SDN Security: Information Disclosure and Flow Table Overflow Attacks

In this paper, we study some of the security pitfalls present in the OpenFlow protocol, which plays a central role in Software Defined Networks. Specifically, we introduce information disclosure attacks capable of identifying idle and hard timeout values, and the number of free entries in the flow tables at SDN switches. We then leverage this information to mount Denial of Service (DoS) attacks using a small number of packets and without flooding the SDN network, making it harder to detect. Experimental results indicate that mounting the proposed attack leads to delays and packet losses for legitimate flows. We further propose solutions to detect and mitigate similar attacks.
