


Defense Against Software-Defined Network Topology Poisoning Attacks

Yang Gao, Mingdi Xu
Platform Research and Development Department, Wuhan Institute of Digital Engineering, Wuhan 430073, China

Abstract

Software-Defined Network (SDN) represents a new network paradigm. Unlike conventional networks, SDNs separate the control plane from the data plane. The data plane is implemented by switches, whereas the control plane is implemented by a controller. The controller learns the network topology and makes traffic forwarding decisions. However, serious vulnerabilities have gradually been exposed in the topology management services of current SDN controller designs, mainly in the host tracking and link discovery services. Attackers can exploit these weak points to poison the network topology information held by SDN controllers. In this study, a novel solution is proposed to defend against topology poisoning attacks. By analyzing existing topology attack principles and threat models, this work constructs legitimacy conditions for host migration in order to detect host hijacking attacks. Checking of the Link Layer Discovery Protocol (LLDP) source and integrity is designed to defend against link fabrication attacks, and an entropy-based detection method for relay-type link fabrication attacks is also designed. Results show that the proposed solution effectively detects existing topology attacks and provides complete and comprehensive topology security protection.

Keywords: Software-Defined Network (SDN), topology discovery, topology poisoning attacks
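As an added illustration of the LLDP source and integrity checks the abstract describes (example code written for this page, not the authors' implementation), the validator below runs on the controller side: it refuses LLDP probes arriving on ports where host traffic has been seen, only accepts probes it issued itself, and verifies a keyed integrity tag before a link enters the topology. The HMAC tag, the per-probe nonce and the dictionary packet layout are assumptions of this example.

```python
import hmac
import hashlib
import secrets


class LLDPValidator:
    """Controller-side checks applied to an LLDP probe before a link is learned."""

    def __init__(self, key: bytes):
        self.key = key                # controller secret used to tag probes (assumed scheme)
        self.host_ports = set()       # (dpid, port) pairs where host traffic was observed
        self.outstanding = {}         # (dpid, port) -> nonce of a probe the controller sent
        self.links = set()            # accepted (src_dpid, src_port, dst_dpid, dst_port)

    def _tag(self, dpid: str, port: int, nonce: bytes) -> bytes:
        # Integrity tag binds the advertised chassis/port to a fresh nonce.
        return hmac.new(self.key, f"{dpid}:{port}".encode() + nonce, hashlib.sha256).digest()

    def emit_probe(self, dpid: str, port: int) -> dict:
        # Constructed LLDP packet: chassis ID, port ID and the integrity tag TLV.
        nonce = secrets.token_bytes(16)
        self.outstanding[(dpid, port)] = nonce
        return {"chassis_id": dpid, "port_id": port, "tag": self._tag(dpid, port, nonce)}

    def host_seen(self, dpid: str, port: int) -> None:
        # Called when ordinary (non-LLDP) traffic reveals a host behind this port.
        self.host_ports.add((dpid, port))

    def validate(self, pkt: dict, in_dpid: str, in_port: int) -> tuple:
        # Source check: a switch-to-switch probe never legitimately enters via a host port.
        if (in_dpid, in_port) in self.host_ports:
            return False, "lldp received on host port"
        key = (pkt["chassis_id"], pkt["port_id"])
        nonce = self.outstanding.get(key)
        # Only probes this controller actually sent are acceptable; replays fail here too.
        if nonce is None:
            return False, "probe not issued by controller"
        # Integrity check: a forged or modified chassis/port claim cannot carry a valid tag.
        if not hmac.compare_digest(pkt["tag"], self._tag(key[0], key[1], nonce)):
            return False, "integrity tag mismatch"
        del self.outstanding[key]
        self.links.add((key[0], key[1], in_dpid, in_port))
        return True, "link accepted"
```

A relay-type attack forwards a genuine, correctly tagged probe between two host ports, so these two checks alone do not catch it; that is the gap the abstract's entropy-based detector addresses.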


Publication history

Received: 30 September 2021
Accepted: 13 October 2021
Published: 21 July 2022
Issue date: February 2023

Copyright

© The author(s) 2023.

Rights and permissions

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).
