Fingerprinting Software-Defined Networks

In this paper, we study the feasibility of fingerprinting controller-switch interactions in SDN networks by a remote adversary whose aim is to acquire knowledge about specific flow rules that are installed at the switches. This knowledge gives the adversary a better understanding of the network's packet-forwarding logic and exposes the network to a number of threats. In our study, we collect measurements from hosts located across the globe using a realistic SDN network comprising OpenFlow hardware switches. We show that, by leveraging information from the RTT and packet-pair dispersion of the exchanged packets, fingerprinting attacks on SDN networks succeed with overwhelming probability. We also show that these attacks are not restricted to active adversaries, but can equally be mounted by passive adversaries that only monitor traffic exchanged with the SDN network. Finally, we sketch an efficient countermeasure to strengthen SDN networks against fingerprinting.
