Research Article
Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack
@INPROCEEDINGS{10.1007/978-3-319-78813-5_18, author={Jiahao Cao and Mingwei Xu and Qi Li and Kun Sun and Yuan Yang and Jing Zheng}, title={Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack}, proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings}, proceedings_a={SECURECOMM}, year={2018}, month={4}, keywords={Software-Defined Networking Low-rate attack Flow table overflow}, doi={10.1007/978-3-319-78813-5_18} }- Jiahao Cao
Mingwei Xu
Qi Li
Kun Sun
Yuan Yang
Jing Zheng
Year: 2018
Disrupting SDN via the Data Plane: A Low-Rate Flow Table Overflow Attack
SECURECOMM
Springer
DOI: 10.1007/978-3-319-78813-5_18
Abstract
The emerging Software-Defined Networking (SDN) is being adopted by data centers and cloud service providers to enable flexible control. Meanwhile, the current SDN design brings new vulnerabilities. In this paper, we explore a stealthy data plane based attack that uses a rate of attack packet to disrupt SDN. To achieve this, we propose the LOFT attack that computes the lower bound of attack rate to overflow flow tables based on the inferred network configurations. Particularly, each attack packet always triggers or maintains consumption of one flow rule. LOFT can ensure the attack effect with various network configurations while reducing the possibility of being captured. We demonstrate its feasibility and effectiveness in a real SDN testbed consisting of commercial hardware switches. The experiment results show that LOFT can incur significant network performance degradation and potential network DoS at an attack rate of only tens of Kbps.