Abstract
An SDN (Software Defined Network) controller needs an accurate view of the topology of the whole network under its control in order to compute paths and deliver packets to their destinations. Controllers learn the topology with the OpenFlow Discovery Protocol (OFDP), which reuses a variant of the LLDP frames found in legacy networks: the controller emits an LLDP frame on each switch port and infers a link when a neighbouring switch reports the frame back to it. The current OFDP implementations in popular SDN controllers are exposed to two main categories of attack, topology poisoning by LLDP packet injection and topology poisoning by LLDP packet relay. Several solutions have been proposed against these two categories. Our study found that, while most of them successfully prevent the injection-based attack, none defends against the relay-based attack with promising accuracy. In this paper we propose Topology Validator, implemented as a module of the Floodlight SDN controller, which prevents the LLDP injection-based attack and also detects and thwarts the LLDP relay-based attack.
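The following is an added illustration of the discovery exchange and of the two attack classes the abstract names; it is not the paper's Topology Validator and not Floodlight code. It assumes a toy controller that emits one LLDP probe per (switch, port), binds each probe to a per-round nonce and an HMAC tag carried in an org-specific TLV (both assumptions, not part of standard OFDP), and applies a crude round-trip-time bound. The point it makes is the one the abstract rests on: an integrity tag stops a host from fabricating LLDP (injection) or replaying an old frame, but a host that forwards a genuine, untampered probe between two switch ports (relay) passes every cryptographic check, so relay can only be caught by an out-of-band property such as delivery time, which is exactly why it is the harder case. The RTT threshold here is a simplification for demonstration, not a claim about how the paper detects relay.

```python
import hashlib
import hmac
import os
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address
AUTH_TLV_TYPE = 127                          # org-specific TLV carrying nonce||tag (assumed)
ETH_HDR_LEN = 14


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_probe(key: bytes, dpid: int, port: int, nonce: bytes) -> bytes:
    """LLDP frame the controller would send via Packet-Out on (dpid, port)."""
    body = (tlv(1, b"\x07" + struct.pack("!Q", dpid))    # Chassis ID, subtype 7 (locally assigned)
            + tlv(2, b"\x07" + struct.pack("!H", port))   # Port ID, subtype 7
            + tlv(3, struct.pack("!H", 120)))             # TTL in seconds
    tag = hmac.new(key, body + nonce, hashlib.sha256).digest()[:16]
    eth = LLDP_MCAST + bytes(6) + struct.pack("!H", LLDP_ETHERTYPE)
    return eth + body + tlv(AUTH_TLV_TYPE, nonce + tag) + tlv(0, b"")


def parse_probe(frame: bytes) -> dict:
    """Walk the TLVs; return the claimed origin, the authenticated body and the auth TLV."""
    if struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not LLDP")
    off, body_end, out = ETH_HDR_LEN, ETH_HDR_LEN, {}
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, n = hdr >> 9, hdr & 0x1FF
        val = frame[off + 2:off + 2 + n]
        if len(val) != n:
            raise ValueError("truncated TLV")
        off += 2 + n
        if t == 0:                       # End of LLDPDU
            break
        if t == 1:
            out["dpid"] = struct.unpack("!Q", val[1:9])[0]
        elif t == 2:
            out["port"] = struct.unpack("!H", val[1:3])[0]
        if t == AUTH_TLV_TYPE:
            out["nonce"], out["tag"] = val[:8], val[8:]
        elif "nonce" not in out:         # everything before the auth TLV is covered by the tag
            body_end = off
    out["body"] = frame[ETH_HDR_LEN:body_end]
    return out


class Controller:
    """Minimal OFDP-style discovery engine with the assumed integrity and timing checks."""

    def __init__(self, key: bytes, rtt_bound_ms: float = 5.0):
        self.key = key
        self.rtt_bound_ms = rtt_bound_ms
        self.pending = {}     # (dpid, port) -> (nonce, send_time_ms)
        self.links = set()    # (src_dpid, src_port, dst_dpid, dst_port)

    def send_probe(self, dpid: int, port: int, now_ms: float) -> bytes:
        nonce = os.urandom(8)
        self.pending[(dpid, port)] = (nonce, now_ms)
        return build_probe(self.key, dpid, port, nonce)

    def packet_in(self, frame: bytes, in_dpid: int, in_port: int, now_ms: float) -> str:
        """Validate a probe reported by (in_dpid, in_port) and return a verdict string."""
        p = parse_probe(frame)
        if "tag" not in p:
            return "rejected:no-auth-tlv"
        expect = hmac.new(self.key, p["body"] + p["nonce"], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expect, p["tag"]):
            return "rejected:bad-tag"                  # fabricated LLDP: injection
        pend = self.pending.get((p["dpid"], p["port"]))
        if pend is None or pend[0] != p["nonce"]:
            return "rejected:stale-or-unknown-probe"  # old frame re-sent: replay
        if now_ms - pend[1] > self.rtt_bound_ms:
            return "suspect:relay-latency"            # genuine probe that took a detour
        self.pending.pop((p["dpid"], p["port"]))
        self.links.add((p["dpid"], p["port"], in_dpid, in_port))
        return "accepted"


def demo():
    """Constructed scenario: genuine link, injected frame, replayed frame, relayed probe."""
    ctl = Controller(os.urandom(32), rtt_bound_ms=5.0)
    v = {}
    f = ctl.send_probe(1, 1, now_ms=0.0)                               # s1:1 -> s2:1 in 0.4 ms
    v["genuine"] = ctl.packet_in(f, in_dpid=2, in_port=1, now_ms=0.4)
    forged = build_probe(b"attacker-has-no-key", 1, 2, os.urandom(8))  # host on s3:2 forges s1:2
    v["injection"] = ctl.packet_in(forged, in_dpid=3, in_port=2, now_ms=1.0)
    v["replay"] = ctl.packet_in(f, in_dpid=3, in_port=2, now_ms=1.5)   # captured frame re-sent
    g = ctl.send_probe(1, 3, now_ms=10.0)                              # host bridges s1:3 and s4:3
    v["relay"] = ctl.packet_in(g, in_dpid=4, in_port=3, now_ms=21.0)   # untouched frame, 11 ms late
    return v, sorted(ctl.links)


if __name__ == "__main__":
    print(demo())
```

Note that the relayed probe in the last step is byte-for-byte the controller's own frame, so both the tag and the nonce check pass; without the timing bound the controller would record a non-existent link s1:3 to s4:3. Real relay detection has to do better than a fixed threshold, since a fast relay on a lightly loaded host can stay under any bound loose enough to tolerate normal control-channel jitter.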
Change history
04 January 2022
In an older version of this paper, the “l” was missing from the last name of Sandeep Shukla. This has been corrected.
Acknowledgements
This research was partially funded by the c3i center (Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures, IIT Kanpur) funding SERB, Government of India.
Copyright information
© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Kumar, A., Shukla, S. (2021). Topology Validator - Defense Against Topology Poisoning Attack in SDN. In: Yuan, X., Bao, W., Yi, X., Tran, N.H. (eds) Quality, Reliability, Security and Robustness in Heterogeneous Systems. QShine 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 402. Springer, Cham. https://doi.org/10.1007/978-3-030-91424-0_15
DOI: https://doi.org/10.1007/978-3-030-91424-0_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91423-3
Online ISBN: 978-3-030-91424-0
eBook Packages: Computer Science, Computer Science (R0)