Vulnerabilities in SDN Topology Discovery Mechanism: Novel Attacks and Countermeasures


Abstract:

Software-defined networking (SDN) has significantly enriched network functions by separating the control plane from the data plane. Meanwhile, the unique architecture of SDN brings new security challenges. Recent studies show that attackers can fabricate inter-switch links to hijack traffic or interfere with network services. In this paper, we uncover two new vulnerabilities that allow the topology view of the SDN controller to be tampered with. Based on these flaws, we present two novel attacks named Cluster Splitting and Cluster Amnesia. They cause the controller to split off or forget part of the network topology by establishing a broadcast domain port or an external link. As a result, the module responsible for computing topology instances is corrupted and routing calculations are disrupted. To defend against such attacks, we design a two-stage algorithm that verifies switch ports and links in real time. Following the principle of conserving the limited control channel resources and not extending the LLDP protocol, we propose LldpChecker. As a lightweight extension for SDN controllers, it filters out malicious broadcast domain ports and external links. We conduct a series of experiments to evaluate the effectiveness and efficiency of LldpChecker. The results show that LldpChecker effectively mitigates these two novel attacks with negligible overhead.

Published in: IEEE Transactions on Dependable and Secure Computing (Volume 21, Issue 4, July-Aug. 2024)
Page(s): 2541 - 2551
Date of Publication: 11 September 2023
