Topology Validator - Defense Against Topology Poisoning Attack in SDN

  • Conference paper
  • Quality, Reliability, Security and Robustness in Heterogeneous Systems (QShine 2021)

Abstract

The SDN controller in a Software Defined Network (SDN) needs to know the topology of the whole network under its control so that it can route and deliver packets to their respective destinations along the intended paths. The controller learns the topology with OFDP (OpenFlow Discovery Protocol), which uses a variant of the LLDP packets used in legacy networks. The current OFDP implementations in popular SDN controllers are vulnerable to two main categories of attack: Topology Poisoning by LLDP packet injection and Topology Poisoning by LLDP packet relay. Several solutions have been proposed to deal with these two categories of attack. Our study found that, while most of these proposed solutions successfully prevent the LLDP injection-based attack, none could defend against the relay-based attack with promising accuracy. In this paper we propose a solution, Topology Validator, together with its implementation as a module of the Floodlight SDN controller, which, apart from preventing the LLDP injection-based attack, was also able to detect and thwart the LLDP relay-based attack.
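To make the two attack categories concrete from the controller's side, the following added example (not the paper's Topology Validator module, and not Floodlight code) models OFDP discovery with a constructed probe structure rather than the real LLDP wire format. The controller keeps an HMAC key and a per-probe nonce, so a host-forged LLDP frame (injection) fails authentication, and it records which switch ports have carried end-host traffic and how long each probe took to return, so a genuine probe that reappears on a host-facing port or arrives too late (relay) is rejected. The class and method names, the key, the 50 ms delay bound and the sample switches s1/s2/s3 are all assumptions chosen for the illustration; these checks are generic defensive ideas and should not be read as the mechanism the paper describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class LLDPProbe:
    """Constructed model of a controller-issued discovery probe (not OFDP wire format)."""
    chassis_id: str   # DPID of the switch the controller emitted the probe from
    port_id: int      # port the probe was emitted on
    nonce: str        # per-probe random value, consumed on first valid return
    sent_at: float    # controller clock (seconds) when the probe was issued
    tag: str          # HMAC-SHA256 over the four fields above


class TopologyValidatorDemo:
    """Illustrative link validator; hypothetical, not the paper's module."""

    def __init__(self, key: bytes, max_link_delay: float = 0.05):
        self.key = key                      # secret known only to the controller
        self.max_link_delay = max_link_delay
        self.outstanding = {}               # nonce -> (dpid, port, sent_at)
        self.host_ports = set()             # (dpid, port) pairs that carried host traffic
        self.links = set()                  # accepted (src_dpid, src_port, dst_dpid, dst_port)
        self.alerts = []                    # (reason, probe, in_dpid, in_port)

    def _tag(self, chassis_id, port_id, nonce, sent_at):
        msg = f"{chassis_id}|{port_id}|{nonce}|{sent_at!r}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def build_probe(self, dpid, port, now):
        """Controller side: emit an authenticated, single-use probe on (dpid, port)."""
        nonce = secrets.token_hex(8)
        self.outstanding[nonce] = (dpid, port, now)
        return LLDPProbe(dpid, port, nonce, now, self._tag(dpid, port, nonce, now))

    def note_host_traffic(self, dpid, port):
        """Record that ordinary (non-LLDP) host traffic was seen on this port."""
        self.host_ports.add((dpid, port))

    def _reject(self, reason, probe, in_dpid, in_port):
        self.alerts.append((reason, probe, in_dpid, in_port))
        return reason

    def on_packet_in(self, probe, in_dpid, in_port, now):
        """Validate a probe that a switch forwarded to the controller via PacketIn."""
        expected = self._tag(probe.chassis_id, probe.port_id, probe.nonce, probe.sent_at)
        # Injection: a host cannot produce a valid tag without the controller's key.
        if not hmac.compare_digest(probe.tag, expected):
            return self._reject("injection", probe, in_dpid, in_port)
        # Replay: each nonce is accepted once, so a captured probe cannot be reused.
        if probe.nonce not in self.outstanding:
            return self._reject("replay", probe, in_dpid, in_port)
        src_dpid, src_port, sent_at = self.outstanding.pop(probe.nonce)
        # Relay, port consistency: a switch-to-switch link cannot end on a port
        # that has already been seen carrying end-host traffic.
        if (src_dpid, src_port) in self.host_ports or (in_dpid, in_port) in self.host_ports:
            return self._reject("relay-host-port", probe, in_dpid, in_port)
        # Relay, timing: a probe tunnelled between two hosts takes longer than a direct link.
        if now - sent_at > self.max_link_delay:
            return self._reject("relay-latency", probe, in_dpid, in_port)
        self.links.add((src_dpid, src_port, in_dpid, in_port))
        return "accepted"


def run_demo():
    """Drive the validator through one legitimate link and four attack variants."""
    v = TopologyValidatorDemo(key=b"constructed-demo-key")
    t = 1000.0
    # 1. Legitimate link s1:1 <-> s2:1, returned within 2 ms.
    p1 = v.build_probe("s1", 1, t)
    legit = v.on_packet_in(p1, "s2", 1, t + 0.002)
    # 2. The same probe is replayed later.
    replay = v.on_packet_in(p1, "s2", 1, t + 0.003)
    # 3. Injection: a host forges an LLDP frame claiming to come from s3:1.
    forged = LLDPProbe("s3", 1, "deadbeef00000000", t, "00" * 32)
    injection = v.on_packet_in(forged, "s2", 2, t + 0.004)
    # 4. Relay: a genuine probe emitted on host-facing s1:3 is carried by hosts to s2:3.
    v.note_host_traffic("s1", 3)
    v.note_host_traffic("s2", 3)
    p2 = v.build_probe("s1", 3, t)
    relay_port = v.on_packet_in(p2, "s2", 3, t + 0.002)
    # 5. Relay over an out-of-band path, with no host traffic yet seen on either port.
    p3 = v.build_probe("s1", 4, t)
    relay_latency = v.on_packet_in(p3, "s2", 4, t + 0.3)
    return {
        "legit": legit, "replay": replay, "injection": injection,
        "relay_port": relay_port, "relay_latency": relay_latency,
        "links": sorted(v.links), "alerts": len(v.alerts),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The timing bound is the weakest of the four checks in practice: the threshold must be calibrated per deployment, and a relay over a fast path can stay under it, which is why the port-consistency and authentication checks are applied first and the timing check only catches what they miss.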


Change history

  • 04 January 2022

    In an older version of this paper, the “l” was missing from the last name of Sandeep Shukla. This has been corrected.


Acknowledgements

This research was partially funded by the c3i center (Interdisciplinary Center for Cyber Security and Cyber Defense of Critical Infrastructures, IIT Kanpur) funding SERB, Government of India.

Author information

Correspondence to Abhay Kumar.

Copyright information

© 2021 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Kumar, A., Shukla, S. (2021). Topology Validator - Defense Against Topology Poisoning Attack in SDN. In: Yuan, X., Bao, W., Yi, X., Tran, N.H. (eds) Quality, Reliability, Security and Robustness in Heterogeneous Systems. QShine 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 402. Springer, Cham. https://doi.org/10.1007/978-3-030-91424-0_15


  • DOI: https://doi.org/10.1007/978-3-030-91424-0_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91423-3

  • Online ISBN: 978-3-030-91424-0

  • eBook Packages: Computer Science (R0)
