Computer Science ›› 2017, Vol. 44 ›› Issue (6): 121-132. doi: 10.11896/j.issn.1002-137X.2017.06.021

Survey for Attack and Defense Approaches of OpenFlow-enabled Software Defined Network

WU Ze-hui, WEI Qiang and WANG Qing-xian   

Online: 2018-11-13 Published: 2018-11-13

Abstract: Software defined network (SDN) gives the network great power to increase the flexibility of network deployment, the dynamism of network management and the efficiency of network transmission by centralizing the control plane and separating it from the data plane. However, the security of SDN remains an outstanding problem. In this paper, we analyze and categorize a number of relevant research works on the security of OpenFlow-enabled SDN. We first provide an overview of the threats to SDN in terms of its three-layer architecture, and describe the vulnerabilities within each layer. We then present existing SDN-related attack approaches according to the stages of a network attack, such as network probing, fraudulent insertion and remote control. Next, we study and compare the current defense approaches in terms of probe blocking, system strengthening and attack defense. Finally, we review several potential attack and defense methods as foreseeable future research challenges.

Key words: Cyber security, Software defined network, Virtualization, Dynamic defense

