![Page 1: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/1.jpg)
Preventing Malicious SDN ApplicationsFrom Hiding Adverse Network
Manipulations
Christian Röpke and Thorsten Holz
Ruhr-University Bochum
![Page 2: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/2.jpg)
Problem Statement
8/24/2018 Christian Röpke and Thorsten Holz 2
• Malicious SDN applications are capable of intensively manipulating internal datastructures of SDN controllers.
• As a result, attackers can hide malicious actions, e.g., from SDN controller security services and SDN security applications.
![Page 3: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/3.jpg)
Hiding Adverse Network Manipulations
• SDN apps insert/remove rules.• SDN security apps and SDN
controller security services keep track on manipulations by observing the global view.
• Normal case:– A security mechanism raises an
alert in case an observed manipulation violates a policy.
• Compromised SDN controller:– Global view is tampered to hide
adverse manipulations.– A security method does not
notice malicious changes anymore.
8/24/2018 Christian Röpke and Thorsten Holz 3
![Page 4: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/4.jpg)
• SDN apps insert/remove rules.• SDN security apps and SDN
controller security services keep track on manipulations by observing the global view.
• Normal case:– A security mechanism raises an
alert in case an observed manipulation violates a policy.
• Compromised SDN controller:– Global view is tampered to hide
adverse manipulations.– A security mechanism is
unable to notice adverse network changes anymore!
8/24/2018 Christian Röpke and Thorsten Holz 4
Hiding Adverse Network Manipulations
![Page 5: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/5.jpg)
Current Solutions
8/24/2018 Christian Röpke and Thorsten Holz 5
• SDN application sandboxing– Put SDN applications into sandboxes and restrict access to
critical operations to prevent SDN controller attacks
– Problems:• Adversely usable critical operations must be known beforehand
• Distinguishing between benign and malicious use is rather difficult
• Policy checking– Intercept network programming attempts and drop the
ones which violate a security policy
– Problems:• Defining security policies in complex networks is error-prone
• A single missing policy can result in an attack
![Page 6: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/6.jpg)
Our Approach
• Intercept network programming attempts
• Before programming a switch compare the actual network state with the one provided by a potentially compromised SDN controller
• Prevent actively hidden malicious flow rule insertions and removals
No need for Complex analyses Error-prone configurations
8/24/2018 Christian Röpke and Thorsten Holz 6
![Page 7: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/7.jpg)
Assumption
• Malicious SDN applications hide adverse network manipulations as soon as possibleand as long as possible.
• This is reasonable because
– A security mechanism can easily observe malicious actions and raise alerts, and
– Attackers have an immense interest in remaining undetected.
8/24/2018 Christian Röpke and Thorsten Holz 7
![Page 8: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/8.jpg)
Challenges
• Take southbound protocol specifics into account (i.e., barrier requests)
– Example:
• Add flow rule 1 -> Barrier request -> Add flow rule 2(Goal: install flow rule 1 before flow rule 2)
• Possible race condition:– If a barrier request is not handled appropriately, flow rule 2 is
installed at first.
– This is the case, e.g., when checking flow rule 1 takes longer than checking flow rule 2.
8/24/2018 Christian Röpke and Thorsten Holz 8
![Page 9: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/9.jpg)
Challenges
• Take southbound protocol specifics into account (i.e., barrier requests)
• Get global network view from SDN controller (e.g., via REST API)
– Efficiently
• To keep the network programming delay at a minimum
8/24/2018 Christian Röpke and Thorsten Holz 9
![Page 10: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/10.jpg)
Challenges
• Take southbound protocol specifics into account (i.e., barrier requests)
• Get global network view from SDN controller(e.g., via REST API)
– Efficiently
– Indistinguishably from other SDN applications
• Otherwise, corresponding requests can be handled differently by an attacker, which may result in a bypass
8/24/2018 Christian Röpke and Thorsten Holz 10
![Page 11: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/11.jpg)
Challenges
• Take southbound protocol specifics into account (i.e., barrier requests)
• Get global network view from SDN controller(e.g., via REST API)
– Efficiently
– Indistinguishably from other SDN applications
• Compare network states efficiently
– To keep the network programming delay minimal
8/24/2018 Christian Röpke and Thorsten Holz 11
![Page 12: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/12.jpg)
Architecture
1. Observer intercepts relevant messages and passes them to acomparer unit.
2. Comparer queries global network view via an SDN controller stub.
3. Comparer transforms inputs to a format enabling efficient network state comparison.
4. Comparer checks if the network change in question is made visible by the SDN controller.
5. If yes, the change is considered benign and thus forwarded.If no, the change is considered malicious and thus dropped.
8/24/2018 Christian Röpke and Thorsten Holz 12
1
![Page 13: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/13.jpg)
Architecture
1. Observer intercepts relevant messages and passes them to acomparer unit.
2. Comparer queries global network view via an SDN controller stub.
3. Comparer transforms inputs to a format enabling efficient network state comparison.
4. Comparer checks if the network change in question is made visible by the SDN controller.
5. If yes, the change is considered benign and thus forwarded.If no, the change is considered malicious and thus dropped.
8/24/2018 Christian Röpke and Thorsten Holz 13
1
![Page 14: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/14.jpg)
Architecture
1. Observer intercepts relevant messages and passes them to acomparer unit.
2. Comparer queries global network view via an SDN controller stub.
3. Comparer transforms inputs to a format which enables efficient network state comparison.
4. Comparer checks if the network change in question is made visible by the SDN controller.
5. If yes, the change is considered benign and thus forwarded.If no, the change is considered malicious and thus dropped.
8/24/2018 Christian Röpke and Thorsten Holz 14
1
![Page 15: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/15.jpg)
Architecture
1. Observer intercepts relevant messages and passes them to acomparer unit.
2. Comparer queries global network view via an SDN controller stub.
3. Comparer transforms inputs to a format which enables efficient network state comparison.
4. Comparer checks if the network change in question is made visible by the SDN controller.
5. If yes, change is considered benign and thus forwarded.If no, change is considered malicious, dropped, and stored for further investigations.
8/24/2018 Christian Röpke and Thorsten Holz 15
![Page 16: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/16.jpg)
Implementation
Challenge
• Take southbound protocol specifics into account
Proposed Solution
• Block control channel in case of barrier requests
Ensure message ordering as instructed by SDN controller
Delay switch programming for the checking time
8/24/2018 Christian Röpke and Thorsten Holz 16
![Page 17: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/17.jpg)
Implementation
Challenge
Take southbound protocol specifics into account
• Appear as normal SDN application
Proposed Solution
• Use REST API
Typical feature of SDN controllers
All kinds of SDN applications can use this interface w/o disclosing their purpose
8/24/2018 Christian Röpke and Thorsten Holz 17
Example:curl –u onos:rocks http://<ip>:8181/onos/v1/flows/of:<dpid>/<cookie>curl –u onos:rocks http://<ip>:8181/onos/v1/flows/of:<dpid>/<cookie>
![Page 18: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/18.jpg)
Implementation
Challenge
Take southbound protocol specifics into account
Appear as normal SDN application
• Get global network view efficiently
Proposed Solution
• Ask SDN controller only for a relevant subset of installed flow rules
This is possible, e.g., by using the cookie value which can identify a flow-mod message
If supported by an NBI, an SDN application can query a flow rule by its cookie value
8/24/2018 Christian Röpke and Thorsten Holz 18
![Page 19: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/19.jpg)
Implementation
Challenge
Take southbound protocol specifics into account
Appear as normal SDN application
Get global network view efficiently
Compare network states efficiently
Proposed Solution
• Generate a hash value for flow rule in question and flow rule(s) provided by the SDN controller
Hash value comparison is typically fast
8/24/2018 Christian Röpke and Thorsten Holz 19
![Page 20: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/20.jpg)
Evaluation
• ONOS, Floodlight and ODL as SDN controllers
• Various network topologies are simulated via Mininet
• Network load is simulated via increasing the number of added rules per switch
• Our prototype sits between SDN controller and network
• Test system: 2x Intel Core i7, 32 GB RAM, Ubuntu 16.04
8/24/2018 Christian Röpke and Thorsten Holz 20
![Page 21: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/21.jpg)
Evaluation
• Important factors:– trx/tx: time to receive / send
traffic from SDN controller / to network device
– tdispatch: time to dispatch programming attempts to a comparer thread
– trest call: time to query the global network view
– tparse: time to parse global network view and to generate hashes
– tcompare: time to compare network states
8/24/2018 Christian Röpke and Thorsten Holz 21
![Page 22: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/22.jpg)
8/24/2018 Christian Röpke and Thorsten Holz 22
• By far the slowest part is to get the global network view via REST calls– Delay grows slowly (OpenDaylight) to moderately (ONOS, Floodlight)– OpenDaylight’s responds are the fastest Extend NBI by a mechanism faster than REST
• Parsing the global network view is fast except for Floodlight– Its responds contain all installed flow rules Extend Floodlight’s NBI to query individual flow rules
• Time to compare network states is negligible
ONOS OpenDaylight
ResultsFloodlight
![Page 23: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/23.jpg)
8/24/2018 Christian Röpke and Thorsten Holz 23
• By far the slowest part is to get the global network view via REST calls– Delay grows slowly (OpenDaylight) to moderately (ONOS, Floodlight)– OpenDaylight’s responds are the fastest Extend NBI by a mechanism faster than REST
• Parsing the global network view is fast except for Floodlight– Its responds contain all installed flow rules Extend Floodlight’s NBI to query individual flow rules
• Time to compare network states is negligible
ONOS OpenDaylight
ResultsFloodlight
![Page 24: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/24.jpg)
8/24/2018 Christian Röpke and Thorsten Holz 24
• By far the slowest part is to get the global network view via REST calls– Delay grows slowly (OpenDaylight) to moderately (ONOS, Floodlight)– OpenDaylight’s responds are the fastest Extend NBI by a mechanism faster than REST
• Parsing the global network view is fast except for Floodlight– Its responds contain all installed flow rules Extend Floodlight’s NBI to query individual flow rules
• Time to compare network states is negligible
ONOS OpenDaylight
ResultsFloodlight
![Page 25: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/25.jpg)
Limitation
• Our prototype provides full support for ONOS, but only part support for Floodlight and ODL.
• Reason:
– Adding/removing flow rules can also be achieved without using an internal flow rule database.
– Querying corresponding flow rules requires additional control traffic, which is blocked in case of barrier requests.
8/24/2018 Christian Röpke and Thorsten Holz 25
![Page 26: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/26.jpg)
Conclusions
• Malicious SDN applications are capable of hiding adverse network manipulations.
• We complement existing security solutions by revealing and preventing such attacks.
• Our performance evaluation indicates efficiency which allows proactive security.
8/24/2018 Christian Röpke and Thorsten Holz 26
![Page 27: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/27.jpg)
Thank you!
![Page 28: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/28.jpg)
Backup
Average delay for adding flow rules with ONOS
Average delay and standard deviation for ONOS
8/24/2018 Christian Röpke and Thorsten Holz 28
225ms -> X
![Page 29: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/29.jpg)
Backup
Adding Flow Rules Removing Flow Rules
8/24/2018 Christian Röpke and Thorsten Holz 29
![Page 30: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/30.jpg)
Backup
• ONOS– Adding a flow rule
• A db entry is created with status pending_add• Then, a flow-mod and barrier-request is sent• After receiving barrier-reply, this db entry’s status changes to addedWhen intercepting flow-mod’s, corresponding flow rules are supposed
to be visible in ONOS’s global network view If this is not the case, then they must be actively hidden
– Removing a flow rule• A db entry’s status changes to pending_remove• Then, a flow-mod and barrier-request is sent• After receiving barrier-reply, this db entry is removedWhen intercepting flow-mod’s, corresponding flow rules are supposed
to be visible with status pending_remove If this is not the case (added), then their removal is actively hidden
8/24/2018 Christian Röpke and Thorsten Holz 30
![Page 31: Preventing Malicious SDN Applications From Hiding Adverse ...Appear as normal SDN application • Get global network view efficiently Proposed Solution • Ask SDN controller only](https://reader033.vdocuments.mx/reader033/viewer/2022042021/5e78d066caf6f443ed676d7d/html5/thumbnails/31.jpg)
Backup
• No full support for Floodlight and ODL• Reason:
– Adding/removing flow rules can also be achieved without using an internal flow rule database.
– Querying such flow rules requires additional control traffic which we blocked in case of barrier requests.
• Possible solution:– In case the main connection is blocked, establish an auxiliary
connection to exchange flow-stats messages.– Inject/remove data about the flow rule under validation in flow-
stats replies to complete the SDN controller’s global view.• In case of a benign network change, injected/removed data is correct.• In case of a malicious change, injected/removed data is hidden.
8/24/2018 Christian Röpke and Thorsten Holz 31