Setting Malicious Flow Entries Against SDN Operations: Attacks and Countermeasures

Abstract

Software-defined networking (SDN) apps are developed to support various functions (e.g., traffic engineering, routing, security, etc.) for SDN networks. Their operations rely on the APIs offered by the control plane. They may be compromised or designed to be malicious by third parties. Though there have been many studies against malicious apps, they only restrict the APIs used by them with coarse-grained controls. In this work, we seek to show that some malicious flow entries cannot be detected or prevented by current defenses. They may impede the operations of control-plane services or hinder packets from being forwarded correctly in the data plane. To show their negative impact, we devise two attacks, topology spoofing and forwarding-based DoS, as well as examine their damage and analyze root causes. We then propose a context-aware, event-based anomaly detection (CEAD) framework to defend against the malicious flow entries. It provides more fine-grained controls over the flow entries set by apps. Different from other studies, it does anomaly detection by examining the context correlation between an event, the app registering it, and the flow entries set by the app for the event. Our evaluation results show that the CEAD can detect all the malicious flow entries in our given cases, and confirm its scalability with negligible overhead at increasing TCP connection attempt rates.