ZTE Communications ›› 2018, Vol. 16 ›› Issue (4): 3-8. DOI: 10.19729/j.cnki.1673-5188.2018.04.002

• Special Topic •

Survey of Attacks and Countermeasures for SDN

BAI Jiasong1,2,3, ZHANG Menghao1,2,3, BI Jun1,2,3   

  1. Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China
    2. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China
    3. Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University, Beijing 100084, China
  • Received: 2018-10-15 Online: 2018-04-15 Published: 2018-10-25
  • About authors:
    BAI Jiasong (bjs17@mails.tsinghua.edu.cn) received his B.S. degree from the Department of Computer Science and Technology, Tsinghua University, China in 2017. He is currently a master student in the Department of Computer Science and Technology, Tsinghua University. His research interests include SDN, NFV and programmable data planes.
    ZHANG Menghao (zhangmh16@mails.tsinghua.edu.cn) received his B.S. degree from the Department of Computer Science and Technology, Tsinghua University, China in 2016. He is currently a Ph.D. student in the Department of Computer Science and Technology, Tsinghua University. His research interests include the availability and security of SDN and NFV.
    BI Jun (junbi@tsinghua.edu.cn) received his B.S., C.S., and Ph.D. degrees from the Department of Computer Science, Tsinghua University, China. He is currently a Changjiang Scholar Distinguished Professor and the Director of the Network Architecture Research Division, Institute for Network Sciences and Cyberspace, Tsinghua University. He is also the Director of the Future Network Theory and Application Research Division at the Beijing National Research Center for Information Science and Technology. His current research interests include Internet architecture, SDN/NFV, and network security. He has successfully led tens of research projects, published over 200 research papers and 20 Internet RFCs and drafts, and also holds 30 innovation patents. He received the National Science and Technology Advancement Prizes, the IEEE ICCCN Outstanding Leadership Award, and Best Paper awards. He is the co-chair of the AsiaFI Steering Group and the Chair of the China SDN Experts Committee. He served as TPC co-chair of a number of Future Internet related conferences or workshops/tracks at INFOCOM and ICNP. He served on the Organization Committee or Technical Program Committees of SIGCOMM, ICNP, INFOCOM, CoNEXT, and SOSR. He is a Distinguished Member of the China Computer Federation.
  • Supported by:
    This work was supported in part by the National Key R&D Program of China under Grant No. 2017YFB0801701; the National Science Foundation of China under Grant No. 61472213; and the CERNET Innovation Project (NGII20160123).

Abstract:

Software defined networking (SDN) has attracted significant attention from both academia and industry through its ability to reconfigure network devices from logically centralized applications. However, along with these benefits, some critical security issues have been introduced that obstruct the deployment of SDN. One root cause of these issues lies in the limited resources and capability of the devices involved in the SDN architecture, especially the hardware switches in the data plane. In this paper, we analyze the vulnerability of SDN and present two kinds of SDN-targeted attacks: 1) the data-to-control plane saturation attack, which exhausts the resources of all SDN components, including the control plane, the data plane, and the downlink channel between them; and 2) the control plane reflection attack, which targets only the data plane and is conducted in a more efficient and stealthy way. Finally, we propose corresponding defense frameworks to mitigate such attacks.

Key words: SDN, indirect/direct data plane event, data-to-control plane saturation attack, control plane reflection attack
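The data-to-control plane saturation attack described in the abstract works because a reactive SDN switch turns every flow-table miss into a packet_in message, so an attacker who spoofs a fresh header on every packet makes the switch, the downlink channel and the controller all do per-packet work. The model below is an added example written for this page, not code from the paper or from any controller; the per-second budgets (CONTROLLER_PPS, CHANNEL_PPS, FLOW_TABLE_SIZE), the trivial reactive controller and the per-port packet_in threshold in suspect_ports are constructed assumptions for illustration and are not the defense framework the paper proposes. It replays one second of constructed benign traffic with and without the attack and reports which resources the attack exhausts.

```python
"""Model of the data-to-control plane saturation attack in a reactive SDN.

Added example for this page (not from the paper). Budgets are assumptions.
"""
import random
from collections import Counter

# Constructed per-second budgets; real limits depend on the switch/controller.
CONTROLLER_PPS = 2000      # packet_in messages/s the controller can process
CHANNEL_PPS = 4000         # packet_in messages/s the downlink channel carries
FLOW_TABLE_SIZE = 1000     # hardware (TCAM) flow entries on the switch


class Controller:
    """Reactive controller: every packet_in costs CPU and yields one flow rule."""

    def __init__(self):
        self.packet_ins = 0

    def packet_in(self, port, flow):
        self.packet_ins += 1
        return "forward"          # trivial learning: install a forward rule


class Switch:
    """Exact-match flow table; a table miss sends a packet_in to the controller."""

    def __init__(self, controller):
        self.controller = controller
        self.flow_table = {}                 # flow key -> action
        self.packet_in_by_port = Counter()   # packet_ins per ingress port
        self.install_failures = 0            # rules refused because table was full

    def forward(self, port, flow):
        if flow in self.flow_table:
            return "hit"
        self.packet_in_by_port[port] += 1
        action = self.controller.packet_in(port, flow)
        if len(self.flow_table) < FLOW_TABLE_SIZE:
            self.flow_table[flow] = action
        else:
            self.install_failures += 1       # next packet of this flow misses again
        return "miss"


def benign_traffic(hosts=50, flows_per_host=5, pkts_per_flow=10):
    """Constructed benign load: persistent flows that re-use installed rules."""
    for h in range(hosts):
        port = 1 + h % 2                     # hosts spread over ingress ports 1 and 2
        for f in range(flows_per_host):
            flow = (f"10.0.0.{h}", "10.0.1.1", 40000 + f, 443, "tcp")
            for _ in range(pkts_per_flow):
                yield port, flow


def saturation_traffic(port=3, packets=5000, seed=7):
    """Attacker on one port: spoofed src IP/port per packet, so every packet misses."""
    rng = random.Random(seed)
    for _ in range(packets):
        x = rng.getrandbits(32)
        src = ".".join(str((x >> s) & 255) for s in (24, 16, 8, 0))
        yield port, (src, "10.0.1.1", rng.randrange(1024, 65536), 443, "tcp")


def run_second(*streams):
    """Replay the packet streams as one second of traffic; report resource pressure."""
    controller = Controller()
    switch = Switch(controller)
    hits = misses = 0
    for stream in streams:
        for port, flow in stream:
            if switch.forward(port, flow) == "hit":
                hits += 1
            else:
                misses += 1
    return {
        "packet_ins": controller.packet_ins,
        "controller_overloaded": controller.packet_ins > CONTROLLER_PPS,
        "channel_saturated": controller.packet_ins > CHANNEL_PPS,
        "flow_table_full": len(switch.flow_table) >= FLOW_TABLE_SIZE,
        "install_failures": switch.install_failures,
        "packet_in_by_port": dict(switch.packet_in_by_port),
        "hits": hits,
        "misses": misses,
    }


def suspect_ports(packet_in_by_port, max_packet_ins_per_sec=500):
    """Illustrative detector: ingress ports whose packet_in rate exceeds a threshold."""
    return sorted(p for p, n in packet_in_by_port.items() if n > max_packet_ins_per_sec)


if __name__ == "__main__":
    print("benign:", run_second(benign_traffic()))
    attack = run_second(benign_traffic(), saturation_traffic())
    print("attack:", attack)
    print("suspect ports:", suspect_ports(attack["packet_in_by_port"]))
```

With the assumed budgets, the benign second produces one packet_in per flow (250) and the controller and table stay comfortably within limits; adding 5000 spoofed packets from port 3 pushes packet_ins past both the controller and channel budgets and fills the flow table, after which the switch cannot install rules even for new legitimate flows, which is the "all components" effect the abstract describes. The per-port threshold is only a sanity check; it says nothing about how the paper's own defense framework works.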