Abstract
The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this demo [4, 5] we present our open-source scanner SDNMap and demonstrate the findings discussed in the paper "Adversarial Network Forensics in Software Defined Networking" [6]. On two real world examples, Floodlight's Access Control Lists (ACL) and Floodlight's Load Balancer (LBaaS), we show that severe security issues arise with the ability to reconstruct the details of OpenFlow rules on the data-plane.
| Original language | English (US) |
|---|---|
| Title of host publication | SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research |
| Publisher | Association for Computing Machinery, Inc |
| Pages | 177-178 |
| Number of pages | 2 |
| ISBN (Electronic) | 9781450349475 |
| DOIs | |
| State | Published - Apr 3 2017 |
| Event | 2017 Symposium on SDN Research, SOSR 2017 - Santa Clara, United States Duration: Apr 3 2017 → Apr 4 2017 |
Publication series
| Name | SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research |
|---|
Other
| Other | 2017 Symposium on SDN Research, SOSR 2017 |
|---|---|
| Country | United States |
| City | Santa Clara |
| Period | 4/3/17 → 4/4/17 |
Fingerprint
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications
- Software
Cite this
}
Demo : Adversarial network forensics in software defined networking. / Achleitner, Stefan; La Porta, Thomas; Jaeger, Trent; McDaniel, Patrick.
SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research. Association for Computing Machinery, Inc, 2017. p. 177-178 (SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research).Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Demo
T2 - Adversarial network forensics in software defined networking
AU - Achleitner, Stefan
AU - La Porta, Thomas
AU - Jaeger, Trent
AU - McDaniel, Patrick
PY - 2017/4/3
Y1 - 2017/4/3
N2 - The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this demo [4, 5] we present our open-source scanner SDNMap and demonstrate the findings discussed in the paper "Adversarial Network Forensics in Software Defined Networking" [6]. On two real world examples, Floodlight's Access Control Lists (ACL) and Floodlight's Load Balancer (LBaaS), we show that severe security issues arise with the ability to reconstruct the details of OpenFlow rules on the data-plane.
AB - The essential part of an SDN-based network are flow rules that enable network elements to steer and control the traffic and deploy policy enforcement points with a fine granularity at any entry-point in a network. Such applications, implemented with the usage of OpenFlow rules, are already integral components of widely used SDN controllers such as Floodlight or OpenDayLight. The implementation details of network policies are reflected in the composition of flow rules and leakage of such information provides adversaries with a significant attack advantage such as bypassing Access Control Lists (ACL), reconstructing the resource distribution of Load Balancers or revealing of Moving Target Defense techniques. In this demo [4, 5] we present our open-source scanner SDNMap and demonstrate the findings discussed in the paper "Adversarial Network Forensics in Software Defined Networking" [6]. On two real world examples, Floodlight's Access Control Lists (ACL) and Floodlight's Load Balancer (LBaaS), we show that severe security issues arise with the ability to reconstruct the details of OpenFlow rules on the data-plane.
UR - http://www.scopus.com/inward/record.url?scp=85018960648&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85018960648&partnerID=8YFLogxK
U2 - 10.1145/3050220.3060599
DO - 10.1145/3050220.3060599
M3 - Conference contribution
AN - SCOPUS:85018960648
T3 - SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research
SP - 177
EP - 178
BT - SOSR 2017 - Proceedings of the 2017 Symposium on SDN Research
PB - Association for Computing Machinery, Inc
ER -