Comprehensive Analysis of DDoS Anomaly Detection in Software-Defined Networks

Software-Defined Networking (SDN) offers significant advantages for modern networks, including flexibility, centralized control, and reduced dependency on vendor-specific hardware. However, these benefits introduce security vulnerabilities, particularly from Distributed Denial-of-Service (DDoS) attacks, which represent some of the most disruptive threats to SDN environments. A review of the literature shows that while various techniques have been proposed to counteract DDoS threats, many studies have focused on single detection methods, with only a few utilizing multiple approaches. This fragmented focus limits a comprehensive approach to addressing DDoS threats across the SDN layers. To bridge this gap, this paper presents the first comprehensive review of DDoS anomaly detection in SDN, examining over 165 primary research articles published between 2020 and 2024. A novel taxonomy of DDoS attacks is introduced, categorizing them by distinct characteristics, and mapping each attack type to relevant detection methods within specific SDN layers. The survey provides a layer-by-layer analysis of DDoS detection techniques, covering the application, control, and infrastructure layers, and offers a structured overview that clarifies the applicability and effectiveness of each method. The paper concludes by synthesizing key findings, identifying unresolved challenges, and outlining future research directions to advance DDoS detection mechanisms in SDN. This roadmap is designed to guide researchers in addressing security vulnerabilities and enhancing SDN resilience against evolving DDoS threats.