Abstract
Load balancers enable efficient use of network resources by distributing traffic fairly across them. In software-defined networking (SDN), load balancing is most often realized by a controller application that solicits traffic load reports from network switches and enforces load balancing decisions through flow rules. This separation between the control and data planes in SDNs creates an opportunity for an adversary at a compromised switch to misreport traffic loads to influence load balancing. In this paper, we evaluate the ability of such an adversary to control the volume of traffic flowing through a compromised switch by misreporting traffic loads. We use a queuing theoretic approach to model the attack and develop algorithms for misreporting that allow an adversary to tune attack parameters toward specific adversarial goals. We validate the algorithms with a virtual network testbed, finding that through misreporting the adversary can draw nearly all of the load in the subnetwork (+750%, or 85% of the load in the system), or an adversary-desired amount of load (a target load, e.g., +200%) to within 12% error of that target. This is yet another example of how depending on untrustworthy reporting in making control decisions can lead to fundamental security failures.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
We leave to future work analyzing more specialized variants of these algorithms.
- 2.
Note that switches may have multiple pool members (ports), but here we just consider a single pool member per switch and use switch and pool member interchangeably.
References
Project floodlight (2011). http://www.projectfloodlight.org/floodlight/. Accessed 19 Oct 2018
Opendaylight project (2013). https://www.opendaylight.org/. Accessed 19 Oct 2018
OpenFlow switch specification (2015). https://www.opennetworking.org/software-defined-standards/specifications/. Accessed 19 Oct 2018
Arbettu, R.K., Khondoker, R., Bayarou, K., Weber, F.: Security analysis of OpenDaylight, ONOS, Rosemary and Ryu SDN controllers. In: 2016 17th International Telecommunications Network Strategy and Planning Symposium (Networks) (2016)
Aslam, S., Shah, M.A.: Load balancing algorithms in cloud computing: a survey of modern techniques. In: 2015 National Software Engineering Conference (NSEC), pp. 30–35. IEEE (2015)
Aslan, M., Matrawy, A.: On the impact of network state collection on the performance of SDN applications. IEEE Commun. Lett. 20(1), 5–8 (2016)
Aweya, J., Ouellette, M., Montuno, D.Y., Doray, B., Felske, K.: An adaptive load balancing scheme for web servers. Int. J. Network Manage 12(1), 3–39 (2002)
Benson, T., Akella, A., Maltz, D.A.: Network traffic characteristics of data centers in the wild. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 267–280. ACM (2010)
Benson, T., Anand, A., Akella, A., Zhang, M.: Understanding data center traffic characteristics. In: Proceedings of the 1st ACM Workshop on Research on Enterprise Networking, pp. 65–72. ACM (2009)
De Oliveira, R.L.S., Schweitzer, C.M., Shinoda, A.A., Prete, L.R.: Using Mininet for emulation and prototyping software-defined networks. In: 2014 IEEE Colombian Conference on Communications and Computing (COLCOM), pp. 1–6. IEEE (2014)
Dhawan, M., Poddar, R., Mahajan, K., Mann, V.: SPHINX: detecting security attacks in software-defined networks (2015)
Dridi, L., Zhani, M.F.: SDN-Guard: DoS attacks mitigation in SDN networks. In: 2016 5th IEEE International Conference on Cloud Networking (Cloudnet) (2015)
Eisenbud, D.E., et al.: Maglev: A fast and reliable software network load balancer. In: 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pp. 523–535 (2016)
Feghhi, S., Leith, D.J.: A web traffic analysis attack using only timing information. IEEE Trans. Inf. Forensics Secur. 11(8), 1747–1759 (2016)
Guirguis, M., Bestavros, A., Matta, I., Zhang, Y.: Reduction of quality (RoQ) attacks on dynamic load balancers: vulnerability assessment and design tradeoffs. In: IEEE INFOCOM 2007–26th IEEE International Conference on Computer Communications, pp. 857–865. IEEE (2007)
Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures (2015)
Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures (2015)
Kang, M.S., Gligor, V.D., Sekar, V., et al.: SPIFFY: inducing cost-detectability tradeoffs for persistent link-flooding attacks (2016)
Kang, N., Ghobadi, M., Reumann, J., Shraer, A., Rexford, J.: Niagara: scalable load balancing on commodity switches. Technical report, Technical Report (TR-973-14), Princeton (2014)
Khan, S., Gani, A., Wahab, A.W.A., Guizani, M., Khan, M.K.: Topology discovery in software defined networks: threats, taxonomy, and state-of-the-art. IEEE Commun. Surv. Tutorials 19(1), 303–324 (2016)
Lee, S., Kim, J., Shin, S., Porras, P., Yegneswaran, V.: Athena: a framework for scalable anomaly detection in software-defined networks. In: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260. IEEE (2017)
Mahmood, A., Rashid, I.: Comparison of load balancing algorithms for clustered web servers. In: ICIMU 2011: Proceedings of the 5th International Conference on Information Technology & Multimedia, pp. 1–6. IEEE (2011)
Mesbahi, M., Rahmani, A.M.: Load balancing in cloud computing: a state of the art survey (2016)
Neghabi, A.A., Jafari Navimipour, N., Hosseinzadeh, M., Rezaee, A.: Load balancing mechanisms in the software defined networks: a systematic and comprehensive review of the literature. IEEE Access 6, 14159–14178 (2018). https://doi.org/10.1109/ACCESS.2018.2805842
Patel, P., et al.: Ananta: cloud scale load balancing. In: ACM SIGCOMM Computer Communication Review, vol. 43, pp. 207–218. ACM (2013)
Qian, H., Medhi, D.: Server operational cost optimization for cloud computing service providers over a time horizon. In: Hot-ICE (2011)
Rao, A., Legout, A., Lim, Y.s., Towsley, D., Barakat, C., Dabbous, W.: Network characteristics of video streaming traffic. In: Proceedings of the Seventh Conference on Emerging Networking Experiments and Technologies, pp. 1–12 (2011)
Scott-Hayward, S., O’Callaghan, G., Sezer, S.: SDN security: a survey. In: 2013 IEEE SDN For Future Networks and Services (SDN4FNS), pp. 1–7. IEEE (2013)
Wang, R., Butnariu, D., Rexford, J., et al.: OpenFlow-based server load balancing gone wild (2011)
Zhang, J., Yu, F.R., Wang, S., Huang, T., Liu, Z., Liu, Y.: Load balancing in data center networks: a survey. IEEE Commun. Surv. Tutorials 20(3), 2324–2352 (2018)
Zhang, Y.: An adaptive flow counting method for anomaly detection in SDN. In: Proceedings of the Ninth ACM Conference on Emerging Networking Experiments and Technologies, pp. 25–30. ACM (2013)
Acknowledgements
This research was sponsored by the U.S. Army Combat Capabilities Development Command Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Combat Capabilities Development Command Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation here on. This work was also supported in part by the National Science Foundation under award CNS-1946022.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Burke, Q., McDaniel, P., Porta, T.L., Yu, M., He, T. (2020). Misreporting Attacks in Software-Defined Networking. In: Park, N., Sun, K., Foresti, S., Butler, K., Saxena, N. (eds) Security and Privacy in Communication Networks. SecureComm 2020. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 335. Springer, Cham. https://doi.org/10.1007/978-3-030-63086-7_16
Download citation
DOI: https://doi.org/10.1007/978-3-030-63086-7_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63085-0
Online ISBN: 978-3-030-63086-7
eBook Packages: Computer ScienceComputer Science (R0)