Survey of Attacks and Countermeasures for SDN
  • English title: Survey of Attacks and Countermeasures for SDN
  • Authors: BAI Jiasong; ZHANG Menghao; BI Jun
  • Authors (English): BAI Jiasong; ZHANG Menghao; BI Jun; Institute for Network Sciences and Cyberspace, Tsinghua University; Department of Computer Science and Technology, Tsinghua University; Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University
  • English keywords: SDN; indirect/direct data plane event; data-to-control plane saturation attack; control plane reflection attack
  • Chinese journal title: ZCTX
  • English journal title: 中兴通讯技术 (English edition)
  • Affiliations: Institute for Network Sciences and Cyberspace, Tsinghua University; Department of Computer Science and Technology, Tsinghua University; Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University
  • Publication date: 2018-10-15 17:22
  • Publisher: ZTE Communications
  • Year: 2018
  • Issue: v.16; No.64
  • Funding: supported in part by the National Key R&D Program of China under Grant No. 2017YFB0801701; the National Science Foundation of China under Grant No. 61472213; CERNET Innovation Project (NGII20160123)
  • Language: English
  • Page: ZCTX201804003
  • Number of pages: 6
  • CN: 04
  • ISSN: 34-1294/TN
  • Classification number: 7-12
Abstract
Software defined networking (SDN) has attracted significant attention from both academia and industry by its ability to reconfigure network devices with logically centralized applications. However, some critical security issues have also been introduced along with the benefits, which put an obstruction to the deployment of SDN. One root cause of these issues lies in the limited resources and capability of devices involved in the SDN architecture, especially the hardware switches lying in the data plane. In this paper, we analyze the vulnerability of SDN and present two kinds of SDN-targeted attacks: 1) data-to-control plane saturation attack, which exhausts resources of all SDN components, including control plane, data plane, and the in-between downlink channel, and 2) control plane reflection attack, which only attacks the data plane and gets conducted in a more efficient and hidden way. Finally, we propose the corresponding defense frameworks to mitigate such attacks.
