
Several Security Issues In Software-Defined Networking

Posted on: 2019-06-01  Degree: Doctor  Type: Dissertation
Country: China  Candidate: S H Deng  Full Text: PDF
GTID: 1368330602962205  Subject: Mathematics
Abstract/Summary:
Software-Defined Networking (SDN) is a novel networking architecture that separates control logic from forwarding functions. The control logic of SDN is implemented in a logically centralized controller, which provides an open programming interface to applications. This design significantly simplifies the deployment of network policies and shortens the development cycle of networking applications. SDN has been widely deployed in data centers and cloud computing environments. However, SDN also raises new security concerns. In this paper, we study several security issues in the SDN architecture. The main contributions include the following three aspects.

(1) We study denial of service attacks on OpenFlow switches. By investigating the architecture and principle of the OpenFlow switch, a denial of service attack is proposed based on the limited throughput of the control agent in the switch. The attacker can control one host in the network to send a large number of requests, consuming the resources of the switch control agent and overloading the switch CPU. To defend against this attack, a hierarchical multi-threshold attack detection algorithm is proposed. We conduct a series of experiments in a physical environment. The experimental results show that this algorithm can effectively detect switch denial of service attacks.

(2) We study denial of service attacks on the SDN controller. Through the investigation and analysis of existing denial of service attacks against SDN controllers, we find that these attacks are mainly implemented by using forged MAC, IP and port. After analyzing the limitations of the existing solutions and considering the characteristics of DoS attack methods, a method is proposed to detect and prevent abnormal traffic at the source of the attack. The DosDefender system is then designed and implemented, and we test it in a hardware experiment environment. The experimental results show that DosDefender can effectively detect controller denial of service attacks while protecting the switch control agents, control channels, and controller resources in the SDN network.

(3) We study packet injection attacks in SDN networks. By analyzing the topology management service and the device REST API in the SDN controller, a packet injection attack model is proposed. According to this model, spoofing attacks against topology management services and the REST API are designed, and denial of service attacks against network bandwidth and REST API-based applications are designed. To detect and defend against this kind of attack, a defense strategy that binds the host MAC address to the switch port is proposed. The PacketChecker system is designed and implemented to realize this strategy. We test the efficiency and effectiveness of PacketChecker in the Mininet environment. Experimental results show that PacketChecker can effectively detect and prevent this kind of attack with minor overhead on the SDN controller.
Keywords/Search Tags: Software Defined Networking, OpenFlow Protocol, Controller, Denial of Service Attack, Network Security
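
The MAC-to-switch-port binding named in contribution (3) can be sketched as a check on packet-in events. This is an added example, not PacketChecker's code: the class and function names, first-seen learning, the trunk-port exemption and the link-down release are assumptions, and the events are constructed.

```python
from typing import Dict, Optional, Set, Tuple

Location = Tuple[int, int]  # (datapath id, switch port)


class BindingTable:
    """Hypothetical first-seen binding of host MAC <-> edge switch port."""

    def __init__(self, trunk_ports: Optional[Set[Location]] = None) -> None:
        self.trunk_ports = trunk_ports or set()   # inter-switch links, never bound
        self.mac_to_loc: Dict[str, Location] = {}
        self.loc_to_mac: Dict[Location, str] = {}

    def check(self, dpid: int, in_port: int, src_mac: str) -> str:
        """Classify one packet-in event as 'allow' or a 'drop:...' reason."""
        loc, mac = (dpid, in_port), src_mac.lower()
        if loc in self.trunk_ports:
            return "allow"                        # transit traffic is checked at its edge port
        bound_loc = self.mac_to_loc.get(mac)
        bound_mac = self.loc_to_mac.get(loc)
        if bound_loc is not None and bound_loc != loc:
            return "drop:mac-bound-elsewhere"     # known MAC appearing on another port
        if bound_mac is not None and bound_mac != mac:
            return "drop:port-bound-to-other-mac" # bound port emitting a new source MAC
        self.mac_to_loc[mac] = loc                # first sighting: learn the binding
        self.loc_to_mac[loc] = mac
        return "allow"

    def port_down(self, dpid: int, port: int) -> None:
        """Release a binding on link-down so a host that really moves can rebind."""
        mac = self.loc_to_mac.pop((dpid, port), None)
        if mac is not None:
            self.mac_to_loc.pop(mac, None)


# Constructed packet-in events: (dpid, in_port, source MAC)
SAMPLE_EVENTS = [
    (1, 1, "00:00:00:00:00:0a"),   # host A first seen on switch 1, port 1
    (1, 2, "00:00:00:00:00:0b"),   # host B first seen on switch 1, port 2
    (1, 2, "00:00:00:00:00:0A"),   # port 2 claims A's MAC (case differs)
    (1, 2, "de:ad:be:ef:00:01"),   # port 2 emits an unknown MAC
    (1, 3, "00:00:00:00:00:0a"),   # trunk port carrying A's traffic
]


def classify(events, table: BindingTable):
    """Run each event through the table, in order, and return the verdicts."""
    return [table.check(*event) for event in events]
```

Without the link-down release, a host that legitimately moves to another port would be dropped as a spoofer until its old binding is cleared.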