Please use this identifier to cite or link to this item: http://hdl.handle.net/10397/83438
Title: Exploiting software-defined networks : DoS attacks and security enhancement
Authors: Gao, Shang
Degree: Ph.D.
Issue Date: 2018
Abstract: Software-defined networking (SDN) has introduced a more flexible way to manage and control network traffic with high programmability by decoupling the control plane from the data plane of traditional networks. The centralized control and programmability of SDN can be exploited to enhance network security with a highly reactive security system. However, the same centralized structure is also considered vulnerable, which can cause severe network security problems. This thesis studies security in SDN from two angles: identifying vulnerabilities in SDN and enhancing network security with SDN. For SDN vulnerability identification, we study DoS attacks targeting OpenFlow networks and propose FloodDefender, a scalable, efficient and protocol-independent defense framework against these DoS attacks. Furthermore, we identify new SDN-aimed DDoS attacks that could use the communication bottleneck between the two planes to jam switch-controller links and overload the control plane in proactive OpenFlow networks. To mitigate the new DDoS attack, we propose FloodBarrier to reduce the communication and efficiently handle attack traffic. For SDN-enabled security, we propose a software-defined firewall (SDF) based on the architecture of SDN to enhance personal firewalls for malware detection. SDF can detect the hidden traffic generated by malware and enable programmable security policy control by abstracting the firewall architecture into control and data planes. Experimental results show that the proposed FloodDefender and FloodBarrier systems can efficiently protect OpenFlow networks against the attacks with little overhead, and that SDF can successfully monitor all network traffic and improve the accuracy of malicious traffic identification.
Subjects: Hong Kong Polytechnic University -- Dissertations
Software-defined networking (Computer network technology)
Computer networks -- Security measures
Pages: xviii, 153 pages : color illustrations
Appears in Collections: Thesis


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.