In traditional networks, switches and routers are expensive, complex, and inflexible because packet forwarding and the control logic that decides how packets are handled reside in the same device. Software Defined Networking (SDN) makes network design more flexible, cheaper, and programmable by separating the control plane from the data plane. SDN gives network administrators the flexibility to manage the whole network from a single device, the controller. Unfortunately, SDN faces many security problems that may severely affect network operations if not properly addressed.
Threat vectors may target the main components of SDN, namely the control plane, the data plane, and the application plane, as well as the communication among these components. Among the threats that can cause significant damage are attacks on the control plane and on the communication between the controller and other network components, which exploit vulnerabilities in the controller or in the communication protocols.
SDN controllers and their communications may be subjected to different types of attacks; a DDoS attack on the SDN controller can bring the whole network down. In this thesis, we study various forms of DDoS attacks against the SDN controller. We conducted a comparative study of a set of methods for detecting DDoS attacks on the SDN controller and identifying compromised switch interfaces: the sequential probability ratio test (SPRT), count-based detection (CD), percentage-based detection (PD), and entropy-based detection (ED). We implemented the detection methods and evaluated their performance using publicly available DARPA datasets. We found that SPRT is the only method that achieves the highest accuracy and F score, detecting almost all DDoS attacks without producing false positives or false negatives.
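As an added worked example, not code from the thesis, the following Python script shows how an SPRT-style detector can decide per switch interface whether a stream of packet-in events to the controller looks like a spoofed-source flood or benign traffic. It assumes a Bernoulli model in which each packet-in either comes from a source never seen before on that interface (probability theta0 under benign traffic, theta1 under attack) or from a known source; the thresholds, theta values and the packet-in records are constructed for illustration.

```python
import math
from collections import defaultdict

def sprt_thresholds(alpha, beta):
    """Wald's log-LLR bounds for target false-positive rate alpha and
    false-negative rate beta: (lower -> accept benign, upper -> accept attack)."""
    return math.log(beta / (1 - alpha)), math.log((1 - beta) / alpha)

def sprt_detect(events, theta0=0.1, theta1=0.9, alpha=0.01, beta=0.01):
    """SPRT over one interface's packet-in flags (1 = packet-in from a source
    never seen on this port, the pattern a spoofed-source flood produces).
    theta0/theta1: assumed probability of a 1 under benign/attack traffic."""
    lower, upper = sprt_thresholds(alpha, beta)
    llr, n = 0.0, 0
    for x in events:
        n += 1
        # accumulate log P(x|H1)/P(x|H0) and stop as soon as a bound is crossed
        llr += math.log(theta1 / theta0) if x else math.log((1 - theta1) / (1 - theta0))
        if llr >= upper:
            return "attack", n
        if llr <= lower:
            return "benign", n
    return "undecided", n

def observations_from_log(log):
    """'<interface> <src_ip>' packet-in records -> per-interface 0/1 flags."""
    seen, obs = defaultdict(set), defaultdict(list)
    for line in log.strip().splitlines():
        iface, src = line.split()
        obs[iface].append(0 if src in seen[iface] else 1)
        seen[iface].add(src)
    return obs

def classify_interfaces(log, **kw):
    """Map every switch interface in the log to (verdict, packet-ins consumed)."""
    return {i: sprt_detect(ev, **kw) for i, ev in observations_from_log(log).items()}

# Constructed packet-in records (not a real capture): s1-eth1 is flooded with
# spoofed sources, s1-eth2 carries one repeat talker, s1-eth3 is still ambiguous.
PACKET_IN_LOG = """
s1-eth1 10.0.0.101
s1-eth2 10.0.0.2
s1-eth3 10.0.0.5
s1-eth1 10.0.0.102
s1-eth2 10.0.0.2
s1-eth3 10.0.0.5
s1-eth1 10.0.0.103
s1-eth2 10.0.0.2
s1-eth2 10.0.0.2
s1-eth2 10.0.0.2
"""
```

Because the test stops as soon as either bound is crossed, a flooded interface is flagged after only three packet-ins here, while the benign interface is cleared after five and the ambiguous one stays undecided until more evidence arrives.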