
Analysis of Topology Poisoning Attacks in Software-Defined Networking

  • Conference paper
  • Secure IT Systems (NordSec 2019)
  • Part of the book series: Lecture Notes in Computer Science (volume 11875)

Abstract

In software-defined networking (SDN), routing decisions are made by a trusted network controller, which communicates with each forwarding device over a secure control channel. While this architecture avoids many security issues of distributed routing protocols, SDN remains vulnerable to topology poisoning attacks during topology discovery. Faked link information can cause wrong routing decisions by the controller and, thus, enable the attacker to reroute some traffic flows to compromised nodes. This paper provides both qualitative and quantitative analysis of topology poisoning attacks in SDN. We classify the attacks including new variants and analyze how their impact depends on the network topology, routing policy, and attacker location. While most of the literature emphasizes the security of the SDN controller and control channels, we assume them to be secure and aim to understand the ability of a small number of compromised switches to divert traffic flows. This is important because the low-cost, heterogeneous network equipment available for SDN may not be entirely trusted and because targeted attacks often start from the compromise of a single device.
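The diversion the abstract describes can be made concrete by re-running the controller's path computation with and without a faked link. The following is an added example, not code from the paper: it assumes a controller that routes by hop count (BFS shortest paths) over the topology it has discovered, a constructed dumbbell network of two switch clusters joined by a chain, one host per leaf switch, and a fake link announced between two compromised switches. The topology, all switch and host names, and the `assess` function are constructed for this illustration; the output is the number of host-to-host flows the fake link diverts and how many of them newly traverse a compromised switch.

```python
"""Impact analysis of a faked link on hop-count shortest-path routing.

Added illustration (not the paper's code). The controller's view of the
topology is a link list; a topology poisoning attack adds a link that does
not physically exist, and the controller recomputes routes over it.
"""
from collections import deque
from itertools import combinations

# Constructed topology: leaf switches a1..a3 behind hub A, b1..b3 behind hub B,
# and a three-switch chain c1-c2-c3 joining the hubs.
LINKS = [
    ("a1", "A"), ("a2", "A"), ("a3", "A"),
    ("b1", "B"), ("b2", "B"), ("b3", "B"),
    ("A", "c1"), ("c1", "c2"), ("c2", "c3"), ("c3", "B"),
]
# Each host attaches to one leaf switch; its flows enter the network there.
HOST_SWITCH = {"h_a1": "a1", "h_a2": "a2", "h_a3": "a3",
               "h_b1": "b1", "h_b2": "b2", "h_b3": "b3"}


def adjacency(links):
    """Undirected adjacency lists from a list of (u, v) links."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    return adj


def shortest_path(adj, src, dst):
    """Hop-count shortest path by BFS; neighbours are expanded in sorted
    order so equal-length paths are broken the same way every run."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            break
        for v in sorted(adj.get(u, [])):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def route_all(links, host_switch):
    """Switch-level path for every unordered host pair (the flow set)."""
    adj = adjacency(links)
    return {(h1, h2): shortest_path(adj, host_switch[h1], host_switch[h2])
            for h1, h2 in combinations(sorted(host_switch), 2)}


def assess(links, host_switch, compromised, fake_link):
    """Compare routing before and after the controller accepts fake_link.

    A flow is 'exposed' if any switch on its path is compromised; it is
    'diverted' if the fake link changed the path the controller installs.
    """
    before = route_all(links, host_switch)
    after = route_all(links + [fake_link], host_switch)

    def exposed(routes):
        return {f for f, p in routes.items() if compromised & set(p)}

    diverted = [f for f in before if before[f] != after[f]]
    newly = exposed(after) - exposed(before)
    return {
        "flows": len(before),
        "diverted": len(diverted),
        "exposed_before": len(exposed(before)),
        "exposed_after": len(exposed(after)),
        "newly_exposed": sorted(newly),
    }


if __name__ == "__main__":
    # Attacker location matters: one compromised switch in each cluster
    # versus two compromised switches in the same cluster.
    for comp, fake in ({"a1", "b1"}, ("a1", "b1")), ({"a1", "a2"}, ("a1", "a2")):
        print(f"compromised={sorted(comp)} fake_link={fake}")
        print("  ", assess(LINKS, HOST_SWITCH, comp, fake))
```

Running it shows the location dependence the abstract refers to: a fake link between one compromised switch in each cluster is a shortcut that pulls all nine cross-cluster flows onto itself and newly exposes the four flows that previously touched neither compromised switch, whereas a fake link between two switches in the same cluster changes only the path between those two hosts, which was already exposed. For a defender, the same computation run over the controller's real topology, treating each candidate link pair as hypothetically fake, gives an estimate of the blast radius of a switch compromise and a ranking of which discovered links most deserve independent corroboration before routing trusts them.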



Author information

Corresponding author: Thanh Bui

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Bui, T., Antikainen, M., Aura, T. (2019). Analysis of Topology Poisoning Attacks in Software-Defined Networking. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science, vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_6

  • DOI: https://doi.org/10.1007/978-3-030-35055-0_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35054-3

  • Online ISBN: 978-3-030-35055-0

  • eBook Packages: Computer Science (R0)
