Security Threats in the Data Plane of Software-Defined Networks

SDN has enabled extensive network programmability and speedy network innovations by decoupling the control plane from the data plane. However, the separation of the two planes could also be a potential threat to the whole network. Previous approaches pointed out that attackers can launch various attacks from the data plane against SDN, such as DoS attacks, topology poisoning attacks, and side-channel attacks. To address the security issues, we present a comprehensive study of data plane attacks in SDN, and propose FlowKeeper, a common framework to build a robust data plane against different attacks. FlowKeeper enforces port control of the data plane and reduces the workload of the control plane by filtering out illegal packets. Experimental results show that FlowKeeper could be used to efficiently mitigate different kinds of attacks (i.e., DoS and topology poisoning attacks).

[1]  Lei Xu,et al.  Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures , 2015, NDSS.

[2]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[3]  Vinod Yegneswaran,et al.  AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks , 2013, CCS.

[4]  Riccardo Trivisonno,et al.  SDN‐based 5G mobile networks: architecture, functions, procedures and backward compatibility , 2015, Trans. Emerg. Telecommun. Technol..

[5]  Chengchen Hu,et al.  An Inference Attack Model for Flow Table Capacity and Usage: Exploiting the Vulnerability of Flow Table Overflow in Software-Defined Network , 2015, ArXiv.

[6]  Vladimir Vapnik,et al.  Statistical learning theory , 1998 .

[7]  Xinwen Fu,et al.  DSSS-Based Flow Marking Technique for Invisible Traceback , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[8]  Adam J. Aviv,et al.  Timing-based reconnaissance and defense in software-defined networks , 2016, ACSAC.

[9]  Min Zhu,et al.  B4: experience with a globally-deployed software defined wan , 2013, SIGCOMM.

[10]  Guofei Gu,et al.  Attacking software-defined networks: a first feasibility study , 2013, HotSDN '13.

[11]  Paul Smith,et al.  OpenFlow: A security analysis , 2013, 2013 21st IEEE International Conference on Network Protocols (ICNP).

[12]  Chuang Lin,et al.  On Denial of Service Attacks in Software Defined Networks , 2016, IEEE Network.

[13]  Shang Gao,et al.  FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks , 2017, INFOCOM.

[14]  Lei Xu,et al.  FloodGuard: A DoS Attack Prevention Extension in Software-Defined Networks , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.