Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network: Attack Model, Evaluation, and Defense

As the most competitive solution for next-generation networks, SDN and its dominant implementation, OpenFlow, are attracting more and more interest. Besides convenience and flexibility, however, SDN/OpenFlow also introduces new kinds of limitations and security issues. Of these limitations, the most obvious and perhaps the most neglected is the flow table capacity of SDN/OpenFlow switches. In this paper, we propose a novel inference attack targeting SDN/OpenFlow networks, motivated by the limited flow table capacity of SDN/OpenFlow switches and the measurable decrease in network performance that results from frequent interactions between the data and control planes when the flow table is full. To the best of our knowledge, this is the first inference attack model of this kind proposed for SDN/OpenFlow. We implemented an inference attack framework according to our model and examined its efficiency and accuracy. The evaluation results demonstrate that our framework can infer the network parameters (flow table capacity and usage) with an accuracy of 80% or higher. We also propose two possible defense strategies for the discovered vulnerability: a routing aggregation algorithm and a multilevel flow table architecture. These findings give a deeper understanding of SDN/OpenFlow limitations and serve as guidelines for future improvements of SDN/OpenFlow.
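One way to realise the routing aggregation defense named in the abstract, as an added example that is not the paper's code: it assumes destination-prefix rules installed with priority equal to prefix length (longest-prefix match) and merges sibling prefixes that share an action, which lowers flow table occupancy without changing forwarding. The sample table is constructed for the example.

```python
"""Prefix aggregation to shrink a flow table (added illustration, not from the paper).
Assumes destination-prefix rules with priority = prefix length, i.e. longest-prefix
match (LPM). Two sibling prefixes (both halves of one supernet) with the same action
merge into the supernet; they partition it exactly, so LPM forwarding is unchanged and
a more-specific exception inside them still wins."""
import ipaddress
from typing import Dict, Optional

Table = Dict[ipaddress.IPv4Network, str]

# Constructed sample table: seven entries, one of them a /32 exception.
SAMPLE_TABLE: Table = {
    ipaddress.ip_network("10.0.0.0/26"): "output:1",
    ipaddress.ip_network("10.0.0.64/26"): "output:1",
    ipaddress.ip_network("10.0.0.128/25"): "output:1",
    ipaddress.ip_network("10.0.1.0/24"): "output:1",
    ipaddress.ip_network("10.0.2.0/24"): "output:2",
    ipaddress.ip_network("10.0.3.0/24"): "output:2",
    ipaddress.ip_network("10.0.0.200/32"): "output:9",
}

def lookup(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, used to check that aggregation is lossless."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in table if addr in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def aggregate(table: Table) -> Table:
    """Return an equivalent table with sibling prefixes merged where possible."""
    table = dict(table)
    changed = True
    while changed:
        changed = False
        for net in sorted(table, key=lambda n: -n.prefixlen):  # longest first
            if net not in table or net.prefixlen == 0:
                continue  # removed by an earlier merge in this pass
            parent = net.supernet(prefixlen_diff=1)
            sibling = next(s for s in parent.subnets(prefixlen_diff=1) if s != net)
            action = table[net]
            # Merge only when the sibling exists with the same action and no
            # conflicting rule for the parent prefix is already installed.
            if table.get(sibling) != action or table.get(parent, action) != action:
                continue
            del table[net], table[sibling]
            table[parent] = action
            changed = True
    return table

if __name__ == "__main__":
    print(len(SAMPLE_TABLE), "entries ->", len(aggregate(SAMPLE_TABLE)), "entries")
```

On the sample table the seven entries collapse to three (10.0.0.0/23, 10.0.2.0/23 and the /32 exception), and every destination still resolves to the same action as before.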
