3,642 research outputs found
Know Your Enemy: Stealth Configuration-Information Gathering in SDN
Software Defined Networking (SDN) is a network architecture that aims at
providing high flexibility through the separation of the network logic from the
forwarding functions. The industry has already widely adopted SDN and
researchers thoroughly analyzed its vulnerabilities, proposing solutions to
improve its security. However, we believe important security aspects of SDN are
still left uninvestigated. In this paper, we raise the concern of the
possibility for an attacker to obtain knowledge about an SDN network. In
particular, we introduce a novel attack, named Know Your Enemy (KYE), by means
of which an attacker can gather vital information about the configuration of
the network. This information ranges from the configuration of security tools,
such as attack detection thresholds for network scanning, to general network
policies like QoS and network virtualization. Additionally, we show that an
attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk
of being detected. We underline that the vulnerability exploited by the KYE
attack is proper of SDN and is not present in legacy networks. To address the
KYE attack, we also propose an active defense countermeasure based on network
flows obfuscation, which considerably increases the complexity for a successful
attack. Our solution offers provable security guarantees that can be tailored
to the needs of the specific network under consideratio
Design and Implementation of Monitoring Schemes for Software-Defined Routing over a Federated Multi-domain SDN Testbed
Emerging Software-Defined Networking (SDN) paradigm has been widely affecting most networking fields. However, the real-world SDN application for inter-domain routing management is still limited since the routing exchange among wide-area networks is quite complicate due to the extreme scale of global Internet connectivity. Several SDN-leveraged routing ideas are being proposed to improve the routing exchange among wide-area networks. Thus, in this paper, an on-going experience for experimenting and validating the inter-domain routing proposals over OF@TEIN federated testbed in Asia is shared. By focusing on the design and implementation of monitoring deployment for visibility support, we try to identify practical key points and provide improved monitoring for validating the performance and anomaly of the exchange. Other design considerations are also discussed together with possible future research directions
- …