Mitigating attacks in software defined networks

  • Kallol Krishna KarmakarEmail author
  • Vijay Varadharajan
  • Uday Tupakula


Future network innovation lies in software defined networking (SDN). This innovative technology has revolutionised the networking world for half a decade and contributes to transform legacy network architectures. This transformation blesses the networking world with improved performance and quality of service. However, security for SDN remains an afterthought. In this paper we present a detailed discussion of some of the attacks possible in SDN and techniques to deal with the attacks. The threat model will consider some significantly vulnerable areas in SDN which can lead to severe network security breaches. In particular, we describe different attacks such as attacks on the Controller, attacks on networking devices, attacks exploiting the communication links between the control plane and the data plane and different types of topology poisoning attacks. We then propose techniques to deal with some of the attacks in SDN. We make use of northbound security application on the Controller and OpenFlow agents in the networking devices for enforcing security policies in the data plane. The security application is used for specification and storage of the security policies and to make decisions on the enforcement of security policies to deal with different types of attacks. We will describe the prototype implementation of our approach using ONOS Controller and demonstrate its effectiveness against different types of attacks.


Software defined networking (SDN) security Threat model Policy control 


  1. 1.
    Zhang, H., Yan, J.: Performance of sdn routing in comparison with legacy routing protocols. In: 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 491–494. IEEE (2015)Google Scholar
  2. 2.
    Kirkpatrick, K.: Software-defined networking. Commun. ACM 56(9), 16–19 (2013)CrossRefGoogle Scholar
  3. 3.
    Feamster, N., Rexford, J., Zegura, E.: The road to sdn: an intellectual history of programmable networks. ACM SIGCOMM Comput. Commun. Rev. 44(2), 87–98 (2014)CrossRefGoogle Scholar
  4. 4.
    Benton, K., Camp, L.J., Small, C.: Openflow vulnerability assessment. In: Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, pp. 151–152. ACM (2013)Google Scholar
  5. 5.
    Kreutz, D., Ramos, F.M., Verissimo, P.: Towards secure and dependable software-defined networks. In: Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, HotSDN ’13, pp. 55–60. ACM, New York, NY, USA (2013).
  6. 6.
    Kreutz, D., Ramos, F.M., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)CrossRefGoogle Scholar
  7. 7.
    Scott-Hayward, S., Natarajan, S., Sezer, S.: A survey of security in software defined networks. IEEE Commun. Surv. Tutor. 18(1), 623–654 (2016)CrossRefGoogle Scholar
  8. 8.
    Ahmad, I., Namal, S., Ylianttila, M., Gurtov, A.: Security in software defined networks: a survey. IEEE Commun. Surv. Tutor. 17(4), 2317–2346 (2015)CrossRefGoogle Scholar
  9. 9.
  10. 10.
    McKeown, N., Anderson, T., Balakrishnan, H., Parulkar, G., Peterson, L., Rexford, J., Shenker, S., Turner, J.: Openflow: enabling innovation in campus networks. ACM SIGCOMM Comput. Commun. Rev. 38(2), 69–74 (2008)CrossRefGoogle Scholar
  11. 11.
    Strassner, J.: Policy-Based Network Management: Solutions for the Next Generation. Morgan Kaufmann, San Francisco (2003)Google Scholar
  12. 12.
    Porras, P., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., Gu, G.: A security enforcement kernel for openflow networks. In: Proceedings of the First Workshop on Hot topics in Software Defined Networks, pp. 121–126. ACM (2012)Google Scholar
  13. 13.
    Shin, S., Porras, P.A., Yegneswaran, V., Fong, M.W., Gu, G., Tyson, M.: Fresco: Modular composable security services for software-defined networks. In: NDSS (2013)Google Scholar
  14. 14.
    Dhawan, M., Poddar, R., Mahajan, K., Mann, V.: Sphinx: Detecting security attacks in software-defined networks. In: NDSS (2015)Google Scholar
  15. 15.
    Davey, B., Houghton, R.F.: Why not osi? In: IFIP International Conference on the History of Computing, pp. 115–121. Springer, Berlin (2016)Google Scholar
  16. 16.
    Horing, S., Menard, J., Staehler, R., Yokelson, B.: Stored program controlled network: overview. Bell Syst. Tech. J. 61(7), 1579–1588 (1982)CrossRefGoogle Scholar
  17. 17.
    Casado, M., Garfinkel, T., Akella, A., Freedman, M.J., Boneh, D., McKeown, N., Shenker, S.: Sane: a protection architecture for enterprise networks. In: USENIX Security Symposium, vol. 49, p. 50 (2006)Google Scholar
  18. 18.
    Casado, M., Freedman, M.J., Pettit, J., Luo, J., McKeown, N., Shenker, S.: Ethane: taking control of the enterprise. In: ACM SIGCOMM Computer Communication Review, vol. 37, pp. 1–12. ACM (2007)Google Scholar
  19. 19.
    Yang, M., Li, Y., Jin, D., Zeng, L., Wu, X., Vasilakos, A.V.: Software-defined and virtualized future mobile and wireless networks: a survey. Mob. Netw. Appl. 20(1), 4–18 (2015)CrossRefGoogle Scholar
  20. 20.
    Nadeau, T.D., Gray, K.: SDN: software defined networks. “ O’Reilly Media, Inc.” (2013)Google Scholar
  21. 21.
    Shin, M.K., Nam, K.H., Kim, H.J.: Software-defined networking (sdn): a reference architecture and open apis. In: 2012 International Conference on ICT Convergence (ICTC), pp. 360–361. IEEE (2012)Google Scholar
  22. 22.
    Lin, P., Bi, J., Wolff, S., Wang, Y., Xu, A., Chen, Z., Hu, H., Lin, Y.: A west-east bridge based sdn inter-domain testbed. IEEE Commun. Mag. 53(2), 190–197 (2015)CrossRefGoogle Scholar
  23. 23.
    Vizarreta, P., Trivedi, K., Helvik, B., Heegaard, P., Kellerer, W., Machuca, C.M.: An empirical study of software reliability in sdn controllers. In: 2017 13th International Conference on Network and Service Management (CNSM), pp. 1–9. IEEE (2017)Google Scholar
  24. 24.
    Xu, L., Huang, J., Hong, S., Zhang, J., Gu, G.: Attacking the brain: races in the sdn control plane. In: 26th \(\{{\rm USENIX}\}\) Security Symposium (\(\{{\rm USENIX}\}\) Security 17), pp. 451–468 (2017)Google Scholar
  25. 25.
    Zhang, P.: Towards rule enforcement verification for software defined networks. In: INFOCOM 2017-IEEE Conference on Computer Communications, IEEE, pp. 1–9. IEEE (2017)Google Scholar
  26. 26.
    Wang, H., Xu, L., Gu, G.: Of-guard: a dos attack prevention extension in software-defined networks. The Open Network Summit (ONS) (2014) (2014)Google Scholar
  27. 27.
    Shin, S., Gu, G.: Attacking software-defined networks: A first feasibility study. In: Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, pp. 165–166. ACM (2013)Google Scholar
  28. 28.
    Hong, S., Xu, L., Wang, H., Gu, G.: Poisoning network visibility in software-defined networks: new attacks and countermeasures. In: NDSS (2015)Google Scholar
  29. 29.
    Chapman, C., Stolee, K.T.: Exploring regular expression usage and context in python. In: Proceedings of the 25th International Symposium on Software Testing and Analysis, pp. 282–293. ACM (2016)Google Scholar
  30. 30.
    Clark, D.: Policy Routing in Internet Protocols. Request for Comment rfc-1102. Network Information Center (1989)Google Scholar
  31. 31.
    Bi, J., Xu, K., Li, X., Williams, M., Wu, J., Ren, G.: A source address validation architecture (sava) testbed and deployment experience (2008)Google Scholar
  32. 32.
    Dabirsiaghi, A.: Javasnoop: How to Hack Anything in Java. BlackHat Las Vegas (2010)Google Scholar
  33. 33.
    Schneier, B.: Heartbleed. Schneier on Security. Blog (2014)Google Scholar
  34. 34.
    Tirumala, A., Qin, F., Dugan, J., Ferguson, J., Gibbs, K.: Iperf (2006)Google Scholar
  35. 35.
    Shin, S., Yegneswaran, V., Porras, P., Gu, G.: Avant-guard: Scalable and vigilant switch flow management in software-defined networks. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 413–424. ACM (2013)Google Scholar
  36. 36.
    Lee, S., Kim, J., Shin, S., Porras, P., Yegneswaran, V.: Athena: A framework for scalable anomaly detection in software-defined networks. In: 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260. IEEE (2017)Google Scholar
  37. 37.
    Al-Zewairi, M., Suleiman, D., Almajali, S.: An experimental software defined security controller for software defined network. In: 2017 Fourth International Conference on Software Defined Systems (SDS), pp. 32–36. IEEE (2017)Google Scholar
  38. 38.
    El Moussaid, N., Toumanari, A., El Azhari, M.: Security analysis as software-defined security for sdn environment. In: 2017 Fourth International Conference on Software Defined Systems (SDS), pp. 87–92. IEEE (2017)Google Scholar
  39. 39.
    Estrin, D., Tsudik, G.: Security issues in policy routing. In: 1989 IEEE Symposium on Security and Privacy, 1989. Proceedings, pp. 183–193. IEEE (1989)Google Scholar
  40. 40.
    Hinrichs, T.L., et al.: Practical declarative network management. In: Proceedings of the 1st ACM Workshop on Research on Enterprise Networking, pp. 1–10. ACM (2009)Google Scholar
  41. 41.
    Foster, N., et al.: Frenetic: a network programming language. In: ACM SIGPLAN Notices, vol. 46, pp. 279–291. ACM (2011)Google Scholar
  42. 42.
    Reich, J., et al.: Modular sdn programming with pyretic. Technical Reprot of USENIX (2013)Google Scholar
  43. 43.
    Voellmy, A., et al.: Maple: simplifying sdn programming using algorithmic policies. In: ACM SIGCOMM Computer Communication Review, vol. 43, pp. 87–98. ACM (2013)Google Scholar
  44. 44.
    Voellmy, A., Hudak, P.: Nettle: Taking the sting out of programming network routers. In: Practical Aspects of Declarative Languages, pp. 235–249. Springer, Berlin (2011)Google Scholar
  45. 45.
    Karmakar, K.K., Varadharajan, V., Tupakula, U.: Mitigating attacks in software defined network (sdn). In: 2017 Fourth International Conference on Software Defined Systems (SDS), pp. 112–117. IEEE (2017)Google Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Advanced Cyber Security Engineering Research CentreUniversity of NewcastleCallaghanAustralia
  2. 2.Global Innovation Chair in Cybersecurity and Director, Advanced Cyber Security Engineering Research CentreUniversity of NewcastleCallaghanAustralia
  3. 3.School of Electrical Engineering and ComputingUniversity of NewcastleCallaghanAustralia

Personalised recommendations