Survey of Attacks and Countermeasures for SDN

doi:10.19729/j.cnki.1673-5188.2018.04.002

ZTE Communications ›› 2018, Vol. 16 ›› Issue (4): 3-8.DOI: 10.19729/j.cnki.1673-5188.2018.04.002

• Special Topic • Previous Articles Next Articles

Survey of Attacks and Countermeasures for SDN

BAI Jiasong^1,^2,³, ZHANG Menghao^1,^2,³, BI Jun^1,^2,³

^1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China
^2. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
^3. Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University, Beijing 100084, China

Received:2018-10-15 Online:2018-04-15 Published:2018-10-25
About author:BAI Jiasong (bjs17@mails.tsinghua.edu.cn) received his B.S. degree from Department of Computer Science and Technology, Tsinghua University, China in 2017. He is currently a master student in Department of Computer Science and Technology, Tsinghua University. His research interests include SDN, NFV and programmable data plane.|ZHANG Menghao (zhangmh16@mails.tsinghua.edu.cn) received his B.S. degree from Department of Computer Science and Technology, Tsinghua University, China in 2016. He is currently a Ph.D. student in Department of Computer Science and Technology, Tsinghua University. His research interests include the availability and security of SDN and NFV.|BI Jun (junbi@tsinghua.edu.cn) received his B.S., C.S., and Ph.D. degrees from Department of Computer Science, Tsinghua University, China. He is currently a Changjiang Scholar Distinguished Professor and the Director of Network Architecture Research Division, Institute for Network Sciences and Cyberspace, Tsinghua University. He is also the Director of the Future Network Theory and Application Research Division at Beijing National Research Center for Information Science and Technology. His current research interests include Internet architecture, SDN/NFV, and network security. He successfully led tens of research projects, published over 200 research papers and 20 Internet RFCs and drafts, and also holds 30 innovation patents. He received the National Science and Technology Advancement Prizes, the IEEE ICCCN Outstanding Leadership Award, and Best Paper awards. He is the co-chair of the AsiaFI Steering Group and the Chair of the China SDN Experts Committee. He served as the TPC co-chairs of a number of Future Internet related conferences or workshops/tracks at INFOCOM and ICNP. He served on the Organization Committee or Technical Program Committees of SIGCOMM, and ICNP, INFOCOM, CoNext, and SOSR. He is Distinguished Member of the China Computer Federation.
Supported by:
This work was supported in part by the National Key R&D Program of China under Grant No(2017YFB0801701);the National Science Foundation of China under Grant No(61472213);CERNET Innovation Project(NGII20160123)

Abstract

Abstract:

Software defined networking (SDN) has attracted significant attention from both academia and industry by its ability to reconfigure network devices with logically centralized applications. However, some critical security issues have also been introduced along with the benefits, which put an obstruction to the deployment of SDN. One root cause of these issues lies in the limited resources and capability of devices involved in the SDN architecture, especially the hardware switches lied in the data plane. In this paper, we analyze the vulnerability of SDN and present two kinds of SDN-targeted attacks: 1) data-to-control plane saturation attack which exhausts resources of all SDN components, including control plane, data plane, and the in-between downlink channel and 2) control plane reflection attack which only attacks the data plane and gets conducted in a more efficient and hidden way. Finally, we propose the corresponding defense frameworks to mitigate such attacks.

Key words: SDN, indirect/direct data plane event, data-to-control plane saturation attack, control plane reflection attack

BAI Jiasong, ZHANG Menghao, BI Jun. Survey of Attacks and Countermeasures for SDN[J]. ZTE Communications, 2018, 16(4): 3-8.

Figures/Tables 6

Figure 1. Architecture and event pipelines of current software-defined networking.

Figure 2. Adversary model of the data-to-control saturation attack.

Figure 3. Templates for a data plane stream.

Figure 4. Timing-based patterns for the counter manipulation attack.

Figure 5. Framework Design of FloodShield.

Figure 6. Framework Design of SWGuard.

[1]	N. McKeown, T. Anderson, H. Balakrishnan , et al., “OpenFlow: enabling innovation in campus networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69-74, 2008. doi: 10.1145/1355734.1355746.
[2]	A. K. Nayak, A. Reimers, N. Feamster, R. Clark , “Resonance: dynamic access control for enterprise networks,” in Proc. 1st ACM Workshop on Research on Enterprise Networking, Barcelona, Spain, 2009, pp. 11-18. doi: 10.1145/1592681.1592684.

[1]	JIA Min, SHU Yuejie, GUO Qing, GAO Zihe, XIE Suofei. DDoS Attack Detection Method for Space-Based Network Based on SDN Architecture [J]. ZTE Communications, 2020, 18(4): 18-25.
[2]	WU Hequan. Ten Reflections on 5G [J]. ZTE Communications, 2020, 18(1): 1-4.
[3]	CHEN Yan, WEN Xitao, LENG Xue, YANG Bo, Li Erran Li, ZHENG Peng, HU Chengchen. Optimization Framework for Minimizing Rule Update Latency in SDN Switches [J]. ZTE Communications, 2018, 16(4): 15-29.
[4]	ZHANG Yunyong, XU Lei, TAO Ye. SDN Based Security Services [J]. ZTE Communications, 2018, 16(4): 9-14.
[5]	XU Xiaoqiong, YU Hongfang, YANG Kun. DDoS Attack in Software Defined Networks: A Survey [J]. ZTE Communications, 2017, 15(3): 13-19.
[6]	LIAO Lingxia, Victor C. M. Leung, LAI Chin-Feng. Evolutionary Algorithms in Software Defined Networks: Techniques, Applications, and Issues [J]. ZTE Communications, 2017, 15(3): 20-36.
[7]	WANG Yangyang, BI Jun. Survey of Mechanisms for Inter-Domain SDN [J]. ZTE Communications, 2017, 15(3): 8-12.
[8]	DONG Baihong, WU Weigang, YANG Zhiwei, LI Junjie. Software Defined Networking Based On-Demand Routing Protocol in Vehicle Ad-Hoc Networks [J]. ZTE Communications, 2017, 15(2): 11-18.
[9]	Zhi Liu, Xiang Wang, and Jun Li. From CIA to PDR:A Top-Down Survey of SDN Security for Cloud DCN [J]. ZTE Communications, 2016, 14(1): 54-60.
[10]	M. Boucadair and C. Jacquenet. Service Parameter Exposure and Dynamic Service Negotiation in SDN Environments [J]. ZTE Communications, 2014, 12(2): 8-17.
[11]	Xiongyan Tang, Pei Zhang, and Chang Cao. SDN-Based Broadband Network for Cloud Services [J]. ZTE Communications, 2014, 12(2): 18-22.
[12]	Jiandong Li, Peng Liu, and Hongyan Li. Software-Defined Cellular Mobile Network Solutions [J]. ZTE Communications, 2014, 12(2): 28-33.
[13]	Lianming Zhang, Jia Liu, and Kun Yang. VirtualizedWireless SDNs: Modelling Delay Through the Use of Stochastic Network Calculus [J]. ZTE Communications, 2014, 12(2): 50-56.
[14]	Bhumip Khasnabish, Jie Hu, and Ghazanfar Ali. Virtualizing Network and Service Functions: Impact on ICT Transformation and Standardization [J]. ZTE Communications, 2013, 11(4): 40-46.

Survey of Attacks and Countermeasures for SDN

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 2

Related Articles 14

Recommended Articles

Metrics