3,642 research outputs found

    Know Your Enemy: Stealth Configuration-Information Gathering in SDN

    Full text link
    Software Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the separation of the network logic from the forwarding functions. The industry has already widely adopted SDN and researchers thoroughly analyzed its vulnerabilities, proposing solutions to improve its security. However, we believe important security aspects of SDN are still left uninvestigated. In this paper, we raise the concern of the possibility for an attacker to obtain knowledge about an SDN network. In particular, we introduce a novel attack, named Know Your Enemy (KYE), by means of which an attacker can gather vital information about the configuration of the network. This information ranges from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that an attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk of being detected. We underline that the vulnerability exploited by the KYE attack is proper of SDN and is not present in legacy networks. To address the KYE attack, we also propose an active defense countermeasure based on network flows obfuscation, which considerably increases the complexity for a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideratio

    Design and Implementation of Monitoring Schemes for Software-Defined Routing over a Federated Multi-domain SDN Testbed

    Get PDF
    Emerging Software-Defined Networking (SDN) paradigm has been widely affecting most networking fields. However, the real-world SDN application for inter-domain routing management is still limited since the routing exchange among wide-area networks is quite complicate due to the extreme scale of global Internet connectivity. Several SDN-leveraged routing ideas are being proposed to improve the routing exchange among wide-area networks. Thus, in this paper, an on-going experience for experimenting and validating the inter-domain routing proposals over OF@TEIN federated testbed in Asia is shared. By focusing on the design and implementation of monitoring deployment for visibility support, we try to identify practical key points and provide improved monitoring for validating the performance and anomaly of the exchange. Other design considerations are also discussed together with possible future research directions
    • …
    corecore