SDN-Specific Security Attacks and Defense Mechanisms


The rising demand for advanced network infrastructures and services has made the flexibility and scalability of network architectures and their operations increasingly important. Network operators today have to deal with massive communication traffic and diverse data formats, service types and devices while maintaining network availability, security and quality of service in the most cost-effective way. Traditional network architectures were not designed to cope with such dynamic scales of demand. They are tightly coupled with sophisticated hardware that does not necessarily offer simple customization. Any change in a traditional network architecture often requires manual reconfiguration of network devices, a process that is labor-intensive, time-consuming and error-prone. Software-Defined Networking (SDN), an innovative networking paradigm, has revolutionized the implementation of network architectures through software. The programmability of SDN allows rapid modification, reduced manual configuration, flexible management and simplified scalability with low processing costs. SDN separates the control plane (controller) from the data plane (routers/switches) using a protocol (OpenFlow) through which the controller instructs switches or routers how to forward packets and populates the flow tables in the switches. Network devices are controlled separately from the data they transmit, and the switching software is likewise separated from the physical hardware. Network switches become simple forwarding devices while the control logic in the centralized controller handles network management, administration and evolution. Thus, SDN allows complex networks to be centrally managed without the need to deal directly with distributed low-level network functions. SDN also helps enhance security through the centralized controller, the global visibility of the network state and run-time manipulation of traffic forwarding rules.
The centralized nature of SDN facilitates security policy enforcement across the whole network and mitigates the risk of policy collision. However, as many benefits as SDN provides, it also poses serious new security challenges. This dissertation addresses SDN-specific security issues, particularly those of the centralized SDN controller. Since the SDN controller is an important enabler of many of SDN's benefits, it is an attractive target for attackers. Link discovery (or topology discovery) is one of the most critical services of the SDN controller: it provides the topology of the network, which the controller needs in order to manage the network. However, the OpenFlow discovery protocol standard used to implement topology discovery in most controller platforms is insecure. This leads to various link fabrication attacks through compromised hosts. Unlike existing work, this dissertation 1) uncovers a new switch-based link discovery (fabrication) attack, 2) presents a simple defense mechanism using active ports to detect link discovery attacks, and 3) provides analytical and empirical approaches to analyzing the impacts of topology attacks on network routing. Another crucial service of the SDN controller is the host-tracking service, which monitors and keeps track of host locations. The host location attack is simple: a host is compromised, and its location information is hijacked and modified. This attack can potentially lead to many devastating consequences, including disruption of network traffic and denial of service. There are several types of attacks on SDN host-tracking services, including the host hijacking attack and the host impersonation attack. Unlike previous work, this dissertation presents 1) a new port-free host location attack, and 2) a countermeasure that detects the attack and protects against further attacks by deactivating the connection between the compromised host and the controller.
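As an added example, not taken from the dissertation, the sketch below shows one plausible reading of an active-port check for link discovery. It assumes (my assumption, not the author's stated design) that a switch port which has carried ordinary host traffic is an active host port, and that the controller should refuse to learn a switch-to-switch link whose LLDP frame arrives on, or claims to originate from, such a port; the packet-in events are constructed inline.

```python
from dataclasses import dataclass, field

LLDP_ETHERTYPE = 0x88CC  # EtherType of the LLDP frames used for OpenFlow link discovery


@dataclass
class PacketIn:
    """A packet-in event as the controller would see it (constructed for this example)."""
    dpid: int                  # switch that forwarded the frame to the controller
    port: int                  # ingress port on that switch
    ethertype: int
    lldp_origin: tuple = None  # (dpid, port) advertised inside the LLDP payload, if any


@dataclass
class TopologyGuard:
    """Builds the link map but refuses links that touch an active host port (assumed policy)."""
    host_ports: set = field(default_factory=set)  # (dpid, port) pairs seen carrying host traffic
    links: set = field(default_factory=set)       # accepted (origin, ingress) links
    alerts: list = field(default_factory=list)    # rejected (origin, ingress) claims

    def observe(self, pkt: PacketIn) -> str:
        ingress = (pkt.dpid, pkt.port)
        if pkt.ethertype != LLDP_ETHERTYPE:
            # Ordinary traffic marks the ingress port as host-facing (an "active port" here).
            self.host_ports.add(ingress)
            return "host"
        origin = pkt.lldp_origin
        # A switch-to-switch link cannot terminate on a port that carries host traffic,
        # so an LLDP frame arriving there, or claiming to come from there, is suspect.
        for end in (origin, ingress):
            if end in self.host_ports:
                self.alerts.append((origin, ingress))
                return "alert"
        self.links.add((origin, ingress))
        return "link"


if __name__ == "__main__":
    guard = TopologyGuard()
    # Constructed sequence: a host speaks on switch 1 port 1, then two LLDP frames arrive.
    print(guard.observe(PacketIn(1, 1, 0x0800)))                      # host
    print(guard.observe(PacketIn(3, 1, LLDP_ETHERTYPE, (2, 3))))      # link
    print(guard.observe(PacketIn(1, 1, LLDP_ETHERTYPE, (2, 2))))      # alert
    print(guard.links, guard.alerts)
```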
Finally, unlike the above security concerns, which deal with poisoning of SDN services to alter the controller's view of the actual network, the last part of this dissertation addresses an important SDN-specific security breach, namely the flow rule attack, in which a network switch is compromised and its flow rules, which specify how the switch routes data transmissions, are modified. This can have a large negative impact on network routing and communication services. Unlike previous work, this dissertation presents 1) an approach to flow rule attack detection, and 2) two lightweight mitigation techniques, both of which can be performed by the SDN controller. To the best of our knowledge, no mitigation technique for flow rule attacks has previously been proposed.

Embargo status: Restricted to TTU community only.

Software-Defined Networking (SDN), Security, Link discovery, Defense, Flow rule, Host Tracking