
Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack

Conference paper in Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

The emerging Software-Defined Networking (SDN) is being adopted by data centers and cloud service providers to enable flexible control. Meanwhile, the current SDN design brings new vulnerabilities. In this paper, we explore a stealthy data-plane-based attack that uses a minimum rate of attack packets to disrupt SDN. To achieve this, we propose the LOFT attack, which computes the lower bound of the attack rate needed to overflow flow tables based on the inferred network configurations. In particular, each attack packet always triggers or maintains the consumption of one flow rule. LOFT can ensure the attack effect under various network configurations while reducing the possibility of being captured. We demonstrate its feasibility and effectiveness in a real SDN testbed consisting of commercial hardware switches. The experimental results show that LOFT can incur significant network performance degradation and potential network DoS at an attack rate of only tens of Kbps.


Notes

  1. According to our observation, idle timeout is usually not set to a large value. Normally, 500 s is large enough to serve as the upper bound (see Table 1 in Sect. ).

  2. As we discussed in Sect. 4, SDN does not set hard timeout values larger than idle timeout values.

  3. The performance is not given by EdgeCore but measured in our experiments.

  4. We note that lots of benign traffic will be sent to the controller once the table is overflowed, and thus the packet-in rate will increase significantly. However, by the time the attack exhibits such obvious features, it has already caused remarkable damage.

  5. The defenses are enabled only when there are lots of packet-in packets per second. However, our attack does not trigger high-rate packet-in packets before overflowing the flow table.
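Notes 4 and 5 above describe the blind spot of packet-in-rate-based defenses: the table fills quietly and the packet-in spike only appears after overflow. The following added example (not code from the paper) contrasts such a rate-based alarm with a monitor that watches flow-table occupancy trending towards capacity while packet-in load stays low; the sample format, capacity, thresholds and polling data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TableSample:
    """One polling sample of a switch's flow table plus the controller's packet-in load."""
    t: float               # seconds since monitoring started
    active_flows: int      # rules currently installed (e.g. from OpenFlow table statistics)
    packet_in_rate: float  # packet-in messages per second observed at the controller


def rate_based_alert(samples: List[TableSample], pps_threshold: float) -> Optional[float]:
    """Rate-based defense (as in note 5): fires on the first sample at or above the packet-in threshold."""
    for s in samples:
        if s.packet_in_rate >= pps_threshold:
            return s.t
    return None


def low_rate_overflow_alert(samples: List[TableSample], capacity: int, pps_threshold: float,
                            occupancy_frac: float = 0.8, window: int = 3) -> Optional[float]:
    """Fires when occupancy has grown over `window` consecutive samples, has crossed
    `occupancy_frac` of capacity, and the packet-in rate is still below the rate defense's
    threshold, i.e. the table is filling without the spike a rate-based defense waits for."""
    high_water = occupancy_frac * capacity
    for i in range(window - 1, len(samples)):
        recent = [s.active_flows for s in samples[i - window + 1:i + 1]]
        steadily_growing = all(a < b for a, b in zip(recent, recent[1:]))
        s = samples[i]
        if steadily_growing and s.active_flows >= high_water and s.packet_in_rate < pps_threshold:
            return s.t
    return None


# Constructed samples (hypothetical, polled every 10 s): occupancy climbs slowly while the
# packet-in rate stays quiet; only after the table is full (t=70) does the packet-in rate jump.
SAMPLES = [TableSample(float(t), f, float(p)) for t, f, p in [
    (0, 400, 8), (10, 800, 9), (20, 1200, 8), (30, 1500, 9), (40, 1700, 8),
    (50, 1850, 9), (60, 1950, 8), (70, 2000, 400), (80, 2000, 900),
]]
CAPACITY = 2000           # assumed flow table size of the monitored switch
PPS_THRESHOLD = 100.0     # assumed packet-in threshold of the rate-based defense

if __name__ == "__main__":
    print("rate-based alert at t =", rate_based_alert(SAMPLES, PPS_THRESHOLD))
    print("occupancy-trend alert at t =", low_rate_overflow_alert(SAMPLES, CAPACITY, PPS_THRESHOLD))
```

On the constructed data the occupancy-trend monitor raises at t=40, before the table is full, whereas the rate-based alarm only fires at t=70, once the overflow has already pushed benign traffic to the controller.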


Acknowledgment

The research is partially supported by the National Natural Science Foundation of China under Grant 61572278 and 61625203, the National Key Research and Development Program of China under Grant 2016YFB0800102 and 2016YFC0901605, and U.S. Office of Naval Research under Grant N00014-16-1-3214 and N00014-16-1-3216.

Author information

Correspondence to Mingwei Xu.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Cao, J., Xu, M., Li, Q., Sun, K., Yang, Y., Zheng, J. (2018). Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_18


  • DOI: https://doi.org/10.1007/978-3-319-78813-5_18


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer Science (R0)
