Peer-Reviewed

Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks

Received: 20 April 2016     Published: 21 April 2016
Abstract

Software-defined networking (SDN), with its unprecedented capability for network traffic monitoring and data transfer, has been deployed in a wide range of application scenarios. However, typical cyber-attacks that prevail in traditional IP networks have also adapted their implementation to the SDN environment. Eavesdropping is one such attack and causes information disclosure of varying severity. In this paper, we focus on data plane eavesdropping in SDN and treat it on two levels, according to the extent to which an adversarial sniffer can exploit an SDN switch. We then introduce Combat-Sniff, a comprehensive countermeasure comprising two methods, one for each level of sniffing. We demonstrate their reliability and performance both theoretically and experimentally. The results show that Combat-Sniff can be applied in SDN to satisfy different security requirements with acceptable overhead.
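The abstract treats a sniffer that can exploit an SDN switch, and the keywords name flow-entry integrity verification as one of the two methods. The following is an added illustration, not code from the Combat-Sniff paper or its authors: it checks a switch's reported flow table against the rules the controller intended to install, and flags entries whose actions would copy traffic to an extra port. The flow rules are constructed sample data written in the style of `ovs-ofctl dump-flows` output, and the canonicalisation rules, the set of volatile fields that are ignored, and the notion of a "trusted port" are assumptions made for this example.

```python
"""Added example: flow-table integrity check against a controller's intent.

Not the paper's implementation. The flow rules are constructed sample data
in ovs-ofctl dump-flows style; field handling is an assumption for the demo.
"""
import hashlib
import re

# Constructed: the rules the controller intends switch s1 to hold.
INTENDED_FLOWS = [
    "priority=100,in_port=1,dl_dst=00:00:00:00:00:02 actions=output:2",
    "priority=100,in_port=2,dl_dst=00:00:00:00:00:01 actions=output:1",
    "priority=0 actions=CONTROLLER:65535",
]

# Constructed: what a tampered switch reports. Port 3 leads to the sniffer.
# Entry 1 has gained an extra output action, and a new high-priority rule
# mirrors everything arriving on port 2 as well.
REPORTED_FLOWS = [
    " cookie=0x0, duration=12.3s, table=0, n_packets=40, n_bytes=3920, "
    "priority=100,in_port=1,dl_dst=00:00:00:00:00:02 actions=output:2,output:3",
    " cookie=0x0, duration=12.3s, table=0, n_packets=38, n_bytes=3724, "
    "priority=100,in_port=2,dl_dst=00:00:00:00:00:01 actions=output:1",
    " cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, "
    "priority=0 actions=CONTROLLER:65535",
    " cookie=0x0, duration=1.1s, table=0, n_packets=5, n_bytes=490, "
    "priority=200,in_port=2 actions=output:3,NORMAL",
]

# Assumed: counters and timers that differ between dumps but carry no intent.
VOLATILE = ("cookie", "duration", "table", "n_packets", "n_bytes",
            "idle_age", "hard_age", "idle_timeout", "hard_timeout")


def canonical(rule):
    """Return (match, actions) with volatile fields dropped and match fields sorted."""
    match_part, _, actions = rule.strip().partition(" actions=")
    fields = sorted(f.strip() for f in match_part.split(",")
                    if f.strip() and not f.strip().startswith(VOLATILE))
    return ",".join(fields), actions.strip()


def table_digest(rules):
    """Order-independent SHA-256 over the canonical table; cheap to compare per poll."""
    h = hashlib.sha256()
    for match, actions in sorted(canonical(r) for r in rules):
        h.update(f"{match} actions={actions}\n".encode())
    return h.hexdigest()


def verify(intended, reported):
    """List every discrepancy between controller intent and the switch's report."""
    want = dict(canonical(r) for r in intended)
    have = dict(canonical(r) for r in reported)
    findings = []
    for match, actions in have.items():
        if match not in want:
            findings.append(("unexpected_rule", match, actions))
        elif actions != want[match]:
            findings.append(("tampered_actions", match, f"{want[match]} -> {actions}"))
    for match, actions in want.items():
        if match not in have:
            findings.append(("missing_rule", match, actions))
    return findings


def suspicious_ports(findings, trusted_ports):
    """Output ports named by unexpected or tampered rules that the controller never
    intended to use: candidate attachment points for a sniffer."""
    ports = set()
    for kind, _, detail in findings:
        if kind in ("unexpected_rule", "tampered_actions"):
            for p in re.findall(r"output:(\d+)", detail):
                if int(p) not in trusted_ports:
                    ports.add(int(p))
    return sorted(ports)


if __name__ == "__main__":
    if table_digest(INTENDED_FLOWS) != table_digest(REPORTED_FLOWS):
        found = verify(INTENDED_FLOWS, REPORTED_FLOWS)
        for kind, match, detail in found:
            print(f"{kind:17} {match:45} {detail}")
        print("suspicious output ports:", suspicious_ports(found, {1, 2}))
```

The digest gives a fast "has anything changed" signal per poll, and `verify` explains the difference when it fires. The check only catches a sniffer that must alter the flow table to receive copies of traffic; a switch whose software is fully under the attacker's control can report the intended table while forwarding differently, which is why a table check alone cannot cover both levels the abstract distinguishes. The page's keywords point to moving target defense as the complementary mechanism, but its design is not described here.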

Published in American Journal of Networks and Communications (Volume 5, Issue 2)
DOI 10.11648/j.ajnc.20160502.13
Page(s) 27-34
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2016. Published by Science Publishing Group

Keywords

Eavesdropping, Software-Defined Networking (SDN), Flow Entries Integrity Verification, Moving Target Defense (MTD)

Cite This Article
  • APA Style

    Fan Jiang, Chen Song, Hao Xun, Zhen Xu. (2016). Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks. American Journal of Networks and Communications, 5(2), 27-34. https://doi.org/10.11648/j.ajnc.20160502.13

    ACS Style

    Fan Jiang; Chen Song; Hao Xun; Zhen Xu. Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks. Am. J. Netw. Commun. 2016, 5(2), 27-34. doi: 10.11648/j.ajnc.20160502.13

    AMA Style

    Fan Jiang, Chen Song, Hao Xun, Zhen Xu. Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks. Am J Netw Commun. 2016;5(2):27-34. doi: 10.11648/j.ajnc.20160502.13

  • @article{10.11648/j.ajnc.20160502.13,
      author = {Fan Jiang and Chen Song and Hao Xun and Zhen Xu},
      title = {Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks},
      journal = {American Journal of Networks and Communications},
      volume = {5},
      number = {2},
      pages = {27-34},
      doi = {10.11648/j.ajnc.20160502.13},
      url = {https://doi.org/10.11648/j.ajnc.20160502.13},
      eprint = {https://article.sciencepublishinggroup.com/pdf/10.11648.j.ajnc.20160502.13},
     year = {2016}
    }

  • TY  - JOUR
    T1  - Combat-Sniff: A Comprehensive Countermeasure to Resist Data Plane Eavesdropping in Software-Defined Networks
    AU  - Fan Jiang
    AU  - Chen Song
    AU  - Hao Xun
    AU  - Zhen Xu
    Y1  - 2016/04/21
    PY  - 2016
    N1  - https://doi.org/10.11648/j.ajnc.20160502.13
    DO  - 10.11648/j.ajnc.20160502.13
    T2  - American Journal of Networks and Communications
    JF  - American Journal of Networks and Communications
    JO  - American Journal of Networks and Communications
    SP  - 27
    EP  - 34
    PB  - Science Publishing Group
    SN  - 2326-8964
    UR  - https://doi.org/10.11648/j.ajnc.20160502.13
    VL  - 5
    IS  - 2
    ER  - 

Author Information
  • Fan Jiang, Chen Song, Hao Xun, Zhen Xu: Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China