论文信息 - Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch

Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch

Software defined networking (SDN) and OpenFlow as one of its key technologies have received a lot of attention from the networking community. While SDN enables complex network applications and easier network management, the paradigm change comes along with new security threats. In this paper, we analyze attacks against a software-defined network in a scenario where the attacker has been able to compromise one or more OpenFlow-capable switches. We find out that such attacker can in suitable environments perform a wide range of attacks, including man-in-the-middle attacks against control-plane traffic, by using only the standard OpenFlow functionality of the switch. Furthermore, we show that in certain scenarios it is nearly impossible to detect that some switch has been compromised. We conclude that while the existing security mechanisms, such as TLS, give protection against many of the presented attacks, the threats should not be overlooked when moving to SDN and OpenFlow.

[1] Vitaly Shmatikov,et al. The most dangerous code in the world: validating SSL certificates in non-browser software , 2012, CCS.

[2] Mabry Tyson,et al. A security enforcement kernel for OpenFlow networks , 2012, HotSDN '12.

[3] Nick McKeown,et al. OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[4] Guofei Gu,et al. Attacking software-defined networks: a first feasibility study , 2013, HotSDN '13.

[5] Tuomas Aura,et al. Denial-of-Service Attacks in Bloom-Filter-Based Forwarding , 2014, IEEE/ACM Transactions on Networking.

[6] Kevin Benton,et al. OpenFlow vulnerability assessment , 2013, HotSDN '13.

[7] Paul Smith,et al. OpenFlow: A security analysis , 2013, 2013 21st IEEE International Conference on Network Protocols (ICNP).

[8] Brighten Godfrey,et al. VeriFlow: verifying network-wide invariants in real time , 2012, HotSDN '12.

[9] Mabry Tyson,et al. FRESCO: Modular Composable Security Services for Software-Defined Networks , 2013, NDSS.

[10] Jörg Ott,et al. Forwarding anomalies in Bloom filter-based multicast , 2011, 2011 Proceedings IEEE INFOCOM.

[11] Jukka Manner,et al. A Survey of Ethernet LAN Security , 2013, IEEE Communications Surveys & Tutorials.

[12] Martín Casado,et al. Onix: A Distributed Control Platform for Large-scale Production Networks , 2010, OSDI.

[13] Fernando M. V. Ramos,et al. Towards secure and dependable software-defined networks , 2013, HotSDN '13.