Security Threats in the Data Plane of Software-Defined Networks

SDN has enabled extensive network programmability and speedy network innovations by decoupling the control plane from the data plane. However, the separation of the two planes could also be a potential threat to the whole network. Previous approaches pointed out that attackers can launch various attacks from the data plane against SDN, such as DoS attacks, topology poisoning attacks, and side-channel attacks. To address the security issues, we present a comprehensive study of data plane attacks in SDN, and propose FlowKeeper, a common framework to build a robust data plane against different attacks. FlowKeeper enforces port control of the data plane and reduces the workload of the control plane by filtering out illegal packets. Experimental results show that FlowKeeper could be used to efficiently mitigate different kinds of attacks (i.e., DoS and topology poisoning attacks).