Stealthy Probing-Based Verification (SPV): An Active Approach to Defending Software Defined Networks Against Topology Poisoning Attacks

Authors: Amir Alimohammadifar, Suryadipta Majumdar, Taous Madi, Yosr Jarraya, Makan Pourzandi

DOI: 10.1007/978-3-319-98989-1_23

Keywords:

Abstract: Since a key advantage of Software Defined Networks (SDN) is providing a logically centralized view of the network topology, the correctness of such a view becomes critical for SDN applications to make the right management decisions. However, recently discovered vulnerabilities in the OpenFlow Discovery Protocol (OFDP) show that malicious hosts and switches can poison the controller's view of the topology and consequently lead to more severe security attacks, such as man-in-the-middle or denial of service. Existing solutions mostly rely on passive techniques, which only work against known attacking methods. In this paper, we propose a novel stealthy probing-based verification approach, namely SPV, to detect fake links regardless of the methods used to fabricate them. Specifically, SPV incrementally verifies legitimate links and detects fake ones by sending probing packets designed to be indistinguishable from normal traffic. To illustrate the feasibility of our approach, we implement SPV in an emulated environment using Mininet and OpenDaylight. We further evaluate the applicability and performance of SPV based on a real SDN/cloud topology. The experimental results show that SPV responds in near real-time (e.g., less than 120 ms) in both environments, which makes it a scalable solution for large networks.
