BEADS: Automated Attack Discovery in OpenFlow-Based SDN Systems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10453)


We create BEADS, a framework to automatically generate test scenarios and find attacks in SDN systems. The scenarios capture attacks caused by malicious switches that do not obey the OpenFlow protocol and malicious hosts that do not obey the ARP protocol. We generated and tested almost 19,000 scenarios that consist of sending malformed messages or not properly delivering them, and found 831 unique bugs across four well-known SDN controllers: Ryu, POX, Floodlight, and ONOS. We classify these bugs into 28 categories based on their impact; 10 of these categories are new, not previously reported. We demonstrate how an attacker can leverage several of these bugs by manually creating 4 representative attacks that impact high-level network goals such as availability and network topology.



We thank William Streilein and James Landry for their support of this work as well as our shepherd, Guofei Gu, and anonymous reviewers for their helpful comments on this paper. This material is based in part upon work supported by the National Science Foundation under Grant Numbers CNS-1654137 and CNS-1319924. This work is sponsored by the Department of Defense under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.




Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Purdue University, West Lafayette, USA
  2. Northeastern University, Boston, USA
  3. MIT Lincoln Laboratory, Lexington, USA
