Skip to main content
SpringerLink
Log in

Misreporting Attacks Against Load Balancers in Software-Defined Networking

  • Published:
Mobile Networks and Applications Aims and scope Submit manuscript

Abstract

Load balancers enable efficient use of network resources by distributing traffic fairly across them. In software-defined networking (SDN), load balancing is most often realized by a controller application that solicits traffic load reports from network switches and enforces load balancing decisions through flow rules. This separation between the control and data planes in SDNs creates an opportunity for an adversary at a compromised switch to misreport traffic loads to influence load balancing. In this paper, we evaluate the ability of such an adversary to control the volume of traffic flowing through a compromised switch by misreporting traffic loads. We take a probabilistic approach to model the attack and develop algorithms for misreporting that allow an adversary to tune attack parameters toward specific adversarial goals. We validate the algorithms with a virtual network testbed, finding that through misreporting the adversary can control traffic flow to a high degree by drawing a target amount of load (e.g., + 200%) to within a 2% to 10% error of that target. This is yet another example of how depending on untrustworthy reporting in making control decisions can lead to fundamental security failures.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. We leave to future work analyzing more specialized variants of these algorithms.

  2. Note that switches may have multiple pool members (ports), but here we just consider a single pool member per switch and use switch and pool member interchangeably.

References

  1. Project floodlight (2011) http://www.projectfloodlight.org/floodlight/. [Online; accessed 19-October-2018]

  2. Opendaylight project (2013) https://www.opendaylight.org/. [Online; accessed 19-October-2018]

  3. Aslam S, Shah MA (2015) Load balancing algorithms in cloud computing: a survey of modern techniques. In: 2015 National Software Engineering Conference (NSEC). IEEE, Rawalpindi, Pakistan, pp 30–35

  4. Handigol N, Seetharaman S, Flajslik M, McKeown N, Johari R (2009) Plug-n-serve: Load-balancing web traffic using openflow. ACM Sigcomm Demo 4(5):6

    Google Scholar 

  5. Li J, Chang X, Ren Y, Zhang Z, Wang G (2014) An effective path load balancing mechanism based on SDN. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, Beijing, China, pp 527–533

  6. Mesbahi M, Rahmani AM (2016) Load balancing in cloud computing: a state of the art survey. Int J Modern Educ Comput Sci 8(3):64

    Article  Google Scholar 

  7. Qilin M, Weikang S (2015) A load balancing method based on SDN. In: 2015 Seventh International Conference on Measuring Technology and Mechatronics Automation. IEEE, Nanchang, China, pp 18–21

  8. Zhang J, Yu FR, Wang S, Huang T, Liu Z, Liu Y (2018) Load balancing in data center networks: A survey. IEEE Commun Surv Tutorials 20(3):2324–2352

    Article  Google Scholar 

  9. Guo Z, Su M, Xu Y, Duan Z, Wang L, Hui S, Chao HJ (2014) Improving the performance of load balancing in software-defined networks through load variance-based synchronization. Comput Netw 68:95–109

    Article  Google Scholar 

  10. Neghabi AA, Jafari Navimipour N, Hosseinzadeh M, Rezaee A (2018) Load balancing mechanisms in the software defined networks: A systematic and comprehensive review of the literature. IEEE Access 6:14159–14178. https://doi.org/10.1109/ACCESS.2018.2805842

    Article  Google Scholar 

  11. Benson T, Akella A, Maltz DA (2010) Network traffic characteristics of data centers in the wild. In: Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. ACM, New York, NY, pp 267–280

  12. Rao A, Legout A, Lim Ys, Towsley D, Barakat C, Dabbous W (2011) Network characteristics of video streaming traffic. In: Proceedings of the Seventh COnference on emerging Networking EXperiments and Technologies. ACM, New York, NY, pp 1–12

  13. Hong S, Xu L, Wang H, Gu G (2015) Poisoning network visibility in software-defined networks: New attacks and countermeasures. NDSS 15:8–11

    Google Scholar 

  14. Khan S, Gani A, Wahab AWA, Guizani M, Khan MK (2016) Topology discovery in software defined networks: Threats, taxonomy, and state-of-the-art. IEEE Commun Surv Tutorials 19(1):303–324

    Article  Google Scholar 

  15. Yoon C, Lee S, Kang H, Park T, Shin S, Yegneswaran V, Porras P, Gu G (2017) Flow wars: Systemizing the attack surface and defenses in software-defined networks. IEEE/ACM Trans Netw (TON) 25(6):3514–3530

    Article  Google Scholar 

  16. Kang N, Ghobadi M, Reumann J, Shraer A, Rexford J (2014) Niagara: scalable load balancing on commodity switches. Tech Rep, Technical Report (TR-973–14), Princeton

  17. Wang R, Butnariu D, Rexford J et al (2011) Openflow based server load balancing gone wild. Hot-ICE 11:12–12

    Google Scholar 

  18. Mahmood A, Rashid I (2011) Comparison of load balancing algorithms for clustered web servers. In: ICIMU 2011: proceedings of the 5th international Conference on Information Technology & Multimedia. IEEE, Kuala Lumpur, Malaysia, pp 1–6

  19. Zhou Y, Zhu M, Xiao L, Ruan L, Duan W, Li D, Liu R, Zhu M (2014) A load balancing strategy of SDN controller based on distributed decision. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, Beijing, China, pp 851–856

  20. Arau´jo JT, Saino L, Buytenhek L, Landa R (2018) Balancing on the edge: Transport affinity without network state. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18), pp. 111–124

  21. The netfilter.org project (1998). URL https://www.netfilter.org/

  22. Eisenbud DE, Yi C, Contavalli C, Smith C, Kononov R, Mann-Hielscher E, Cilingiroglu A, Cheyney B, Shang W, Hosein JD (2016) Maglev: A fast and reliable software network load balancer. In: 13th USENIX Symposium on Networked Systems Design and Implementation ({NSDI} 16), pp. 523–535

  23. Patel P, Bansal D, Yuan L, Murthy A, Greenberg A, Maltz DA, Kern R, Kumar H, Zikos M, Wu H et al (2013) Ananta: Cloud scale load balancing. ACM SIGCOMM Comput Commun Rev 43(4):207–218

    Article  Google Scholar 

  24. Openflow switch specification (2015) https://www.opennetworking.org/software-defined-standards/specifications/. [Online; accessed 19-October- 2018]

  25. Raghavan B, Vishwanath K, Ramabhadran S, Yocum K, Snoeren AC (2007) Cloud control with distributed rate limiting. In: ACM SIGCOMM Computer Communication Review, vol. 37. ACM, New York, NY, pp 337–348

  26. Feghhi S, Leith DJ (2016) A web traffic analysis attack using only timing information. IEEE Trans Inf Forensics Secur 11(8):1747–1759

    Article  Google Scholar 

  27. Aslan M, Matrawy A (2016) On the impact of network state collection on the performance of sdn applications. IEEE Commun Lett 20(1):5–8

    Article  Google Scholar 

  28. Arbettu RK, Khondoker R, Bayarou K, Weber F (2016) Security analysis of opendaylight, onos, rosemary and ryu sdn controllers. In: 2016 17th International Telecommunications Network Strategy and Planning Symposium (Networks). IEEE, Montreal, QC, pp 37–44. https://doi.org/10.1109/NETWKS.2016.7751150

  29. Benzekki K, El Fergougui A, Elbelrhiti Elalaoui A (2016) Software-defined networking (sdn): a survey. Secur Commun Netw 9(18):5803–5833

    Article  Google Scholar 

  30. Dargahi T, Caponi A, Ambrosin M, Bianchi G, Conti M (2017) A survey on the security of stateful sdn data planes. IEEE Commun Surv Tutorials 19(3):1701–1725

    Article  Google Scholar 

  31. Scott-Hayward S, O’Callaghan G, Sezer S (2013) SDN security: a survey. In: 2013 IEEE SDN For Future Networks and Services (SDN4FNS). IEEE, Trento, Italy, pp 1–7

  32. Thimmaraju K, Schiff L, Schmid S (2017) Outsmarting network security with sdn teleportation. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, Paris, France, pp 563–578

  33. Pfaff B, Pettit J, Koponen T, Jackson E, Zhou A, Rajahalme J, Gross J, Wang A, Stringer J, Shelar P et al (2015) The design and implementation of open vSwitch. In: 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15). USENIX Association, Oakland, CA, pp 117–130

  34. Thimmaraju K, Shastry B, Fiebig T, Hetzelt F, Seifert JP, Feldmann A, Schmid S (2018) Taking control of sdn-based cloud systems via the data plane. In: Proceedings of the Symposium on SDN Research. ACM, New York, NY, pp 1–15

  35. Chica JCC, Imbachi JC, Vega JFB (2020) Security in sdn: A comprehensive survey. J Netw Comput Appl 159:102595

    Article  Google Scholar 

  36. Benson T, Anand A, Akella A, Zhang M (2009) Understanding data center traffic characteristics. In: Proceedings of the 1st ACM workshop on Research on enterprise networking, pp. 65–72. ACM

  37. Burke Q, McDaniel P, Porta TL, Yu M, He T (2020) Misreporting attacks in software-defined networking. In: EAI SecureComm 2020 – 16th EAI International Conference on Security and Privacy in Communication Networks. EAI, pp 1519–1528

  38. Achleitner S, La Porta T, Jaeger T, McDaniel P (2017) Adversarial network forensics in software defined networking. In: Proceedings of the Symposium on SDN Research, SOSR ’17. ACM, New York, NY, USA, pp 8–20. https://doi.org/10.1145/3050220.3050223

  39. Kampanakis P, Perros H, Beyene T (2014) SDN-based solutions for moving target defense network protection. In: Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014. IEEE, Sydney, NSW, pp 1–6

  40. De Oliveira RLS, Schweitzer CM, Shinoda AA, Prete LR (2014) Using mininet for emulation and prototyping software-defined networks. In: 2014 IEEE Colombian Conference on Communications and Computing (COLCOM). IEEE, Bogota, Colombia, pp 1–6

  41. Qian H, Medhi D (2011) Server operational cost optimization for cloud computing service providers over a time horizon. In: Hot-ICE. USENIX Association, Boston, MA

  42. Curtis AR, Mogul JC, Tourrilhes J, Yalagandula P, Sharma P, Banerjee S (2011) Devoflow: scaling flow management for high-performance networks. In: ACM SIGCOMM Computer Communication Review, vol 41. ACM, New York, NY, pp 254–265

  43. Greenberg A, Hamilton JR, Jain N, Kandula S, Kim C, Lahiri P, Maltz DA, Patel P, Sengupta S (2009) Vl2: a scalable and flexible data center network. In: ACM SIGCOMM computer communication review, vol 39. ACM, New York, NY, pp 51–62

  44. Chandrasekaran SS (2017) Understanding traffic characteristics in a server to server data center network. Thesis, Rochester Institute of Technology

  45. Aweya J, Ouellette M, Montuno DY, Doray B, Felske K (2002) An adaptive load balancing scheme for web servers. Int J Network Manage 12(1):3–39

    Article  Google Scholar 

  46. Ahmed M, Mahmood AN, Hu J (2016) A survey of network anomaly detection techniques. J Netw Comput Appl 60:19–31

    Article  Google Scholar 

  47. Caberera J, Ravichandran B, Mehra RK (2000) Statistical traffic modeling for network intrusion detection. In: Proceedings 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (Cat. No. PR00728). IEEE, San Francisco, CA, pp 466–473

  48. Dhawan M, Poddar R, Mahajan K, Mann V (2015) Sphinx: detecting security attacks in software-defined networks. Ndss 15:8–11

    Google Scholar 

  49. Kamisin´ski A, Fung C (2015) Flowmon: detecting malicious switches in software-defined networks. In: Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense. ACM, New York, NY, pp 39–45

  50. Zhang Y (2013) An adaptive flow counting method for anomaly detection in SDN. In: Proceedings of the ninth ACM conference on Emerging networking experiments and technologies. ACM, New York, NY, pp 25–30

  51. Dridi L, Zhani MF (2016) SDN-guard: Dos attacks mitigation in sdn networks. In: 2016 5th IEEE International Conference on Cloud Networking (Cloudnet). IEEE, Pisa, Italy, pp 212–217

  52. Achleitner S, Burke Q, McDaniel P, Jaeger T, Porta TL, Krishnamurthy S (2019) MLSNet: A Policy Complying Multilevel Security Framework for Software Defined Networking. Tech. Rep. INSR-500-TR-0500–2019, Institute of Networking and Security Research, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA, USA. http://patrickmcdaniel.org/papers-ct.html

  53. Yu M, He T, McDaniel P, Burke QK (2020) Flow table security in SDN: adversarial reconnaissance and intelligent attacks. In: IEEE INFOCOM 2020-IEEE Conference on Computer Communications. IEEE, Toronto, ON, pp 1519–1528

  54. Kang MS, Gligor VD, Sekar V et al (2016) Spiffy: Inducing cost-detectability tradeoffs for persistent link-flooding attacks. NDSS 1:53–55

    Google Scholar 

  55. Yu H, Shen Z, Miao C, Leung C, Niyato D (2010) A survey of trust and reputation management systems in wireless communications. Proc IEEE 98(10):1755–1772

    Article  Google Scholar 

  56. Tan S, Li X, Dong Q (2015) Trust based routing mechanism for securing oslr-based manet. Ad Hoc Netw 30:84–98

    Article  Google Scholar 

  57. Zhang J (2011) A survey on trust management for VANETs. In: 2011 IEEE International Conference on Advanced Information Networking and Applications. IEEE, Biopolis, Singapore, pp 105–112

  58. Lopez J, Roman R, Agudo I, Fernandez-Gago C (2010) Trust management systems for wireless sensor networks: Best practices. Comput Commun 33(9):1086–1093

    Article  Google Scholar 

  59. Buchegger S, Le Boudec JY (2002) Performance analysis of the confidant protocol. In: Proceedings of the 3rd ACM international symposium on Mobile ad hoc networking & computing. ACM, New York, NY, pp 226–236

  60. Aliyu AL, Bull P, Abdallah A (2017) A trust management framework for network applications within an SDN environment. In: 2017 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA). IEEE, Taipei, Taiwan, pp 93–98

  61. Betg´e-Brezetz S, Kamga GB, Tazi M (2015) Trust support for SDN controllers and virtualized network applications. In: Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft). IEEE, London, UK, pp 1–5

Download references

Funding

This research was sponsored by the U.S. Army Combat Capabilities Development Command Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13–2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Combat Capabilities Development Command Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on. This work was also supported in part by the National Science Foundation under award CNS-1946022.

Author information

Authors and Affiliations

  1. Pennsylvania State University State College, State College, PA, USA

    Quinn Burke, Patrick McDaniel, Thomas La Porta, Mingli Yu & Ting He

Authors
  1. Quinn Burke
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Patrick McDaniel
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Thomas La Porta
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mingli Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ting He
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Quinn Burke.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Burke, Q., McDaniel, P., La Porta, T. et al. Misreporting Attacks Against Load Balancers in Software-Defined Networking. Mobile Netw Appl (2024). https://doi.org/10.1007/s11036-023-02156-0

Download citation

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s11036-023-02156-0

Keywords

Search

Navigation