Research Project:
Floodlight DDoS Vulnerability
Nir Solomon, Yoav Francis and Liahav Eitan
Supervised by: Yotam Harchol and Anat Bremler-Barr
September 2013 | IDC Herzelia
Background
Project Goal: DDoS in an OpenFlow Controller
We aimed to explore the possibility of DDoS on an OpenFlow Controller (OFC).
The OFC is the “soft belly” of a Software-Defined Network with regard to network security.
The controller, being responsible for multiple switches, is a high-value target.
Background - OpenFlow
“an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. Upon this low-level primitive, researchers can build networks with new high-level properties”
Jargon – Secure Channel
The secure channel is the interface that connects an OpenFlow device (switch) to the controller.
This channel is encrypted with SSL.
But… this is not enough to prevent a DDoS from happening!
Jargon – “packet_in”
If a packet does not match any of the existing rules on an OFS (OpenFlow switch), the default policy is to send the header to the OFC.
This “packet sent to the controller” message is called a “packet-in”.
We will explore DDoS using this type of packet.
“an OpenFlow controller can block traffic, install rate limiters, or even change the default policy for an unmatched packet to drop it on the ground.”
“..But on the other side, being too aggressive—that is blocking or rate limiting too much—can break features or have a negative impact on performance.” (Floodlight Blog)
Secure Channel Sample pcap
DDoS on an OpenFlow Controller
Effects of OFC-DDoS on the network:
• Increased latency and packet loss in the entire network
• The entire network might stop functioning
• Mishandling of specific protocols by the switches
• Protocols that require constant communication with the OFC are more vulnerable
Difference from classic DDoS attacks:
• An attack carried out at one place in the network can affect the global network behavior
Attack Vectors in Software-Defined Networks
• OFS / OFC attacks:
  • Switch input buffer overload
  • OpenFlow module vulnerability in OFS (software vulnerability)
  • Secure Channel traffic amplification
• Assuming access to the Secure Channel:
  • SYN flood (or any other TCP attack)
  • ARP poisoning between OFS and OFC if there is no SSL
Chosen Attack Vector
• Assume control of multiple endpoint computers in the network
• Send specially-crafted packets that do not match flows in the OFS
• The switches will then create packet_in events to the controller – Secure Channel Traffic Amplification
• This will also overload the CPU of the controller because of multiple secure channel connections – CPU depletion
• After some time the controller will have to drop packets due to high load → DDoS
DDoS Attack – Example
(diagram: crafted packet → OpenFlow switches → no flow available → send to controller as packet_in → OpenFlow controller)
Related Work
OpenFlow Vulnerability Assessment
K. Benton, L.J. Camp, C. Small
Sigcomm 2013
A brief overview of the vulnerabilities present in current OpenFlow devices.
Finds that OpenFlow implementations rely on physical security
• Lacks TLS, access control
• Repeats errors of older network management protocols
  • Telnet, SNMPv2, TFTP
Existing vulnerabilities assuming access to the Secure Channel:
• Man in the Middle
• Listener Mode
• Switch Authentication
• Flow Table Verification
• Denial of Service Risks
• Controller Vulnerabilities
Attacking Software-Defined Networks: A First Feasibility Study
S. Shin, G. Gu
Sigcomm 2013
A method to fingerprint software-defined networks.
The fingerprinting is done by noticing the different response times in the cases of Existing-Flow and New-Flow.
The article suggests that if an attacker identifies a network as an SDN, they can move on to conduct a resource consumption attack (DoS).
OpenFlow: A Security Analysis
R. Kloti
Swiss Federal Institute of Technology Zurich 2012
A detailed security analysis of OpenFlow 1.0 that describes, categorizes and suggests solutions for different attack methods.
Three categories of attacks on Software Defined Networks:
• Information Disclosure
• Tampering
• Denial of Service
Several targets for DDoS attacks:
- OFS flow table – overload the switches’ flow table
- OFS input buffer – make the switches send whole packets to the OFC
- OFS OpenFlow module – software vulnerability
- Management interface and/or controller – software vulnerability
Most of these attacks do not target the OFC, but some of the solutions are still applicable:
• Rate limiting, flow aggregation, attack detection
Research and Results
Floodlight
We have chosen Floodlight as our targeted OpenFlow controller in this work
• Common enterprise-level controller
  → Used by Arista, Brocade, Citrix, Dell, Extreme Networks, Fujitsu, Google, HP, IBM, Intel, Juniper Networks and Microsoft
• Open-source Java code with a public git repository
• Declares itself to be designed for high performance
  → therefore it should not be susceptible to DDoS attacks
• Easy to use and deploy
Floodlight
Part I – Floodlight DDoS by Simulating Packet-In Events with CBench
• Cbench tests OFCs by sending packet-in events
• Cbench emulates switches which connect to a controller, send packet-in messages, and watch for flow-mods to get pushed down
• We used Cbench to directly test how Floodlight responds to a flood of packet-in events on the secure channel
• Note that in real-life scenarios, we will also need a way to generate the packet-in events using specially crafted packets.
• We will demonstrate such a way in Part II.
Floodlight’s LoadMonitor
On high loads, the LoadMonitor practically performs DoS by itself!
Floodlight’s LoadMonitor - cont
The LoadMonitor was disabled by default in the Floodlight git repository because the "overload protection is not yet tuned”.
Floodlight DoS Test Method
We created a Python script which is run on the Mininet VM:
• Kills running Floodlight instances
• Runs Floodlight with the correct configuration
• Runs Cbench with an increasing number of switches (20-300) and a constant number of simulated MAC addresses (100000)
• Sniffs the returning packets from the OFC
• Calculates the average number of flow-mods per second returned from the controller, per run
• Saves the average flow-mods and the sniffed packets to a pickle file
Floodlight DoS Test Results
• The blue line represents the normal mode, and the green line represents the load monitor mode.
• Overall, especially when dealing with a large number of switches, the load monitor mode decreases the controller performance.
• This is practically a DoS using the secure channel access, as Cbench simulates OpenFlow switches.
Part II – Create Specially Crafted Packets
• In this part we demonstrate a way to coerce Open vSwitch to send packet-ins to the OFC.
• In this part we do not assume access to the Secure Channel, unlike Cbench in the previous part.
• The entire attack must be carried out from the endpoint computers.
• We do this using a specially crafted packet that is sent from the computers and generates packet-in events in the switches.
Part II - Test Method
• The specially-crafted packets that we sent from the Mininet hosts are ARP packets with random source MACs:
Ethernet header:
  Src MAC = random MAC
  Dst MAC = FF:FF:FF:FF:FF:FF (broadcast)
  Type = ARP Request
ARP header:
  Src MAC = random MAC (same as in the Ethernet header)
  Dst MAC = FF:FF:FF:FF:FF:FF (broadcast)
  Src IP = another host's IP
  Dst IP = another host's IP (same as Src IP)
• Each host repeatedly sent this packet to all other hosts that participate in the DDoS attack, each time with a different source MAC
• We found that when Open vSwitch observes a packet from a previously unseen source MAC, it sends a packet-in to the controller and waits for a flow mod to be installed
Floodlight OpenFlow DDoS
Part II – Additional Results
• We also wanted to test the network performance during the attack.
• During the attack:
  • We ran two hosts that did not participate in the DDoS, to evaluate the performance seen by an end user
  • We used the iperf utility, which calculates network throughput, at a pre-defined interval to evaluate network performance
• We examined this attack with a varying number of “malicious” hosts and a varying number of OpenFlow switches, and measured the network throughput in each case
Part II – Additional Results (cont)
Throughput (Mbit/s) measured by the two non-participating hosts (FAIL = measurement failed; - = no further measurement)
Switches  Hosts  initial   30s   60s   90s  120s  150s  180s  210s  240s  270s  300s  10min
   2       10      1270   253   146   135   156   140   186   137   150   158    98    158
   2       20      1170    72    62    84    62    60    72    81    65    66    80     55
   2       25      1190    30    40    37     1    40    35    43    45    34    37     44
   5       10       835    94   103   115    97    53    92    76    92   100    90     61
   5       20       798    41    41  FAIL    50    48    48    34    49  FAIL     -      -
   5       25      FAIL     -     -     -     -     -     -     -     -     -     -      -
  10       10       551    44    66    20  FAIL     -     -     -     -     -     -      -
  10       20       538  FAIL     -     -     -     -     -     -     -     -     -      -
  10       25      FAIL     -     -     -     -     -     -     -     -     -      -      -
• These results show clearly that using the specially-crafted packet method we have successfully denied service in the network.
• As the number of hosts or switches gets sufficiently high, even the two hosts that do not participate in the DDoS attack have difficulty communicating.
Part II – Additional Results (cont)
Conclusions
• In this work we have found two vulnerabilities in widespread SDN implementations:
1. A DDoS vulnerability in the Floodlight controller
2. A packet-in generation vulnerability in Open vSwitch
• While exploiting these vulnerabilities, we have managed to:
  • Generate packet-in events using specially crafted packets
  • Overload the Floodlight OpenFlow controller
  • Deny service from all of the OpenFlow switches that rely on the controller.
Possible Solutions
• Rate limiting of packet-in events per application (switch-level)
• Flow aggregation
  o Controller strategy where one rule matches multiple flows (performance vs. precision)
  o Allows the network to partially work when the OFC is not responsive
• Fully proactive approach (flow rules cover all possible traffic in advance)
  o Immune to this sort of attack
  o Relinquishes many benefits of SDN – applications that require dynamic information can’t function in a proactive network.
Possible Solutions (cont)
• Careful event filtering
  o Resembles the idea of Floodlight’s LoadMonitor
• Anomaly detection
  o Under heavy research for various other network security issues
  o More effective in a reactive SDN than in classic networks
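The packet-in rate limiting and event filtering listed above, applied to the Part II pattern (one broadcast ARP request per never-seen source MAC), as an added example that is not part of the original project or of Floodlight's code. It assumes the controller can read each packet-in's datapath id, ingress port and source MAC; the thresholds and the constructed traffic mix are illustrative.

```python
from collections import defaultdict, deque

WINDOW_MS = 1000       # sliding window length (milliseconds)
MAX_PER_WINDOW = 100   # packet-ins one switch may hand to the controller per window
MAX_NEW_MACS = 10      # never-seen source MACs one port may introduce per window


class PacketInGuard:
    """Filters packet-in events before the controller's expensive path runs.

    Check 1 (per ingress port): a port that introduces more than MAX_NEW_MACS
    never-seen source MACs inside one window is treated as a MAC-churn flood
    (the Part II pattern) and held down until it has been quiet for a full
    window. Its packet-ins are dropped and no MAC is learned from it, so the
    learning table stays bounded. A real controller would also push a drop
    rule for that port so the switch stops generating packet-ins at all.
    Check 2 (per switch): a coarse budget of MAX_PER_WINDOW packet-ins per
    window per datapath, the backstop for floods with a fixed source MAC.
    Timestamps are integer milliseconds so the arithmetic is exact.
    """

    def __init__(self, window_ms=WINDOW_MS, max_per_window=MAX_PER_WINDOW,
                 max_new_macs=MAX_NEW_MACS):
        self.window_ms = window_ms
        self.max_per_window = max_per_window
        self.max_new_macs = max_new_macs
        self._switch_hits = defaultdict(deque)   # dpid -> ts of accepted packet-ins
        self._seen_macs = defaultdict(set)       # (dpid, port) -> learned source MACs
        self._new_mac_hits = defaultdict(deque)  # (dpid, port) -> ts of new-MAC sightings
        self.flagged_ports = set()               # (dpid, port) currently held down

    def _trim(self, dq, now):
        """Drop timestamps that fell out of the sliding window."""
        while dq and now - dq[0] > self.window_ms:
            dq.popleft()

    def handle(self, now_ms, dpid, in_port, src_mac):
        """Return "PROCESS", "DROP_MAC_FLOOD" or "DROP_RATE_LIMIT"."""
        key = (dpid, in_port)
        hits = self._new_mac_hits[key]
        self._trim(hits, now_ms)

        if key in self.flagged_ports:
            if hits:
                # Flood still in progress: keep the hold-down alive, learn nothing.
                hits.append(now_ms)
                return "DROP_MAC_FLOOD"
            self.flagged_ports.discard(key)    # quiet for a whole window: release

        if src_mac not in self._seen_macs[key]:
            self._seen_macs[key].add(src_mac)
            hits.append(now_ms)
            if len(hits) > self.max_new_macs:
                self.flagged_ports.add(key)
                return "DROP_MAC_FLOOD"

        sw = self._switch_hits[dpid]
        self._trim(sw, now_ms)
        if len(sw) >= self.max_per_window:
            return "DROP_RATE_LIMIT"
        sw.append(now_ms)
        return "PROCESS"


def simulate():
    """Run constructed traffic through the guard; returns ({(dpid, port, verdict): n}, guard)."""
    guard = PacketInGuard()
    events = []
    # Three legitimate hosts on s1 ports 1-3, fixed MACs, 5 packet-ins/s for 10 s.
    for i in range(50):
        for port in (1, 2, 3):
            events.append((i * 200, "s1", port, f"00:00:00:00:00:{port:02x}"))
    # Part II style attacker on s1 port 4: 200 packet-ins/s for 10 s, a fresh
    # locally administered MAC in every frame (counter-derived, so no collisions).
    for i in range(2000):
        mac = f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        events.append((i * 5, "s1", 4, mac))
    # Fixed-MAC flood on s2 port 1: 500 packet-ins/s for 2 s (exercises check 2).
    for i in range(1000):
        events.append((i * 2, "s2", 1, "00:00:00:00:00:aa"))
    events.sort(key=lambda e: e[0])
    counts = defaultdict(int)
    for ts, dpid, port, mac in events:
        counts[(dpid, port, guard.handle(ts, dpid, port, mac))] += 1
    return dict(counts), guard


if __name__ == "__main__":
    summary, g = simulate()
    for key in sorted(summary):
        print(key, summary[key])
    print("held-down ports:", sorted(g.flagged_ports))
```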
Insights
Insights from Research Process
• Current implementations, specifically Floodlight and Open vSwitch, do not adhere to the OpenFlow RFC
  o TLS is not supported
  o Packets are sent in whole to the OFC by default
• Security is not taken seriously enough in current SDN implementations
  o As a Floodlight developer stated: “it would be pretty trivial to add [TLS support] if there was sufficient interest”
• SDN is inherently susceptible to attacks
• Not enough articles concerning SDN security
• SDN applications need to be designed carefully and to meet a common security standard:
  o Function to some extent without a controller
  o Limit the number of packet-in events they generate
Questions ?
Thanks !

"A Single Man": Choosing Life in a Nietzschean Context
 
General Solution for Josephus Problem
General Solution for Josephus ProblemGeneral Solution for Josephus Problem
General Solution for Josephus Problem
 
Durkheim, Weber and Comte: Comparative Analysis and Analysis
Durkheim, Weber and Comte: Comparative Analysis and AnalysisDurkheim, Weber and Comte: Comparative Analysis and Analysis
Durkheim, Weber and Comte: Comparative Analysis and Analysis
 
Wii Sensor Bar Positioning in 3D Space
Wii Sensor Bar Positioning in 3D SpaceWii Sensor Bar Positioning in 3D Space
Wii Sensor Bar Positioning in 3D Space
 
NLP Literature Survey with focus on Computerized Deception Detection
NLP Literature Survey with focus on Computerized Deception DetectionNLP Literature Survey with focus on Computerized Deception Detection
NLP Literature Survey with focus on Computerized Deception Detection
 
Fisheye State Routing (FSR) - Protocol Overview
Fisheye State Routing (FSR) - Protocol OverviewFisheye State Routing (FSR) - Protocol Overview
Fisheye State Routing (FSR) - Protocol Overview
 
CAP Theorem - Theory, Implications and Practices
CAP Theorem - Theory, Implications and PracticesCAP Theorem - Theory, Implications and Practices
CAP Theorem - Theory, Implications and Practices
 
Cloud Caching Proxy+ - Scalable Cloud-Based Proxy Server
Cloud Caching Proxy+ - Scalable Cloud-Based Proxy ServerCloud Caching Proxy+ - Scalable Cloud-Based Proxy Server
Cloud Caching Proxy+ - Scalable Cloud-Based Proxy Server
 

Dernier

Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and businessFrancesco Corti
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIVijayananda Mohire
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 

Dernier (20)

Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
My key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAIMy key hands-on projects in Quantum, and QAI
My key hands-on projects in Quantum, and QAI
 
.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 

Floodlight OpenFlow DDoS

  • 1. Research Project: Floodlight DDoS Vulnerability
    Nir Solomon, Yoav Francis and Liahav Eitan
    Supervised by: Yotam Harchol and Anat Bremler-Barr
    September 2013 | IDC Herzelia
  • 3. Project Goal: DDoS in an OpenFlow Controller
    We aimed to explore the possibility of DDoS on an OpenFlow Controller (OFC), the “soft belly” of a Software-Defined Network in terms of network security.
    The controller, being responsible for multiple switches, is a high-valued target.
  • 4. Background - OpenFlow
    “an open interface for remotely controlling the forwarding tables in network switches, routers, and access points. Upon this low-level primitive, researchers can build networks with new high-level properties”
  • 5. Jargon – Secure Channel
    The secure channel is the interface that connects an OpenFlow device (switch) to the controller.
    This channel is encrypted with SSL.
    But… this is not enough to prevent a DDoS from happening!
  • 6. Jargon – “packet_in”
    If a packet does not match any of the existing rules on an OFS, the default policy is to send the header to the OFC.
    This “packet sent to the controller” message is called a “packet-in”.
    We will explore DDoS using this type of packet.
    “an OpenFlow controller can block traffic, install rate limiters, or even change the default policy for an unmatched packet to drop it on the ground.”
    “..But on the other side, being too aggressive—that is blocking or rate limiting too much—can break features or have a negative impact on performance.” (Floodlight Blog)
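Added example, not code from the slides or from Floodlight: a small Python model of the behaviour this slide describes. A flow table is searched for the highest-priority matching entry and, on a miss, falls back to a configurable table-miss policy, so the difference between the default (send a packet-in to the OFC) and the hardened alternative quoted above (drop the unmatched packet) can be observed on a constructed packet sequence. FlowEntry, FlowTable, TableMiss and the MAC addresses are constructed names and values for this example.

```python
"""Minimal model of an OpenFlow-style flow table and its table-miss policy.

Added example, not code from the Floodlight project or the original slides.
A packet that matches no flow entry is handled by the switch's default policy:
send a packet-in to the controller (the OpenFlow default) or drop it.
FlowEntry, FlowTable and TableMiss are names constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class TableMiss(Enum):
    """What the switch does with a packet that matches no flow entry."""
    SEND_TO_CONTROLLER = "packet_in"   # default: the header goes to the OFC
    DROP = "drop"                      # the stricter default from the quoted blog post


@dataclass
class FlowEntry:
    """A flow entry: match fields (None = wildcard), a priority and an action."""
    match: Dict[str, Optional[str]]
    priority: int
    action: str

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all(v is None or pkt.get(k) == v for k, v in self.match.items())


@dataclass
class FlowTable:
    entries: List[FlowEntry] = field(default_factory=list)
    table_miss: TableMiss = TableMiss.SEND_TO_CONTROLLER
    packet_ins: int = 0   # load pushed onto the controller; a defender watches this

    def lookup(self, pkt: Dict[str, str]) -> str:
        """Return the action for pkt; the highest-priority matching entry wins."""
        best: Optional[FlowEntry] = None
        for e in self.entries:
            if e.matches(pkt) and (best is None or e.priority > best.priority):
                best = e
        if best is not None:
            return best.action
        # Table miss: the default policy decides whether the OFC hears about it.
        if self.table_miss is TableMiss.SEND_TO_CONTROLLER:
            self.packet_ins += 1
            return "packet_in"
        return "drop"


def demo(miss_policy: TableMiss) -> Dict[str, object]:
    """Run a constructed packet sequence through a table with one learned flow."""
    table = FlowTable(table_miss=miss_policy)
    # One flow previously installed by the controller for a known host (constructed values).
    table.entries.append(FlowEntry(
        match={"eth_src": "00:00:00:00:00:01", "eth_type": None},
        priority=10, action="output:2"))
    pkts = [
        {"eth_src": "00:00:00:00:00:01", "eth_type": "0x0800"},  # known host: matches
        {"eth_src": "00:00:00:00:00:99", "eth_type": "0x0806"},  # unseen source MAC
        {"eth_src": "00:00:00:00:00:98", "eth_type": "0x0806"},  # another unseen MAC
    ]
    actions = [table.lookup(p) for p in pkts]
    return {"actions": actions, "packet_ins": table.packet_ins}


if __name__ == "__main__":
    print(demo(TableMiss.SEND_TO_CONTROLLER))
    print(demo(TableMiss.DROP))
```

The packet_ins counter is the quantity the rest of the deck is about: under the default policy every table miss becomes a message the controller has to process, whereas the drop policy keeps unmatched traffic off the secure channel at the cost of the reactive behaviour the Floodlight blog warns about breaking.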
  • 8. DDoS on an OpenFlow Controller
    Effects of OFC-DDoS on the network:
    • Increased latency and packet loss in the entire network
    • The entire network might stop functioning
    • Mishandling of specific protocols by the switches
    • Protocols that require constant communication with the OFC are more vulnerable
    Difference from classic DDoS attacks:
    • An attack carried out at one place in the network can affect the global network behavior
  • 9. Attack Vectors in Software-Defined Networks
    • OFS / OFC attacks:
      • Switch input buffer overload
      • OpenFlow module vulnerability in the OFS (software vulnerability)
      • Secure Channel traffic amplification
    • Assuming access to the Secure Channel:
      • SYN flood (or any other TCP attack)
      • ARP poisoning between OFS and OFC if there is no SSL
  • 10. Chosen Attack Vector
    • Assume control of multiple endpoint computers in the network
    • Send specially-crafted packets that do not match flows in the OFS
    • The switches will then create packet_in events to the controller – Secure Channel traffic amplification
    • This will also overload the CPU of the controller because of multiple secure channel connections – CPU depletion
    • After some time the controller will have to drop packets due to high load → DDoS
  • 11. DDoS Attack – Example
    [Diagram: OpenFlow Controller; OpenFlow Switches; Crafted Packet → No flow available → Send to Controller (Packet_in)]
  • 13. OpenFlow Vulnerability Assessment
    K. Benton, L.J. Camp, C. Small, Sigcomm 2013
    A brief overview of the vulnerabilities present in current OpenFlow devices. Finds that OpenFlow implementations rely on physical security:
    • Lacks TLS, access control
    • Repeats errors of older network management protocols (Telnet, SNMPv2, TFTP)
    Existing vulnerabilities assuming access to the Secure Channel:
    • Man in the Middle
    • Listener Mode
    • Switch Authentication
    • Flow Table Verification
    • Denial of Service Risks
    • Controller Vulnerabilities
  • 14. Attacking Software-Defined Networks: A First Feasibility Study
    S. Shin, G. Gu, Sigcomm 2013
    A method to fingerprint software-defined networks. The fingerprinting is done by noticing the different response times in the cases of an existing flow and a new flow.
    The article suggests that if an attacker identifies a network as an SDN, they can move on to conduct a resource consumption attack (DoS).
  • 15. OpenFlow: A Security Analysis
    R. Kloti, Swiss Federal Institute of Technology Zurich, 2012
    A detailed security analysis of OpenFlow 1.0 that describes, categorizes and suggests solutions for different attack methods.
    Three categories of attacks on Software Defined Networks:
    • Information Disclosure
    • Tampering
    • Denial of Service
    Several targets for DDoS attacks:
    - OFS flow table – overload the switches’ flow table
    - OFS input buffer – make the switches send whole packets to the OFC
    - OFS OpenFlow module – software vulnerability
    - Management interface and/or controller – software vulnerability
    Most of these attacks do not target the OFC, but some solutions are still applicable:
    • Rate limiting, flow aggregation, attack detection
  • 17. Floodlight
    We have chosen Floodlight as our targeted OpenFlow controller in this work.
    • Common enterprise-level controller → used by Arista, Brocade, Citrix, Dell, Extreme Networks, Fujitsu, Google, HP, IBM, Intel, Juniper Networks and Microsoft
    • Open-source Java code with a public git repository
    • Declares itself to be designed for high performance → therefore should not be susceptible to DDoS attacks
    • Easy to use and deploy
  • 19. Part I – Floodlight DDoS by Simulating Packet-In Events with Cbench
    • Cbench tests OFCs by sending packet-in events
    • Cbench emulates switches which connect to a controller, send packet-in messages, and watch for flow-mods to get pushed down
    • We used Cbench to directly test how Floodlight responds to a flood of packet-in events on the secure channel
    • Note that in real-life scenarios, we will also need a way to generate the packet-in events using specially crafted packets. We will demonstrate such a way in Part II.
  • 20. Floodlight’s LoadMonitor
    On high loads, the LoadMonitor practically performs DoS by itself!
  • 22. Floodlight’s LoadMonitor - cont
    The LoadMonitor was disabled by default in the Floodlight git because the “overload protection is not yet tuned”.
  • 23. Floodlight DoS Test Method
    We created a Python script which is run on the mininet VM:
    • Kills running Floodlight instances
    • Runs Floodlight with the correct configuration
    • Runs Cbench with an increasing number of switches (20-300) and a constant number of simulated MAC addresses (100000)
    • Sniffs the returning packets from the OFC
    • Calculates the average number of flow mods per second returned from the controller, per run
    • Saves the average flow mods and the sniffed packets to a pickle file
  • 24. Floodlight DoS Test Results
    • The blue line represents the normal mode, and the green line represents the load monitor mode.
    • Overall, especially when dealing with a large number of switches, the load monitor mode decreases the controller performance.
    • This is practically a DoS using the secure channel access, as Cbench simulates OpenFlow switches.
  • 25. Part II – Create Specially Crafted Packets
    • In this part we demonstrate a way to coerce OpenVSwitch to send packet-ins to the OFC.
    • In this part we do not assume access to the Secure Channel, unlike Cbench in the previous part.
    • The entire attack must be carried out from the endpoint computers.
    • We do this using a specially crafted packet that is sent from the computers and generates packet-in events in the switches.
  • 26. Part II - Test Method
    • The specially-crafted packets that we sent from the mininet hosts are ARP packets with random source MACs:
      Ethernet header:
        Src MAC = random MAC
        Dst MAC = FF:FF:FF:FF:FF:FF (broadcast)
        Type = ARP Request
      ARP header:
        Src MAC = random MAC (same as in the Ethernet header)
        Dst MAC = FF:FF:FF:FF:FF:FF (broadcast)
        Src IP = another host's IP
        Dst IP = another host's IP (same as Src IP)
    • Each host repeatedly sent this packet to all other hosts that participate in the DDoS attack, each time with a different source MAC
    • We found that when OpenVSwitch observes a packet from a previously unseen source MAC it sends a packet-in to the controller and waits for a flow mod to be installed
  • 28. Part II – Additional Results
    • We wanted to also test the network performance during the attack.
    • During the attack:
      • We ran two hosts that did not participate in the DDoS for performance evaluation on the end-user side
      • We used the iperf utility, which calculates network throughput, at a pre-defined interval to evaluate network performance
    • We have examined this attack with a varying number of “malicious” hosts and a varying number of OpenFlow switches, and measured the network throughput in each case
  • 29. Part II – Additional Results (cont)
    Throughput (Mbit/s) measured by iperf between the two non-participating hosts, per number of switches and attacking hosts (FAIL = the iperf run failed; - = no value reported):

    Switches  Hosts  initial   30s   60s   90s  120s  150s  180s  210s  240s  270s  300s  10min
    2         10       1270   253   146   135   156   140   186   137   150   158    98    158
    2         20       1170    72    62    84    62    60    72    81    65    66    80     55
    2         25       1190    30    40    37     1    40    35    43    45    34    37     44
    5         10        835    94   103   115    97    53    92    76    92   100    90     61
    5         20        798    41    41  FAIL    50    48    48    34    49  FAIL     -      -
    5         25       FAIL     -     -     -     -     -     -     -     -     -     -      -
    10        10        551    44    66    20  FAIL     -     -     -     -     -     -      -
    10        20        538  FAIL     -     -     -     -     -     -     -     -     -      -
    10        25       FAIL     -     -     -     -     -     -     -     -     -     -      -

    • These results show clearly that using the specially-crafted packet method we have successfully denied service in the network.
    • As the number of hosts or switches gets sufficiently high, even two hosts that do not participate in the DDoS attack have difficulty communicating.
  • 30. Part II – Additional Results (cont)
  • 31. Conclusions
    • In this work we have found two vulnerabilities in wide-spread SDN implementations:
      1. A DDoS vulnerability in the Floodlight controller
      2. A Packet-In generation vulnerability in OpenVSwitch
    • While exploiting these vulnerabilities, we have managed to:
      • Generate Packet-In events using specially crafted packets
      • Overload the Floodlight OpenFlow controller
      • Deny service from all of the OpenFlow switches that rely on the controller.
  • 32. Possible Solutions
    • Rate limiting of Packet-In events per application (switch-level)
    • Flow aggregation
      o Controller strategy where one rule matches multiple flows (performance vs. precision)
      o Allows the network to partially work when the OFC is not responsive
    • Fully proactive approach (flow rules cover all possible traffic in advance)
      o Immune to this sort of attack
      o Relinquishes many benefits of SDN – applications that require dynamic information can’t function in a proactive network.
  • 33. Possible Solutions (cont)
    • Careful event filtering
      o Resembles the idea of Floodlight’s Load Monitor
    • Anomaly detection
      o Under heavy research for various other network security issues
      o More effective in a reactive SDN than in classic networks
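Added example, not Floodlight's code or the authors' script: a Python sketch of two of the defences proposed on the two "Possible Solutions" slides, per-switch rate limiting of packet-in events and event filtering driven by a simple anomaly detector, written against the Part II traffic pattern (a single switch port producing packet-ins from source MACs the controller has never seen). The PacketIn record, the token-bucket parameters, the detection thresholds and the datapath ids s1 and s2 are constructed for this example; a real controller would read these values from its OpenFlow messages.

```python
"""Controller-side defences: per-switch packet-in rate limiting and a detector
for a port that keeps introducing never-seen source MACs.

Added example, not Floodlight code. The PacketIn record, the thresholds and
the datapath ids (s1, s2) are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class PacketIn:
    t_ms: int       # arrival time in milliseconds (constructed)
    dpid: str       # switch datapath id
    in_port: int
    eth_src: str


class TokenBucket:
    """Allow at most `rate` packet-ins per second, with bursts up to `burst`."""

    def __init__(self, rate: int, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self.tokens: float = float(burst)
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(float(self.burst),
                          self.tokens + (now_ms - self.last_ms) * self.rate / 1000.0)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class NewMacDetector:
    """Flag a (dpid, in_port) that introduces more than `threshold` distinct,
    never-seen source MACs within `window_ms`. Real hosts keep their MAC, so a
    port that produces a stream of fresh MACs is generating packet-ins on purpose."""

    def __init__(self, window_ms: int, threshold: int) -> None:
        self.window_ms, self.threshold = window_ms, threshold
        self.seen: Set[str] = set()
        self.recent: Dict[Tuple[str, int], Deque[int]] = defaultdict(deque)

    def observe(self, ev: PacketIn) -> bool:
        if ev.eth_src in self.seen:
            return False          # known MAC: an ordinary packet-in, not suspicious
        self.seen.add(ev.eth_src)
        q = self.recent[(ev.dpid, ev.in_port)]
        q.append(ev.t_ms)
        while q and ev.t_ms - q[0] > self.window_ms:
            q.popleft()           # slide the window forward
        return len(q) > self.threshold


def process(events: List[PacketIn], rate: int = 50, burst: int = 10,
            window_ms: int = 1000, threshold: int = 5) -> Dict[str, object]:
    """Count the packet-ins the per-switch limiter lets through and report the
    ports the detector flagged; a deployment would filter events from those ports."""
    buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(rate, burst))
    det = NewMacDetector(window_ms, threshold)
    accepted = dropped = 0
    flagged: Set[Tuple[str, int]] = set()
    for ev in sorted(events, key=lambda e: e.t_ms):
        if det.observe(ev):
            flagged.add((ev.dpid, ev.in_port))
        if buckets[ev.dpid].allow(ev.t_ms):
            accepted += 1
        else:
            dropped += 1
    return {"accepted": accepted, "dropped": dropped, "flagged": sorted(flagged)}


def sample_events() -> List[PacketIn]:
    """Constructed trace: three real hosts on switch s1 (one packet-in each per
    second) and one port on switch s2 emitting 40 packet-ins with fresh MACs in 0.4 s."""
    evs: List[PacketIn] = []
    for host in range(3):
        for sec in range(3):
            evs.append(PacketIn(sec * 1000 + host * 100, "s1", host + 1,
                                f"00:00:00:00:00:0{host + 1}"))
    for k in range(40):
        evs.append(PacketIn(k * 10, "s2", 7, f"02:00:00:00:00:{k:02x}"))
    return evs


if __name__ == "__main__":
    print(process(sample_events()))
```

The two mechanisms answer different questions. The token bucket caps how much work any one switch can push onto the controller regardless of why the packet-ins occur, which is what keeps the quiet switch s1 unaffected by the flood from s2; the detector explains which port is responsible, so the filtering can be targeted instead of degrading the whole switch, the trade-off the Floodlight blog quote on the packet_in slide warns about.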
  • 35. Insights from Research Process
    • Current implementations, specifically Floodlight and OpenVSwitch, do not adhere to the OpenFlow RFC
      o TLS is not supported
      o Packets are sent in whole to the OFC by default
    • Security is not taken seriously enough in current SDN implementations
      o As a Floodlight developer stated: “it would be pretty trivial to add [TLS support] if there was sufficient interest”
    • SDN is inherently susceptible to attacks
    • Not enough articles concerning SDN security
    • SDN applications need to be designed carefully and to meet a common security standard:
      o Function to some extent without a controller
      o Limit the number of packet-in events they generate