
Know Your Enemy: Stealth Configuration-Information Gathering in SDN

  • Conference paper
Green, Pervasive, and Cloud Computing (GPC 2017)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10232)

Abstract

Software Defined Networking (SDN) is a widely adopted network architecture that provides high flexibility by separating the network logic (the control plane) from the forwarding functions (the data plane). Researchers have thoroughly analyzed SDN vulnerabilities and improved its security. However, we believe that important security aspects of SDN are still uninvestigated.

In this paper, we raise the concern that an attacker can obtain detailed knowledge about an SDN network. In particular, we introduce a novel attack, named Know Your Enemy (KYE), by means of which an attacker can gather vital information about the configuration of the network. This information ranges from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that an attacker can perform a KYE attack in a stealthy fashion, i.e., without being detected. We underline that the vulnerability exploited by the KYE attack is specific to SDN and is not present in legacy networks.
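The abstract names attack detection thresholds for network scanning as one kind of configuration information an attacker can gather. The following is an added toy model written for this page, not the paper's code and not the paper's probing method (the page does not describe that method). It assumes a reactive controller that installs a forwarding rule for every new flow and a per-source drop rule once a source has contacted more than a secret number of distinct destination ports, an attacker who can read the switch's flow table, and decoy source addresses the attacker can spoof freely; all of these are assumptions. The attacker recovers the threshold by a binary search in which each trial uses a fresh decoy source, so detector state from earlier trials cannot bias later ones.

```python
"""Added illustrative model (not the paper's code) of recovering a port-scan
detection threshold from a reactive SDN controller by observing the switch's
flow table.

Assumptions (none taken from the page): the controller installs a forwarding
rule per new flow and a per-source drop rule once a source has contacted more
than `scan_threshold` distinct destination ports; the attacker can read the
switch flow table and can send probe flows from decoy source addresses.
"""
from collections import defaultdict
import ipaddress


class Switch:
    """Flow table as the attacker observes it: (src, dst_port or "*") -> action."""

    def __init__(self):
        self.table = {}

    def has_drop_rule(self, src):
        return self.table.get((src, "*")) == "drop"


class Controller:
    """Hypothetical reactive controller with a distinct-destination-port scan detector."""

    def __init__(self, switch, scan_threshold):
        self.switch = switch
        self.scan_threshold = scan_threshold      # the secret the attacker wants to learn
        self.ports_seen = defaultdict(set)        # src -> distinct destination ports seen

    def packet_in(self, src, dst_port):
        """Handle a table miss for a new flow from src to dst_port."""
        if self.switch.has_drop_rule(src):
            return "drop"                         # source already blocked, no new rule
        seen = self.ports_seen[src]
        seen.add(dst_port)
        if len(seen) > self.scan_threshold:
            self.switch.table[(src, "*")] = "drop"   # scan detected: block the source
            return "drop"
        self.switch.table[(src, dst_port)] = "forward"
        return "forward"


def probe(controller, decoy_src, n_ports):
    """Send n_ports new flows from decoy_src and report whether a drop rule appeared."""
    for dst_port in range(1, n_ports + 1):
        controller.packet_in(decoy_src, dst_port)
    return controller.switch.has_drop_rule(decoy_src)


def infer_scan_threshold(controller, max_ports=1024, decoy_base="10.0.0.100"):
    """Binary-search the largest number of distinct ports one source may contact
    without being blocked. Every trial uses a fresh decoy source so per-source
    detector state from earlier trials cannot influence the result.

    Returns (threshold, decoys_used, decoys_blocked); threshold is None when even
    max_ports does not trigger the detector.
    """
    base = ipaddress.ip_address(decoy_base)
    decoys_used = 0

    def trial(n_ports):
        nonlocal decoys_used
        decoys_used += 1
        return probe(controller, str(base + decoys_used), n_ports)

    if not trial(max_ports):
        return None, decoys_used, 0
    lo, hi = 0, max_ports          # invariant: lo ports pass, hi ports get blocked
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if trial(mid):
            hi = mid
        else:
            lo = mid
    blocked = sum(1 for (_src, port), act in controller.switch.table.items()
                  if port == "*" and act == "drop")
    return lo, decoys_used, blocked


if __name__ == "__main__":
    # Constructed secret configuration: the detector blocks after 20 distinct ports.
    ctl = Controller(Switch(), scan_threshold=20)
    print(infer_scan_threshold(ctl))   # (20, 11, 9)
```

In this toy, every trial at or above the threshold does trip the detector for its decoy source (9 of the 11 decoys end up with a drop rule), so the search is only stealthy to the extent that the decoys cannot be attributed to the attacker; the stealthiness claimed in the abstract rests on details of the KYE attack that are not reproduced on this page.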



Acknowledgement

This work has been supported by the EU H2020 Programme under the SUNFISH project, grant agreement No. 644666. Mauro Conti is supported by a Marie Curie Fellowship funded by the European Commission (agreement PCIG11-GA-2012-321980). This work is also partially supported by the EU TagItSmart! Project (agreement H2020-ICT30-2015-688061), the EU-India REACH Project (agreement ICI+/2014/342-896), and by the projects "Physical-Layer Security for Wireless Communication" and "Content Centric Networking: Security and Privacy Issues" funded by the University of Padua. This work is partially supported by grant no. 2017-166478 (3696) from the Cisco University Research Program Fund and Silicon Valley Community Foundation.

Author information


Corresponding author

Correspondence to Fabio De Gaspari.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Conti, M., De Gaspari, F., Mancini, L.V. (2017). Know Your Enemy: Stealth Configuration-Information Gathering in SDN. In: Au, M., Castiglione, A., Choo, KK., Palmieri, F., Li, KC. (eds) Green, Pervasive, and Cloud Computing. GPC 2017. Lecture Notes in Computer Science, vol 10232. Springer, Cham. https://doi.org/10.1007/978-3-319-57186-7_29


  • DOI: https://doi.org/10.1007/978-3-319-57186-7_29


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-57185-0

  • Online ISBN: 978-3-319-57186-7
