Table 1 Strategies used and limitations of existing defense mechanisms, grouped by category: traffic management and access control.
| Category | Approach | Description | Key limitations |
|---|---|---|---|
| Traffic Management | Connection Management (Shin et al.3) | Utilized connection management and trigger activation to prevent unauthorized access ahead of time. | Their method does not differentiate between individual switch levels, which causes legitimate traffic to be unnecessarily blocked. |
| Traffic Management | FloodGuard (Wang et al.4) | Presented FloodGuard, which includes proactive flow rule installation and packet migration for dynamic traffic control. | Although this technique is effective, it applies rate-limited packet processing indiscriminately and could thus degrade service quality for legitimate users due to huge volumes of traffic. |
| Traffic Management | FlowFense (Piedrahita et al.5) | Proposed FlowFense, which constrains bandwidth upon detection of congestion. | This method has the potential to penalize any traffic passing through affected pathways, even legitimate traffic. |
| Traffic Management | SDN-Guard (Dridi et al.6) | Proposed SDN-Guard, which dynamically reroutes traffic and adjusts flow timeouts to mitigate threats. | It lacks detailed flow-specific analysis, causing unnecessary rerouting in unaffected network segments. |
| Access Control | Flow Tracking (Wang et al.7) | Focused on stringent access controls and network flow tracking to enhance security. | Their approach requires frequent updates and can delay legitimate traffic. |
| Access Control | Peer Support (Yuan et al.8) | Utilized a peer support strategy to redistribute processing loads and manage flow table resources. | This technique overlooks the attack’s origin, leading to potential inefficiencies in resource distribution. |
| Access Control | ArOMA (Sahay et al.9) | Proposed ArOMA, which facilitates automated mitigation actions between customers and ISP controllers. | This centralized policy generation can lead to delays and create a single point of failure. |
| Access Control | C2C Protocols (Hameed et al.10) | Advocated for Controller-to-Controller communication protocols to expedite attack information distribution for swift, collaborative defense. | This method may neglect the detailed data provided by individual switch flow tables, potentially causing inefficiencies in response times and mitigation efforts. |
| Access Control | SGS Framework (Wang et al.11) | Introduced the SGS framework for workload distribution and targeted traffic management. | It could potentially simplify DDoS threat responses by not fully utilizing flow table data. |