DOI: 10.1145/2508859.2516684
Research article

AVANT-GUARD: scalable and vigilant switch flow management in software-defined networks

Published: 04 November 2013

ABSTRACT

Among the leading reference implementations of the Software Defined Networking (SDN) paradigm is the OpenFlow framework, which decouples the control plane into a centralized application. In this paper, we consider two aspects of OpenFlow that pose security challenges, and we propose two solutions that could address these concerns. The first challenge is the inherent communication bottleneck that arises between the data plane and the control plane, which an adversary could exploit by mounting a "control plane saturation attack" that disrupts network operations. Indeed, even well-mined adversarial models, such as scanning or denial-of-service (DoS) activity, can produce more potent impacts on OpenFlow networks than traditional networks. To address this challenge, we introduce an extension to the OpenFlow data plane called "connection migration", which dramatically reduces the amount of data-to-control-plane interactions that arise during such attacks. The second challenge is that of enabling the control plane to expedite both detection of, and responses to, the changing flow dynamics within the data plane. For this, we introduce "actuating triggers" over the data plane's existing statistics collection services. These triggers are inserted by control layer applications to both register for asynchronous callbacks, and insert conditional flow rules that are only activated when a trigger condition is detected within the data plane's statistics module. We present Avant-Guard, an implementation of our two data plane extensions, evaluate the performance impact, and examine its use for developing more scalable and resilient SDN security services.
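The two data-plane extensions named in the abstract, as an added toy model that is not the paper's or the Avant-Guard implementation's code. Connection migration is modelled here as the switch holding each TCP handshake open itself (SYN-cookie style) and reporting only completed handshakes to the controller; the traffic, the `Switch` class, the `half_open` statistic, the threshold and the rule name are all constructed for this illustration.

```python
from collections import Counter

# Constructed traffic: (kind, src_ip, dst_port). A legitimate host sends a SYN and
# the ACK completing the handshake; a spoofing flooder only ever sends SYNs.
def make_traffic(legit_hosts, spoofed_syns):
    pkts = [("syn", f"198.51.100.{i + 1}", 80) for i in range(spoofed_syns)]
    for host in legit_hosts:
        pkts += [("syn", host, 80), ("ack", host, 80)]
    return pkts

class Switch:
    def __init__(self, connection_migration, trigger=None):
        self.migration = connection_migration
        self.trigger = trigger        # (stat_name, threshold, conditional_rule) or None
        self.packet_ins = 0           # data-to-control-plane messages sent
        self.flows = set()            # flows the controller has already installed
        self.pending = set()          # handshakes the switch itself is holding open
        self.stats = Counter()        # the data plane's statistics module
        self.active_rules = []        # conditional rules activated by the trigger
        self.callbacks = []           # asynchronous notifications to the control app

    def process(self, pkt):
        kind, src, port = pkt
        flow = (src, port)
        if not self.migration:
            # Plain OpenFlow: the first packet of each unknown flow reaches the controller.
            if flow not in self.flows:
                self.flows.add(flow)
                self.packet_ins += 1
            return
        if kind == "syn":
            # Connection migration: the switch answers the SYN itself and records it.
            self.pending.add(flow)
            self.stats["half_open"] += 1
            self._check_trigger()
        elif kind == "ack" and flow in self.pending:
            # Only a completed handshake is migrated to the controller.
            self.pending.discard(flow)
            self.stats["half_open"] -= 1
            self.packet_ins += 1

    def _check_trigger(self):
        if self.trigger is None or self.active_rules:
            return
        stat, threshold, rule = self.trigger
        if self.stats[stat] > threshold:
            # Condition met inside the data plane: activate the pre-installed rule
            # and fire the registered callback, with no polling by the controller.
            self.active_rules.append(rule)
            self.callbacks.append((stat, self.stats[stat]))

def run(connection_migration, trigger=None):
    sw = Switch(connection_migration, trigger)
    for pkt in make_traffic(["10.0.0.5", "10.0.0.6"], spoofed_syns=200):
        sw.process(pkt)
    return sw
```

Comparing `run(False).packet_ins` with `run(True).packet_ins` shows the saturation effect the abstract describes: the spoofed SYNs cost the plain switch one controller message each, while the migrating switch reports only the two completed connections.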


Published in

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
November 2013
1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859

      Copyright © 2013 ACM

Publisher: Association for Computing Machinery, New York, NY, United States



Acceptance Rates

CCS '13 paper acceptance rate: 105 of 530 submissions (20%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
