Abstract
Software-defined networking (SDN), with OpenFlow as one of its key technologies, has received a lot of attention from the networking community. While SDN enables complex network applications and easier network management, the paradigm change brings new security threats. In this paper, we analyze attacks against a software-defined network in a scenario where the attacker has compromised one or more OpenFlow-capable switches. We find that such an attacker can, in suitable environments, perform a wide range of attacks, including man-in-the-middle attacks against control-plane traffic, using only the standard OpenFlow functionality of the switch. Furthermore, we show that in certain scenarios it is nearly impossible to detect that a switch has been compromised. We conclude that while existing security mechanisms, such as TLS, protect against many of the presented attacks, these threats should not be overlooked when moving to SDN and OpenFlow.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Antikainen, M., Aura, T., Särelä, M. (2014). Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch. In: Bernsmed, K., Fischer-Hübner, S. (eds) Secure IT Systems. NordSec 2014. Lecture Notes in Computer Science(), vol 8788. Springer, Cham. https://doi.org/10.1007/978-3-319-11599-3_14
DOI: https://doi.org/10.1007/978-3-319-11599-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11598-6
Online ISBN: 978-3-319-11599-3