ICICS 2016: Information and Communications Security, pp. 455-465
Novel MITM Attacks on Security Protocols in SDN: A Feasibility Study
Abstract
Software-Defined Networking (SDN) is a new paradigm that gives services and applications great power to manage the network. Because complete network visibility is the foundation of SDN, many attacks that poison the network's view of its own topology have emerged, and they can cause severe damage. Meanwhile, many defense approaches have been proposed to patch the controller. We observe that powerful adversaries can bypass the existing approaches to poison topology information and then attack security protocols. In this paper, we present a method by which an adversary can attack security protocols even with existing defenses (e.g. TopoGuard, SPHINX) in place. We also investigate a number of security protocols that may be compromised by our MITM attacks and propose an approach to detect the presence of such an adversary. Our evaluation shows that the defense solution can effectively detect the fake link in a normal environment. We hope our research will attract more attention to SDN security.
Keywords
SDN; Security protocols; MITM
Acknowledgments
This work was supported by National 863 Program of China under award No. 2013CB338001.
References
- 1. netfilter. http://www.netfilter.org/
- 2. SSLSniff. https://moxie.org/software/sslsniff/
- 3. Khurshid, A., Zhou, W., Caesar, M., Godfrey, P.B.: VeriFlow: verifying network-wide invariants in real time, vol. 42, pp. 467–472. ACM, New York, September 2012. http://doi.acm.org/10.1145/2377677.2377766
- 4. Dhawan, M., Poddar, R., Mahajan, K., Mann, V.: SPHINX: detecting security attacks in software-defined networks. In: NDSS (2015)
- 5. Jafarian, J.H., Al-Shaer, E., Duan, Q.: OpenFlow random host mutation: transparent moving target defense using software defined networking. In: Proceedings of the First Workshop on Hot Topics in Software Defined Networks (2012)
- 6. Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS 2015 (2015)
- 7. Kazemian, P., Chang, M., Zeng, H.: Real time network policy checking using header space analysis. In: NSDI 2013 (2013)
- 8. Kazemian, P., Varghese, G., McKeown, N.: Header space analysis: static checking for networks. In: NSDI 2012 (2012)
- 9. Ma, D., Xu, Z., Lin, D.: A moving target defense approach based on POF to thwart blind DDoS attack (2014)
- 10. moxie0: sslstrip. https://github.com/moxie0/sslstrip
- 11. Porras, P.A., Cheung, S., Fong, M.W., Skinner, K., Yegneswaran, V.: Securing the software-defined network control layer. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, California (2015)
- 12. Shin, S., Yegneswaran, V., Porras, P., Gu, G.: AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks. In: CCS 2013 (2013)
- 13. Shin, S., Wang, H., Gu, G.: A first step towards network security virtualization: from concept to prototype. IEEE Trans. Inf. Forensics Secur. 10, 2236–2249 (2015)
- 14. Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS (2015)
- 15. Yoon, C., Park, T., Lee, S., Kang, H., Shin, S., Zhang, Z.: Enabling security functions with SDN: a feasibility study. Comput. Netw. 85, 19–35 (2015)