
Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures

  • Conference paper
  • Research in Attacks, Intrusions, and Defenses (RAID 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11050))

Abstract

Software-Defined Networking (SDN) continues to be deployed from enterprise data centers to cloud computing, driven by the emergence of various SDN-enabled hardware switches. In this paper, we present Control Plane Reflection Attacks, which exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks use direct and indirect data plane events to force the control plane to issue massive numbers of expensive control messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy that makes the reflection attacks much more efficient, stealthy and powerful. Experiments on a testbed with physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results, such as hurting the establishment of new flows and even disrupting the connections between the SDN controller and its switches. To mitigate such attacks, we propose a novel defense framework called SWGuard. In particular, SWGuard detects anomalies in downlink messages and prioritizes these messages based on a novel monitoring granularity, the host-application pair (HAP). Implementation and evaluation demonstrate that SWGuard can effectively reduce the latency for legitimate hosts and applications under Control Plane Reflection Attacks with only minor overheads.


Notes

  1. For brevity, we denote the messages from the data plane to the control plane as uplink messages, and the messages in the opposite direction as downlink messages.

  2. The latest OpenFlow specification only supports 42 header fields, which constrains the fields the controller can use to compose different forwarding policies.

  3. Since R is usually less than 10, and T is set to a small value in most controllers (e.g., 5 in Floodlight), N cannot be a large number.

  4. Moving old flow entries to make room for the new flow rule is an important reason this operation is expensive and time-consuming.

  5. 300 pps is a fairly safe rate, since a legitimate host can issue packets at thousands of pps under normal circumstances.

  6. There may be several hops between the switch and the controller, and the network condition is unpredictable.

  7. Since this experiment is conducted in a software environment, the nonlinear jump point differs slightly from the earlier hardware experimental results.
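The abstract describes SWGuard as monitoring downlink messages per host-application pair (HAP) and prioritizing them, and Note 5 treats 300 pps as a safe per-host rate. The following is an added illustration of that idea, not SWGuard's own code: it keeps a sliding-window count of downlink messages per HAP, flags a HAP that exceeds an assumed 300 pps threshold as anomalous, and serves low-rate HAPs before flagged ones so a legitimate host is not starved. The host addresses, application names and message labels are constructed sample values.

```python
from collections import defaultdict, deque


class HapDownlinkScheduler:
    """Sliding-window rate monitor and priority scheduler keyed by HAP.

    Assumed simplification of the HAP idea on this page: a HAP is the
    tuple (host, application); the threshold (300 pps) is taken from Note 5.
    """

    def __init__(self, window_s=1.0, threshold_pps=300):
        self.window_s = window_s
        self.threshold_pps = threshold_pps
        self.history = defaultdict(deque)  # hap -> timestamps of downlink msgs
        self.queue = deque()               # pending (hap, message) tuples

    def rate(self, hap, now):
        """Downlink messages per second for hap over the trailing window."""
        ts = self.history[hap]
        while ts and now - ts[0] > self.window_s:
            ts.popleft()
        return len(ts) / self.window_s

    def is_anomalous(self, hap, now):
        return self.rate(hap, now) > self.threshold_pps

    def enqueue(self, host, app, msg, now):
        hap = (host, app)
        self.history[hap].append(now)
        self.queue.append((hap, msg))

    def dequeue(self, now):
        """Serve the lowest-rate HAP first; anomalous HAPs are served last."""
        if not self.queue:
            return None
        best = min(range(len(self.queue)),
                   key=lambda i: (self.is_anomalous(self.queue[i][0], now),
                                  self.rate(self.queue[i][0], now), i))
        hap, msg = self.queue[best]
        del self.queue[best]
        return hap, msg


def demo():
    """Constructed sample: one HAP triggers 400 downlink messages in 0.4 s,
    then a single message is pending for a legitimate HAP."""
    s = HapDownlinkScheduler()
    for i in range(400):
        s.enqueue("10.0.0.9", "forwarding", f"flow_mod-{i}", now=i * 0.001)
    s.enqueue("10.0.0.2", "forwarding", "flow_mod-legit", now=0.5)
    first = s.dequeue(now=0.5)
    return first, s.is_anomalous(("10.0.0.9", "forwarding"), now=0.5)
```

In the demo the flooding HAP sits at 400 pps inside the window, so the legitimate host's message is dequeued first even though it arrived last.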


Acknowledgement

This material is based upon work supported by the National Key R&D Program of China (2017YFB0801701), the National Science Foundation of China (No. 61472213) and the CERNET Innovation Project (NGII20160123). It is also based upon work supported in part by the National Science Foundation (NSF) under Grant Nos. 1617985, 1642129, 1700544, and 1740791. Jun Bi is the corresponding author. We also thank Yi Qiao, Chen Sun, Yongbin Li and Kai Gao from Tsinghua University for joining the discussion of this paper.

Corresponding author

Correspondence to Jun Bi.

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Zhang, M., Li, G., Xu, L., Bi, J., Gu, G., Bai, J. (2018). Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_8

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5