ZHANG Yun, JIANG Yong, ZHENG Jing, PANG Chun-hui, LI Qi
Software-Defined Networking (SDN) separates the data plane from the control plane, which makes it more flexible, open and programmable than traditional IP networks. However, the separation introduces many security problems. In this paper, we find that controller-to-switch loop (CSL) attacks can be constructed by leveraging dedicated rules and well-constructed packets. The attacks can effectively exhaust controller resources, leading to denial of service (DoS). Existing OpenFlow policy verification schemes only focus on detecting data-plane loops and cannot detect such controller-to-switch loops. To detect CSL attacks, we propose a novel policy verification scheme. The scheme constructs a packet forwarding graph by analyzing network update events and packet-out messages, and efficiently identifies forwarding loops by traversing the graph. To evaluate our defense, we implement it in the Floodlight controller and perform experiments with Mininet. The experimental results show that our defense can precisely detect the loop attacks and effectively throttle them.
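As an added illustration of the graph-based check described in the abstract (example code written for this page, not the authors' Floodlight implementation): a toy model in which installed flow rules and links define switch-to-switch edges, a rule that punts a packet to the controller defines an edge into a controller node, and recorded packet-out messages define the controller's outgoing edges. A cycle that passes through the controller node is a controller-to-switch loop; a cycle that does not is an ordinary data-plane loop, which is all a data-plane-only verifier would see. The two-switch topology, the rules, the packet-out log and the packet headers are constructed for the example; the paper's actual graph construction and traversal may differ from this simplification.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Simplified OpenFlow model assumed for this example (not the paper's code):
# a rule is (priority, match, action); action is ("output", port) or
# ("controller", None); a packet is a dict of header fields.
CONTROLLER = "controller"
Action = Tuple[str, Optional[int]]
Node = Tuple[str, object]   # ("sw", (switch, in_port)) or (CONTROLLER, switch)


def pkt_key(pkt: dict) -> tuple:
    """Canonical key for a packet header, used to look up recorded packet-outs."""
    return tuple(sorted(pkt.items()))


class ForwardingModel:
    def __init__(self) -> None:
        self.links: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.rules: Dict[str, List[Tuple[int, dict, Action]]] = defaultdict(list)
        # (switch that raised packet-in, packet key) -> [(switch, out_port)] the
        # controller injected the packet into via packet-out.
        self.packet_outs: Dict[Tuple[str, tuple], List[Tuple[str, int]]] = defaultdict(list)

    def add_link(self, a: str, pa: int, b: str, pb: int) -> None:
        self.links[(a, pa)] = (b, pb)
        self.links[(b, pb)] = (a, pa)

    def add_rule(self, sw: str, priority: int, match: dict, action: Action) -> None:
        """Network update event: a flow rule was installed on switch sw."""
        self.rules[sw].append((priority, match, action))
        self.rules[sw].sort(key=lambda r: -r[0])          # highest priority first

    def record_packet_out(self, from_sw: str, pkt: dict, to_sw: str, out_port: int) -> None:
        """Packet-out observed in reply to a packet-in from from_sw for this packet."""
        self.packet_outs[(from_sw, pkt_key(pkt))].append((to_sw, out_port))

    def lookup(self, sw: str, pkt: dict) -> Optional[Action]:
        for _prio, match, action in self.rules[sw]:
            if all(pkt.get(k) == v for k, v in match.items()):
                return action
        return None                                          # table miss: treated as drop

    def successors(self, node: Node, pkt: dict) -> List[Node]:
        """Out-edges of the packet forwarding graph for one packet."""
        kind, val = node
        if kind == CONTROLLER:
            # Controller re-injects the packet; it leaves to_sw on out_port and
            # arrives at the link's far end.
            return [("sw", self.links[(sw, p)])
                    for sw, p in self.packet_outs[(val, pkt_key(pkt))]
                    if (sw, p) in self.links]
        sw, in_port = val
        action = self.lookup(sw, dict(pkt, in_port=in_port))
        if action is None:
            return []
        if action[0] == "controller":
            return [(CONTROLLER, sw)]                         # packet-in edge
        if (sw, action[1]) in self.links:
            return [("sw", self.links[(sw, action[1])])]
        return []                                            # edge port: packet left the network

    def find_loops(self, pkt: dict, start: Tuple[str, int]) -> List[Tuple[str, List[Node]]]:
        """DFS from the packet's ingress (switch, port); returns (kind, cycle) pairs."""
        loops: List[Tuple[str, List[Node]]] = []
        path: List[Node] = []
        seen = set()

        def dfs(node: Node) -> None:
            if node in path:
                cycle = path[path.index(node):]
                kind = "CSL" if any(n[0] == CONTROLLER for n in cycle) else "data-plane"
                loops.append((kind, cycle))
                return
            if node in seen:
                return
            seen.add(node)
            path.append(node)
            for nxt in self.successors(node, pkt):
                dfs(nxt)
            path.pop()

        dfs(("sw", start))
        return loops


def build_scenario() -> ForwardingModel:
    """Constructed two-switch topology: s1 port 2 <-> s2 port 1; host on s1 port 1."""
    m = ForwardingModel()
    m.add_link("s1", 2, "s2", 1)
    # dst ...02: s1 forwards to s2, s2 punts to the controller, and the controller's
    # packet-out sends it back out of s2 port 1, so it re-enters s1 and loops via the controller.
    m.add_rule("s1", 10, {"dl_dst": "00:00:00:00:00:02"}, ("output", 2))
    m.add_rule("s2", 10, {"dl_dst": "00:00:00:00:00:02"}, ("controller", None))
    m.record_packet_out("s2", {"dl_dst": "00:00:00:00:00:02"}, "s2", 1)
    # dst ...03: both switches output onto the same link, a pure data-plane loop.
    m.add_rule("s1", 10, {"dl_dst": "00:00:00:00:00:03"}, ("output", 2))
    m.add_rule("s2", 10, {"dl_dst": "00:00:00:00:00:03"}, ("output", 1))
    # dst ...04: s2 has no rule, so the packet is dropped; no loop.
    m.add_rule("s1", 10, {"dl_dst": "00:00:00:00:00:04"}, ("output", 2))
    return m


def classify(dst: str) -> List[str]:
    """Loop kinds found for a packet to dst entering at s1 port 1."""
    return [kind for kind, _ in build_scenario().find_loops({"dl_dst": dst}, ("s1", 1))]


if __name__ == "__main__":
    for dst in ("00:00:00:00:00:02", "00:00:00:00:00:03", "00:00:00:00:00:04"):
        print(dst, classify(dst))
```

The point of the controller node is the part a data-plane-only check misses: for destination 02 the flow tables alone contain no cycle, because s2's rule terminates at the controller; the loop only closes once the recorded packet-out is added as an edge, which is why the scheme has to consume packet-out messages as well as rule updates.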