Defending Against SDN Network Topology Poisoning Attacks

Cited by: 0
Authors
Zheng Z. [1 ]
Xu M. [2 ]
Li Q. [1 ]
Zhang Y. [1 ]
Affiliations
[1] Graduate School at Shenzhen, Tsinghua University, Shenzhen, 518055, Guangdong
[2] Department of Computer Science and Technology, Tsinghua University, Beijing
Source
Li, Qi (qi.li@sz.tsinghua.edu.cn) | 2018 / Science Press / 55
Funding
National Natural Science Foundation of China;
Keywords
Controller; Network security; Network topology poisoning; Software-defined networking (SDN); Switch;
DOI
10.7544/issn1000-1239.2018.20160740
CLC number
Subject classification number
Abstract
Software-defined networking (SDN) is a new network paradigm. Unlike a conventional network, SDN separates the control plane from the data plane: the data-plane functions are implemented in the switches, while only the controller provides the control-plane functions. The controller learns the topology of the whole network and makes the traffic forwarding decisions. However, recent studies show that there are serious vulnerabilities in the topology management services of current SDN controller designs, mainly in the host tracking service and the link discovery service. Attackers can exploit these vulnerabilities to poison the network topology information held by the SDN controller, and can even bring the whole network down. Fortunately, researchers have paid some attention to this serious problem and proposed defense solutions. However, the existing countermeasures can be easily evaded by attackers. In this paper, we propose an effective approach, called SecTopo, to defend against network topology poisoning attacks. Our evaluation of SecTopo in the Floodlight controller shows that the defense solution can effectively secure the network topology with a minor impact on the normal operation of OpenFlow controllers. © 2018, Science Press. All rights reserved.
Pages: 207 / 215
Page count: 8