论文信息 - Novel MITM Attacks on Security Protocols in SDN: A Feasibility Study

Novel MITM Attacks on Security Protocols in SDN: A Feasibility Study

Software-Defined Networking (SDN) is a new paradigm that offers services and applications great power to manage network. Based on the consideration that the entire network visibility is the foundation of SDN, many attacks emerge in poisoning the network visibility, which lead to severe damage. Meanwhile, many defense approaches are proposed to patch the controller. It is noticed that powerful adversaries can bypass existing approaches to poison topology information and attack security protocols. In this paper, we present a method that the adversary can attack security protocols under existing approaches (e.g. TopoGuard, SPHINX). We also investigate a number of security protocols that may be compromised by our MITM attacks and propose an approach to detect the existence of the adversary. Our evaluation shows that the defense solution can effectively detect the fake link in normal environment. We hope our research can attract more attention on SDN security.

[1] Vinod Yegneswaran,et al. Securing the Software Defined Network Control Layer , 2015, NDSS.

[2] Guofei Gu,et al. A First Step Toward Network Security Virtualization: From Concept To Prototype , 2015, IEEE Transactions on Information Forensics and Security.

[3] Vinod Yegneswaran,et al. AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks , 2013, CCS.

[4] George Varghese,et al. Usenix Association 10th Usenix Symposium on Networked Systems Design and Implementation (nsdi '13) 99 Real Time Network Policy Checking Using Header Space Analysis , 2022 .

[5] Zonghua Zhang,et al. Enabling security functions with SDN: A feasibility study , 2015, Comput. Networks.

[6] Ehab Al-Shaer,et al. Openflow random host mutation: transparent moving target defense using software defined networking , 2012, HotSDN '12.

[7] Vijay Mann,et al. SPHINX: Detecting Security Attacks in Software-Defined Networks , 2015, NDSS.

[8] Brighten Godfrey,et al. VeriFlow: verifying network-wide invariants in real time , 2012, HotSDN '12.

[9] George Varghese,et al. Header Space Analysis: Static Checking for Networks , 2012, NSDI.

[10] Lei Xu,et al. Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures , 2015, NDSS.