Control Plane Reflection Attacks in SDNs: New Attacks and Countermeasures

  • Menghao Zhang
  • Guanyu Li
  • Lei Xu
  • Jun Bi (corresponding author)
  • Guofei Gu
  • Jiasong Bai
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


Software-Defined Networking (SDN) continues to be deployed in settings ranging from enterprise data centers to cloud computing, helped by the emergence of various SDN-enabled hardware switches. In this paper, we present Control Plane Reflection Attacks, which exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks use direct and indirect data plane events to force the control plane to issue massive numbers of expensive control messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy that makes the reflection attacks much more efficient, stealthy and powerful. Experiments on a testbed with physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results, such as impairing the establishment of new flows and even disrupting the connections between the SDN controller and its switches. To mitigate such attacks, we propose a novel defense framework called SWGuard. In particular, SWGuard detects anomalies in downlink messages and prioritizes these messages based on a novel monitoring granularity, the host-application pair (HAP). Implementation and evaluation demonstrate that SWGuard can effectively reduce the latency for legitimate hosts and applications under Control Plane Reflection Attacks with only minor overhead.


Keywords: Software-Defined Networking; Timing-based side channel attacks; Denial of service attacks



This material is based upon work supported by National Key R&D Program of China (2017YFB0801701), the National Science Foundation of China (No.61472213) and CERNET Innovation Project (NGII20160123). It is also based upon work supported in part by the National Science Foundation (NSF) under Grant No. 1617985, 1642129, 1700544, and 1740791. Jun Bi is the corresponding author. We also thank Yi Qiao, Chen Sun, Yongbin Li and Kai Gao from Tsinghua University for joining the discussion of this paper.



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Menghao Zhang (1, 2, 3)
  • Guanyu Li (1, 2, 3)
  • Lei Xu (4)
  • Jun Bi (1, 2, 3), corresponding author
  • Guofei Gu (4)
  • Jiasong Bai (1, 2, 3)

  1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing, China
  2. Department of Computer Science and Technology, Tsinghua University, Beijing, China
  3. Beijing National Research Center for Information Science and Technology (BNRist), Beijing, China
  4. SUCCESS Lab, Texas A&M University, College Station, USA
