Title: Towards a Cyber Defense System in Software-Defined Tactical Networks
Authors: Kloth, Sean; Lopes Rettore, Paulo Henrique; Zißner, Philipp; Santos, Bruno P.; Sevenich, Peter
Type: conference paper
Dates: 2025-05-26; 2025-05-26; 2024
URL: https://publica.fraunhofer.de/handle/publica/487977
DOI: 10.1109/ICMCIS61231.2024.10540952
Scopus ID: 2-s2.0-85195660793
Language: en
Keywords: Cyber security; Resilience; Software-defined Networking; Tactical networks

Abstract: This study investigates the robustness of a Software-defined Networking (SDN) controller when confronted with a Distributed Denial-of-Service (DDoS) attack in a tactical environment. A proactive defense mechanism is introduced to detect and respond to a flooding of 'packet-in' requests, triggering a response once the network features indicate an anomaly. The methodology consists of two components: the Cyber Defense Agent (CDA), consisting of monitoring, feature engineering, detection, and responses, and the Cyber Attack Agent (CAA), including the preparation, execution, and evaluation of the attack. The CDA monitors all the IP flows from the SDN controller and processes four main features such as the average number of 'packet-in' requests, the response time to these requests, the entropy of IP addresses and ports for source and destination, and 'packet-in' requests per switch to identify compromised switches. All the components were emulated and tested, collecting quantitative evidence to demonstrate the effectiveness of both agents.