Link Discovery Attacks in Software-Defined Networks: Topology Poisoning and Impact Analysis

Software Defined Networking (SDN) has become a popular technology that offers the advantages of programmable and flexible network management over legacy practice. The centralized SDN controller is an important enabler of these benefits. One of the controller's most crucial tasks is link discovery, since the resulting network topology is essential for the controller to create forwarding rules and make routing decisions. SDN security has been studied extensively, but the security of OpenFlow link discovery protocols and topology poisoning have only recently been addressed. Existing work includes link fabrication attacks via compromised hosts and defense systems based on authentication. This paper discusses the SDN link discovery process and its vulnerability to link discovery attacks, including new attacks via compromised switches. We present a simple but effective defense mechanism using active ports that can detect both host-based and switch-based link discovery attacks. Finally, the paper presents an analytical and empirical analysis of the impact of topology attacks on routing. The paper discusses attack details, proposed methods, and the results of these analyses.
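To make the defensive idea concrete, here is an added illustration (not code from the paper, and not its actual active-port algorithm) of a controller-side validator that decides whether an LLDP-derived link announcement may enter the topology. It assumes two rules: a switch port that has already carried end-host traffic is treated as an active host port and is never accepted as an inter-switch link endpoint, and every endpoint named in a probe must be a port the controller already learned from a connected switch; the switch names and port numbers in the scenario are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class TopologyValidator:
    """Controller-side model of link-discovery validation (illustrative)."""
    known_ports: set                                  # {(dpid, port_no)} learned from switch features
    host_ports: set = field(default_factory=set)      # ports observed carrying host (ARP/IP) traffic
    links: set = field(default_factory=set)           # accepted (src, dst) endpoint pairs

    def on_host_traffic(self, dpid, port_no):
        """An end host was seen on this port: mark it and drop any link using it."""
        self.host_ports.add((dpid, port_no))
        self.links = {l for l in self.links if (dpid, port_no) not in l}

    def on_lldp(self, src, dst):
        """Validate a link announced via an LLDP probe; return the verdict."""
        for end in (src, dst):
            # A switch (or relayed host) claiming a port the controller never learned.
            if end not in self.known_ports:
                return "reject: unknown endpoint %s" % (end,)
            # A host-facing port cannot be the endpoint of a switch-to-switch link.
            if end in self.host_ports:
                return "reject: host port %s claimed as link end" % (end,)
        self.links.add((src, dst))
        return "accept"

def run_scenario():
    """Constructed scenario: two switches, one host attached to s1 port 1."""
    v = TopologyValidator(known_ports={("s1", 1), ("s1", 2), ("s2", 1), ("s2", 2)})
    v.on_host_traffic("s1", 1)                        # host seen on s1:1
    return [
        v.on_lldp(("s1", 1), ("s2", 1)),              # fabricated link through the host port
        v.on_lldp(("s1", 2), ("s2", 2)),              # genuine inter-switch link
        v.on_lldp(("s3", 1), ("s2", 1)),              # claim from a switch port the controller never learned
    ]

if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third case shows why the known-port check matters for switch-based attacks: a probe cannot introduce an endpoint that the controller has not itself learned from a connected switch.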
