The rapidly evolving landscape of network security, particularly in Software Defined Networks (SDNs), presents a critical need for efficient and adaptive DDoS attack detection methods, especially in the face of TCP SYN DDoS attacks. These attacks pose significant threats to network resources and service availability. Current state-of-the-art solutions, predominantly based on Shannon entropy, have inherent limitations, that give equal weightage to all frequency probability. This inherent assumption often leads to inadequate detection in complex and dynamic network environments, where attack patterns are increasingly sophisticated and variable. In this paper, we present a novel framework called SYNTROPY that is designed to detect TCP SYN DDoS attacks in SDN environments. The proposed SYNTROPY framework leverages Rényi entropy to effectively generalize the measurement of uncertainty in the network traffic. Unlike Shannon entropy, Rényi entropy offers the flexibility to adjust sensitivity to varying network conditions and attack patterns, thereby enhancing detection accuracy. It filters benign, flash, and suspicious traffic and employs a min–max threshold to identify attack patterns accurately. Our framework is implemented using the Ryu Controller, thus enabling seamless integration with SDN systems. The experiment is conducted to evaluate the SYNTROPY performance using the CAIDA UCSD DDoS 2007 Attack Dataset. The comparative analysis demonstrates that SYNTROPY performs better across various metrics than state-of-the-art solutions. It includes a 40% reduction in average CPU load, 59% enhancement in average detection time, 13% increase in true positives rate, 34% decrease in false negatives rate, 10% recall improvement, and 8% higher F1-Score. These promising results showcase the potential of SYNTROPY as a robust and effective solution for addressing TCP SYN DDoS attacks in SDNs.

Software-defined networking (SDN), enabled by high-performance programmable switches, offers a new avenue to counter cyber attacks. Programmable switches offer the ability to customize and conduct in-depth packet analysis, thus providing efficient and timely responses to DDoS attacks. However, implementing sophisticated DDoS detection may be a challenge in programmable switches because the p4 language does not support floating-point arithmetic, logarithmic functions, or loops. Furthermore, the limited SRAM and TCAM memory on programmable switches makes storing the network connection state difficult. Hence, effective deployment of DDoS detection techniques remains challenging due to these limitations and the rising complexity of the attacks. Many researchers proposed the DDoS detection solution directly on a programmable switch, ignoring the pressing need for a distributed solution. Therefore, this paper presents an innovative, decentralized traffic analysis framework called SPARQ that optimally utilizes the data and control planes. SPARQ is based on Rényi entropy that filters TCP SYN DDoS attacks. It leverages the programming ability of data planes for traffic classification and utilizes the control plane to calculate the metrics and acyclic redundancy checks within the traffic. Moreover, SPARQ uses quartile ranges to track packet inter-arrival time so that abnormal traffic patterns can be identified. We implement SPARQ in a BMv2 switch using the p4runtime controller, enabling seamless integration with SDN systems. We compare the performance of SPARQ with state-of-the-art solutions using the CAIDA dataset. The comparative analysis demonstrates that SPARQ provides a 20.59% reduction in CPU load, an average detection time shorter than 88%, and a 17.8% improvement in true positive rate (TPR).