Analysis and Evaluation of OpenFlow Message Usage for Security Applications

  • Sebastian Seeber
  • Gabi Dreo Rodosek
  • Gaëtan Hurel
  • Rémi Badonnel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9701)

Abstract

With the advances in cloud computing and virtualization technologies, Software-Defined Networking (SDN) has become a fertile ground for building network management and security applications that use the OpenFlow protocol to gain access to the forwarding plane. This paper presents an analysis and evaluation of OpenFlow message usage for supporting network security applications. After describing the security attacks under consideration, we present the mitigation and defence strategies currently used in SDN environments to tackle them. We then analyze the dependencies of these mechanisms on the OpenFlow messages that support their instantiation. Finally, we conduct a series of experiments on software and hardware OpenFlow switches in order to validate our analysis and quantify the limits of current security mechanisms across different OpenFlow implementations.

Notes

Acknowledgment

The authors wish to thank the members of the Chair for Communication Systems and Internet Services at the Universität der Bundeswehr München, headed by Prof. Dr. Gabi Dreo Rodosek, for helpful discussions and valuable comments on this paper. This work was partly funded by FLAMINGO, a Network of Excellence project (ICT-318488) supported by the European Commission under its Seventh Framework Programme.

Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  • Sebastian Seeber (1, corresponding author)
  • Gabi Dreo Rodosek (1)
  • Gaëtan Hurel (2)
  • Rémi Badonnel (2)

  1. Department of Computer Science, Universität der Bundeswehr München, Neubiberg, Germany
  2. Inria Nancy Grand-Est, Université de Lorraine, Villers-lès-Nancy, France