Introduction
The SDN paradigm creates a separation between data plane processing and control flow processing.
- data plan processing
- forwards packets
- control flow processing
- determine how to populate forwarding tables
The OpenFlow protocol acts as an API between network switches and a logically centralized decision maker, called the OpenFlow controller. In this model,
- Network switch
- cache data flow rules
- when a switch receive a packet and does not know how to forward it according to its cached rules, the switch sends an "elevation" request containing the original packet and a request for guidance to the controller
- OpenFlow Controller
- examines the packet and sends a set of rules that the switch should add to the data plane cache for use in forwarding packets.
Vulnerability
DDos Attack on the controller
- DDos Attack on the controller [1]
- Since the switches will send all the packets it cannot handle to the controller
- There is no need for an attacker to catch the IP address or location of the controller through scanning before launching an attack. The attackers can send some specific attack packets and abnormal packets to SDN networks, all switches will automatically forward these packets to their controller.
- Attackers send packets to probe whether the target is SDN architecture [1]
- Every flow entry in the flow table of a switch contains three items, i.e., rule, action and stats.
- The attacker can make a new or abnormal packet from carefully selected IP, Port, MAC etc., and then send it to the switch.
- Generally, there is no rule in the switch matching the fresh packet sent for the first time. The packet will be uploaded to the controller, and then the controller will broadcast this packet's information to all the network interface to find its route.
- Once getting the route, the controller will issue corresponding rules to the switch's flow table. Otherwise, the controller will make a rule to switch to drop these packets. This whole response will take a long time.
- Then the attacker will send a group of packets with the same information for a second time to the switch, if the response time is much shorter than that of the first time, the network can be determined to be SDN architecture.
- An attacker may launch Blind DDoS directly on the network which claims to be SDN network architecture or switch the attackers has already known is SDN system by scanning.
Tools
- Mininet [2]
- can be used to create a network of OpenFlow switches that are connected according to your plan.
Reference
[1] Defending Blind DDoS Attack on SDN Based on Moving Target Defense, by Duohe Ma, Zhen Xu and Dongdai Liu, in SecureCOMM14
[2] OpenFlow random host mutation: Transparent moving target defense using software defined networking, by J. H. Jafarian, in HotSDN 2012
[2] OpenFlow random host mutation: Transparent moving target defense using software defined networking, by J. H. Jafarian, in HotSDN 2012
No comments:
Post a Comment