BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

We create BEADS, a framework to automatically generate test scenarios and find attacks in SDN systems. The scenarios capture attacks caused by malicious switches that do not obey the OpenFlow protocol and malicious hosts that do not obey the ARP protocol. We generated and tested almost 19,000 scenarios that consist of sending malformed messages or not properly delivering them, and found 831 unique bugs across four well-known SDN controllers: Ryu, POX, Floodlight, and ONOS. We classify these bugs into 28 categories based on their impact; 10 of these categories are new, not previously reported. We demonstrate how an attacker can leverage several of these bugs by manually creating 4 representative attacks that impact high-level network goals such as availability and network topology.
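The scenario classes the abstract names, malformed OpenFlow messages from switches and malformed ARP from hosts, are usually exploitable only because a controller dispatches on message contents before checking the framing. The following is an added illustration of the defender-side countermeasure (it is not code from the BEADS paper or from Ryu, POX, Floodlight or ONOS): a strict header validator for the 8-byte OpenFlow header and for Ethernet/IPv4 ARP (RFC 826 layout) that rejects a message at the parse boundary instead of handing it to the protocol handler. The constants come from the OpenFlow 1.0/1.3 specifications and RFC 826; the function names, the `classify` policy and all sample byte strings are constructed for this example.

```python
"""Strict framing checks for OpenFlow headers and ARP packets (added example)."""
import struct

OFP_HEADER_LEN = 8
# Highest message type number defined per accepted wire version:
# OpenFlow 1.0 (0x01) ends at OFPT_QUEUE_GET_CONFIG_REPLY = 21,
# OpenFlow 1.3 (0x04) ends at OFPT_METER_MOD = 29.
MAX_TYPE_BY_VERSION = {0x01: 21, 0x04: 29}
ARP_FIXED_LEN = 8                      # htype, ptype, hlen, plen, oper
ARP_HTYPE_ETHERNET, ARP_PTYPE_IPV4 = 1, 0x0800
ARP_OPCODES = {1, 2}                   # request, reply


class MalformedMessage(ValueError):
    """Framing check failed; the caller drops the message and logs the reason."""


def parse_openflow_header(buf: bytes) -> dict:
    """Validate the OpenFlow header before any type-specific parsing runs."""
    if len(buf) < OFP_HEADER_LEN:
        raise MalformedMessage("short OpenFlow header")
    version, msg_type, length, xid = struct.unpack("!BBHI", buf[:OFP_HEADER_LEN])
    if version not in MAX_TYPE_BY_VERSION:
        raise MalformedMessage(f"unsupported version {version:#x}")
    if msg_type > MAX_TYPE_BY_VERSION[version]:
        raise MalformedMessage(f"unknown message type {msg_type}")
    if length < OFP_HEADER_LEN:
        raise MalformedMessage(f"length {length} smaller than header")
    if length > len(buf):
        raise MalformedMessage(f"length {length} exceeds received {len(buf)} bytes")
    return {"version": version, "type": msg_type, "length": length,
            "xid": xid, "payload": buf[OFP_HEADER_LEN:length]}


def parse_arp(pkt: bytes) -> dict:
    """Validate an Ethernet/IPv4 ARP packet field by field, then split it."""
    if len(pkt) < ARP_FIXED_LEN:
        raise MalformedMessage("short ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:ARP_FIXED_LEN])
    if htype != ARP_HTYPE_ETHERNET or ptype != ARP_PTYPE_IPV4:
        raise MalformedMessage(f"not Ethernet/IPv4 ARP (htype={htype} ptype={ptype:#x})")
    if hlen != 6 or plen != 4:
        raise MalformedMessage(f"bad address lengths hlen={hlen} plen={plen}")
    if oper not in ARP_OPCODES:
        raise MalformedMessage(f"bad opcode {oper}")
    if len(pkt) < ARP_FIXED_LEN + 2 * (hlen + plen):
        raise MalformedMessage("truncated ARP body")
    off = ARP_FIXED_LEN
    sha, off = pkt[off:off + hlen], off + hlen
    spa, off = pkt[off:off + plen], off + plen
    tha, off = pkt[off:off + hlen], off + hlen
    tpa = pkt[off:off + plen]
    return {"op": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def classify(kind: str, data: bytes) -> str:
    """Return 'accept' or 'drop: <reason>' for one message; never raises."""
    parser = {"openflow": parse_openflow_header, "arp": parse_arp}[kind]
    try:
        parser(data)
    except MalformedMessage as exc:
        return f"drop: {exc}"
    return "accept"


# Constructed samples: one well-formed message of each kind, then variants
# with the framing damaged in the ways a fuzzer would typically produce.
GOOD_OF = b"\x04\x02\x00\x08\x00\x00\x12\x34"              # OF1.3 ECHO_REQUEST
GOOD_ARP = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)      # ARP request
            + bytes.fromhex("001122334455") + bytes([10, 0, 0, 1])
            + bytes(6) + bytes([10, 0, 0, 2]))
SAMPLES = [
    ("openflow", GOOD_OF),
    ("openflow", b"\x04\x02\x01\x00\x00\x00\x12\x34"),     # length 256, 8 received
    ("openflow", b"\x09\x02\x00\x08\x00\x00\x12\x34"),     # version 9 unsupported
    ("openflow", GOOD_OF[:5]),                             # truncated header
    ("arp", GOOD_ARP),
    ("arp", GOOD_ARP[:4] + bytes([16, 4]) + GOOD_ARP[6:]),  # hlen 16 on Ethernet
    ("arp", GOOD_ARP[:20]),                                # body cut short
]


def run_samples():
    """Classify every sample; used as the example's result."""
    return [classify(kind, data) for kind, data in SAMPLES]


if __name__ == "__main__":
    for (kind, data), verdict in zip(SAMPLES, run_samples()):
        print(f"{kind:8s} {data.hex():<56s} {verdict}")
```

The point of checking the length field against the bytes actually received, rather than trusting it, is that the "malformed message" and "not properly delivered" scenario classes overlap on the wire: a truncated delivery and a forged length field look the same to a parser that slices by the header's length. Rejecting both at this boundary, and logging the reason with the switch or host identity, also gives an operator a detection signal for the misbehaving peer.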
