Attacking SoftwareDened Networks A First Feasibility S - PDF document

eldofthepacketheader.Finally,SDNscannercollectsT1andT2foreachdierentheadereld.ThisoperationispresentedinFigure1. Figure1:SimpliedfunctiondiagramofSDNscan-nerStatisticalTestingforTwoSampleSets:OnceanattackercollectssamplesofT1andT2usingSDNscan-ner,he/shenowfacesthesecondchallenge,whichcanbesolvedbyemployingstatisticaltestingmethods,suchast-test[2].Thismethodsimplytestswhethertwosamplesetsaresignicantlydierentfromeachotherornotwithahighcondence.Thistestjustrequiresthemeanandstandarddeviationvaluesofeachsamplethatcanbeeasilyobtained,andthetestmethodisprettysimple.Ofcourse,anattackercaneasilyusemoreadvancedstatisticsormachinelearningtechniquestoimprovetheaccuracy.2.3LaunchingDoSattackstoaSDNnetworkIfanattackerrunsSDNscannerandcollectsnetworkinformation,he/shecaninvestigatewhetheratargetnet-workisusingSDNornotthroughasimplestatisticaltest-ingmethod.IfthetestresultsshowthatatargetnetworkislikelytouseSDN,theattackerwillfurtherconducttheresourceconsumptionattack.Sincetheattackeralreadyknowstheconditionofthe owruleforthetargetnetwork(withthehelpofSDNscanner),nowhe/shejustneedstosendnetworkpacketstoconsumeSDNresourcesofthetargetnetwork.3.EVALUATIONIncurrentnetworksituation,itisveryhardtocollectthisinformationfromtheInternet,becauseSDNisnotwidelydeployedtomanynetworksyet(butwebelievethatSDNwillbeemployedtomanynetworkssoon).Therefore,wehavedecidedtouseothermeasurementresultstoestimateT1andT2values.EstimatingT2:Wesend20pingpacketsto28dierentreal-worldnetworks(wecallthemtargetnetworks)tocollectT2values,andwecollecttheresponsetimesfromthesecondpackets(i.e.,ignoretheresponsetimefortherstpacket)toavoidanypossibilityofincluding owsetuptimeofaSDNnetwork.WesendpingpacketsfromastateinU.S.A.,andthevariouslocationsofthetargetnetworksaredistributedinthesamestate,indierentstates(ofthesamecontinent),andindierentcontinents.EstimatingT1Values:Itisveryhardtogettheinfor-mationofT1,thuswedecidetoestimateT1byadding owsetuptimetoT2values.Withthehelpofthepreviouswork[4],wecangettheinformationof owsetuptimeforthreedierentcontrolplanecases:NOX,Beacon,andMaestro.FingerprintingResult:Weapplyt-test[2]tocollectedT2andestimatedT1samplestogureoutifT1issignif-icantlydierentfromT2,andwendthatSDNscannercanngerprint24networksoutof28cases(i.e.,thenger-printingrateis85.7%).DoSAttackResult:WehavesetupatestenvironmenttounderstandwhethertheproposedDoSattackissuccessfulornot,andtheenvironmentconsistsofasingleOpenFlowswitch,acontroller,andtwohostsfornetworkcommunica-tions.WeusethesoftwarebasedOpenFlowswitchimple-mentationfortheOpenFlowswitch[3],anditisinstalledonanindependentLinuxhost,andwesetthemaximum owrulesforthisswitchas1,500,whichisthesamecongura-tionforHP5406zlswitch[1].Figure2showsthetimeandbandwidththatarerequiredforaDoSattacktoconsumeresourcesofthecontrolplaneandthedataplane. Figure2:Requiredattacktimeandnetworkband-widthforDoSattacks4.CONCLUSIONANDFUTUREWORKInthispaper,weintroduceanewngerprintingattackagainstSDNnetworks,andwealsoshowitsfeasibilitywithrealworldexperimentaldata.Tothebestofourknowl-edge,theproposedattackscenarioistherstrealisticat-tackcasetoaSDNnetworkthatcanbeconductedbyaremoteattacker,andthisattackcouldsignicantlydegradetheperformanceofaSDNnetworkwithoutrequiringhighperformanceorhighcapacitydevices.Inourfuturework,wewillsetupamorerealisticSDNnetworkenvironmentforourevaluation,furtherimproveSDNscanner,anddesignnewdefensesolutions.5.REFERENCES[1]A.Curtis,J.Mogul,J.Tourrilhes,P.Yalagandula,P.Sharma,andS.Banerjee.Devo ow:Scaling owmanagementforhigh-performancenetworks.InProceedingsofACMSIGCOMM,2011.[2]J.FisherBox.Guinness,gosset,sher,andsmallsamples.InStatisticalScience,1987.[3]OpenFlow.org.Open owswitchingreferencesystem.http://www.openflow.org/wp/downloads/.[4]A.Tootoonchian,S.Gorbunov,Y.Ganjali,M.Casado,andR.Sherwood.Oncontrollerperformanceinsoftware-denednetworks.InProceedingsofHotICE,2012. \feldofthepacketheader.Finally,SDNscannercollects1and2foreachdierentheader\feld.ThisoperationispresentedinFigure1. Figure1:Simpli\fedfunctiondiagramofSDNscan-nerStatisticalTestingforTwoSampleSets:Onceanattackercollectssamplesof1and2usingSDNscan-ner,he/shenowfacesthesecondchallenge,whichcanbesolvedbyemployingstatisticaltestingmethods,suchastest[2].Thismethodsimplytestswhethertwosamplesetsaresigni\fcantlydierentfromeachotherornotwithahighcon\fdence.Thistestjustrequiresthemeanandstandarddeviationvaluesofeachsamplethatcanbeeasilyobtained,andthetestmethodisprettysimple.Ofcourse,anattackercaneasilyusemoreadvancedstatisticsormachinelearningtechniquestoimprovetheaccuracy.2.3LaunchingDoSattackstoaSDNnetworkIfanattackerrunsSDNscannerandcollectsnetworkinformation,he/shecaninvestigatewhetheratargetnet-workisusingSDNornotthroughasimplestatisticaltest-ingmethod.IfthetestresultsshowthatatargetnetworkislikelytouseSDN,theattackerwillfurtherconducttheresourceconsumptionattack.Sincetheattackeralreadyknowstheconditionofthe\rowruleforthetargetnetwork(withthehelpofSDNscanner),nowhe/shejustneedstosendnetworkpacketstoconsumeSDNresourcesofthetargetnetwork.3.EVALUATIONIncurrentnetworksituation,itisveryhardtocollectthisinformationfromtheInternet,becauseSDNisnotwidelydeployedtomanynetworksyet(butwebelievethatSDNwillbeemployedtomanynetworkssoon).Therefore,wehavedecidedtouseothermeasurementresultstoestimate1and2values.EstimatingWesend20pingpacketsto28dierentreal-worldnetworks(wecallthemtargetnetworks)tocollect2values,andwecollecttheresponsetimesfromthesecondpackets(i.e.,ignoretheresponsetimeforthe\frstpacket)toavoidanypossibilityofincluding\rowsetuptimeofaSDNnetwork.WesendpingpacketsfromastateinU.S.A.,andthevariouslocationsofthetargetnetworksaredistributedinthesamestate,indierentstates(ofthesamecontinent),andindierentcontinents.EstimatingValues:Itisveryhardtogettheinfor-mationof1,thuswedecidetoestimate1byadding\rowsetuptimeto2values.Withthehelpofthepreviouswork[4],wecangettheinformationof\rowsetuptimeforthreedierentcontrolplanecases:NOX,Beacon,andMaestro.FingerprintingResult:Weapplyt-test[2]tocollected2andestimated1samplesto\fgureoutif1issignif-icantlydierentfrom2,andwe\fndthatSDNscannercan\fngerprint24networksoutof28cases(i.e.,the\fnger-printingrateis85.7%).DoSAttackResult:WehavesetupatestenvironmenttounderstandwhethertheproposedDoSattackissuccessfulornot,andtheenvironmentconsistsofasingleOpenFlowswitch,acontroller,andtwohostsfornetworkcommunica-tions.WeusethesoftwarebasedOpenFlowswitchimple-mentationfortheOpenFlowswitch[3],anditisinstalledonanindependentLinuxhost,andwesetthemaximum\rowrulesforthisswitchas1,500,whichisthesamecon\fgura-tionforHP5406zlswitch[1].Figure2showsthetimeandbandwidththatarerequiredforaDoSattacktoconsumeresourcesofthecontrolplaneandthedataplane. Figure2:Requiredattacktimeandnetworkband-widthforDoSattacks4.CONCLUSIONANDFUTUREWORKInthispaper,weintroduceanew\fngerprintingattackagainstSDNnetworks,andwealsoshowitsfeasibilitywithrealworldexperimentaldata.Tothebestofourknowl-edge,theproposedattackscenarioisthe\frstrealisticat-tackcasetoaSDNnetworkthatcanbeconductedbyaremoteattacker,andthisattackcouldsigni\fcantlydegradetheperformanceofaSDNnetworkwithoutrequiringhighperformanceorhighcapacitydevices.Inourfuturework,wewillsetupamorerealisticSDNnetworkenvironmentforourevaluation,furtherimproveSDNscanner,anddesignnewdefensesolutions.5.REFERENCES[1]A.Curtis,J.Mogul,J.Tourrilhes,P.Yalagandula,P.Sharma,andS.Banerjee.Devo\row:Scaling\rowmanagementforhigh-performancenetworks.InProceedingsofACMSIGCOMM,2011.[2]J.FisherBox.Guinness,gosset,\fsher,andsmallsamples.InStatisticalScience,1987.[3]OpenFlow.org.Open\rowswitchingreferencesystem.http://www.openflow.org/wp/downloads/[4]A.Tootoonchian,S.Gorbunov,Y.Ganjali,M.Casado,andR.Sherwood.Oncontrollerperformanceinsoftware-de\fnednetworks.InProceedingsofHotICE2012. 166 AttackingSoftware-DenedNetworks:AFirstFeasibilityStudy[ExtendedAbstract]SeungwonShinSUCCESSLab,TexasA&MUniversityseungwon.shin@neo.tamu.eduGuofeiGuSUCCESSLab,TexasA&MUniversityguofei@cse.tamu.eduABSTRACTInthispaper,forthe\frsttimeweshowanewattackto\fn-gerprintSDNnetworksandfurtherlaunchecientresourceconsumptionattacks.ThisattackdemonstratesthatSDNbringsnewsecurityissuesthatmaynotbeignored.Weprovidethe\frstfeasibilitystudyofsuchattackandhopetostimulatefurtherstudiesinSDNsecurityresearch.CategoriesandSubjectDescriptorsH.4[InformationSystemsApplications]:Miscellaneous;D.2.8[SoftwareEngineering]:Metrics|complexitymea-sures,performancemeasuresKeywordsSoftwareDe\fnedNetworking,NetworkSecurity,Attack1.INTRODUCTIONInthiswork,wedemonstrateaneectiveandecientat-tackagainstsoftware-de\fnednetworkswiththeknowledgeofsomebasiccharacteristicsoftheSDNtechnology.Es-sentially,sincethecontrolplaneisseparatedfromthedataplaneinaSDNnetwork,thedataplanewilltypicallyaskthecontrolplanetoobtain\rowruleswhenthedataplaneseesnewnetworkpacketsthatitdoesnotknowhowtohandle.Byexploitingthiskeyproperty,ourproposedattackcan\frst\fngerprintwhetheragivennetworkusesSDN/OpenFlowswitchesandthengeneratespeci\fcallycrafted\rowrequestsfromthedataplanetothecontrolplane.Thishastwoef-fects:(i)itcanmakethe(logicallycentralizedsingle-point)controlplanehardtohandleallrequests,i.e.,controlplaneresourceconsumptionorDenial-of-Service(DoS)at-tack;(ii)thegeneratedfake\rowrequestscanproducemanyuseless\rowrulesthatneedtobeheldbythedataplane,thusmakingthedataplanehardtostore\rowrulesfornor-malnetwork\rows(dataplaneresourceconsumptionorDoSattack).Todemonstratethefeasibilityofsuchattack,wecreateanewSDNnetworkscanningprototypePermissiontomakedigitalorhardcopiesofpartorallofthisworkforpersonalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesarenotmadeordistributedforprotorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationontherstpage.Copyrightsforthird-partycomponentsofthisworkmustbehonored.Forallotheruses,contacttheowner/author(s).August16,2013,HongKong,China.ACM978-1-4503-2178-5/13/08.tool(namedasSDNscanner)toremotely\fngerprintnet-worksthatdeploySDN,andthismethodcanbeeasilyimple-mentedbymodifyingexistingnetworkscanningtools(e.g.,ICMPscanningandTCPSYNscanning).2.MOTIVATIONANDATTACKMETHOD2.1MotivationInaSDNenvironment,thecontrolplanecandynami-callyenforce\rowruleswhenthedataplanerequires,anditenablesustocontrolthenetworkeciently.However,thiskindofreactive-modecontrolcancauseseriousprob-lemwhentherearetoomanyrequestsfromthedataplanetothecontrolplane.Ifthedataplanereceivesmanyre-questsinashorttimeperiod,itcan\roodthemessagestothecontrolplane.Inaddition,a\rowtableinthedataplanecanalsobe\roodedbytherulesforhandlingtherequests.2.2FingerprintingaSDNnetworkIfaclientsendspacketstoaSDNnetwork,thisclientwillobservedierentresponsetimes,becausethe\rowsetuptimecanbeaddedinthecaseofNew-Flow(i.e.,no\rowruleforhandlingpacketsinthedataplane)comparedwiththecaseofExisting-Flow(i.e.,thereisa\rowruleforhandlingpacketsinthedataplane).Todescribethismoreclearly,wesimplyformalizetheresponsetimethatisobservedataclientside.First,wede\fnetheresponsetimefortheExisting-Flowcaseas,andtheadditional\rowsetuptimeas.Inaddition,forbrevity,wede\fnetheresponsetimeforthecaseofNew-FlowandExisting-Flowas1andrespectively,andtheycanberepresentedasfollows.1(w/o\rowruleinthedataplane)=2(w/\rowruleinthedataplane)=Inthiscase,ifanattackercanclearlydierentiatefrom2,he/shecan\fngerprintaSDNnetwork.However,anattackerwillstillfacetwochallenges:(i)howtocollect1and2values,and(ii)howtoknowwhether1valuesaredierentfrom2whenconsideringrandomnoises.SDNScanner:The\frstchallengecanbeaddressedbyournewnetworkscanningmethod,header\feldchangescanning,whichscansnetworksaschangingnetworkheader\felds.WhenSDNscannercollects1and2values,itfollowsthefollowingsteps.First,itsendstwo(ormore)speci\fcallycraftedpacketstoatargetnetworkandrecordstheresponsetimeofeachpacket.Atthistime,SDNscan-nerconsiderstheresponsetimeforthe\frstpacketcouldrepresent1,andthetimeforthesecondpacketshowsAnd,SDNscannerrepeatthisoperationbychanginga 165