
Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch

  • Conference paper
Secure IT Systems (NordSec 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8788)


Abstract

Software-defined networking (SDN) and OpenFlow, one of its key technologies, have received a lot of attention from the networking community. While SDN enables complex network applications and easier network management, the paradigm change brings new security threats with it. In this paper, we analyze attacks against a software-defined network in a scenario where the attacker has been able to compromise one or more OpenFlow-capable switches. We find that, in suitable environments, such an attacker can perform a wide range of attacks, including man-in-the-middle attacks against control-plane traffic, using only the standard OpenFlow functionality of the switch. Furthermore, we show that in certain scenarios it is nearly impossible to detect that a switch has been compromised. We conclude that while existing security mechanisms, such as TLS, protect against many of the presented attacks, the threats should not be overlooked when moving to SDN and OpenFlow.




Corresponding author

Correspondence to Markku Antikainen.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Antikainen, M., Aura, T., Särelä, M. (2014). Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch. In: Bernsmed, K., Fischer-Hübner, S. (eds) Secure IT Systems. NordSec 2014. Lecture Notes in Computer Science, vol 8788. Springer, Cham. https://doi.org/10.1007/978-3-319-11599-3_14

  • DOI: https://doi.org/10.1007/978-3-319-11599-3_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11598-6

  • Online ISBN: 978-3-319-11599-3

  • eBook Packages: Computer Science (R0)
