DJRT: A Model for Real-Time Detection & Mitigation of DDoS attacks in Software Defined Networks
Abstract
Software-defined networks (SDN) offer significant flexibility, scalability, and dynamic management advantages. However, these networks are increasingly vulnerable to high-rate Distributed Denial of Service (DDoS) attacks. This study investigates the susceptibility of SDNs to such threats and presents a novel model, DJRT (Real-Time Detection and Mitigation of DDoS attacks). The model employs a dual strategy for both detection and mitigation. The objective is to detect multiple DDoS attacks that cause elephant flows and to mitigate them as the framework detects them, thereby enhancing SDN security and resilience. DJRT features a custom-developed script, ryu2m.js, for real-time detection and mitigation, along with the elephant.py script to identify the route through which an elephant flow occurs. The framework uses the sFlow flow-statistic tool to monitor network traffic, and a Mininet-emulated virtual SDN environment consisting of 27 hosts, 13 Open vSwitch switches, and a Ryu controller. The Mininet dashboard application provides visualization of the topology used, the connections between switches, and real-time traffic patterns and performance. The framework's effectiveness was evaluated through three distinct scenarios. In the first scenario, regular traffic was assessed without any detection and mitigation, resulting in a top flow of approximately 22 kbps, with baseline performance metrics recorded as an sFlow data rate of 61.5 kbps, 12.7 packets per second (pps), 1.78% CPU usage and 50.04% memory usage. The second scenario involved a single UDP DDoS attack occurring alongside regular traffic, leading to a top flow of about 105 mbps (attacker host 24 to victim host 10). This scenario saw a sharp traffic increase, characterized by a data rate of 25 mbps, a 2.32 kpps packet rate, 30.80% CPU usage, and 70.7% memory usage. However, the attack was successfully detected and mitigated.
The third scenario included three simultaneous UDP DDoS attacks occurring with regular traffic. For these attacks, the top flows reached approximately 50 mbps (attacker host 21 to victim host 2), 100 mbps (attacker host 14 to victim host 18), and 150 mbps (attacker host 3 to victim host 27). This resulted in a significant traffic increase, with a data rate of 36.9 mbps and a packet rate of 3.43 kpps, overwhelming the system and causing CPU usage to peak at 96.90% and memory usage at 87.2%.
Nevertheless, these attacks were also successfully detected and mitigated. The DJRT model effectively detects and mitigates both single and multiple high-rate UDP DDoS attacks. The findings emphasize its effectiveness in mitigating congestion caused by attacks, indicating a potential for significant improvements in security and performance within practical SDN applications. Further investigation is necessary to assess the framework's scalability and its implementation in larger SDNs.
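The detect-then-mitigate loop the abstract describes can be sketched as follows. This is an added example, not the paper's ryu2m.js or elephant.py. The 10 Mbps threshold, 1-second window, 1-in-100 sampling rate, `10.0.0.N` host addressing, rule priority and timeout are all assumptions, and the drop rule is shaped like a flow entry for Ryu's `ofctl_rest` application, which the abstract does not say DJRT uses.

```python
from collections import defaultdict

THRESHOLD_BPS = 10_000_000  # assumed elephant-flow threshold (not from the paper)
WINDOW_S = 1.0              # assumed measurement window, in seconds

def flow_rates(samples, window_s=WINDOW_S):
    """Estimate per-flow bit rates from sFlow-style packet samples.

    Each sample is (src, dst, ip_proto, frame_bytes, sampling_rate); one
    sampled packet stands for about `sampling_rate` packets on the wire.
    """
    bits = defaultdict(float)
    for src, dst, proto, size, rate in samples:
        bits[(src, dst, proto)] += size * 8 * rate
    return {flow: b / window_s for flow, b in bits.items()}

def elephant_flows(samples, threshold_bps=THRESHOLD_BPS):
    """Return (flow, bps) pairs at or above the threshold, largest first."""
    hits = [(f, r) for f, r in flow_rates(samples).items() if r >= threshold_bps]
    return sorted(hits, key=lambda item: item[1], reverse=True)

def drop_rule(flow, dpid=1, hard_timeout=60):
    """Build a time-limited OpenFlow 1.3 drop entry (empty action list = drop)."""
    src, dst, proto = flow
    return {"dpid": dpid, "priority": 40000, "hard_timeout": hard_timeout,
            "match": {"eth_type": 0x0800, "ip_proto": proto,
                      "ipv4_src": src, "ipv4_dst": dst},
            "actions": []}

def host(n):
    """Assumed addressing: Mininet host n is 10.0.0.n."""
    return f"10.0.0.{n}"

# Constructed samples mirroring the third scenario's top flows. With 1-in-100
# sampling and 1250-byte frames, each sample represents 1 Mbit on the wire.
SAMPLES = (
    [(host(21), host(2), 17, 1250, 100)] * 50      # ~50 Mbps UDP
    + [(host(14), host(18), 17, 1250, 100)] * 100  # ~100 Mbps UDP
    + [(host(3), host(27), 17, 1250, 100)] * 150   # ~150 Mbps UDP
    + [(host(5), host(9), 6, 275, 10)]             # ~22 kbps regular TCP flow
)

if __name__ == "__main__":
    for flow, bps in elephant_flows(SAMPLES):
        print(f"{flow[0]} -> {flow[1]} {bps / 1e6:.0f} Mbps", drop_rule(flow))
```

The hard timeout lets a blocked source recover automatically once the rule expires, which limits the damage if a legitimate bulk transfer is misclassified as an attack.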