Controlling Your Neighbour's Bandwidth for Fun and for Profit

We carry out a systematic study of the attack-resilience of flow-rule replacement strategies for switch caches in Software-Defined Networks. Flow Rules are inserted into the switch at the request of the network hosts to direct traffic- replacing older rules when the switch flow table is full. Malicious hosts can leverage the flow rule replacement strategy to launch cache flushing attacks. This results in substantially reducing the network throughput of their neighbours forcing their traffic to slow down dramatically. We describe and evaluate the attack on the First-In-First-Out strategy- the defacto SDN flow-rule replacement strategy.