Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_18,
        author={Jiahao Cao and Mingwei Xu and Qi Li and Kun Sun and Yuan Yang and Jing Zheng},
        title={Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Software-Defined Networking Low-rate attack Flow table overflow},
        doi={10.1007/978-3-319-78813-5_18}
    }
    
  • Jiahao Cao
    Mingwei Xu
    Qi Li
    Kun Sun
    Yuan Yang
    Jing Zheng
    Year: 2018
    Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_18
Jiahao Cao,*, Mingwei Xu,*, Qi Li,*, Kun Sun1,*, Yuan Yang,*, Jing Zheng,*
  • 1: George Mason University
*Contact email: caojh15@mails.tsinghua.edu.cn, xumw@tsinghua.edu.cn, qi.li@sz.tsinghua.edu.cn, ksun3@gmu.edu, yyang@csnet1.cs.tsinghua.edu.cn, zhengj14@mails.tsinghua.edu.cn

Abstract

The emerging Software-Defined Networking (SDN) is being adopted by data centers and cloud service providers to enable flexible control. Meanwhile, the current SDN design brings new vulnerabilities. In this paper, we explore a stealthy data plane based attack that uses a rate of attack packet to disrupt SDN. To achieve this, we propose the LOFT attack that computes the lower bound of attack rate to overflow flow tables based on the inferred network configurations. Particularly, each attack packet always triggers or maintains consumption of one flow rule. LOFT can ensure the attack effect with various network configurations while reducing the possibility of being captured. We demonstrate its feasibility and effectiveness in a real SDN testbed consisting of commercial hardware switches. The experiment results show that LOFT can incur significant network performance degradation and potential network DoS at an attack rate of only tens of Kbps.