Attacking SDN infrastructure: Are we ready for the next gen networking

ATTACKING SDN INFRASTRUCTURE:
ARE WE READY FOR THE NEXT-GEN NETWORKING?
Changhoon Yoon, Seungsoo Lee
{chyoon87, lss365}@kaist.ac.kr

1. About us
2. Software-defined Networking (SDN) ?
3. Attacking SDN Infrastructure
• Scenario: Attacking Software-Defined Data Center (SDDC)
• Vulnerabilities
4. Recent work on SDN security
5. Conclusion
Contents

About us
Seungsoo Lee
- PhD student at KAIST
- Project DELTA
- Assistant Professor of EE dept. at KAIST
- Research Associate of
Open Networking Foundation (ONF)
- Leading Network and System Security Lab.
Changhoon Yoon
- PhD student at KAIST
- Project SM-ONOS
http://nss.kaist.ac.kr
Seungwon Shin

• Too complicated
• Control plane is implemented with complicated S/W and ASIC
• Unstable, increased complexity in management
• Closed platform
• Vendor specific
• Hard to modify (nearly impossible)
• Hard to add new functionalities
• Barrier to innovation
• New proposal: Software Defined Networking (SDN)
• Separate the control plane from the data plane
Traditional Networking
Control Plane
Data Plane
Legacy Network Device

What is Software Defined Networking (SDN)?
Northbound Interface
Core Services
Southbound Interface
Storage
App 1 App 2 App 3 App N
SDN Controller
Data Plane
Control Plane• Centralized network management
• Via global network view
• Programmable network
• Flexible and dynamic network control
• useful, innovative SDN applications
• CAPEX, OPEX reduction
• Commodity servers and switches

Basic SDN operation
Controller
L2 Forwarding
Host A Host B
SDN Switch
Flow Table
Host Aà Host B FWD
MATCH ACTION

Data Center Network Design
Servers
Leaf
Edge
Spine
Border
Leaf
East-West Traffic
• Today’s Data Center involves a LOT of Virtual Machines (VMs)
• “Leaf-Spine” Design
• Suitable for handling “East-West” traffic; low latency & bottlenecks
• Remaining challenges
• Increased complexity – frequent VM migrations, a large number of links
• Expensive to scale & maintain

Software-Defined Data Center (SDDC)
Servers
Leaf
SDDC
Control Plane
Edge
Spine
Border
Leaf
Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
• Highly available & scalable control plane
• Distributed SDN controller
• VMs to host controller nodes
• Low complexity
• Global network view + Network programmability
• Low cost
• Commodity servers & switches
• Centralized & automated management

Attack Vectors
Misconfiguration
- Direct access to critical SDN components
- CLI/GUI/SSH etc.
Malware
- Malicious libraries/
SDN applications
Insider(tenant) attacks
- DoS/Control plane saturation attack
against the NOS cluster
- Topology Poisoning
DCN Admin/Operator
Servers
Leaf
SDDC
Control Plane
Edge
Spine
Border
Leaf
Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
Build environment
Update, deploy
Update, deploy

• Open Source SDN Controller (NOS) implementations
• Open Network Operating System (ONOS) & OpenDaylight(ODL)
• Cutting-edge, distributed network operating systems (NOS)
• Provide base design for commercial SDN controllerproducts
• Brocade SDN Controller [1] : ODL-based
• Both are Maven projects
• Both run on Karaf OSGi container
SDN Control Plane Components
[1] http://www.brocade.com/en/products-services/software-networking/sdn-controllers-applications/sdn-controller.html

Attack Vector: Misconfiguration
• Remotely accessible interfaces
• Remote SSH to NOS host machines
• Karaf container CLI
• WebConsole, GUI
• REST API
• Defenses
• Follow the security guideline available here:
• http://docs.opendaylight.org/en/latest/getting-started-
guide/security_considerations.html
• Changing default credentials
• Properly configuring Firewall policies to block remote access

Attack Vector: Malware
• Malware infection at build-time
• Malware infection at runtime

• Compromising SDN Control Plane at Build-time
Attack Vector: Malware 1
Build environment
Maven
Repository
SDN controller
source code
repository
Automatically
fetch
required components
Fetch source code Build
SDN controller project
source
Maven project build
Deployable
SDN controller package
Deployment environment
Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
Conﬁguration
Compromised build machine
- Manipulated hosts file
- Manipulated maven repo. setting
- Etc.
Compromised build env. network
- DNS cache poisoning attack
- ARP spoofing attack
- Etc.
Rogue
maven repository
Rogue
SDN controller
source code
repository

Deployment environment
Distributed NOS Node #1
Controller
Southbound API
Core Services
Northbound API
App1 App 2 App 3 App 4 App 5
Distributed NOS
Node #2
Distributed NOS
Node #3
• Compromising SDN Control Plane at Runtime
Attack Vector: Malware 2
CLI
REST
API
GUI
DCN Admin/Operator
Social Engineering attacks
- Phishing (Spamming, Distribution via Web (Blogs, SNS, etc.)
Repackaging & Redistributing
Can install
SDN apps
at runtime
Malicious
App

• Malicious tenants
• Control plane saturation attack (DoS) against the NOS cluster [1]
• Topology Poisoning [2]
Attack Vectors: Insider (tenant) attacks
Servers
Leaf
SDDC
Control Plane
Edge
Spine
Border
Leaf
Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
[1] Shin, Seungwon, and Guofei Gu. "Attacking software-defined networks: A first feasibility study." Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013.
[2] Hong, Sungmin, et al. "Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures." NDSS. 2015.

Attack Scenario 1
Build environment
SDN controller project
source
Maven project build
Deployable
Deployment
environment Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
Rogue Maven Repository
reverse shell
Inject a rogue NOS node to the cluster
Compromising SDN control plane at build time to launch arbitrary SDN controller node injection attack

Attack Scenario 2
Compromising SDN control plane at runtime to launch stealth network performance attack
Download
DCN Admin/Operator
Third-Party SDN
APP Store
Deployment
environment
Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
Stealthily degrade the
network performance!
Deploy
Manipulate the Leaf-Spine fabric to
aﬀect the overall network performance
DCN

The Vulnerabilities (selected from the scenario)
1. No System Integrity Protection
2. No authentication of NOS cluster nodes
3. No application access control
4. Switch Device Firmware Abuse
5. Packet-IN Flooding
6. Control Message Manipulation
7. Eavesdrop
8. Internal Storage Manipulation
9. ….
Want more?
Visit http://sdnsecurity.org !!
(will open in 09/2016)

Vulnerability 1. No system integrity protection
• There is no system integrity protection for NOS components
• Integrity of the CORE NOS components must be guaranteed
• Possible Defenses
- Code signing
- Integrity protection mechanisms (e.g. checksum) Distributed NOS
Node #1
Distributed NOS
Node #2
Distributed NOS
Node #3
Maven project build
Deployable
Conﬁguration

SD-WAN
External
BGP Routers
External
BGP Routers
External
BGP Routers
External
BGP Routers
Distributed NOS
Node #1
Distributed NOS
Node #2
Los Angeles AS
NewYork AS
San Francisco AS
Florida AS
Vulnerability 2. No authentication of NOS cluster nodes
Malicious NOS
Node
• Possible Defense
- PKI-based authentication for the NOS components
• The malicious node can completely take over
the control of the entire control plane and the network

Vulnerability 3. No application access control
Distributed NOS Node #1
SDN-SW 1 SDN-SW 3 SDN-SW 5
SDN-SW 6SDN-SW 4SDN-SW 2
SDN-SW 7 SDN-SW 9
SDN-SW 10SDN-SW 8
Distributed NOS cluster
Controller
Southbound API
Core Services
Northbound API
App1 App 2 App 3 App 4
DCN Admin/Operator
Distributed NOS
Node #3
Distributed NOS
Node #2
Data Plane
Malicious
App
CLI
SSH
REST
API
GUI
[CP-3] Flow Rule Flooding
[CP-2] Flow Table Manipulation
[CP-1] Service Chain Interference
[CP-5] Resource Exhaustion
[CP-6] System Variable Manipulation
[CP-4] Controller Shutdown
[CP-7] Internal Storage Manipulation
[CP-8] Application Eviction
[CP-8] Switch Firmware Abuse
- Policy-based access control for SDN application
• SDN applications are granted very powerful authority; need to limit

MATCH ACTION
Software Table
Vulnerability 4. Switch device firmware abuse
App 1 App N
OpenFlow
Switch
Host A Host B
Controller
Hardware Table
IP.HOST A -> IP.HOST B
IP.HOST B -> IP.HOST A
OUT: FW1
OUT: FW2
MATCH ACTION
• Packet matching strategy:
Hardware-based vs. Software-based
App 2
• The strategy depends on
the vendor or the firmware version
[1] HP. HP Switch Software OpenFlow Administrator's Guide K/KA/WB 15.14
HP 3800 Switch Match Chart [1]
Hardware match
Software match

Vulnerability 4. Switch device firmware abuse
App 1
Malicious
App
App N
OpenFlow
Switch
Host A Host B
Controller
Hardware Table
IP.HOST A -> IP.HOST B
IP.HOST B -> IP.HOST A
OUT: FW1
OUT: FW2
MATCH ACTION
• Override IP matching flow rules
with MAC matching flow rules!
FLOW_MOD
OUT: FW1
OUT: FW2
MATCH ACTION
Software Table
MAC.HOST A -> MAC.HOST B
MAC.HOST B -> MAC.HOST A
Latency
FLOW_MOD
Network performance degradation
a
2a
X2
- Flow rule conflict detection & arbitration

• Delta (collaborate with ONF) is a new SDN security evaluation framework
with two main functions [1]:
1. Automatically instantiates known attack cases
against SDN elements across diverse environments
2. Assists in uncovering unknown security
problems within an SDN deployment
SDN Security Assessment: Project DELTA
[1] http://opensourcesdn.org/projects/project-delta-sdn-security-evaluation-framework/
Northbound Interface
Core Services
Southbound Interface
Storage
App
Agent
App 2 App N
SDN Controller
Channel
Agent
Host Agent
Agent Manager
Web UI

• Security-Mode ONOS
• Inspired by Mobile application security mechanisms
• Constrains ONOS (SDN) applications’ behavior
• A security policy per app
• Detects and blocks
security policy violations at runtime
SDN Application security policy enforcement
SB API
Core
NB API
OSGi protection domain
Admin Service
ONOS NB-API permission checker
ONOS App 1
Policy
ﬁle
OSGi protection domain
ONOS App 2
Policy
ﬁle
Device Manager Host Manager
Service
Provider Service Provider Registry
Providers
Protocols
Network Elements
Security Manager
grant
permissions
A
B B
C
Bundle-level RBACA
App-level RBACB
API-level
permission-based AC
C
parse

SDNSecurity.org
• We try to discover SDN specific vulnerabilities and devote to systematizing
and characterizing all related points.
• Currently, we have 8 on-going projects and 8 finished projects.
Application Plane
Control Plane
Data PlaneSDN Switch SDN Switch
SDN Controller
Switch Firmware
HardwareSoftware
Flow Table
Network Operating System
App
Southbound API
Northbound API
App
[A-5] Control Message Abuse
Control Channel
Control Channel
[A-6] Northbound API Abuse
[A-3] Internal Storage Manipulation[A-1] Packet-In Flooding
[A-2] Service Chain Interference
[A-4] Control Message Manipulation
[A-7] Resource Exhaustion
[A-8] System Variable Manipulation
[A-9] System Command Execution
[B-1] Eavesdrop
[B-2] Man-In-The-Middle
[C-1] Flow Rule Flooding
[C-2] Firmware Abuse
[C-3] Control Message Manipulation
[A-10] Network Topology Poisoning
http://sdnsecurity.org
SDN Vulnerability Genome Project
(will open in 09/2016)

Final remarks
• Are we ready for the next-gen networking?
• No, not yet at least from a security point of view
• A LOT of work still needs to be done to improve the security of SDN.
• Your urgent attention is needed!

Attacking SDN infrastructure: Are we ready for the next gen networking

More Related Content

What's hot (20)

Viewers also liked (10)

Similar to Attacking SDN infrastructure: Are we ready for the next gen networking (20)

More from Priyanka Aash (20)

Recently uploaded (20)

Attacking SDN infrastructure: Are we ready for the next gen networking