Attacking distributed software-defined networks by leveraging network state consistency

Abstract

Distributed Software-Defined Networks (SDNs) aim to maintain a consistent network state across members of the distributed control plane. This paper introduces a novel variation of the packet-in flood designed to target distributed SDNs that synchronise the network state in a strongly consistent manner. The Event Flooding Attack (EFA) takes advantage of the characteristics of a strong consistency model to enable an attacker to distribute the adverse effect of a DoS attack across a cluster, as well as to engineer inconsistency between the true network state and the control plane's view of that state. The impact of the attack is evaluated through experiments using an OpenDaylight cluster. It has been demonstrated on the testbed used in this work that an attacker can increase CPU consumption on all cluster nodes and cause inconsistency for a period of ≈ 55 s when 500 events are flooded at a frequency of 1/ms, while the same can be achieved for a period of ≈ 770 s when 2000 events are flooded at the same frequency. The impact of the attack is further demonstrated through its collaboration with, and simplification of, an existing host impersonation attack.
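As an added illustration (not code from the paper or from OpenDaylight), two controls an operator could place in front of the replication path of a strongly consistent cluster: a per-switch sliding-window counter that flags a switch whose event rate approaches the 1/ms flood rate quoted in the abstract, and a per-switch token bucket that bounds how many events from one switch are admitted into the shared state store. The sample events, thresholds and function names are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample events, not measurements from the paper: (time_s, datapath_id).
# Background: switch s1 raises one new-flow event every 100 ms for 3 s.
BACKGROUND = [(i * 0.1, "s1") for i in range(30)]
# Flood: switch s2 raises 500 events at 1/ms starting at t = 1.0 s, the
# 500-event case described in the abstract.
BURST = [(1.0 + i * 0.001, "s2") for i in range(500)]
SAMPLE_EVENTS = sorted(BACKGROUND + BURST)


def detect_event_flood(events, window_s=1.0, threshold=100):
    """Sliding-window rate check per switch.

    Returns {datapath_id: time_of_first_alert} for every switch whose event
    count within any window_s-second window exceeds threshold. Events must be
    (time_s, datapath_id) tuples sorted by time.
    """
    windows = defaultdict(deque)
    alerts = {}
    for t, dpid in events:
        q = windows[dpid]
        q.append(t)
        while q and q[0] <= t - window_s:   # evict events outside the window
            q.popleft()
        if len(q) > threshold and dpid not in alerts:
            alerts[dpid] = t
    return alerts


def rate_limit(events, rate_per_s=50, burst=50):
    """Per-switch token bucket applied before an event is replicated cluster-wide.

    Each admitted event costs one token; tokens refill at rate_per_s up to burst.
    Returns (accepted, dropped) lists so the replication cost a single switch can
    impose on every cluster member is bounded by rate_per_s.
    """
    tokens, last_seen = {}, {}
    accepted, dropped = [], []
    for t, dpid in events:
        if dpid not in tokens:
            tokens[dpid], last_seen[dpid] = burst, t
        tokens[dpid] = min(burst, tokens[dpid] + (t - last_seen[dpid]) * rate_per_s)
        last_seen[dpid] = t
        if tokens[dpid] >= 1:
            tokens[dpid] -= 1
            accepted.append((t, dpid))
        else:
            dropped.append((t, dpid))
    return accepted, dropped
```

With the constructed input, the detector alerts on s2 at the 101st event (t = 1.1 s) and never on s1, while the token bucket admits every s1 event and only a few dozen of the 500 s2 events.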
