][]

Article

Network Security against DDoS attacks using the

Floodlight controller

Seguridad en la Red contra ataques DDoS utilizando el

controlador Floodlight

Eylin Ortega Buelvas ¹

Carlos Martínez Guerra ²

and Jorge Gómez Gómez ³∗

1

Faculty of Engineering, Systems Engineering, Universidad de Córdoba, Montería, 800001, Colombia;

eortegabuelvas76@correo.unicordoba.edu.co; cmartinezguerra93@correo.unicordoba.edu.co;

jeliecergomez@correo.unicordoba.edu.co

∗

Correspondence: jeliecergomez@correo.unicordoba.edu.co

Citation: Ortega, E.; Martínez, C.; Gómez, J. Network Security against DDoS attacks using the Floodlight controller. OnBoard Knowledge

Journal 2025, 1, 1. https://doi.org/10.70554/OBJK2025.v01n02.01

Received: 17/07/2025, Accepted: 20/09/2025, Published: 24/10/2025

DOI: https://doi.org/10.70554/OBJK2025.v01n02.01

Abstract: Nowadays, the Internet has become one of the most widely used platforms for conducting transactions and

managing information worldwide, which highlights the need to strengthen cybersecurity systems against increasing

digital threats. Among the most common attacks are Distributed Denial of Service (DDoS) attacks, which aim to disrupt

the operation of networks, services, or websites by overwhelming them with massive amounts of malicious trafﬁc,

exhausting their resources and preventing legitimate requests from being processed. This project aimed to analyze and

implement a simulation environment to assess service vulnerability to DDoS attacks and propose early detection and

mitigation strategies. A network architecture based on Software Deﬁned Networking (SDN) was designed using the

Floodlight controller, enabling dynamic trafﬁc management and anomaly detection. Controlled attack simulations were

conducted to observe system behavior and evaluate its response capacity. The results demonstrated that integrating the

Floodlight controller signiﬁcantly improves detection and response to trafﬁc saturation events, reducing the likelihood

of critical service disruptions. In conclusion, SDN based environments represent an effective alternative to enhance

cybersecurity in network infrastructures, providing a ﬂexible framework for monitoring, prevention, and mitigation of

DDoS.

Keywords: Cyber attack; DDoS attack; Floodlight; Simulation.

Resumen: En la actualidad, Internet constituye uno de los medios más utilizados para la realización de transacciones y la

gestión de información a nivel mundial, lo que resalta la necesidad de fortalecer la seguridad de los sistemas informáticos

ante el incremento de amenazas cibernéticas. Entre los ataques más frecuentes se encuentran las Denegaciones de Servicio

Distribuidas (DDoS), cuyo propósito es interrumpir el funcionamiento de redes, servicios o sitios web mediante el envío

masivo de tráﬁco malicioso, saturando los recursos del sistema e impidiendo la atención de so-licitudes legítimas. El

objetivo de este proyecto fue analizar e implementar un entorno de simu-lación que permitiera evaluar la vulnerabilidad

de los servicios ante ataques DDoS y proponer estrategias de detección y mitigación temprana. Para ello, se diseñó una

arquitectura de red basada en Software Deﬁned Networking (SDN) empleando el controlador Floodlight, que facilita

OnBoard Knowledge Journal 2025, 1, 1.

https://revistasescuelanaval.com/obk/

Licensed by Escuela Naval de Cadetes "Almirante Padilla", COL.

This article is freely accessible and distributed under the terms and conditions

of Creative Commons Attribution (https://creativecommons.org/licenses/by/4.0/).

OnBoard Knowledge Journal 2025, 1, 1

2 of 12

la administración dinámica del tráﬁco y la identiﬁcación de patrones anómalos. Se realizaron pruebas controladas de

ataques simulados para observar el comportamiento del sistema y medir su capacidad de respuesta. Los resultados

evidenciaron que la integración del controlador Floodlight permite mejorar signiﬁcativamente la detección y respuesta

ante eventos de saturación de tráﬁco, reduciendo la probabilidad de interrupciones críticas. En conclusión, la utilización

de entornos SDN constituye una alternativa eﬁcaz para fortalecer la ciberseguridad en infraestruc-turas de red, brindando

un marco adaptable para el monitoreo, la prevención y la mitigación de ataques DDoS.

Palabras clave: Ataque cibernético; Ataque DDoS; Floodlight; Simulación.

1. Introduction

In the current context, the Internet has become a key platform for transactions and service delivery at

a global scale, which highlights the importance of protecting computer systems against cyber threats such

as Distributed Denial of Service (DDoS) attacks. These attacks aim to saturate the resources of networks or

applications through massive volumes of malicious trafﬁc, thereby affecting the availability and performance

of legitimate services [6].

Software-Deﬁned Networking (SDN) has emerged as an effective approach to mitigate such attacks by

centralizing trafﬁc management and enabling rapid responses to anomalous behavior [2]. Controllers such as

Floodlight are particularly relevant due to their ability to monitor network trafﬁc, enforce dynamic rules, and

ﬁlter malicious ﬂows, thus enhancing overall network security. Additionally, the use of simulation tools such

as Mininet is essential for testing mitigation strategies in controlled environments, allowing vulnerabilities to

be identiﬁed and system behavior to be evaluated under realistic attack scenarios.

Numerous studies have addressed DDoS attack mitigation in SDN environments from different per-

spectives. According to [4], SDN represents a paradigm shift in communication networks by separating the

control and data planes and relying on a centralized controller that enables ﬂexible and adaptive network

management. That work proposes a defense mechanism against HTTP ﬂooding attacks based on a dual strat-

egy combining proactive and reactive techniques, implemented in a Mininet-based simulated environment.

The experimental results demonstrate that such mechanisms can provide an additional layer of security while

preserving quality of service.

From a broader perspective, the use of SDN controllers has become a fundamental strategy for pro-

tection against DDoS attacks, particularly in scenarios involving Internet of Things (IoT) devices. In this

context, controllers centralize network intelligence and allow precise trafﬁc monitoring, facilitating the

rapid identiﬁcation of abnormal patterns associated with DDoS attacks and the application of immediate

countermeasures, such as blocking suspicious IP addresses or limiting bandwidth. This approach has been

shown to improve detection and response capabilities in controlled environments, thereby minimizing the

impact of attacks on affected servers.

According to [8], effective mitigation of DDoS attacks requires centralized network administration and

the application of real-time defense strategies. By implementing a centralized SDN controller, it becomes

possible to continuously monitor trafﬁc, detect attack patterns, and make rapid decisions to isolate malicious

connections while maintaining service availability for legitimate users. Recent studies further demonstrate

that SDN-based approaches optimize network resource utilization and reduce response times through the

use of simulated attack scenarios in controlled environments, as achieved with tools such as NeSSi2.

Similarly, [1] propose effective DDoS mitigation solutions based on robust ﬁrewall conﬁgurations and

software modules such as IPTables and MOD_EVASIVE. When integrated into SDN control systems, these

mechanisms can signiﬁcantly reduce the load of malicious packets on servers by automatically blocking

suspicious sources and enforcing request-limiting policies. Such strategies have been reported to reduce the

impact of DDoS attacks on network infrastructure by up to 80%.

In this context, the present study focuses on the implementation of the Floodlight controller within

simulated environments to strengthen detection and response strategies against DDoS attacks. Emphasis is

OnBoard Knowledge Journal 2025, 1, 1

3 of 12

placed on the role of simulation platforms in evaluating and improving the defensive capabilities of network

infrastructures, contributing to the development of more resilient and adaptive cybersecurity solutions.

This paper is structured as follows: Section 2 presents the main contributions of the study. Section 3

introduces the theoretical framework related to DDoS attacks and Software-Deﬁned Networking. Section 4

describes the materials, tools, and experimental methodology employed. Section 5 reports and analyzes the

results obtained from the simulated attack and mitigation scenarios. Finally, Section 6 summarizes the main

ﬁndings and outlines future research directions.

2. Contributions

This research presents the following contributions:

i.

A Software-Deﬁned Networking (SDN) architecture based on the Floodlight controller is designed

and implemented to analyze and mitigate Distributed Denial of Service (DDoS) attacks within a

controlled simulation environment.

ii.

iii.

iv.

A simulation-based experimental methodology using Mininet is established to reproduce both normal

trafﬁc conditions and DDoS attack scenarios, enabling systematic evaluation of network behavior

under trafﬁc saturation.

The effectiveness of centralized trafﬁc monitoring and dynamic rule enforcement through the Flood-

light controller is demonstrated, showing signiﬁcant improvements in the detection and mitigation of

anomalous trafﬁc patterns associated with DDoS attacks.

Experimental results provide evidence that SDN-based solutions enhance network resilience and

service availability by reducing resource exhaustion and packet loss during attack conditions.

3. Related Works

3.1. Deﬁnition and Types of DDoS Attacks

According to [9], Distributed Denial of Service (DDoS) attacks have the main objective of interrupting

the normal operation of a system, network, or service by overloading its resources with an excessive volume

of trafﬁc. These attacks are classiﬁed into three main categories: volumetric, which generate a large volume

of data to overload the system; protocol-based, which exploit weaknesses in network protocols to exhaust

resources; and application-layer attacks, which directly affect applications or services such as web servers

through disguised malicious requests. Each of these types uses different methods and metrics to measure its

impact, such as bits per second (bps) or requests per second (rps).

3.2. Impact on Networks and Systems

DDoS attacks can cause signiﬁcant consequences, such as the interruption of essential services, economic

losses due to the inaccessibility of resources, and damage to the reputation of organizations. Their growth has

been exponential, with an increasing number of devices connected to the network becoming targets or tools

within botnets, which increases both their frequency and magnitude. Among the motivations for carrying

out this type of attack are ﬁnancial gain and personal interests [9].

3.3. Architecture and Principles of SDN

SDN separates the control plane (where network decisions are made) from the data plane (responsible for

packet forwarding), centralizing network intelligence in a software controller. This facilitates the conﬁguration

and management of the network through programming, improving scalability and ﬂexibility. The SDN

architecture includes three main layers:

•

Infrastructure layer: Contains devices such as switches and routers that execute the controller’s instruc-

tions.

•

Control layer: Where the SDN controller operates, managing forwarding decisions.

Application layer: Integrates services and applications through speciﬁc interfaces (Northbound APIs).

OnBoard Knowledge Journal 2025, 1, 1

4 of 12

This model allows networks to be conﬁgured and managed dynamically and openly, eliminating the

limitations of traditional hardware-based approaches.

3.4. Advantages of SDN in Network Management

According to [10], SDN provides key advantages in network management, such as centralization, which

allows efﬁcient control from a single point; ﬂexibility to adapt the network to new services; automation,

which minimizes human errors and speeds up conﬁgurations; and scalability, facilitating the incorporation of

new devices through open standards such as OpenFlow. These characteristics make SDN ideal for dynamic

environments such as data centers.

3.5. Role of SDN Controllers in Network Security

The SDN controller is fundamental to network security, as it centralizes policy management, detects

and mitigates threats, and constantly monitors the state of the network to respond to attacks in real time. In

addition, it facilitates the integration of advanced security systems such as ﬁrewalls and IDS/IPS. However,

as a critical point, it requires robust protection measures such as encryption, authentication, and forensic

analysis to prevent vulnerabilities [10].

3.6. Floodlight: Characteristics and Functionalities

Floodlight is a Software-Deﬁned Networking (SDN) controller based on the OpenFlow protocol, devel-

oped in the Java programming language. This controller stands out for its compatibility with a wide range of

devices, both physical and virtual switches, and for offering tools that facilitate the management of complex

network topologies. Among its main functionalities are the creation of access control rules, remote device

monitoring, and real-time visualization of the network status. In addition, Floodlight allows administrators

to conﬁgure the network easily, ensuring high performance, fault tolerance, and robust security options such

as user authentication, authorization, and anomaly detection [10].

3.7. Security Modules in Floodlight

This controller can include several security functionalities designed to protect SDN networks. Its

architecture allows the implementation of access rules through Access Control Lists (ACLs) as well as trafﬁc

segmentation policies through VLANs. It also supports advanced functions such as anomaly detection in

trafﬁc, fault recovery, and authentication and authorization tools to guarantee secure access to the controller

and connected devices. These modules make Floodlight an effective solution for managing networks in a

centralized manner with high levels of security [7].

3.8. Floodlight Compatibility with Simulation Environments

It is widely used in simulation environments thanks to its integration with tools such as Mininet and

MiniEdit, which allow the design and testing of SDN networks without the need for physical hardware. Its

ability to operate on virtualized platforms such as VirtualBox, along with its support for OpenFlow, makes it

ideal for educational and experimental environments. These characteristics allow users to emulate complex

networks, verify host connectivity, analyze packet trafﬁc, and optimize performance before implementing

them in a physical environment [7].

3.9. Mininet for the Creation of Virtual Topologies

It is a widely used network simulation tool for emulating virtual topologies (Fig 1). It allows the creation

of hosts, switches, controllers, and virtual links on a physical machine, making use of optimized resources.

One of its main features is the ability to design customized topologies through Python scripts or via the

graphical interface Miniedit. In addition, Mininet supports OpenFlow compatible switches, making it an ideal

platform for testing SDN architectures. It is a scalable, realistic, and easy-to-use solution for experimenting

with complex networks without the need for physical hardware [5].

OnBoard Knowledge Journal 2025, 1, 1

5 of 12

Figure 1. Creation of a topology.

Source: The authors.

3.10. Use of ICMP Tools such as Ping for Connectivity Testing

Ping is a fundamental tool that uses the Internet Control Message Protocol (ICMP) to verify connectivity

between devices in a network (Fig 2. In simulations performed with Mininet, it allows veriﬁcation that nodes

are properly interconnected. In addition, it measures packet latency and diagnoses issues such as data loss or

high response time. This simple yet powerful command is essential for validating conﬁgurations in virtual

networks and ensuring their operability [5].

Figure 2. Veriﬁcation of connectivity between h1 and h2.

Source: The authors.

3.11. Simulation of Trafﬁc and Attacks in Controlled Environments

Mininet allows the emulation of network trafﬁc and attack scenarios in a safe and controlled environ-

ment, facilitating the evaluation of security conﬁgurations and network performance. For example, it is

possible to generate trafﬁc between nodes using tools such as iperf to measure bandwidth or to simulate DoS

attacks to analyze network resilience (Fig 3). These simulations are useful for testing security policies, such

as Access Control Lists (ACL) and ﬁrewall conﬁgurations, before their implementation in real networks [5].

Figure 3. Simulation of trafﬁc and attacks.

Source: The authors.

3.12. Monitoring and Analysis of Anomalous Trafﬁc

Monitoring and analyzing anomalous trafﬁc is based on the constant observation of the network to

identify unusual behavior patterns that may indicate a DDoS attack. This strategy uses advanced tools such

as Intrusion Detection Systems (IDS) and packet analysis to identify abnormal data ﬂows. For example,

sudden spikes in trafﬁc volume, suspicious IP addresses, or repeated attempts to access restricted resources

OnBoard Knowledge Journal 2025, 1, 1

6 of 12

are monitored. These indicators allow for the implementation of rapid responses to mitigate the impact, such

as temporarily blocking suspicious addresses or limiting bandwidth [3].

3.13. Filtering of Malicious Packets

This is a mitigation technique that involves inspecting incoming data packets to detect harmful content.

Through the use of ﬁrewalls, Access Control Lists (ACL), and Deep Packet Inspection (DPI) technologies,

suspicious or malicious requests are discarded before they reach the servers. This process includes identifying

attack signatures, malicious IP addresses, and trafﬁc patterns that match known attacks, ensuring that only

legitimate packets gain access to network resources [3].

4. Materials and Methods

4.1. Preparation of the Test Environment

To carry out the DDoS attack mitigation experiment, a controlled environment was created to replicate

the behavior of a real network. This process involved the use of speciﬁc tools such as Mininet for network

simulation, Floodlight as the SDN controller, and a custom script designed to monitor and analyze network

trafﬁc.

First, the Floodlight controller (Fig. 4) was executed, which was responsible for managing the network

workﬂows.

Figure 4. Execution of the Floodlight controller.

Source: The authors.

Second, the script (Fig. 5) responsible for monitoring possible DDoS attacks was run. This script records

and displays detailed statistics in the console, including information about monitored hosts and those that

have been blocked as part of the mitigation measures.

Subsequently, a network topology was conﬁgured, consisting of a central switch connected to seven

hosts (Fig. 6), representing a typical network scenario. Figure 7 graphically illustrates this topology as

visualized in the controller’s web interface.

4.2. DDoS Attack Simulation

Once the test environment conﬁguration was completed, the generation of normal trafﬁc in the network

began (Fig. 8), using the ping command between host1 and host3. As a result, responses were obtained

from host3 along with their statistics, demonstrating that connectivity between both hosts was functioning

correctly.

Finally, to simulate the DDoS attack, the ping command with the -f parameter was used between host2

and host4. In Figure 9, it can be observed that the ﬁrst packets sent are correctly responded to by host4;

OnBoard Knowledge Journal 2025, 1, 1

7 of 12

Figure 5. Execution of the DDoS attack prevention script.

Figure 6. Execution of the topology in Mininet.

Source: The authors.

however, once the massive sending of packets begins, they are represented in the console as dots, highlighting

the intensity of the generated trafﬁc.

5. Results

During the execution of the experimental section, a detailed monitoring of the number of packets sent

over time was carried out, covering the different scenarios considered (Fig. 10). This analysis made it possible

to identify trafﬁc patterns under both normal conditions and during the simulation of a DDoS attack.

Figure 11 shows the packet trafﬁc sent by different hosts over time. The orange line represents the trafﬁc

between hosts 10.0.0.1 and 10.0.0.3, showing a constant increase. Meanwhile, the brown line reﬂects the

rise in packet transmission from host 10.0.0.2 to host 10.0.0.4, which initially corresponds to a normal trafﬁc

environment.

After a few seconds, host 4 begins to receive more than 50,000 packets, indicating an unusual behavior

compared to the other hosts. This abrupt increase stands out in the graph, making the trafﬁc sent to host 3

appear insigniﬁcant in relative terms (Fig. 12).

Once the script in charge of preventing DDoS attacks detects this unusual behavior, it sends the

necessary rules to the controller to block the host generating the massive trafﬁc. This prevents further

resource consumption and mitigates the impact of the attack.

In the ping command statistics, out of the 104,445 packets transmitted over a 12-minute period, 42%

were not received by the host. This packet loss is due both to the impact of the massive trafﬁc and to the

action of the script responsible for blocking the sending host, thus mitigating excessive resource consumption

in the network.

OnBoard Knowledge Journal 2025, 1, 1

8 of 12

Figure 7. Network topology simulated in Mininet.

Source: The authors.

Figure 8. Execution of the ping command between host1 and host3.

Source: The authors.

6. Conclusions

This study evaluated the effectiveness of the Floodlight controller in mitigating DDoS attacks within

environments based on Software-Deﬁned Networks (SDN). The experimental results demonstrated that the

implemented architecture allows the identiﬁcation and blocking of anomalous trafﬁc patterns in real time,

signiﬁcantly reducing resource saturation and packet loss, which in the test scenarios reached up to 42%

before system intervention.

OnBoard Knowledge Journal 2025, 1, 1

9 of 12

Figure 9. Execution of the ping command between host1 and host2 with the -f parameter.

Source: The authors.

Figure 10. Normal packet trafﬁc rate between hosts (IP: 10.0.0.1, 10.0.0.3, 10.0.0.2, and 10.0.0.4) as a function of time.

Source: The authors.

The simulation in Mininet made it possible to analyze network behavior in a controlled manner under

different levels of attack, showing that the automatic response of the controller prevents critical interruptions

and improves service availability. This approach conﬁrms that SDNs represent an efﬁcient and scalable

alternative to strengthen cybersecurity in network infrastructures.

Likewise, the integration of Floodlight with detection and ﬁltering modules proved to be a viable

strategy for implementing adaptive defense policies, adjustable to the dynamic conditions of trafﬁc. It is

OnBoard Knowledge Journal 2025, 1, 1

10 of 12

Figure 11. Exponential increase in packet trafﬁc rate during the DDoS attack.

Source: The authors.

Figure 12. Network statistics after DDoS attack mitigation.

Source: The authors.

recommended to further explore future research lines aimed at incorporating machine learning and predictive

analysis techniques to anticipate malicious behavior and optimize response times to security incidents.

Overall, the ﬁndings of this research provide practical evidence of the capability of SDN controllers to

manage complex environments, offering a solid framework for the development of preventive and mitigation

solutions against DDoS attacks in modern networks.

OnBoard Knowledge Journal 2025, 1, 1

11 of 12

Author Contributions: Eylin Ortega: Software, Visualization, Validation, Formal analysis, Investigation, Resources.

Carlos Martínez: Conceptualization, Methodology, Writing – original draft, Writing – review & editing. Jorge Gómez:

Data curation, Supervision, Project administration, Funding acquisition.

All authors have read and agreed to the published version of the manuscript. Refer to the taxonomía CRediT for term

explanations. Authorship should be limited to those who have contributed substantially to the work reported.

Funding: This research received no external funding.

Institutional Review Board Statement: Not applicable, since the present study does not involvehuman personnel or

animals.

Informed Consent Statement: This study is limited to the use of technological resources, so nohuman personnel or

animals are involved.

Conﬂicts of Interest: Under the authorship of this research, it is declared that there is no conﬂict of interest with the

present research.

References

1. (2016). Evaluación de ataques de denegación de servicio dos y ddos, y mecanismos de protección. GEEKS DECC-

REPORTS, 2(1).

2. Alenezi, M., Al-Haija, Q. A., and Alqaralleh, B. (2023). Intelligent ddos attack detection and mitigation in sdn: A

hybrid machine learning approach. IEEE Access, 11:45678–45691.

3. Clavo Tafur, C. J. (2022). Análisis comparativo de técnicas de mitigación de ataque de ddos en cloud computing.

Trabajo académico.

4. Cortés, J. P. (2016). Defensa proactiva y reactiva ante ataques ddos en un entorno simulado de redes deﬁnidas por

software. Trabajo académico.

5. Guanoluisa Jaramillo, E. D. (2019). Diseño de la arquitectura de una red sdn mediante el protocolo openﬂow con

simulación en el software mininet para la infraestructura de una pymes.

6. Kaur, P. and Singh, A. (2022). A comprehensive survey on ddos attacks and defense mechanisms in cloud and

software-deﬁned networks. Computer Networks, 211:108964.

7. Melendres Del Pezo, S. M. (2023). Propuesta de implementación de una red sdn por medio del controlador ﬂoodlight

y mininet para la institución unidad educativa americano.

8. Molina, L., Cevallos, Y., Machado, G., and Furfaro, A. El enemigo moderno: Ataques ddos en la capa de red y de

aplicación. Publicación académica.

9. Pérez Gómez, P. (2017). Estudio de ataques ddos basados en dns.

10. Ruipérez Cuesta, J. (2021). Seguridad en Redes deﬁnidas por software (SDN). Doctoral dissertation, Universitat Politècnica

de València, Valencia, España.

Authors’ Biography

Eylin Ortega Buelvas Robotics and programming teacher.

Carlos Martínez Guerra Systems Engineer, Backend developer specialized in RESTful APIs

with Laravel and Spring Boot, frontend with Vue.js.

OnBoard Knowledge Journal 2025, 1, 1

12 of 12

Jorge Gómez Gómez Research professor at the Faculty of Systems Engineering.

Disclaimer/Editor’s Note: Statements, opinions, and data contained in all publications are solely those of the individual

authors and contributors and not of the OnBoard Knowledge Journal and/or the editor(s), disclaiming any responsibility

for any injury to persons or property resulting from any ideas, methods, instructions, or products referred to in the

content.