Abstract
Low-rate Denial of Service (LDoS) attacks pose a significant threat to Software-Defined Networks (SDNs) by exploiting TCP congestion control mechanisms and evading traditional detection systems. While existing SDN-based detection approaches have achieved high accuracy rates, they suffer from critical practical limitations that prevent production deployment: excessive control channel overhead, substantial detection delays, high false positive rates, and limited coverage against evolving attack variants. These operational constraints render existing solutions unsuitable for high-speed production networks where real-time response, scalability, and minimal false alarms are essential. This paper presents an eBPF/XDP LDoS detection framework that embeds eBPF/XDP programs directly in the data path of OpenFlow switches for real-time attack detection and mitigation. By performing detection at the kernel level, our approach addresses the fundamental architectural limitations of controller-dependent systems, enabling practical deployment in production environments. The framework employs four lightweight features—Inter-Arrival Time variance, burst rate, payload size variance, and new flow arrival rate—to capture both TCP-targeted attacks and SDN-specific vulnerabilities. An adaptive Exponential Moving Average mechanism with dynamic thresholding continuously recalibrates baseline metrics, ensuring robust detection across varying traffic patterns while minimizing false positives. Evaluation across nine LDoS attack variations demonstrates that the framework achieves near-optimal detection accuracy (99.9 % accuracy, 99.7 % F1-score) while providing dramatic operational improvements that establish it as the first production-ready LDoS detection solution. Comparative analysis against eight state-of-the-art approaches reveals substantial practical advantages: 87 % reduction in false positives (0.07 % vs. 0.484 % for the best existing approach), 95 % faster detection speed (25.06 ms vs. 0.5–13.17 secs), and elimination of detection-phase control channel overhead (zero bytes/sec vs. 1,068–17,791 bytes/sec continuous polling in existing methods). These improvements address the critical barriers that have prevented previous high-accuracy approaches from real-world deployment. The framework maintains minimal operational impact with 0.091 % memory overhead and acceptable CPU utilization, validating its suitability for high-speed production deployment.
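The abstract names the four per-window features and an EMA baseline with dynamic thresholds but, being an abstract, does not define them. The following added example (written for this page; it is not the paper's code and does not reproduce its eBPF/XDP program) shows one way the detection logic could look, simulated in user space over constructed packet records. Everything beyond the abstract is this example's assumption: a 1 s observation window, "burst rate" measured as the peak packet count in any 10 ms sub-bin scaled to packets per second, an EMA of the mean and of the mean absolute deviation per feature, a threshold of mean plus k deviations with a relative floor so a perfectly steady baseline does not alert on the first jitter, a two-feature vote before raising an alert, and freezing the baseline while alerting so that attack windows do not retrain it. The constructed traffic is 50 evenly spaced benign packets per second; the attack window adds a 50 ms burst of 200 minimal packets from previously unseen flows, which is the low-average-rate, high-peak shape that evades a plain packets-per-second rate check.

```python
"""Window-based LDoS feature extraction with adaptive EMA thresholding.

Illustrative code added for this page, not the paper's implementation. Feature
definitions, window size, EMA rule and alert vote are assumptions of this example.
"""
import random
import statistics

WINDOW_US = 1_000_000      # assumed 1 s observation window, in microseconds
BURST_BIN_US = 10_000      # assumed 10 ms sub-bin for the burst-rate feature
FEATURES = ("iat_var", "burst_rate", "payload_var", "new_flow_rate")


def window_features(packets, seen_flows):
    """Compute the four features for one window.

    packets: list of (timestamp_us, payload_bytes, flow_id) seen in the window.
    seen_flows: set of flow ids seen in earlier windows; updated in place.
    """
    pkts = sorted(packets)
    ts = [p[0] for p in pkts]
    iats = [b - a for a, b in zip(ts, ts[1:])]
    bins = {}
    for t in ts:                       # packets per 10 ms sub-bin
        b = t // BURST_BIN_US
        bins[b] = bins.get(b, 0) + 1
    new_flows = {p[2] for p in pkts} - seen_flows
    seen_flows.update(new_flows)
    return {
        "iat_var": statistics.pvariance(iats) if len(iats) > 1 else 0.0,
        # peak sub-bin count scaled to packets/s; a short burst shows up here
        # even when the window's average rate stays low
        "burst_rate": max(bins.values(), default=0) * (1e6 / BURST_BIN_US),
        "payload_var": statistics.pvariance([p[1] for p in pkts]) if len(pkts) > 1 else 0.0,
        "new_flow_rate": len(new_flows) / (WINDOW_US / 1e6),
    }


class AdaptiveDetector:
    """Per-feature EMA of the mean and of the mean absolute deviation.

    threshold = mean + k * max(dev, rel_floor * mean); an alert needs at least
    min_votes features over threshold. The baseline is only updated on windows
    that did not alert, so attack traffic does not become the new normal.
    """

    def __init__(self, alpha=0.3, k=3.0, rel_floor=0.5, warmup=10, min_votes=2):
        self.alpha, self.k, self.rel_floor = alpha, k, rel_floor
        self.warmup, self.min_votes = warmup, min_votes
        self.mean = {}
        self.dev = {f: 0.0 for f in FEATURES}
        self.seen = 0

    def _update(self, feats):
        for f in FEATURES:
            x = feats[f]
            if f not in self.mean:         # first observation seeds the baseline
                self.mean[f] = x
                continue
            err = abs(x - self.mean[f])
            self.dev[f] += self.alpha * (err - self.dev[f])
            self.mean[f] += self.alpha * (x - self.mean[f])

    def thresholds(self):
        return {f: self.mean[f] + self.k * max(self.dev[f], self.rel_floor * self.mean[f])
                for f in FEATURES}

    def observe(self, feats):
        """Feed one window's features; returns (alert, list_of_exceeded_features)."""
        self.seen += 1
        if self.seen <= self.warmup:       # learn only, never alert, during warm-up
            self._update(feats)
            return False, []
        thr = self.thresholds()
        exceeded = [f for f in FEATURES if feats[f] > thr[f]]
        alert = len(exceeded) >= self.min_votes
        if not alert:
            self._update(feats)
        return alert, exceeded


def benign_window(rng, w):
    """Constructed benign traffic: 50 packets about 20 ms apart with +/-5 ms
    jitter, 400-1400 byte payloads, flows w..w+9 (one flow new per window)."""
    base = w * WINDOW_US
    return [(base + 10_000 + 20_000 * i + rng.randint(-5_000, 5_000),
             rng.randint(400, 1400), w + (i % 10)) for i in range(50)]


def ldos_burst(w):
    """Constructed LDoS pulse: 200 minimal 40-byte packets within 50 ms, each
    from a flow id never seen before."""
    base = w * WINDOW_US + 400_000
    return [(base + 250 * i, 40, 1_000_000 + w * 1000 + i) for i in range(200)]


def run_demo(n_benign=20, attack_at=20, tail=3, seed=1):
    """Run benign windows, one attack window, then a few more benign windows.
    Returns a list of (window_index, alert, exceeded_features)."""
    rng = random.Random(seed)
    det = AdaptiveDetector()
    seen = set()
    results = []
    for w in range(n_benign + 1 + tail):
        pkts = benign_window(rng, w)
        if w == attack_at:
            pkts += ldos_burst(w)
        alert, exceeded = det.observe(window_features(pkts, seen))
        results.append((w, alert, exceeded))
    return results


if __name__ == "__main__":
    for w, alert, exceeded in run_demo():
        print(f"window {w:2d}  alert={alert!s:5}  {exceeded}")
```

On the constructed input the benign windows never alert once warm-up ends, while the attack window trips at least the burst-rate and new-flow-rate thresholds: the 200-packet pulse raises the peak sub-bin count from 1 to about 40 and the unseen flow ids raise the new-flow rate from 1/s to 201/s, well past a baseline that has converged near the benign values. The relative floor on the deviation is the practical detail worth keeping: a feature such as burst rate that is constant on quiet traffic otherwise ends up with a zero deviation and a threshold equal to its mean, which turns every tiny fluctuation into a false positive.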
| Original language | English |
|---|---|
| Article number | 111939 |
| Journal | Computer Networks |
| Volume | 275 |
| DOIs | |
| State | Published - Feb 2026 |
Keywords
- Dynamic thresholding
- Kernel-level security
- Low-rate denial of service
- Software-defined networks
- eBPF/XDP
Title
Kernel-level LDoS attack detection in SDN networks: an eBPF/XDP framework with dynamic thresholding