the packet to the target or drop it (Bholebawa & Dalal, 2016). • Application Plane: Helps the control plane with the security, routing, load-balancing, network structuring, and policy-making to be applied to the network. With its flexible, programmable and dynamic architecture, SDN is expected to replace the traditional network. This is possible because SDN has the ability to respond to new technologies that require high bandwidth and dynamic management. Such technologies are cloud computing, big data, virtualisation, and mobile. The data forwarding and control functions of the SDN architecture are separated into different planes. SDN has three functional planes: data plane, control plane, and application plane. SDN networking devices, such as switches and routers, are located in the data plane and carry out packet transmissions based on rules determined by the controller (Kim & Feamster, 2013). Switching the services working on the application plane via the northbound interface. On the other hand, the controller uses the southbound interface to communicate with the data plane devices. The most popular protocol used in this interface is the OpenFlow protocol (Cabaj et al., 2014).
SDN facilitates the implementation of innovative solutions for issues like security and virtualisation via software such as temporospatial-SDN and SDN-WAN (Xia et al., 2015). Moreover, SDN has three unique security threats, which include attacks on the control plane, attacks on the data plane, and attacks on the communication line between the control plane and the data plane. The most dangerous are those against the controller. If the attackers have access to the controller, they can take control of the entire network (Stancu et al., 2015). In addition, Denial of Service (DoS) attacks on the flow table storage capacity on transmission devices also pose a serious threat (Shang et al., 2017). The integrity of the network traffic between the switching device and the controller in SDN can be achieved if the OpenFlow protocol is consistent, accurate, trustworthy, and non-repudiate (Li, Meng, & Kwok, 2016). If the attackers have control over the OpenFlow protocol, they can access the data sent from the controller to the switching device and control the data plane.
The controller may be exposed to DoS attacks via its data plane communication line. The data plane may also be exposed to attacks via the network device flow tables (Scott-Hayward, O'Callaghan, & Sezer, 2013). These attacks are likely to happen in the form of fake traffic. The attackers have access to personal computers (PCs) and servers to create their malicious software in the network without the knowledge of the users. With that kind of network, the attackers can direct high volumes of traffic to the OpenFlow switching device in the data plane. In this case, malicious and legitimate traffics are mixed up and it is difficult to distinguish between these two traffics. If the incoming packets do not match the flow inputs in the OpenFlow switching devices, they are initially transferred to the flow buffer. Then, they are sent to the controller to write a new rule with the PacketIn message. Large amounts of PacketIn messages arrive at the controller in a very short time. In this situation, the controller's resources (memory, processor, bandwidth, etc.) are exhausted and thus, the controller reaches a state where it cannot operate (Padmaja & Vetriselvi, 2016). On the other hand, when new and legitimate packets reach the controller, the latter cannot be accessed, and thus, the SDN architecture collapses. Moreover, the bandwidth of the communication line between the controller and the switching devices under attack is also negatively affected. The performance of the network, therefore, deteriorates significantly (Shu et al., 2016).
In addition, DoS attacks on the flow table for packets from unknown or known sources are sent to the switching device first. The incoming packets are then sent to the controller via switching devices, and the controller writes the rules back to the switching devices (Ali et al., 2015). The flow table capacity of the switching device is filled up with flow rules after a short time. As a result, there is no place for legitimate incoming traffic in the flow table, and new rules cannot be written, thus packets cannot be transferred. Furthermore, because the buffer capacity is exhausted in this situation, all new packets are dropped (Kreutz, Ramos, & Verissimo, 2013). While the SDN is expected to bring about significant change by improving the underlying traditional network in terms of network reconfiguration and management, there are still some drawbacks with regard to network security (Proença et al., 2015).
To overcome the DoS attack problem in SDN network, particularly in controller and switching devices, there is a need for an intelligent mechanism with low complexities. A DoS attack that floods a large number of packets with different Internet protocol (IP) sources addresses the problem in controller and switching devices even worse. The motivation behind this study is to detect and prevent DoS attacks known as flooding attacks at the controller and switching devices in particular. An intelligent SDN controller component is proposed to detect and mitigate DoS attacks using POX controller layer 3 learning (l3_learning) component. POX controller is chosen because it allows an easy way to run OpenFlow/SDN experiments, faster development, and prototyping of new network applications.
The rest of this paper is structured as follows. The next section gives an overview of the previous studies discussing the DoS attacks in SDN network and the summary of their achievement and limitation were also given. Then, the proposed solution is presented in the following section. Performance results, evaluation, and discussion for the experiment are presented in the fourth section. Finally, the proposed solution is concluded in the last section.

RELATED WORKS
Although the new concept of SDN is supposed to improve the conventional understanding, redesigning, and management of the network, several security doors still remain open. There are several forms of attacks by malicious users targeting SDN. DoS attacks are the most frequent and most destructive of such attacks (Imran et al., 2019). Various approaches have been presented for the detection, prevention, and mitigation of the SDN-targeted DoS attacks. However, most of the presented solutions apply to a particular problem in the SDN network due to the structure of SDN architecture. Such a solution by Zhang et al. (2016) and Tian et al. (2019) may be able to protect the control plane, but not the data plane. The following are the literature that discusses the detection and mitigation measures against DoS attacks that are deemed relevant for this work. The summarised advantages and disadvantages of this literature are given in Table 1.
In their study, Shin et al. (2013) sought to respond quickly to the attacks by the AVANT-GUARD. Two new modules called "connection migration" and "actuation trigger" were added to the switching devices. With the new mechanisms introduced, statistics were collected from the switching devices and network-related information was effectively sent to the controller. Based on the available switching devices, detailed information regarding packet routes and network status was obtained using the actuation trigger module.
Using the connection migration module, the flow requests sent to the controller were limited to minimise the load on the communication line between the control plane and the data plane. The modules were created within the scope of AVANT-GUARD software application, which placed less than 1% load on the system. In addition, this module prevented unsuccessful Transmission Control Protocol (TCP) sessions without informing the control plane during the TCP SYN flood attacks. The packet was not sent to the controller for flow requests without the completion of the TCP handshake. However, AVANT-GUARD did not have a comprehensive solution since it only has mitigation for TCP-based flooding attacks. For example, no solution had been developed for protocols such as User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) (Shin et al., 2013).
Dridi and Zhani (2016) designed a three-part SDN-Guard architecture. The three parts were: (1) a flow management module that determined the flow routing and value such as timeout; (2) a rule collection module that collected malicious traffic flow inputs and reduced flow table inputs; and (3) a monitoring module that collected the flow's statistics such as a switch, link and others. In addition, the SDN-Guard was in contact with the Intrusion Detection System (IDS). The IDS analysed the PacketIn messages and informed the SDN-Guard of the possibility of a threat. The management module updated the flow routing decisions and the timeout values in the switching device flow table based on the information it gathered from the IDS. The proposed SDN-Guard architecture prevented malicious packets from reaching the controller and overloading of switching devices in the data plane with malicious flows. Nevertheless, it was difficult to differentiate malicious traffic and legitimate traffic, thus some of the malicious traffics were able to reach the controller (Dridi & Zhani, 2016). Wang, Xu, and Gu (2015) developed FloodGuard against attacks where attackers try to exhaust control and data plane resources using PacketIn messages. FloodGuard consisted of a proactive flow rule analyser and packet migration modules. The proactive flow rule was the controller application in the control plane. When packet migration detected an attack, it sent packets that did not match the flow table to the Data Plane Cache (DPC) that was part of it. Based on the changing values, a proactive flow rule was created based on the new destination information and it was sent to the switching device. DPC gradually sent packets that did not match the flow using the "rate-limiting and "round-robin" algorithms. A scalable and effective protection mechanism against DoS attacks targeting data and control aircraft was developed. The module was created within the scope of the FloodGuard system, which caused delay during the decision-making phase and caused unnecessary loading to the controller (Wang et al., 2015). Dao et al. (2016) suggested an Adaptive Suspicious Prevention (ASP) mechanism against DoS attacks that would target the communication line between the controller and the switching device. The key concept of this method was to determine the types of users using the Probabilistic History-Based IP Filtering algorithm. The developed mechanism aimed to analyse user traffic information and to apply policies to the incoming packets based on the type of user. Timeout and action parameters were updated and new policies were determined. Unknown users were handled suspiciously and the users were given short timeout values. Later, they were classified by the IP filtering method. If users were safe, the controller assigned a standard timeout value and updated the flow inputs. When users were found to be suspicious, the controller removed flow inputs and blocked users. The ASP mechanism for malicious packets sent put an additional burden on the switching devices in the data plane. Furthermore, classification of legitimate and malicious traffics caused an additional delay in the network. Thus, the switching devices with limited buffer capacity might fill up with queued packets and caused others to be dropped (Dao et al., 2016). Benton, Camp, and Small (2013) stressed that if the controller was not vigilant when implementing reactive SDN rules with single control points, it could be exposed to DoS attacks with PacketIn messages. The scholars developed attack traffic from different transmissions addressed using the "l2 learning" component of the POX controller and disabled the flow table of the switching device overloading it with unnecessary flows. They recommended that concerning DoS attacks, controller vendors need to emphasise on the importance of rate-limiting and rule-generation activities with the publication of guidelines for developers. Thus, a possible solution and future work could be a mechanism that combines both OpenFlow application analysis and flowtable analysis. The solution should systematically identify the events and traffics that generate PacketIn and Flow-modification messages to warn the developer of potential DoS vulnerabilities (Benton et al., 2013).
Lawal and Nuray (2018) presented a real-time detection of the Distributed Denial of Service (DDoS) attacks on SDN and a control method based on the sFlow mitigation technology. sFlow analysed samples of packets collected from the network traffic and generated handling rules to be sent to the controller in case of attack detection. The threshold was set to 25% to make sure that the wide area network (WAN) bandwidth would not saturate or a service could not be disrupted. The attack was mitigated within a period of ~10 seconds after detection occurred and the traffic went below the threshold line. The previous study only used ICMP ping and ICMP flooding attack packets to evaluate the proposed solution (Lawal & Nuray, 2018).
Tran, Le, and Tran (2018) proposed an ODL-ANTIFLOOD, which consisted of two components including a network application for supporting decisionmaking and a network function for enforcing the detection and mitigation tasks. It also contributed to a multilayer attack detection mechanism and a three-phase mitigation approach to deal with the attacks. The proposed solution could detect attacks after 40 milliseconds on average, and the accuracy of the detection process was around 95%. Moreover, the proposed solution also effectively and efficiently mitigated attacks to reduce Central Processing Unit (CPU) utilisation from high 90% to 20%. An ODL-ANTIFLOOD was a more flexible and adaptive system with a simple and high accurate detection process. It had some drawbacks in detecting multiple destinations (i.e. packets with different IP destination address) attack traffic (Tran et al., 2018). Wright and Ghani (2019) demonstrated the impact of DoS attacks on SDN elements in the NSF GENI network testbed. This work provided a key baseline and set of input data from which to develop further detection and mitigation strategies. The flagship NSF GENI testbed facility was used to evaluate the impact of DoS attacks in a live OpenFlow-based SDN network setting using the hping3 utility. They concluded that memory utilisation eventually began to decrease as the duration of the attack continued. Furthermore, for the more realistic case of randomised source/destination addresses, the shorter packet spacing consumed slightly more memory than the higher spacing packet. In both cases, however, the available (free) memory leaned downwards that increased the attack durations. The testbed did not include multiple attacking hosts, which were connected to each switching device (Wright & Ghani, 2019). Polat, Polat, and Cetin (2020) and Sen, Gupta, and Ahsan (2020) employed machine learning algorithms to detect DDoS attacks on SDN architecture. Polat et al. (2020) used Support Vector Machine (SVM), Naive Bayes (NB), Artificial Neural Network (ANN), and K-Nearest Neighbour (KNN) classification models. A new dataset was created using feature selection methods in the existing dataset to simplify the models, facilitate their interpretation, and provide a shorter training period. The highest accuracy rate of 98.3% was obtained with the KNN classifier. On the other hand, Sen et al. (2020) utilised AdaBoosting algorithm with decision stump as a weak classifier to build the classifier model for the network. The dataset used to build the model included data for legitimate and malicious traffics for six types of protocols such as TCP, UDP, ICMP, ARP, IPv4, and SSH. The highest accuracy rate of 93% was obtained in the dataset with decision stump as a weak classifier. Lawal and Nuray (2018) • Mitigated attacks within 10 seconds after detection occurred.
• Used only ICMP ping and ICMP flooding attack packets to evaluate the solution.
Tran et al.
• A flexible and adaptive system with a simple and high accurate detection process. • Detected attacks after 40 milliseconds on average. • The accuracy of the detection process was about 95%. • Effectively mitigated attacks to CPU utilisation from 90% to 20%.
• Hardly detected multiple destinations attack traffic.

Wright and
Ghani (2019) • Could be used as the baseline and set of input data from which to develop further detection and mitigation strategies.
• The testbed did not include multiple attacking hosts, which were connected to each switching device. Polat et al. (2020) and Sen et al. (2020) • With the KNN and AdaBoosting algorithm, it achieved an accuracy of 98.3% and 93%, respectively. • By using machine learning methods, malicious traffics could be easily classified.
• Added extra delay in detecting DDoS in the network.

PROPOSED SDN CONTROLLER COMPONENT
The POX controller had several components that supported various network behaviours such as the hub, layer two (l2) switching device, and layer three (l3) routing device. No component installed the default flow to a switching device or had a mechanism to control the PacketIn event to prevent DoS attacks from occurring. This was also true with the OpenFlow v1.0 protocol, a protocol that provided a secure communication channel between the switching device and the controller. This protocol did not provide a mechanism for detecting and preventing such types of attacks. Layer 3 learning (l3_learning) component installed a flow table after receiving a PacketIn event. In this study, an improved l3_learning component of the POX Controller was used for underlying a testbed for PacketIn messages. Random source IP address was also used to create a bunch of packets that would cause a misflow in the switching table. The purpose of these attacks as to generate as many packets as possible that would reach the controller, keep the controller occupied, and similarly fill up the switching device with a bunch of unnecessary flow tables.
In order to detect and prevent this form of attack, any packet received by the controller was incremented according to its switching device identification (i.e. DPID) and its input port number. A packet counter was used to monitor the number of packets to reach the controller within a very short time. From a packet counter, the module calculated the rate of packets reaching the controller. Let the rate of packets reaching the controller be known as R. The rate of packets reaching the controller is given in Equation 1 below.
(1) where; = Number of packets reaching the controller = Time used for to reach the controller in seconds In order to prevent the switching devices from saturation and flooding packets to the controller, a threshold value was chosen on the basis controller and switching device saturation. To find the value of optimal threshold, a series of experiments were run to observe the effect of DoS attacks on the controller and switching devices. The optimal threshold was obtained by comparing different rates of incoming packets from legitimate and malicious traffics. In this case, the rate was set to 2kpps (i.e. 2kpps).
Then, the rate of packets reaching controller was compared with a threshold. If the rate of packets exceeded a threshold value (i.e. the controller first deleted all the flow tables on the switching device according to its switching device port/interface. Then, a drop flow table was added to drop all rate of packets reaching the controller be known as R. The rate of packets reachi given in Equation 1 below.

= ∆
Where; = Number of packets reaching the controlle ∆ = − −1 = Time used for to reach the controller i In order to prevent the switching devices from saturation and flooding packets threshold value was chosen on the basis controller and switching device saturation of optimal threshold, a series of experiments were run to observe the effect of controller and switching devices. The optimal threshold was obtained by comparin incoming packets from legitimate and malicious traffics. In this case, the rate wa ℎ = 2kpps).
Then, the rate of packets reaching controller was compared with a threshold. If exceeded a threshold value (i.e. > ℎ), the controller first deleted all the switching device according to its switching device port/interface. Then, a drop flow drop all the packets from a malicious host to prevent them from reaching the con the host would be considered as a malicious host. However, if a threshold valu packet rate (i.e. ℎ > ), an existing l3_learning component was performed to ins ate of packets reaching the controller be known as R. The rate of packets reaching the controller is iven in Equation 1 below.
Where; = Number of packets reaching the controller ∆ = − −1 = Time used for to reach the controller in seconds n order to prevent the switching devices from saturation and flooding packets to the controller, a hreshold value was chosen on the basis controller and switching device saturation. To find the value f optimal threshold, a series of experiments were run to observe the effect of DoS attacks on the ontroller and switching devices. The optimal threshold was obtained by comparing different rates of ncoming packets from legitimate and malicious traffics. In this case, the rate was set to 2kpps (i.e. ℎ = 2kpps).
hen, the rate of packets reaching controller was compared with a threshold. If the rate of packets xceeded a threshold value (i.e. > ℎ), the controller first deleted all the flow tables on the witching device according to its switching device port/interface. Then, a drop flow table was added to rop all the packets from a malicious host to prevent them from reaching the controller. In this case, he host would be considered as a malicious host. However, if a threshold value was greater than acket rate (i.e. ℎ > ), an existing l3_learning component was performed to install a flow table for he destination host according to the learned packet header. In this case, a host would be considered as rate of packets reaching the controller be known given in Equation 1 below.
In order to prevent the switching devices from s threshold value was chosen on the basis controller of optimal threshold, a series of experiments we controller and switching devices. The optimal thre incoming packets from legitimate and malicious ℎ = 2kpps).
Then, the rate of packets reaching controller was exceeded a threshold value (i.e. > ℎ), the switching device according to its switching device drop all the packets from a malicious host to prev the host would be considered as a malicious hos packet rate (i.e. ℎ > ), an existing l3_learning c the destination host according to the learned packe rate of packets reaching the controller be known as R. The rate of pac given in Equation 1 below.

= ∆
Where; = Number of packets reaching th ∆ = − −1 = Time used for to reach the In order to prevent the switching devices from saturation and floodin threshold value was chosen on the basis controller and switching devic of optimal threshold, a series of experiments were run to observe the controller and switching devices. The optimal threshold was obtained b incoming packets from legitimate and malicious traffics. In this case, ℎ = 2kpps).
Then, the rate of packets reaching controller was compared with a th exceeded a threshold value (i.e. > ℎ), the controller first delete switching device according to its switching device port/interface. Then, drop all the packets from a malicious host to prevent them from reachi the host would be considered as a malicious host. However, if a thre packet rate (i.e. ℎ > ), an existing l3_learning component was perfor the destination host according to the learned packet header. In this case, ate of packets reaching the controller be known as R. The rate of packets reaching the controller is iven in Equation 1 below.
Where; = Number of packets reaching the controller ∆ = − −1 = Time used for to reach the controller in seconds n order to prevent the switching devices from saturation and flooding packets to the controller, a hreshold value was chosen on the basis controller and switching device saturation. To find the value f optimal threshold, a series of experiments were run to observe the effect of DoS attacks on the ontroller and switching devices. The optimal threshold was obtained by comparing different rates of ncoming packets from legitimate and malicious traffics. In this case, the rate was set to 2kpps (i.e. ℎ = 2kpps).
hen, the rate of packets reaching controller was compared with a threshold. If the rate of packets xceeded a threshold value (i.e. > ℎ), the controller first deleted all the flow tables on the witching device according to its switching device port/interface. Then, a drop flow table was added to rop all the packets from a malicious host to prevent them from reaching the controller. In this case, he host would be considered as a malicious host. However, if a threshold value was greater than acket rate (i.e. ℎ > ), an existing l3_learning component was performed to install a flow table for he destination host according to the learned packet header. In this case, a host would be considered as of packets reaching the controller be known as R. The rate of packets reaching the controller is n in Equation 1 below.
Where; = Number of packets reaching the controller ∆ = − −1 = Time used for to reach the controller in seconds rder to prevent the switching devices from saturation and flooding packets to the controller, a hold value was chosen on the basis controller and switching device saturation. To find the value ptimal threshold, a series of experiments were run to observe the effect of DoS attacks on the roller and switching devices. The optimal threshold was obtained by comparing different rates of ming packets from legitimate and malicious traffics. In this case, the rate was set to 2kpps (i.e. 2kpps).
, the rate of packets reaching controller was compared with a threshold. If the rate of packets eded a threshold value (i.e. > ℎ), the controller first deleted all the flow tables on the hing device according to its switching device port/interface. Then, a drop flow table was added to all the packets from a malicious host to prevent them from reaching the controller. In this case, ost would be considered as a malicious host. However, if a threshold value was greater than et rate (i.e. ℎ > ), an existing l3_learning component was performed to install a flow table for estination host according to the learned packet header. In this case, a host would be considered as the packets from a malicious host to prevent them from reaching the controller. In this case, the host would be considered as a malicious host. However, if a threshold value was greater than packet rate (i.e. an existing l3_ learning component was performed to install a flow table for the destination host according to the learned packet header. In this case, a host would be considered as a legitimate host because it would be learned according to its behaviour from the switching device port/interface number and DPID. On the other hand, the drop flow table could be removed from the switching device either by hard timeout or soft timeout due to an inactive flow table. In this case, if the attacker continued to flood packets to the controller, the controller and the entire network could be interrupted again. As a result, a timer was set to send a port or flow statistics request (net_stats_req and flow_ stats_req) to check a host whether it continued to flood packets or not. If the received statistic indicated that the host as still overflowing packets, the controller must update the drop flow table. The algorithm was implemented based on the PacketIn event activated by the controller. When no PacketIn event was triggered by the controller, no drop flow tables or other flow tables would be implemented by the controller. The algorithm is displayed in the flow chart shown in Figure 2 and summarised in the pseudo-code of Algorithm 1. Then, the rate of packets reaching controller was comp exceeded a threshold value (i.e. > ℎ), the control switching device according to its switching device port/in drop all the packets from a malicious host to prevent the the host would be considered as a malicious host. How packet rate (i.e. ℎ > ), an existing l3_learning compon the destination host according to the learned packet heade a legitimate host because it would be learned according port/interface number and DPID.
On the other hand, the drop flow table could be remove timeout or soft timeout due to an inactive flow table. In packets to the controller, the controller and the entire netw timer was set to send a port or flow statistics request (n host whether it continued to flood packets or not. If the re overflowing packets, the controller must update the drop based on the PacketIn event activated by the controller. W controller, no drop flow tables or other flow tables wo algorithm is displayed in the flow chart shown in Figu Algorithm 1. A network topology that was used to simulate the present study is shown in Figure 3. The network topology consisted of one remote switch (POX switch) and two OVSKernel switches (s1 and s2), each controlling three hosts. These two switches were wired to a speed of 2Gbps. The connection between the hosts and the switches was set to 100Mbps. Host h100 and h200-Server were used to test the bandwidth using the iPerf command. h100 was used as a client, while h200 was used as a server. Host h1 was used to flood the packet to a switch with a random source IP address. On the other hand, h2, h4, and h5 were used as legitimate hosts. These hosts were regular hosts with hping3 tool built on the Ubuntu 14.04 operating system. Perform l3_learning() A network topology that was used to simulate the present study is shown in Figure 3. The network topology consisted of one remote switch (POX switch) and two OVSKernel switches (s1 and s2), each controlling three hosts. These two switches were wired to a speed of 2Gbps. The connection between the hosts and the switches was set to 100Mbps. Host h100 and h200-Server were used to test the bandwidth using the iPerf command. h100 was used as a client, while h200 was used as a server. Host h1 was used to flood the packet to a switch with a random source IP address. On the other hand, h2, h4, and h5 were used as legitimate hosts. These hosts were regular hosts with hping3 tool built on the Ubuntu 14.04 operating system.

RESULTS AND EVALUATION
The topology was executed in the Mininet simulator. To simulate attacks and evaluate results, the topology consisted of a minimum number of nodes. The switch was connected to the remote POX controller (c0) by loopback address via port 6634 (i.e. 127.0.0.1:6634). DoS attacks were developed on h1 and directly connected to the Open v-switch s1. DoS traffic was generated using hping3 on the network, which was created using the Xterm command when h1 in Mininet was opened. For each experiment, the attacker sent out TCP packets with a data size of 512 bytes within 20 minutes. The rate was around 2,000 packets per second or 4mpbs for 1,000 packets per second. In the following sub-sections, various network efficiency metrics were analysed.

Average Flow Setup Latency
Applications always assume latency is low and constant. A longer time to update increases congestion, and if latency decreases, failure increases over time. The flow setup latency for l3_learning with hping3 was far too high (over 120ms all the time) (Figure 4). However, when an attack was detected and prevented, there was a high decrease in latency. This meant that the controller could add new flow table entries in a shorter time. This would have a great impact on a network that required high performance. sub-sections, various network efficiency metrics were analysed.

Average Flow Setup Latency
Applications always assume latency is low and constant. A longer time to update increases congestion, and if latency decreases, failure increases over time. The flow setup latency for l3_learning with hping3 was far too high (over 120ms all the time) (Figure 4). However, when an attack was detected and prevented, there was a high decrease in latency. This meant that the controller could add new flow table entries in a shorter time. This would have a great impact on a network that required high performance.

OpenFlow Message to Controller and Buffer Overflow
OpenFlow Message to Controller and Buffer Overflow Figure 5 shows the OpenFlow messages sent from the switching device to the controller and the timeline of how many PacketIn messages the controller received. Using l3_learning, the total number of OpenFlow messages that reached the controller were 18,717. While using Improved_l3_learning, the total number of OpenFlow messages that reached the controller were 3,117. When the attack was carried out using l3_learning, numerous messages were sent to the controller and the number of messages were reduced after t = 65 sec. As a result of this attack, the Open vSwitch was unable to keep up with the speed of the incoming packets and resulted in a buffer overflow exception in the POX controller as shown in Figure 6. Moreover, this resulted in the switching device to drop certain packets, including those from genuine users. Thus, some of the packets would also not reach the controller so that the new flow tables could be added. Using Improved_l3_learning, the number of PacketIn messages were reduced by adding a drop-flow table for a host that generated an attack. In this way, several advantages were achieved, such as avoiding buffer overflow and preventing malicious request messages sent to the controller. messages were reduced after t = 65 sec. As a result of this attack, the Open vSwitch was unable to keep up with the speed of the incoming packets and resulted in a buffer overflow exception in the POX controller as shown in Figure 6. Moreover, this resulted in the switching device to drop certain packets, including those from genuine users. Thus, some of the packets would also not reach the controller so that the new flow tables could be added. Using Improved_l3_learning, the number of PacketIn messages were reduced by adding a drop-flow table for a host that generated an attack. In this way, several advantages were achieved, such as avoiding buffer overflow and preventing malicious request messages sent to the controller.  The buffer overflow exception could also be illustrated with the TCP Zero Window as shown on the Wireshark result in Figure 7. The TCP Zero Window was obtained from the OpenFlow connection between the controller and the switching device. The amount of information that a computer could receive during a TCP session was defined as the size of the TCP Window. When the window size of the computer remained at zero for a given time, it was known as TCP Zero Window. This meant that the switching device could not receive more information, and the transmission of the TCP was stopped until the information was processed in its switching buffer.  The buffer overflow exception could also be illustrated with the TCP Zero Window as shown on the Wireshark result in Figure 7. The TCP Zero Window was obtained from the OpenFlow connection between the controller and the switching device. The amount of information that a computer could receive during a TCP session was defined as the size of the TCP Window. When the window size of the computer remained at zero for a given time, it was known as TCP Zero Window. This meant that the switching device could not receive more information, and the transmission of the TCP was stopped until the information was processed in its switching buffer.  The buffer overflow exception could also be illustrated with the TCP Zero Window as shown on the Wireshark result in Figure 7. The TCP Zero Window was obtained from the OpenFlow connection between the controller and the switching device. The amount of information that a computer could receive during a TCP session was defined as the size of the TCP Window. When the window size of the computer remained at zero for a given time, it was known as TCP Zero Window. This meant that the switching device could not receive more information, and the transmission of the TCP was stopped until the information was processed in its switching buffer.

Flow Misses to Controller
As explained above, before the switching device turned to a buffer overflow exception, flow misses reached a maximum of 375 packets per second as shown in Figure 8. Due to the buffer overflow exception in the switching device, the rate of flow misses was reduced when the l3_learning component was used. However, with Improved_l3_learning, the rate of flow misses was detected earlier and reduced. Since no buffer overflow occurred during the use of the Improved_l3_learning component of the POX controller, the number of flow misses was low for the whole simulation.

Flow Modification from Controller
Due to the large number of new flows sent to the switching devices, a large number of flow rules were needed to be stored. As a consequence, the size of the switching table could be quickly flooded by DoS attacks easily. With the improved component, it was seen that the amount of flow modification

Flow Misses to Controller
As explained above, before the switching device turned to a buffer overflow exception, flow misses reached a maximum of 375 packets per second as shown in Figure 8. Due to the buffer overflow exception in the switching device, the rate of flow misses was reduced when the l3_learning component was used. However, with Improved_l3_learning, the rate of flow misses was detected earlier and reduced. Since no buffer overflow occurred during the use of the Improved_l3_learning component of the POX controller, the number of flow misses was low for the whole simulation.

Flow Modification from Controller
Due to the large number of new flows sent to the switching devices, a large number of flow rules were needed to be stored. As a consequence, the size of the switching table could be quickly flooded by DoS attacks easily. With the improved component, it was seen that the amount of flow modification messages from the controller to the switching device were reduced to normal as if there was no attack (Figure 9). The number of flow modification messages from the controller reached a maximum of 1,304 per second and 457 per second on average, which meant that the flow entries would be inserted into the switching devices. This resulted in unwanted flow table entries in the switching table. messages from the controller to the switching device were reduced to normal as if there was no attack (Figure 9). The number of flow modification messages from the controller reached a maximum of 1,304 per second and 457 per second on average, which meant that the flow entries would be inserted into the switching devices. This resulted in unwanted flow table entries in the switching table. However, with the enhanced solution, the flow modification messages reached a limit of 12 per second. As a result, and on average, excessive and unnecessary flow table entries were reduced to 0.

Maximum and Average Flow Table Entries
The number of rules stored in the switching device flow table was a very significant switching parameter since the switching device performance decreased when the number of rules in the flow table was higher. The attacker produced more than 2,000 packets per second with a random source IP address. In this case, the flow miss would be too high and this resulted in too many PacketIn messages sent to the controller requesting for the flow table modification. As shown in Figures 10 and 11, the number of rules grew over time with and without DoS attacks in the l3_learning component and the Improved_l3_learning component. The maximum and average number of

Maximum and Average Flow Table Entries
The number of rules stored in the switching device flow table was a very significant switching parameter since the switching device performance decreased when the number of rules in the flow table was higher. The attacker produced more than 2,000 packets per second with a random source IP address. In this case, the flow miss would be too high and this resulted in too many PacketIn messages sent to the controller requesting for the flow table modification. As shown in Figures 10 and 11

CPU utilisation on Data Plane
CPU usage was measured when the controller was under DoS attack with the l3_learning and Improved_l3_learning components as shown in Figure 12. The DoS attack using the hping3 command had a significant impact on the increased use of the CPU. The data plane suffered from a drastic 66% rise in CPU usage. This rise in the CPU usage was due to a large number of switching device processes and packets stored in the buffer before being sent to the controller. Using the Improved_l3_learning, the increase in CPU utilization could be reduced to normal (i.e. 0% to 6%) because the data plane did not need to buffer packets and transfer them to the controller. Instead, it dropped all the attack traffic from the switching device. Before the detection and mitigation of attacks, the CPU usage was so high. Nevertheless, the proposed approach was able to prevent attacks and thus minimise excessive use of the CPU to standard.

Throughput
Source to destination bandwidth, i.e. the number of packets sent from source h100, was also measured and received at destination h200 within 6 minutes.

Throughput
Source to destination bandwidth, i.e. the number of packets sent from source h100, was also measured and received at destination h200 within 6 minutes. Before the attack, there was almost no packet loss as the bandwidth of the packets sent was equal to the packets received as shown in Figure 13. However, during the attack, with the l3_learning component, there was no route to the destination as shown in Figure 14. This was because the controller was unable to implement a new flow rule in the Before the attack, there was almost no packet loss as the bandwidth of the packets sent was equal to the packets received as shown in Figure 13. However, during the attack, with the l3_learning component, there was no route to the destination as shown in Figure 14. This was because the controller was unable to implement a new flow rule in the switching devices. With the Improved_l3_learning component, the controller was able to install new flow rules. Thus, the source host was able to communicate with the destination host. The bandwidth obtained was approximately the same as when there were no DoS attacks (by using regular ping).

CONCLUSION
This study aimed at detecting and mitigating a DoS attack on the SDN controller using the POX controller rate limiter packets. In addition, the effect of the DoS attack on the controller, switching devices, and bandwidth of the communicating hosts were analysed. With rapid development and prototyping, the Python-based POX controller was selected as the SDN controller platform using the l3_learning component. The proposed solution was tested in the Mininet simulation environment using the hping3 tool to build artificial DoS attacks. With this type of attack, the malicious host generated more than 2,000 packets/sec, resulting in an average of 121.4 ms of flow latency, an average of 28 of OF-messages and flow miss messages to the controller, an average of 457 flow modification messages, an average of 4,817 flow table entries, and an average of 51% CPU utilisation. As compared to the improved component, the results showed that an improvement of average flow latency of 56 ms, an average of OF-messages and flow miss messages to the controller of 4, an average of 0 unnecessary flow modification messages, an average of 7 flow table entries, and an average of 1% in CPU utilisation.
In addition, the bandwidths between the two hosts were measured under the same conditions. During the attack with the l3_learning component, the result showed that a route from h100 to h200 could not be established (i.e. "No route to the host"). This was because the switching devices were full of unnecessary flow table entries that prevented any other flow tables from being added. As a result, every packet from h100 to h200 did not reach the destination and were dropped. However, with the improved component, a route from h100 to h200 was established and the observed bandwidth was approximately equal to 80 Mbps, which was almost the same as if there were no attacks on the network. The proposed solution was thus able to detect and mitigate malicious packets to reach the controller and thus prevented the data plane (switching devices) from being filled with excessive and unnecessary flow tables' entries and the bandwidth between the two hosts were recovered to normal.
A proposed controller component focuses on the detection and prevention of flooding (DoS) attacks on the controller and data planes. However, any malicious attacks that occurred at OF channel such as packets replication and man-in-the-middle attack are out of this scope. In the future, a possible alternative solution could be developed to combine OF channel events analysis module to systematically identify malicious events and traffic on OF channel.