
Novel MITM Attacks on Security Protocols in SDN: A Feasibility Study

  • Xin Wang
  • Neng Gao
  • Lingchen Zhang (corresponding author)
  • Zongbin Liu
  • Lei Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9977)

Abstract

Software-Defined Networking (SDN) is a new paradigm that gives services and applications great power to manage the network. Because a complete view of the network is the foundation of SDN, many attacks have emerged that poison this network visibility, leading to severe damage. Meanwhile, many defenses have been proposed that patch the controller. We observe that a powerful adversary can bypass these existing defenses to poison topology information and attack security protocols. In this paper we present a method by which the adversary can attack security protocols even with existing defenses (e.g. TopoGuard, SPHINX) in place. We also examine a number of security protocols that may be compromised by our MITM attacks, and propose an approach to detect the presence of the adversary. Our evaluation shows that the defense can effectively detect the fake link in a normal environment. We hope our research attracts more attention to SDN security.
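The topology poisoning the abstract refers to is easier to reason about with a small model: the controller discovers switch-to-switch links by sending LLDP frames out of each port and recording which port reports them back, and an adversary holding two hosts can relay those frames between its hosts so that the controller records a switch-to-switch link that does not exist. The Python below is an illustrative example added to this page; it is not the authors' code, and the latency-based plausibility check at the end is an assumption chosen for the demonstration, not the paper's detection approach. The topology, the HMAC key, the delays and the threshold factor are all constructed.

```python
import hashlib
import hmac
import statistics
from dataclasses import dataclass

KEY = b"constructed-controller-key"  # assumption: key held only by the controller


def lldp_tag(src, sent_us):
    """HMAC over the chassis/port identity and a send timestamp (assumed TLVs)."""
    msg = f"{src[0]}:{src[1]}:{sent_us}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class LLDPFrame:
    src: tuple      # (dpid, port_no) the controller sent the frame out of
    sent_us: int    # controller clock at packet-out
    tag: bytes      # integrity tag over src and sent_us


@dataclass
class Network:
    """Constructed fabric. wires maps a switch port to its peer switch port or to a
    host name; relay maps an adversary host to the accomplice it tunnels frames to."""
    wires: dict
    relay: dict
    wire_delay_us: int = 40
    relay_delay_us: int = 600

    def deliver(self, out_port):
        """Where a frame sent out of out_port re-enters the fabric: (ingress, delay),
        or None if it ends at a benign host."""
        peer = self.wires[out_port]
        if isinstance(peer, tuple):
            return peer, self.wire_delay_us
        if peer in self.relay:
            # Adversary host receives the frame, tunnels it out-of-band to its
            # accomplice, which re-injects it unmodified on another switch port.
            accomplice = self.relay[peer]
            ingress = next(p for p, h in self.wires.items() if h == accomplice)
            return ingress, 2 * self.wire_delay_us + self.relay_delay_us
        return None


class Controller:
    def __init__(self):
        self.links = {}  # (src port, ingress port) -> observed discovery latency

    def packet_in(self, frame, ingress, now_us):
        # Reject frames whose TLVs were altered. A relayed frame is byte-for-byte
        # the original, so it passes: integrity alone does not stop fabrication.
        if not hmac.compare_digest(frame.tag, lldp_tag(frame.src, frame.sent_us)):
            return False
        self.links[(frame.src, ingress)] = now_us - frame.sent_us
        return True

    def discover(self, net, clock_us=0):
        for port in net.wires:
            frame = LLDPFrame(port, clock_us, lldp_tag(port, clock_us))
            hop = net.deliver(port)
            if hop is not None:
                ingress, delay = hop
                self.packet_in(frame, ingress, clock_us + delay)
        return self.links


def suspicious_links(links, factor=5.0):
    """Illustrative check (assumption, not the paper's): a relayed frame crosses
    two host links and a tunnel, so its latency stands out against the median."""
    median = statistics.median(links.values())
    return {link for link, lat in links.items() if lat > factor * median}


def build_demo():
    wires = {
        (1, 1): (2, 1), (2, 1): (1, 1),   # real link s1 <-> s2
        (2, 2): (3, 1), (3, 1): (2, 2),   # real link s2 <-> s3
        (1, 2): "hA", (3, 2): "hB",       # adversary-controlled hosts
        (2, 3): "h1",                     # benign host
    }
    return Network(wires, relay={"hA": "hB", "hB": "hA"})


def run_demo():
    links = Controller().discover(build_demo())
    return links, suspicious_links(links)


if __name__ == "__main__":
    links, flagged = run_demo()
    for link, lat in sorted(links.items()):
        print(link, f"{lat} us", "FAKE?" if link in flagged else "")
```

Running it, the four real directional links are recorded with the wire delay and the two fabricated ones between s1 port 2 and s3 port 2 with the much larger relay delay; the integrity tag does not help because the relayed frame is never modified. A timing threshold of this kind is only a heuristic: an adversary with a fast enough tunnel, or a fabric with highly variable link latency, will defeat a fixed factor, which is why a real deployment needs more than one signal.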

Keywords

SDN; Security protocols; MITM

Notes

Acknowledgments

This work was supported by National 863 Program of China under award No. 2013CB338001.

References

  1.
  2.
  3. Khurshid, A., Zhou, W., Caesar, M., Godfrey, P.B.: VeriFlow: verifying network-wide invariants in real time, vol. 42, pp. 467–472. ACM, New York, September 2012. http://doi.acm.org/10.1145/2377677.2377766
  4. Dhawan, M., Poddar, R., Mahajan, K., Mann, V.: SPHINX: detecting security attacks in software-defined networks. In: NDSS (2015)
  5. Jafarian, J.H., Al-Shaer, E., Duan, Q.: OpenFlow random host mutation: transparent moving target defense using software defined networking. In: Proceedings of the First Workshop on Hot Topics in Software Defined Networks (2012)
  6. Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS (2015)
  7. Kazemian, P., Chang, M., Zeng, H.: Real time network policy checking using header space analysis. In: NSDI (2013)
  8. Kazemian, P., Varghese, G., McKeown, N.: Header space analysis: static checking for networks. In: NSDI (2012)
  9. Ma, D., Xu, Z., Lin, D.: A moving target defense approach based on POF to thwart blind DDoS attack (2014)
  10.
  11. Porras, P.A., Cheung, S., Fong, M.W., Skinner, K., Yegneswaran, V.: Securing the software-defined network control layer. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, California (2015)
  12. Shin, S., Yegneswaran, V., Porras, P., Gu, G.: AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks. In: CCS (2013)
  13. Shin, S., Wang, H., Gu, G.: A first step towards network security virtualization: from concept to prototype. IEEE Trans. Inf. Forensics Secur. 10, 2236–2249 (2015)
  14. Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS (2015)
  15. Yoon, C., Park, T., Lee, S., Kang, H., Shin, S., Zhang, Z.: Enabling security functions with SDN: a feasibility study. Comput. Netw. 85, 19–35 (2015)

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Xin Wang (1, 2, 3)
  • Neng Gao (1, 2)
  • Lingchen Zhang (1, 2), corresponding author
  • Zongbin Liu (1, 2)
  • Lei Wang (1, 2)
  1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, Beijing, China
  3. University of Chinese Academy of Sciences, Beijing, China
