417 research outputs found
LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks
Software Defined Networking (SDN) is a new networking architecture which aims
to provide better decoupling between network control (control plane) and data
forwarding functionalities (data plane). This separation introduces several
benefits, such as a directly programmable and (virtually) centralized network
control. However, researchers showed that the required communication channel
between the control and data plane of SDN creates a potential bottleneck in the
system, introducing new vulnerabilities. Indeed, this behavior could be
exploited to mount powerful attacks, such as the control plane saturation
attack, that can severely hinder the performance of the whole network.
In this paper we present LineSwitch, an efficient and effective solution
against control plane saturation attack. LineSwitch combines SYN proxy
techniques and probabilistic blacklisting of network traffic. We implemented
LineSwitch as an extension of OpenFlow, the current reference implementation of
SDN, and evaluate our solution considering different traffic scenarios (with
and without attack). The results of our preliminary experiments confirm that,
compared to the state-of-the-art, LineSwitch reduces the time overhead up to
30%, while ensuring the same level of protection.Comment: In Proceedings of the 10th ACM Symposium on Information, Computer and
Communications Security (ASIACCS 2015). To appea
Outsmarting Network Security with SDN Teleportation
Software-defined networking is considered a promising new paradigm, enabling
more reliable and formally verifiable communication networks. However, this
paper shows that the separation of the control plane from the data plane, which
lies at the heart of Software-Defined Networks (SDNs), introduces a new
vulnerability which we call \emph{teleportation}. An attacker (e.g., a
malicious switch in the data plane or a host connected to the network) can use
teleportation to transmit information via the control plane and bypass critical
network functions in the data plane (e.g., a firewall), and to violate security
policies as well as logical and even physical separations. This paper
characterizes the design space for teleportation attacks theoretically, and
then identifies four different teleportation techniques. We demonstrate and
discuss how these techniques can be exploited for different attacks (e.g.,
exfiltrating confidential data at high rates), and also initiate the discussion
of possible countermeasures. Generally, and given today's trend toward more
intent-based networking, we believe that our findings are relevant beyond the
use cases considered in this paper.Comment: Accepted in EuroSP'1
Scenario based security evaluation: Generic OpenFlow network
Demand for network programmability was recognized when development of protocolsslowed down due to network inflexibilities in 1980s. Research speeded up andmany proposals were made to solve architectural issues during 2000s. Academicworld put up an initiative to build up new programmable network architecturelater 2000s. OpenFlow was born.In modern public network infrastructures the security of the network architectureis crucial to archive data confidentiality, integrity and authenticity, yet high availability.Many studies have shown that there are many security vulnerabilities andissues on current OpenFlow implementations and even in OpenFlow specificationitself. Many proposals have been made to enhance these known issues. In thisresearch, the scenario based security evaluation of the generic OpenFlow networkarchitecture was carried out using technology publications and literature. Thesecurity evaluation framework was used in security assessment.Proposed risk mitigation patterns were found to be effective on most of the casesfor all 13 identified and evaluated scenarios. Lack of mandatory encryption andauthentication in OpenFlow control channel were most critical risks on generallevel. OpenFlow specification should provide clear guidance how this should beimplemented to guarantee inter-operability between different vendors. Short termsolution is to use IPSec. Second critical issue was that bugs and vulnerabilitiesin OpenFlow controller and switch software are causing major risks for security.Proper quality assurance process, testing methods and evaluation are needed toenhance security on all phases of the software production.Current OpenFlow implementations are suffering poor security. Tolerable levelcan be reached by utilizing small enhancements. There are still many areas whichneed to be researched to archive solid foundation for software defined networks ofthe future
Routing-Verification-as-a-Service (RVaaS): Trustworthy Routing Despite Insecure Providers
Computer networks today typically do not provide any mechanisms to the users
to learn, in a reliable manner, which paths have (and have not) been taken by
their packets. Rather, it seems inevitable that as soon as a packet leaves the
network card, the user is forced to trust the network provider to forward the
packets as expected or agreed upon. This can be undesirable, especially in the
light of today's trend toward more programmable networks: after a successful
cyber attack on the network management system or Software-Defined Network (SDN)
control plane, an adversary in principle has complete control over the network.
This paper presents a low-cost and efficient solution to detect misbehaviors
and ensure trustworthy routing over untrusted or insecure providers, in
particular providers whose management system or control plane has been
compromised (e.g., using a cyber attack). We propose
Routing-Verification-as-a-Service (RVaaS): RVaaS offers clients a flexible
interface to query information relevant to their traffic, while respecting the
autonomy of the network provider. RVaaS leverages key features of
OpenFlow-based SDNs to combine (passive and active) configuration monitoring,
logical data plane verification and actual in-band tests, in a novel manner
The Challenges in SDN/ML Based Network Security : A Survey
Machine Learning is gaining popularity in the network security domain as many
more network-enabled devices get connected, as malicious activities become
stealthier, and as new technologies like Software Defined Networking (SDN)
emerge. Sitting at the application layer and communicating with the control
layer, machine learning based SDN security models exercise a huge influence on
the routing/switching of the entire SDN. Compromising the models is
consequently a very desirable goal. Previous surveys have been done on either
adversarial machine learning or the general vulnerabilities of SDNs but not
both. Through examination of the latest ML-based SDN security applications and
a good look at ML/SDN specific vulnerabilities accompanied by common attack
methods on ML, this paper serves as a unique survey, making a case for more
secure development processes of ML-based SDN security applications.Comment: 8 pages. arXiv admin note: substantial text overlap with
arXiv:1705.0056
- …