Detecting and Defending Against Controller-to-Switch Loop Attacks in SDN
ZHANG Yun1,3, JIANG Yong2, ZHENG Jing1,3, PANG Chun-hui1,3, LI Qi1,2
1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;
2. Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055, China;
3. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
Abstract: Software-Defined Networking (SDN) separates the data plane from the control plane, which makes it more flexible, open and programmable than traditional IP networks. However, the separation introduces many security problems. In this paper, we find that controller-to-switch loop (CSL) attacks can be constructed by leveraging dedicated rules and carefully constructed packets. The attacks can effectively exhaust controller resources, which leads to denial of service (DoS). Existing OpenFlow policy verification schemes only focus on detecting data-plane loops and cannot detect such controller-to-switch loops. In order to detect CSL attacks, we propose a novel policy verification scheme. The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages, and efficiently identifies forwarding loops by traversing the graph. To evaluate our defense, we implement it in the Floodlight controller and perform experiments with Mininet. The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.
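As an added illustration of the graph-based detection the abstract describes (example code written for this page, not the authors' Floodlight implementation): switch flow rules and the controller's packet-out behaviour are modelled as a per-header forwarding graph, and a depth-first search reports cycles, flagging those that pass through the controller as CSL loops rather than plain data-plane loops. All switch names, rule tables and the packet-out policy are constructed assumptions.

```python
from collections import defaultdict
TO_CONTROLLER = "to_controller"  # rule action: punt the packet to the controller

def build_graph(flow_rules, packet_out_policy):
    """flow_rules: {switch: {dst_header: next_hop_switch | TO_CONTROLLER | None}}
    (None = delivered to a host). packet_out_policy: {(switch, dst_header): switch}
    = where the controller's packet-in handler re-injects that packet (constructed).
    Edge = (next_node, via_controller), so CSL loops can be told from data-plane ones."""
    graph = defaultdict(list)
    for sw, table in flow_rules.items():
        for dst, action in table.items():
            if action == TO_CONTROLLER:
                target = packet_out_policy.get((sw, dst))
                if target is not None:
                    graph[(sw, dst)].append(((target, dst), True))
            elif action is not None:
                graph[(sw, dst)].append(((action, dst), False))
    return graph

def find_loops(graph):
    """DFS cycle search; returns [(cycle_nodes, involves_controller), ...]."""
    WHITE, GREY, BLACK = 0, 1, 2
    color, loops = defaultdict(int), []

    def dfs(node, path, via_flags):
        color[node] = GREY
        path.append(node)
        for nxt, via in graph.get(node, []):
            if color[nxt] == GREY:  # back edge: a forwarding loop closes here
                start = path.index(nxt)
                loops.append((path[start:], any(via_flags[start:] + [via])))
            elif color[nxt] == WHITE:
                via_flags.append(via)
                dfs(nxt, path, via_flags)
                via_flags.pop()
        path.pop()
        color[node] = BLACK
    for node in list(graph):
        if color[node] == WHITE:
            dfs(node, [], [])
    return loops

def demo():
    """Constructed scenario: for dst 'h2', s1 punts to the controller, which re-injects
    via s2, and s2 sends it back to s1 (a CSL loop); for dst 'h1', s1 and s2 simply
    forward to each other (a plain data-plane loop, reported but not flagged as CSL)."""
    rules = {"s1": {"h2": TO_CONTROLLER, "h1": "s2"}, "s2": {"h2": "s1", "h1": "s1"}}
    packet_out = {("s1", "h2"): "s2"}
    return find_loops(build_graph(rules, packet_out))
```

In a real deployment the graph would be rebuilt incrementally from FLOW_MOD update events and observed packet-out messages, as the abstract outlines, rather than from a static table.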