DOI: 10.1145/3658644.3690345 (ACM CCS conference proceedings, research article, free access)

Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning

Published: 09 December 2024

Abstract

Software-defined networking (SDN) is a centralized, dynamic, and programmable network management technology that enables flexible traffic control and scalability. SDN facilitates network administration through a centralized view of the underlying physical topology; tampering with this topology view can result in catastrophic damage to network management and security. To underscore this issue, we introduce Marionette, a new topology poisoning technique that manipulates OpenFlow link discovery packet forwarding to alter topology information. Our approach exposes an overlooked yet widespread attack vector, distinguishing itself from traditional link fabrication attacks that tamper, spoof, or relay discovery packets at the data plane. Unlike localized attacks observed in existing methods, our technique introduces a globalized topology poisoning attack that leverages control privileges. Marionette implements a reinforcement learning algorithm to compute a poisoned topology target, and injects flow entries to achieve a long-lived stealthy attack. Our evaluation shows that Marionette successfully attacks five open-source controllers and nine OpenFlow-based discovery protocols. Marionette overcomes the state-of-the-art topology poisoning defenses, showcasing a new class of topology poisoning that initiates on the control plane. This security vulnerability was ethically disclosed to OpenDaylight, and CVE-2024-37018 has been assigned.

Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024, 5188 pages
ISBN: 9798400706363
DOI: 10.1145/3658644
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. LLDP
  2. SDN
  3. precise link manipulation
  4. reinforcement learning

Funding Sources

  • U.S. Army Combat Capabilities Development Command Army Research Laboratory
