Defense Against Software-Defined Network Topology Poisoning Attacks

Software-Defined Network (SDN) represents a new network paradigm. Unlike conventional networks, SDNs separate control planes and data planes. The function of a data plane is enabled using switches, whereas that of a control plane is facilitated by a controller. The controller learns network topologies and makes traffic forwarding decisions. However, some serious vulnerabilities are gradually exposed in the topology management services of current SDN controller designs. These vulnerabilities mainly exist in host tracking and link discovery services. Attackers can exploit these weak points to poison the network topology information in SDN controllers. In this study, a novel solution is proposed to defend against topology poisoning attacks. By analyzing the existing topology attack principles and threat models, this work constructs legal conditions for host migration to detect host hijacking attacks. The checking of the Link Layer Discovery Protocol (LLDP) source and integrity is designed to defend against link fabrication attacks. A relay-type link fabrication attack detection method based on entropy is also designed. Results show that the proposed solution can effectively detect existing topological attacks and provide complete and comprehensive topological security protection.