Software-defined networking (SDN), on account of its unprecedented capability of network traffic monitoring and data resource transferring, has been deployed into a wide range of application scenarios. However, typical cyber-attacks which prevail in traditional IP networks, have also mutated their implementation models adjusting to SDN environment. Eavesdropping is one of such attacks and causes severe information disclosure to different degree. In this paper, we focus on data plane eavesdropping in SDN and treat it on two levels according to the extent an adversarial sniffer can exploit a SDN switch. Then we introduce Combat-Sniff, a comprehensive countermeasure which includes two methods to deal with the two-level sniffing respectively. And later, we both theoretically and experimentally demonstrate their reliability and performance. Results represent that we can exert Combat-Sniff in SDN to satisfy different security requirements with an acceptable overhead.
| Published in | American Journal of Networks and Communications (Volume 5, Issue 2) |
| DOI | 10.11648/j.ajnc.20160502.13 |
| Page(s) | 27-34 |
| Creative Commons |
This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited. |
| Copyright |
Copyright © The Author(s), 2024. Published by Science Publishing Group |
Eavesdropping, Software-Defined Networking (SDN), Flow Entries Integrity Verification, Moving Target Defense (MTD)
| [1] | Open Network Foundation. Software-defined networking: the new norm for networks [EB/OL]. [2012-04-13]. |
| [2] | MCKEOWN N, ANDERSON T, BALAKRISHNAN H, et al. OpenFlow: enabling innovation in campus networks [J]. ACM. |
| [3] | https://www.owasp.org/index.php/Network_Eavesdropping. |
| [4] | Schultz E E. Assessing and combating the sniffer threat [J]. Local Area Network Handbook, 1999: 85. |
| [5] | Hp switch software - openflow supplement. http://h20000.www2.hp.com/bc/docs/support/SupportManual/c03170243/c03170243.pdf, Feb 2012. |
| [6] | Open vSwitch, 2013. [Online]. Available: http://vswitch.org/ |
| [7] | http://www.pcworld.com/article/2957175/sdn-switches-arent-hard-to-compromise-researcher-says.html. |
| [8] | Benton K, Camp L J, Small C. Openflow vulnerability assessment[C]//Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013: 151-152. |
| [9] | M. Antikainen, T. Aura, and M. S¨arel¨a, “Spook in your network: Attacking an SDN with a compromised openflow switch,” in Secure IT Systems - 19th Nordic Conference, NordSec 2014, Tromsø, Norway, October 15-17, 2014, Proceedings, 2014, pp. 229–244. |
| [10] | Chi P W, Kuo C T, Guo J W, et al. How to detect a compromised SDN switch[C]//Network Softwarization (NetSoft), 2015 1st IEEE Conference on. IEEE, 2015: 1-6. |
| [11] | Duan Q, Al-Shaer E, Jafarian H. Efficient random route mutation considering flow and network constraints[C]//Communications and Network Security (CNS), 2013 IEEE Conference on. IEEE, 2013: 260-268. |
| [12] | D. Kreutz, F. M. Ramos, and P. Verissimo. Towards secure and dependable software-defined networks. in Proc.2nd ACM SIGCOMM Workshop Hot Topics Softw. Defined Netw., 2013, pp. 55–60 |
| [13] | Romão D, van Dijkhuizen N, Konstantaras S, et al. practical security analysis of OpenFlow [J]. 2013. |
| [14] | Shin S, Gu G. Attacking software-defined networks: A first feasibility study[C]//Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013: 165-166. |
| [15] | https://en.wikipedia.org/wiki/Denial-of-service_attack |
| [16] | Shin S, Yegneswaran V, Porras P, et al. Avant-guard: Scalable and vigilant switch flow management in software-defined networks[C]//Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013: 413-424. |
| [17] | Hong S, Xu L, Wang H, et al. Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures [C]. NDSS, 2015. |
| [18] | Song H. Protocol-oblivious forwarding: Unleash the power of SDN through a future-proof forwarding plane[C]//Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013: 127-132. |
| [19] | Specification, OpenFlow Switch. v1.3.0. (2012). |
| [20] | S. Jain and al., “B4: Experience with a Globally-Deployed Software Defined WAN,” in ACM SIGCOMM, 2013. |
| [21] | Berde P, Gerola M, Hart J, et al. ONOS: towards an open, distributed SDN OS[C]//Proceedings of the third workshop on Hot topics in software defined networking. ACM, 2014: 1-6. |
| [22] | M. Miller, T. Burrell, and M. Howard. Mitigating software vulnerabilities, July 2011. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=26788. |
| [23] | http://www.poforwarding.org/pofcontroller-1-1-7-released/ |
| [24] | http://www.poforwarding.org/pofswitch-1-3-4-released/ |
| [25] | http://www.secdev.org/projects/scapy/doc/usage.html |
APA Style
Fan Jiang, Chen Song, Hao Xun, Zhen Xu. (2016). Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks. American Journal of Networks and Communications, 5(2), 27-34. https://doi.org/10.11648/j.ajnc.20160502.13
ACS Style
Fan Jiang; Chen Song; Hao Xun; Zhen Xu. Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks. Am. J. Netw. Commun. 2016, 5(2), 27-34. doi: 10.11648/j.ajnc.20160502.13
AMA Style
Fan Jiang, Chen Song, Hao Xun, Zhen Xu. Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks. Am J Netw Commun. 2016;5(2):27-34. doi: 10.11648/j.ajnc.20160502.13
Share This Article
Twitter
Linked In
Facebook
Copy
Download@article{10.11648/j.ajnc.20160502.13,
author = {Fan Jiang and Chen Song and Hao Xun and Zhen Xu},
title = {Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks},
journal = {American Journal of Networks and Communications},
volume = {5},
number = {2},
pages = {27-34},
doi = {10.11648/j.ajnc.20160502.13},
url = {https://doi.org/10.11648/j.ajnc.20160502.13},
eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajnc.20160502.13},
abstract = {Software-defined networking (SDN), on account of its unprecedented capability of network traffic monitoring and data resource transferring, has been deployed into a wide range of application scenarios. However, typical cyber-attacks which prevail in traditional IP networks, have also mutated their implementation models adjusting to SDN environment. Eavesdropping is one of such attacks and causes severe information disclosure to different degree. In this paper, we focus on data plane eavesdropping in SDN and treat it on two levels according to the extent an adversarial sniffer can exploit a SDN switch. Then we introduce Combat-Sniff, a comprehensive countermeasure which includes two methods to deal with the two-level sniffing respectively. And later, we both theoretically and experimentally demonstrate their reliability and performance. Results represent that we can exert Combat-Sniff in SDN to satisfy different security requirements with an acceptable overhead.},
year = {2016}
}
TY - JOUR T1 - Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks AU - Fan Jiang AU - Chen Song AU - Hao Xun AU - Zhen Xu Y1 - 2016/04/21 PY - 2016 N1 - https://doi.org/10.11648/j.ajnc.20160502.13 DO - 10.11648/j.ajnc.20160502.13 T2 - American Journal of Networks and Communications JF - American Journal of Networks and Communications JO - American Journal of Networks and Communications SP - 27 EP - 34 PB - Science Publishing Group SN - 2326-8964 UR - https://doi.org/10.11648/j.ajnc.20160502.13 AB - Software-defined networking (SDN), on account of its unprecedented capability of network traffic monitoring and data resource transferring, has been deployed into a wide range of application scenarios. However, typical cyber-attacks which prevail in traditional IP networks, have also mutated their implementation models adjusting to SDN environment. Eavesdropping is one of such attacks and causes severe information disclosure to different degree. In this paper, we focus on data plane eavesdropping in SDN and treat it on two levels according to the extent an adversarial sniffer can exploit a SDN switch. Then we introduce Combat-Sniff, a comprehensive countermeasure which includes two methods to deal with the two-level sniffing respectively. And later, we both theoretically and experimentally demonstrate their reliability and performance. Results represent that we can exert Combat-Sniff in SDN to satisfy different security requirements with an acceptable overhead. VL - 5 IS - 2 ER -
Information
Email: