Low-rate flow table overflow attack defense system based on two-level threshold in software-defined networks
| Published in | Expert Systems with Applications, Vol. 293, p. 128685 |
|---|---|
| Format | Journal Article |
| Language | English |
| Publisher | Elsevier Ltd |
| Published | 01.12.2025 |
Summary: Software-defined networks (SDN) separate traffic management and packet forwarding, allowing for network programmability. SDN has grown more vulnerable to network attacks as a result of its growing use in many facets of social production. Low-rate flow table overflow (LFTO) is a form of attack that targets SDN networks. A significant quantity of flow entries are put in the flow table as a result of sending fake malicious packets to the switch flow table. We provide a two-level threshold (DMS-BTT) based protection solution to counter this threat. DMS-BTT employs the CatBoost method to detect LFTO attacks and identify malicious flows by extracting properties from the flow table and flow rules. The system sets two levels of thresholds for flow table utilization depending on the urgency of the flow table subject to LFTO attacks, corresponding to the malicious flow eviction mode and the flow table overflow prevention mode of the attack mitigation module. Finally, we conducted comprehensive experiments to verify that DMS-BTT can effectively mitigate LFTO attacks with low system overhead and limit the proportion of attack flows in total traffic to less than 10%.

| ISSN | 0957-4174 |
|---|---|
| DOI | 10.1016/j.eswa.2025.128685 |