
Mitigating attacks in software defined networks

Published in: Cluster Computing

Abstract

Software defined networking (SDN) is where future network innovation lies. Over the past half decade this technology has transformed the networking world and is helping to replace legacy network architectures, bringing improved performance and quality of service. Security in SDN, however, remains an afterthought. In this paper we present a detailed discussion of some of the attacks possible in SDN and of techniques to deal with them. The threat model considers some significantly vulnerable areas of SDN that can lead to severe network security breaches. In particular, we describe attacks on the Controller, attacks on networking devices, attacks exploiting the communication links between the control plane and the data plane, and different types of topology poisoning attacks. We then propose techniques to deal with some of these attacks. We make use of a northbound security application on the Controller and OpenFlow agents in the networking devices to enforce security policies in the data plane. The security application is used to specify and store the security policies and to decide how they are enforced against different types of attacks. We describe a prototype implementation of our approach using the ONOS Controller and demonstrate its effectiveness against different types of attacks.
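The abstract describes a northbound security application that stores policies and decides on their enforcement, with OpenFlow agents applying them in the data plane. The following is an added illustration of that split, not code from the paper or from ONOS: the policy format, the flow-entry layout and the sample subnets are all assumptions made for the example.

```python
# Added example, not the paper's code: a minimal northbound security-policy
# store that compiles policies into OpenFlow-style flow entries for data-plane
# agents and evaluates packet-in events on the controller (fields are assumed).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17}  # IANA protocol numbers

@dataclass(frozen=True)
class Policy:
    src: str              # IPv4 CIDR
    dst: str              # IPv4 CIDR
    proto: Optional[str]  # "tcp", "udp", "icmp" or None for any
    dport: Optional[int]  # L4 destination port, tcp/udp only
    action: str           # "allow" or "drop"
    priority: int         # higher wins, as in OpenFlow

def to_flow_entry(p: Policy) -> dict:
    """Map one policy to an OpenFlow 1.3-style match/action entry."""
    match = {"eth_type": 0x0800, "ipv4_src": p.src, "ipv4_dst": p.dst}
    if p.proto:
        match["ip_proto"] = IP_PROTO[p.proto]
    if p.dport is not None and p.proto in ("tcp", "udp"):
        match[f"{p.proto}_dst"] = p.dport
    # An empty OpenFlow action list drops; allow forwards normally.
    actions = [] if p.action == "drop" else [{"output": "NORMAL"}]
    return {"priority": p.priority, "match": match, "actions": actions}

def compile_policies(policies) -> list:
    """Agent flow table: entries by priority, then a priority-0 default-drop."""
    ordered = sorted(policies, key=lambda x: -x.priority)
    return [to_flow_entry(p) for p in ordered] + [
        {"priority": 0, "match": {}, "actions": []}]

def matches(p: Policy, pkt: dict) -> bool:
    """True when a packet-in (src, dst, proto, dport) falls under p."""
    return (ip_address(pkt["src"]) in ip_network(p.src)
            and ip_address(pkt["dst"]) in ip_network(p.dst)
            and (p.proto is None or pkt.get("proto") == p.proto)
            and (p.dport is None or pkt.get("dport") == p.dport))

def decide(policies, pkt: dict) -> str:
    """Controller-side decision: first match by priority, default deny."""
    for p in sorted(policies, key=lambda x: -x.priority):
        if matches(p, pkt):
            return p.action
    return "drop"
# Constructed sample policies: guest subnet denied to servers; HTTPS admitted.
POLICIES = [Policy("10.0.9.0/24", "10.0.1.0/24", None, None, "drop", 300),
            Policy("0.0.0.0/0", "10.0.1.0/24", "tcp", 443, "allow", 200)]
```

The priority-0 catch-all in the compiled table is what makes the data plane fail closed when a policy is missing or the control channel is lost.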





Corresponding author

Correspondence to Kallol Krishna Karmakar.


Cite this article

Karmakar, K.K., Varadharajan, V. & Tupakula, U. Mitigating attacks in software defined networks. Cluster Comput 22, 1143–1157 (2019). https://doi.org/10.1007/s10586-018-02900-2
