
A Dynamic Defense Using Client Puzzle for Identity-Forgery Attack on the South-Bound of Software Defined Networks

  • Wu, Zehui (State Key Laboratory of Mathematical Engineering and Advanced Computing) ;
  • Wei, Qiang (State Key Laboratory of Mathematical Engineering and Advanced Computing) ;
  • Ren, Kailei (State Key Laboratory of Mathematical Engineering and Advanced Computing) ;
  • Wang, Qingxian (State Key Laboratory of Mathematical Engineering and Advanced Computing)
  • Received : 2016.05.09
  • Accepted : 2016.11.29
  • Published : 2017.02.28

Abstract

Software Defined Networking (SDN) manages and controls the underlying forwarding devices, and collects and analyzes network topology and flow characteristics, through the southbound protocol. The Datapath Identification (DPID) is the unique identity used to manage an underlying device, so a forged DPID can be used to attack the links between forwarding devices and to mount a DoS against the upper-level controller. This paper proposes a dynamic defense method based on the Client-Puzzle model, in which the controller manages requests from forwarding devices dynamically by issuing puzzles of multi-level difficulty. The method rapidly reduces network load and at the same time separates attack traffic from legitimate traffic, so that the controller can keep serving legitimate requests. We conduct experiments on the open-source SDN controllers Fluid and Ryu, and the results verify the feasibility of the defense. The experimental results also show that while the cost on the controller and forwarding devices increases by about 2%-5%, the attacker's CPU cost increases by nearly 90%, which greatly raises the difficulty of the attack.
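As an added illustration (not the paper's code), the following Python sketch shows the controller-side client-puzzle gate the abstract describes: the puzzle difficulty is chosen from the number of outstanding handshake requests, each puzzle is bound to the requesting DPID and a deadline, and a submitted solution is checked with a single hash. The hash-based puzzle construction, the difficulty thresholds and the 5-second deadline are assumptions.

```python
import hashlib
import os

# Assumed difficulty ladder: outstanding handshake requests -> leading zero bits
# the switch must find. A quiet network pays nothing; a flood of forged DPIDs
# pushes every new request (including the attacker's) to a costlier puzzle.
def difficulty_for_load(pending: int) -> int:
    if pending < 10:
        return 0
    if pending < 100:
        return 8
    if pending < 1000:
        return 14
    return 20

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_hash(nonce: bytes, dpid: int, solution: int) -> bytes:
    # Binding the DPID into the hash means a solution cannot be reused for
    # another (forged) identity.
    data = nonce + dpid.to_bytes(8, "big") + solution.to_bytes(8, "big")
    return hashlib.sha256(data).digest()

class Controller:
    def __init__(self):
        self.pending = {}  # nonce -> (dpid, difficulty, expiry time)

    def issue_puzzle(self, dpid: int, now: float):
        # Drop stale requests so load reflects only live handshakes.
        self.pending = {n: e for n, e in self.pending.items() if e[2] > now}
        diff = difficulty_for_load(len(self.pending))
        nonce = os.urandom(16)
        self.pending[nonce] = (dpid, diff, now + 5.0)  # assumed 5 s deadline
        return nonce, diff

    def verify(self, nonce: bytes, dpid: int, solution: int, now: float) -> bool:
        entry = self.pending.get(nonce)
        if entry is None:
            return False
        bound_dpid, diff, expiry = entry
        if now > expiry or bound_dpid != dpid:
            return False
        if leading_zero_bits(puzzle_hash(nonce, dpid, solution)) < diff:
            return False
        del self.pending[nonce]  # single use: no replay of a solved puzzle
        return True

def solve(nonce: bytes, dpid: int, diff: int) -> int:
    # Switch side: brute force, ~2**diff hashes on average.
    s = 0
    while leading_zero_bits(puzzle_hash(nonce, dpid, s)) < diff:
        s += 1
    return s
```

The asymmetry the abstract reports follows from this design: the controller spends one hash per verification, while a flood of forged DPIDs forces the attacker to solve one puzzle per identity at the escalated difficulty.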


Cited by

  1. Validating User Flows to Protect Software Defined Network Environments, vol. 2018, 2017, https://doi.org/10.1155/2018/1308678