Adversarial network forensics in software defined networking

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Citations (Scopus)

Abstract

Software Defined Networking (SDN), and its popular implementation OpenFlow, represent the foundation for the design and implementation of modern networks. The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this paper we introduce a new attack vector on SDN by showing how the detailed composition of flowrules can be reconstructed by network users without any prior knowledge of the SDN controller or its architecture. To our best knowledge, in SDN, such reconnaissance techniques have not been considered so far. We introduce SDNMap, an open-source scanner that is able to accurately reconstruct the detailed composition of flow rules by performing active probing and listening to the network traffic. We demonstrate in a number of real-world SDN applications that this ability provides adversaries with a significant attack advantage and discuss ways to prevent the introduced reconnaissance techniques. Our SDNMap scanner is able to reconstruct flow rules between network endpoints with an accuracy of over 96%.

Original languageEnglish (US)
Title of host publicationSOSR 2017 - Proceedings of the 2017 Symposium on SDN Research
PublisherAssociation for Computing Machinery, Inc
Pages8-20
Number of pages13
ISBN (Electronic)9781450349475
DOIs
StatePublished - Apr 3 2017
Event2017 Symposium on SDN Research, SOSR 2017 - Santa Clara, United States
Duration: Apr 3 2017Apr 4 2017

Publication series

NameSOSR 2017 - Proceedings of the 2017 Symposium on SDN Research

Other

Other2017 Symposium on SDN Research, SOSR 2017
CountryUnited States
CitySanta Clara
Period4/3/174/4/17

Fingerprint

Chemical analysis
Controllers
Software defined networking
Digital forensics
Access control

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Software

Cite this

Achleitner, S., La Porta, T. F., Jaeger, T. R., & McDaniel, P. D. (2017). Adversarial network forensics in software defined networking. In SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research (pp. 8-20). (SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research). Association for Computing Machinery, Inc. https://doi.org/10.1145/3050220.3050223
Achleitner, Stefan ; La Porta, Thomas F. ; Jaeger, Trent Ray ; McDaniel, Patrick Drew. / Adversarial network forensics in software defined networking. SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research. Association for Computing Machinery, Inc, 2017. pp. 8-20 (SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research).
@inproceedings{e4812717fba640db9d7e35aae795b9b0,
title = "Adversarial network forensics in software defined networking",
abstract = "Software Defined Networking (SDN), and its popular implementation OpenFlow, represent the foundation for the design and implementation of modern networks. The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this paper we introduce a new attack vector on SDN by showing how the detailed composition of flowrules can be reconstructed by network users without any prior knowledge of the SDN controller or its architecture. To our best knowledge, in SDN, such reconnaissance techniques have not been considered so far. We introduce SDNMap, an open-source scanner that is able to accurately reconstruct the detailed composition of flow rules by performing active probing and listening to the network traffic. We demonstrate in a number of real-world SDN applications that this ability provides adversaries with a significant attack advantage and discuss ways to prevent the introduced reconnaissance techniques. Our SDNMap scanner is able to reconstruct flow rules between network endpoints with an accuracy of over 96{\%}.",
author = "Stefan Achleitner and {La Porta}, {Thomas F.} and Jaeger, {Trent Ray} and McDaniel, {Patrick Drew}",
year = "2017",
month = "4",
day = "3",
doi = "10.1145/3050220.3050223",
language = "English (US)",
series = "SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research",
publisher = "Association for Computing Machinery, Inc",
pages = "8--20",
booktitle = "SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research",

}

Achleitner, S, La Porta, TF, Jaeger, TR & McDaniel, PD 2017, Adversarial network forensics in software defined networking. in SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research. SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research, Association for Computing Machinery, Inc, pp. 8-20, 2017 Symposium on SDN Research, SOSR 2017, Santa Clara, United States, 4/3/17. https://doi.org/10.1145/3050220.3050223

Adversarial network forensics in software defined networking. / Achleitner, Stefan; La Porta, Thomas F.; Jaeger, Trent Ray; McDaniel, Patrick Drew.

SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research. Association for Computing Machinery, Inc, 2017. p. 8-20 (SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Adversarial network forensics in software defined networking

AU - Achleitner, Stefan

AU - La Porta, Thomas F.

AU - Jaeger, Trent Ray

AU - McDaniel, Patrick Drew

PY - 2017/4/3

Y1 - 2017/4/3

N2 - Software Defined Networking (SDN), and its popular implementation OpenFlow, represent the foundation for the design and implementation of modern networks. The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this paper we introduce a new attack vector on SDN by showing how the detailed composition of flowrules can be reconstructed by network users without any prior knowledge of the SDN controller or its architecture. To our best knowledge, in SDN, such reconnaissance techniques have not been considered so far. We introduce SDNMap, an open-source scanner that is able to accurately reconstruct the detailed composition of flow rules by performing active probing and listening to the network traffic. We demonstrate in a number of real-world SDN applications that this ability provides adversaries with a significant attack advantage and discuss ways to prevent the introduced reconnaissance techniques. Our SDNMap scanner is able to reconstruct flow rules between network endpoints with an accuracy of over 96%.

AB - Software Defined Networking (SDN), and its popular implementation OpenFlow, represent the foundation for the design and implementation of modern networks. The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this paper we introduce a new attack vector on SDN by showing how the detailed composition of flowrules can be reconstructed by network users without any prior knowledge of the SDN controller or its architecture. To our best knowledge, in SDN, such reconnaissance techniques have not been considered so far. We introduce SDNMap, an open-source scanner that is able to accurately reconstruct the detailed composition of flow rules by performing active probing and listening to the network traffic. We demonstrate in a number of real-world SDN applications that this ability provides adversaries with a significant attack advantage and discuss ways to prevent the introduced reconnaissance techniques. Our SDNMap scanner is able to reconstruct flow rules between network endpoints with an accuracy of over 96%.

UR - http://www.scopus.com/inward/record.url?scp=85018959548&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85018959548&partnerID=8YFLogxK

U2 - 10.1145/3050220.3050223

DO - 10.1145/3050220.3050223

M3 - Conference contribution

AN - SCOPUS:85018959548

T3 - SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research

SP - 8

EP - 20

BT - SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research

PB - Association for Computing Machinery, Inc

ER -

Achleitner S, La Porta TF, Jaeger TR, McDaniel PD. Adversarial network forensics in software defined networking. In SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research. Association for Computing Machinery, Inc. 2017. p. 8-20. (SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research). https://doi.org/10.1145/3050220.3050223