Annual Computer Security Applications Conference (ACSAC) 2016


Timing-based Reconnaissance and Defense in Software-defined Networks

Software-defined Networking (SDN) enables advanced network applications by separating a network into a data plane that forwards packets and a control plane that computes and installs forwarding rules into the data plane. Many SDN applications rely on dynamic rule installation, where the control plane processes the first few packets of each traffic flow and then installs a dynamically computed rule into the data plane to forward the remaining packets. Control plane processing adds delay, as the switch must forward each such packet and its meta-information to an (often centralized) control server and wait for a response specifying how to handle the packet. How much delay the control plane imposes depends on its load and on the applications and protocols it runs. In this work, we develop a non-intrusive timing attack that exploits this property to learn about an SDN network's configuration. The attack analyzes the amount of delay added to timing pings that are specially crafted to invoke the control plane, while transmitting other packets that may or may not invoke the control plane, depending on the network's configuration. We show, in a testbed with physical OpenFlow switches and controllers, that an attacker probing the network at a low rate for short periods of time can learn a range of sensitive information with >99% accuracy, including host communication patterns, ACL entries, and network monitoring settings. We also implement and test a practical defense: a timeout proxy, which normalizes control plane delay by providing configurable default responses to control plane requests that take too long. The proxy can be deployed on unmodified OpenFlow switches, reduced the attack's accuracy to below 50% in our experiments, and can be configured to have minimal impact on non-attack traffic.
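The following is an added illustration of the mechanism the abstract describes; it is a small queueing simulation written for this page, not the authors' testbed code, and none of its numbers come from the paper. It assumes a single-server FIFO controller with a fixed per-packet-in service time plus jitter, a switch whose rule table the attacker wants to reconstruct, an attacker who sends a probe to a candidate destination immediately before a timing ping that always invokes the control plane, and a proxy that returns a default action once a control plane request exceeds a configurable timeout. The decision threshold, the rule table and the timeout value are all constructed for the example.

```python
"""Simulation of SDN timing reconnaissance and a timeout-proxy defense (added example)."""
import random

# Assumed model parameters in milliseconds (constructed, not measured values from the paper).
DATA_PLANE_MS = 0.05      # forwarding a packet that matches an installed rule
CONTROL_SERVICE_MS = 2.0  # controller work per packet-in, served FIFO one at a time
JITTER_MS = 0.2           # uniform per-packet-in jitter at the controller
PING_DST = "ping-target"  # destination with no rule, so every timing ping hits the controller


class Controller:
    """Single-server FIFO model: a packet-in waits for earlier packet-ins, then is serviced."""

    def __init__(self, rng):
        self.rng = rng
        self.busy_until = 0.0

    def packet_in(self, now):
        start = max(now, self.busy_until)
        self.busy_until = start + CONTROL_SERVICE_MS + self.rng.uniform(0, JITTER_MS)
        return self.busy_until - now  # delay this packet-in experiences


class TimeoutProxy:
    """Sits between switch and controller. If the controller's answer would take longer
    than `timeout_ms`, the proxy returns a configured default action at the timeout, so
    the switch never observes a control-plane delay above `timeout_ms`."""

    def __init__(self, controller, timeout_ms):
        self.controller = controller
        self.timeout_ms = timeout_ms
        self.defaults_served = 0  # how often the default answer was used (cost to traffic)

    def packet_in(self, now):
        real = self.controller.packet_in(now)  # the controller still does the work
        if real > self.timeout_ms:
            self.defaults_served += 1
            return self.timeout_ms
        return real


class Switch:
    """Data plane: packets matching an installed rule are forwarded locally; everything
    else goes to the control plane (directly or through the proxy)."""

    def __init__(self, control_plane, installed_rules):
        self.control_plane = control_plane
        self.rules = set(installed_rules)

    def forward(self, now, dst):
        if dst in self.rules:
            return DATA_PLANE_MS
        return DATA_PLANE_MS + self.control_plane.packet_in(now)


def measure_ping(switch, now, probe_dst=None):
    """One attacker trial: optionally send a probe to `probe_dst` right before a timing
    ping. If the probe needed the controller, the ping queues behind it."""
    if probe_dst is not None:
        switch.forward(now, probe_dst)
    return switch.forward(now + 0.01, PING_DST)


def infer_rules(switch, candidates, trials=5, spacing_ms=50.0):
    """Attacker: judge a destination to have an installed rule when pings sent right
    after probes to it are not delayed by about one extra controller service time."""
    now = 0.0
    baseline = []
    for _ in range(trials):
        baseline.append(measure_ping(switch, now))
        now += spacing_ms  # low probe rate: the controller drains between trials
    base = sum(baseline) / len(baseline)
    verdict = {}
    for dst in candidates:
        extra = []
        for _ in range(trials):
            extra.append(measure_ping(switch, now, dst) - base)
            now += spacing_ms
        verdict[dst] = (sum(extra) / len(extra)) < CONTROL_SERVICE_MS / 2
    return verdict


def attack_accuracy(timeout_ms=None, seed=1):
    """Run the attack against a switch whose rule table the attacker must guess.
    Returns (fraction of destinations classified correctly, default responses served)."""
    rng = random.Random(seed)
    truth = {"h1": True, "h2": False, "h3": True, "h4": False,   # constructed ground truth:
             "h5": False, "h6": True, "h7": False, "h8": False}  # True = rule installed
    control = Controller(rng)
    if timeout_ms is not None:
        control = TimeoutProxy(control, timeout_ms)
    switch = Switch(control, [d for d, installed in truth.items() if installed])
    guess = infer_rules(switch, sorted(truth))
    correct = sum(guess[d] == truth[d] for d in truth)
    served = control.defaults_served if timeout_ms is not None else 0
    return correct / len(truth), served


if __name__ == "__main__":
    print("no defense:    accuracy %.2f" % attack_accuracy()[0])
    acc, served = attack_accuracy(timeout_ms=CONTROL_SERVICE_MS + JITTER_MS)
    print("timeout proxy: accuracy %.2f, %d default responses served" % (acc, served))
```

Without the proxy the ping's queueing delay behind a probe that reached the controller is about one full service time, so the attacker recovers the whole rule table. With the timeout set just above the idle control plane delay, every ping is answered at the timeout whether or not the probe queued ahead of it, the attacker's verdict collapses to "rule installed" for every destination, and accuracy falls to the base rate of installed rules; the price is that every control plane request issued while the controller is busy, attacker-induced or not, receives the default action, which is the trade-off the timeout value controls.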

Author(s):

John Sonchack    
University of Pennsylvania
United States

Anurag Dubey    
University of Colorado, Boulder
United States

Adam Aviv    
United States Naval Academy
United States

Eric Keller    
University of Colorado, Boulder
United States

Jonathan Smith    
University of Pennsylvania
United States

 
