Exploiting pitfalls in software-defined networking implementation

The centralised control provided by Software-Defined Networking (SDN) can improve network security, since all traffic can be vetted before it leaves the attachment switch. Nevertheless, as in any complex system, implementation and policy compromises lead to security vulnerabilities. This paper exploits such vulnerabilities to implement a suite of attacks: Address Resolution Protocol (ARP) cache poisoning, Man in the Middle, a port scan that bypasses firewalls and access control, called a Phantom Host Scan, and a Distributed Denial of Service attack, called a Phantom Storm, which induces legitimate hosts to participate. All of these attacks were successfully implemented in a Floodlight-controlled network.
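The ARP cache poisoning the abstract names works because an SDN controller that learns host bindings from ARP traffic will accept a spoofed reply as readily as a host would. The following is an added example, not code from the paper or from Floodlight, showing the kind of controller-side check that catches it: it parses raw ARP payloads from packet-in events, remembers which requests were actually sent, and flags replies that nobody asked for or that move an IP to a different MAC or switch port. All addresses, switch IDs, port numbers and the class and function names are constructed for the example.

```python
"""Added example (not from the paper): a controller-side check that flags
spoofed ARP replies of the kind used for ARP cache poisoning in an SDN.
All MACs, IPs, switch IDs and helper names below are constructed."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))


def parse_arp(payload: bytes) -> dict:
    """Parse the ARP header; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sha": payload[8:14].hex(":"),
        "spa": ".".join(str(b) for b in payload[14:18]),
        "tha": payload[18:24].hex(":"),
        "tpa": ".".join(str(b) for b in payload[24:28]),
    }


class ArpBindingMonitor:
    """Tracks IP -> (MAC, attachment point) bindings learned from packet-ins
    and flags replies that contradict them or that were never requested."""

    def __init__(self):
        self.bindings = {}    # sender IP -> (sender MAC, (dpid, in_port))
        self.pending = set()  # (answering IP, asking IP) for requests seen
        self.alerts = []      # (kind, dpid, in_port, spa, sha)

    def observe(self, dpid: int, in_port: int, eth_src: str, payload: bytes) -> list:
        arp = parse_arp(payload)
        found = []
        # 1. Ethernet source and ARP sender hardware address must agree.
        if eth_src.lower() != arp["sha"]:
            found.append("eth-arp-mismatch")
        if arp["oper"] == ARP_REQUEST:
            self.pending.add((arp["tpa"], arp["spa"]))
        elif arp["oper"] == ARP_REPLY:
            # 2. A reply must answer a request the controller saw go out.
            key = (arp["spa"], arp["tpa"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                found.append("unsolicited-reply")
        # 3. A sender IP must not move to another MAC or another port.
        known = self.bindings.get(arp["spa"])
        if known is None:
            self.bindings[arp["spa"]] = (arp["sha"], (dpid, in_port))
        elif known != (arp["sha"], (dpid, in_port)):
            found.append("binding-conflict")
        for kind in found:
            self.alerts.append((kind, dpid, in_port, arp["spa"], arp["sha"]))
        return found


def run_demo() -> list:
    """Three constructed packet-ins on switch 1: a legitimate exchange
    between hosts A and B, then an attacker C on port 3 claiming B's IP."""
    m = ArpBindingMonitor()
    A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    m.observe(1, 1, A, build_arp(ARP_REQUEST, A, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"))
    m.observe(1, 2, B, build_arp(ARP_REPLY, B, "10.0.0.2", A, "10.0.0.1"))
    m.observe(1, 3, C, build_arp(ARP_REPLY, C, "10.0.0.2", A, "10.0.0.1"))
    return m.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The attacker's reply in the demo is caught twice: once because no request for 10.0.0.2 from 10.0.0.1 was outstanding, and once because 10.0.0.2 was already bound to a different MAC on a different port. A real controller would act on the attachment point rather than the MAC alone, since the attacker controls every field of the frame; only the ingress switch and port are the switch's own observation.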
