Attacking SDN Infrastructure

The document discusses security issues with software-defined networking (SDN) infrastructure and control planes. It describes how SDN improves on traditional networking through centralized control and programmability. However, it also analyzes attack vectors like misconfiguration, malware infection, and insider attacks that could compromise SDN controllers and switches. The authors argue more work is still needed to ensure SDN systems are resilient to these emerging threats.

Uploaded by

Tấn Long Lê

ATTACKING SDN INFRASTRUCTURE:
ARE WE READY FOR THE NEXT-GEN NETWORKING?

Changhoon Yoon, Seungsoo Lee
{chyoon87, lss365}@kaist.ac.kr
Contents
1. About us
2. Software-defined Networking (SDN)?
3. Attacking SDN Infrastructure
   - Scenario: Attacking Software-Defined Data Center (SDDC)
   - Vulnerabilities
4. Recent work on SDN security
5. Conclusion
About us
http://nss.kaist.ac.kr

Seungwon Shin
- Assistant Professor of EE dept. at KAIST
- Research Associate of Open Networking Foundation (ONF)
- Leading Network and System Security Lab.

Changhoon Yoon
- PhD student at KAIST
- Project SM-ONOS

Seungsoo Lee
- PhD student at KAIST
- Project DELTA
Traditional Networking
Too complicated
- Control plane is implemented with complicated S/W and ASIC
- Unstable, increased complexity in management
Closed platform
- Vendor specific
- Hard to modify (nearly impossible)
- Hard to add new functionalities
- Barrier to innovation
[Figure: legacy network device with a vendor-specific control plane on top of the data plane]

New proposal: Software Defined Networking (SDN)
- Separate the control plane from the data plane

What is Software Defined Networking (SDN)?
Centralized network management
- Via global network view
Programmable network
- Flexible and dynamic network control
- Useful, innovative SDN applications
CAPEX, OPEX reduction
- Commodity servers and switches
[Figure: SDN architecture; App 1 ... App N above the Northbound Interface, the SDN Controller (Core Services, Storage) as the Control Plane, and the Southbound Interface down to the Data Plane]
Basic SDN operation
L2 Forwarding
[Figure: a Controller above one SDN Switch that connects Host A and Host B]
Flow Table of the SDN Switch:
MATCH              ACTION
Host A -> Host B   FWD
Data Center Network Design
[Figure: Leaf-Spine fabric; Spine switches, Leaf switches, a Border Leaf towards the Edge, Servers below the leaves, East-West traffic between servers]
Today's Data Center involves a LOT of Virtual Machines (VMs)
Leaf-Spine Design
- Suitable for handling East-West traffic; low latency, fewer bottlenecks
Remaining challenges
- Increased complexity: frequent VM migrations, a large number of links
- Expensive to scale & maintain
Software-Defined Data Center (SDDC)
[Figure: SDDC control plane of Distributed NOS Node #1, Node #2 and Node #3 above a Leaf-Spine fabric (Spine, Leaf, Border Leaf, Servers, Edge)]
Low complexity
- Global network view + Network programmability
- Centralized & automated management
Highly available & scalable control plane
- Distributed SDN controller
Low cost
- VMs to host controller nodes
- Commodity servers & switches
Attack Vectors
[Figure: the DCN Admin/Operator updates and deploys from the build environment to the SDDC control plane (Distributed NOS Node #1, Node #2, Node #3) above the Leaf-Spine fabric (Spine, Leaf, Border Leaf, Servers, Edge)]
Malware
- Malicious libraries / SDN applications
Misconfiguration
- Direct access to critical SDN components
- CLI/GUI/SSH etc.
Insider (tenant) attacks
- DoS/Control plane saturation attack against the NOS cluster
- Topology Poisoning
SDN Control Plane Components
Open Source SDN Controller (NOS) implementations
- Open Network Operating System (ONOS) & OpenDaylight (ODL)
- Cutting-edge, distributed network operating systems (NOS)
- Provide base design for commercial SDN controller products
  - Brocade SDN Controller [1]: ODL-based
- Both are Maven projects
- Both run on Karaf OSGi container

[1] http://www.brocade.com/en/products-services/software-networking/sdn-controllers-applications/sdn-controller.html
Attack Vector: Misconfiguration
Remotely accessible interfaces
- Remote SSH to NOS host machines
- Karaf container CLI
- WebConsole, GUI
- REST API
Defenses
- Follow the security guideline available here: http://docs.opendaylight.org/en/latest/getting-started-guide/security_considerations.html
- Changing default credentials
- Properly configuring Firewall policies to block remote access
Attack Vector: Malware
- Malware infection at build-time
- Malware infection at runtime
Attack Vector: Malware 1
Compromising SDN Control Plane at Build-time
Compromised build machine
- Manipulated hosts file
- Manipulated maven repo. setting
- Etc.
Compromised build env. network
- DNS cache poisoning attack
- ARP spoofing attack
- Etc.
[Figure: the build environment fetches the SDN controller project source from the SDN controller source code repository, automatically fetches the required components from the Maven repository, and runs the Maven project build to produce the deployable SDN controller package; a rogue Maven repository or a rogue SDN controller source code repository can feed that build. The package is then configured and deployed to Distributed NOS Node #1, Node #2 and Node #3 in the deployment environment]
Attack Vector: Malware 2
Compromising SDN Control Plane at Runtime
Social Engineering attacks
- Phishing (Spamming), Distribution via Web (Blogs, SNS, etc.)
- Repackaging & Redistributing
[Figure: the DCN Admin/Operator can install SDN apps at runtime through the REST API, GUI or CLI; a malicious app runs next to App 1 ... App 5 above the Northbound API of the controller (Core Services, Southbound API) hosted on Distributed NOS Node #1, Node #2 and Node #3 in the deployment environment]
Attack Vectors: Insider (tenant) attacks
Malicious tenants
- Control plane saturation attack (DoS) against the NOS cluster [1]
- Topology Poisoning [2]
[Figure: SDDC control plane (Distributed NOS Node #1, Node #2, Node #3) above the Leaf-Spine fabric (Spine, Leaf, Border Leaf, Servers, Edge); the tenant attacks originate at the servers]

[1] Shin, Seungwon, and Guofei Gu. "Attacking software-defined networks: A first feasibility study." Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, 2013.
[2] Hong, Sungmin, et al. "Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures." NDSS. 2015.
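A control plane saturation attack works by forcing the switch to send a flood of table-miss Packet-In messages to the controller. The detector below is an added example, not part of the slides or of ONOS/ODL: it runs a sliding window over controller log lines in a hypothetical, constructed format and raises an alert for a switch port whose Packet-In rate and source-address diversity both exceed a threshold, which separates a saturation attempt from a single busy but legitimate host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical controller log format, constructed for this example; it is not
# the actual ONOS or OpenDaylight log output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) PACKET_IN dpid=(?P<dpid>\S+) in_port=(?P<port>\d+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one PACKET_IN log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
    return ts, m.group("dpid"), int(m.group("port")), m.group("src"), m.group("dst")


def detect_saturation(lines, window_s=1.0, max_events=20, min_unique_src=10):
    """Sliding-window detector for control-plane saturation.

    Raise one alert per (dpid, in_port) when more than `max_events` PACKET_INs
    arrive within `window_s` seconds *and* they carry at least `min_unique_src`
    distinct source addresses: a table-miss storm from many addresses looks
    different from a single chatty but legitimate host.
    """
    windows = defaultdict(deque)  # (dpid, in_port) -> deque of (ts, src)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, dpid, port, src, _dst = rec
        key = (dpid, port)
        q = windows[key]
        q.append((ts, src))
        # Drop events that fell out of the window (the newest entry always stays).
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        unique_src = {s for _, s in q}
        if key not in alerted and len(q) > max_events and len(unique_src) >= min_unique_src:
            alerted.add(key)
            alerts.append({
                "dpid": dpid, "in_port": port, "events": len(q),
                "unique_src": len(unique_src), "at": ts.isoformat(),
            })
    return alerts


def sample_log():
    """Constructed sample: a quiet host on switch 1, then a 30-packet burst from
    30 different source addresses on one tenant port of switch 2."""
    lines = [
        f"2016-09-01T10:00:0{i}.000000 PACKET_IN dpid=of:0000000000000001 "
        f"in_port=3 src=10.0.0.5 dst=10.0.0.9"
        for i in range(5)
    ]
    for i in range(30):
        us = 100000 + i * 10000  # 30 events spread over 300 ms
        lines.append(
            f"2016-09-01T10:00:05.{us:06d} PACKET_IN dpid=of:0000000000000002 "
            f"in_port=7 src=10.0.1.{i + 1} dst=10.0.0.9"
        )
    return lines


if __name__ == "__main__":
    for alert in detect_saturation(sample_log()):
        print(alert)
```

The alert names the switch and ingress port, which is what an operator needs to rate-limit or disable the offending tenant port; the thresholds are placeholders to be tuned against the normal Packet-In rate of the deployment.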
Attack Scenario 1
Compromising SDN control plane at build time to launch arbitrary SDN controller node injection attack
[Figure: a rogue Maven repository feeds the Maven project build of the SDN controller project source in the build environment; the resulting deployable SDN controller package is deployed to Distributed NOS Node #1, Node #2 and Node #3 in the deployment environment, opens a reverse shell back to the attacker, and a rogue NOS node is injected into the cluster]
Attack Scenario 2
Compromising SDN control plane at runtime to launch stealth network performance attack
[Figure: the DCN Admin/Operator downloads an app from a third-party SDN app store and deploys it to Distributed NOS Node #1, Node #2 and Node #3 in the deployment environment; the app manipulates the Leaf-Spine fabric to affect the overall network performance of the DCN, stealthily degrading the network performance]
The Vulnerabilities (selected from the scenario)
1. No System Integrity Protection
2. No authentication of NOS cluster nodes
3. No application access control
4. Switch Device Firmware Abuse
5. Packet-IN Flooding
6. Control Message Manipulation
7. Eavesdrop
8. Internal Storage Manipulation
9. ...
Want more? Visit http://sdnsecurity.org !! (will open in 09/2016)
Vulnerability 1. No system integrity protection
- There is no system integrity protection for NOS components
- Integrity of the CORE NOS components must be guaranteed
Possible Defenses
- Code signing
- Integrity protection mechanisms (e.g. checksum)
[Figure: Maven project build -> deployable SDN controller package -> configuration -> Distributed NOS Node #1, Node #2, Node #3]
Vulnerability 2. No authentication of NOS cluster nodes
[Figure: SD-WAN controlled by Distributed NOS Node #1 and Node #2, spanning the San Francisco AS, New York AS, Los Angeles AS and Florida AS, each peering with external BGP routers; a malicious NOS node joins the cluster]
The malicious node can completely take over the control of the entire control plane and the network
Possible Defense
- PKI-based authentication for the NOS components
Vulnerability 3. No application access control
SDN applications are granted very powerful authority; need to limit
[CP-1] Service Chain Interference
[CP-2] Flow Table Manipulation
[CP-3] Flow Rule Flooding
[CP-4] Controller Shutdown
[CP-5] Resource Exhaustion
[CP-6] System Variable Manipulation
[CP-7] Internal Storage Manipulation
[CP-8] Application Eviction
[CP-8] Switch Firmware Abuse
Possible Defense
- Policy-based access control for SDN application
[Figure: the DCN Admin/Operator and App 1 ... App 4 plus a malicious app sit above the Northbound API (REST, GUI, CLI, SSH) of the controller (Core Services, Southbound API) running on the distributed NOS cluster (Node #1, Node #2, Node #3), which controls SDN-SW 1 to SDN-SW 10 in the data plane]
Vulnerability 4. Switch device firmware abuse
Packet matching strategy: Hardware-based vs. Software-based
- The strategy depends on the vendor or the firmware version
- HP 3800 Switch Match Chart [1]
[Figure: Controller with App 1 ... App N above an OpenFlow switch between Host A and Host B; the switch holds a Hardware Table (hardware match) and a Software Table (software match)]
Hardware Table
MATCH                     ACTION
IP.HOST A -> IP.HOST B    OUT: FW1
IP.HOST B -> IP.HOST A    OUT: FW2
Software Table
MATCH                     ACTION
(empty)

[1] HP. HP Switch Software OpenFlow Administrator's Guide K/KA/WB 15.14
Vulnerability 4. Switch device firmware abuse
Network performance degradation
- A malicious app issues FLOW_MODs that override the IP matching flow rules with MAC matching flow rules!
[Figure: Controller with App 1, App 2, a malicious app and App N above the OpenFlow switch between Host A and Host B; the MAC matching rules land in the Software Table, and the latency marked a for the hardware match becomes 2a (X2)]
Hardware Table (before)
MATCH                       ACTION
IP.HOST A -> IP.HOST B      OUT: FW1
IP.HOST B -> IP.HOST A      OUT: FW2
Software Table (after the FLOW_MODs)
MATCH                       ACTION
MAC.HOST A -> MAC.HOST B    OUT: FW1
MAC.HOST B -> MAC.HOST A    OUT: FW2
Possible Defense
- Flow rule conflict detection & arbitration
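The subtle point in this slide is that the MAC rules forward to the same ports as the IP rules they replace, so a conflict detector that compares only actions sees nothing wrong; the damage is that the traffic moves from the hardware to the software match path. The block below is an added example, not part of the slides or of any controller: it models a flow table, flags both classic action overrides and this hardware-to-software demotion, and applies a simple arbitration policy. The split of match fields between hardware and software tables is constructed to mirror the slide, not taken from any vendor's documentation.

```python
from dataclasses import dataclass

# Which match fields this (hypothetical) firmware handles in the hardware table
# and which it pushes to the software table. Vendor- and version-specific in
# reality; constructed here to mirror the slide's HP 3800 example.
HARDWARE_FIELDS = {"in_port", "eth_type", "ipv4_src", "ipv4_dst"}
SOFTWARE_FIELDS = {"eth_src", "eth_dst"}


@dataclass
class FlowRule:
    owner: str        # application that installed the rule
    priority: int
    match: dict       # field -> value; a field that is absent is wildcarded
    actions: tuple    # e.g. ("OUTPUT:FW1",)

    def software_matched(self):
        """True if any match field forces the software path."""
        return bool(set(self.match) & SOFTWARE_FIELDS)


def overlaps(a, b):
    """Two matches can hit the same packets unless a field both specify differs."""
    return all(a.match[f] == b.match[f] for f in set(a.match) & set(b.match))


def check_rule(new, table):
    """Return (kind, existing_rule) conflicts that installing `new` would cause."""
    conflicts = []
    for old in table:
        if not overlaps(new, old) or new.priority < old.priority:
            continue
        if new.actions != old.actions:
            conflicts.append(("override", old))          # classic action conflict
        if new.software_matched() and not old.software_matched():
            conflicts.append(("hw-to-sw-demotion", old))  # same forwarding, slower path
    return conflicts


def arbitrate(new, table, trusted=frozenset()):
    """Arbitration policy: an app may change or demote only its own rules;
    touching another app's rules requires the installer to be on `trusted`.
    Returns (accepted, reasons)."""
    reasons = [
        f"{kind} of {old.owner}'s rule {old.match} by {new.owner}"
        for kind, old in check_rule(new, table)
        if old.owner != new.owner and new.owner not in trusted
    ]
    return len(reasons) == 0, reasons


def demo():
    """Constructed scenario from the slide: a forwarding app holds two IP rules
    in hardware; another app submits a MAC-matching rule with the same action
    and priority, which would silently move the traffic to the software table.
    A second submission shows the forwarding app updating its own rule."""
    table = [
        FlowRule("fwd-app", 100, {"eth_type": 0x0800, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2"}, ("OUTPUT:FW1",)),
        FlowRule("fwd-app", 100, {"eth_type": 0x0800, "ipv4_src": "10.0.0.2", "ipv4_dst": "10.0.0.1"}, ("OUTPUT:FW2",)),
    ]
    mac_rule = FlowRule("other-app", 100, {"eth_src": "00:00:00:00:00:01", "eth_dst": "00:00:00:00:00:02"}, ("OUTPUT:FW1",))
    own_update = FlowRule("fwd-app", 100, {"eth_type": 0x0800, "ipv4_src": "10.0.0.1", "ipv4_dst": "10.0.0.2"}, ("OUTPUT:FW3",))
    return arbitrate(mac_rule, table), arbitrate(own_update, table)


if __name__ == "__main__":
    (ok_mac, why_mac), (ok_own, why_own) = demo()
    print("MAC rule accepted:", ok_mac, why_mac)
    print("own update accepted:", ok_own, why_own)
```

The overlap test is deliberately conservative: two rules that specify disjoint field sets are treated as overlapping because the same packet can satisfy both, which is exactly how the MAC rule shadows the IP rule on the slide.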
SDN Security Assessment: Project DELTA
DELTA (a collaboration with ONF) is a new SDN security evaluation framework with two main functions [1]:
1. Automatically instantiates known attack cases against SDN elements across diverse environments
2. Assists in uncovering unknown security problems within an SDN deployment
[Figure: the DELTA Agent Manager, driven from a Web UI, controls an App Agent deployed next to App 2 ... App N above the Northbound Interface of the SDN Controller (Core Services, Storage), a Channel Agent on the control channel below the Southbound Interface, and a Host Agent]

[1] http://opensourcesdn.org/projects/project-delta-sdn-security-evaluation-framework/
SDN Application security policy enforcement
Security-Mode ONOS
- Inspired by Mobile application security mechanisms
- Constrains ONOS (SDN) applications behavior
- A security policy per app
- Detects and blocks security policy violations at runtime
[Figure: ONOS App 1 and ONOS App 2 each run in their own OSGi protection domain with their own policy file; the Security Manager parses the policy file and grants permissions. Enforcement points: A) Bundle-level RBAC at the NB API / Admin Service, B) App-level RBAC on the Services, C) API-level permission-based AC in the ONOS NB-API permission checker. Below sit the Core (Device Manager, Host Manager, Security Manager), the SB API (Provider Service, Provider Registry), Providers, Protocols and Network Elements]
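The API-level permission check described for Security-Mode ONOS (point C in the figure) is also the policy-based access control proposed under Vulnerability 3: each app ships a policy granting it named permissions, and every northbound call is checked against that grant at runtime. The block below is an added example, not Security-Mode ONOS code: the policy file syntax, the permission set and the API-to-permission mapping are constructed for illustration (the service and method names only follow the ONOS naming style), and the checker fails closed on anything it does not recognise.

```python
from enum import Enum


class Permission(Enum):
    """Permission names modelled on the granularity of ONOS application
    permissions; the set here is constructed for the example."""
    DEVICE_READ = "DEVICE_READ"
    FLOWRULE_READ = "FLOWRULE_READ"
    FLOWRULE_WRITE = "FLOWRULE_WRITE"
    APP_WRITE = "APP_WRITE"
    CLUSTER_WRITE = "CLUSTER_WRITE"


# One policy file per app (constructed; not the Security-Mode ONOS file format).
POLICY_FILES = {
    "l2fwd": """
        # L2 forwarding needs to see devices and manage its own flow rules
        grant DEVICE_READ
        grant FLOWRULE_READ
        grant FLOWRULE_WRITE
    """,
    "topo-viewer": """
        grant DEVICE_READ
    """,
}

# Northbound API calls and the permission each one requires. Service and method
# names follow the ONOS service naming style; the mapping itself is constructed.
API_REQUIREMENTS = {
    "DeviceService.getDevices": Permission.DEVICE_READ,
    "FlowRuleService.getFlowEntries": Permission.FLOWRULE_READ,
    "FlowRuleService.applyFlowRules": Permission.FLOWRULE_WRITE,
    "ApplicationAdminService.uninstall": Permission.APP_WRITE,
    "ClusterAdminService.removeNode": Permission.CLUSTER_WRITE,
}


def parse_policy(text):
    """Parse `grant <PERMISSION>` lines; comments start with '#'. An unknown
    directive or permission name is a policy error, not a silent grant."""
    perms = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, _, name = line.partition(" ")
        if verb != "grant":
            raise ValueError(f"unknown directive in policy: {line!r}")
        perms.add(Permission(name.strip()))  # raises ValueError on unknown names
    return frozenset(perms)


class PermissionChecker:
    """Runtime check in front of the northbound API: every call is matched to
    the calling app's granted permissions; denials are recorded for audit."""

    def __init__(self, policy_files):
        self.grants = {app: parse_policy(text) for app, text in policy_files.items()}
        self.violations = []

    def check(self, app, api):
        required = API_REQUIREMENTS.get(api)
        if required is None:
            # Fail closed: an API with no mapped permission is not callable.
            self.violations.append((app, api, "unmapped API"))
            return False
        if required in self.grants.get(app, frozenset()):
            return True
        self.violations.append((app, api, f"missing {required.value}"))
        return False


def demo():
    """Constructed run: the viewer app is stopped from writing flow rules and
    from removing a cluster node, while the forwarding app's own write passes."""
    checker = PermissionChecker(POLICY_FILES)
    results = {
        "l2fwd/applyFlowRules": checker.check("l2fwd", "FlowRuleService.applyFlowRules"),
        "topo-viewer/applyFlowRules": checker.check("topo-viewer", "FlowRuleService.applyFlowRules"),
        "topo-viewer/removeNode": checker.check("topo-viewer", "ClusterAdminService.removeNode"),
    }
    return results, checker.violations


if __name__ == "__main__":
    outcome, denials = demo()
    print(outcome)
    print(denials)
```

Recording every denial, not just blocking the call, is what turns the checker into a detection point: a read-only app that repeatedly attempts flow-rule writes or cluster changes is the runtime signature of the repackaged or malicious app from the Malware 2 slide.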
SDNSecurity.org (will open in 09/2016)
We try to discover SDN specific vulnerabilities and devote ourselves to systematizing and characterizing all related points.
Currently, we have 8 on-going projects and 8 finished projects.

SDN Vulnerability Genome Project (http://sdnsecurity.org)
Application Plane / Network Operating System (apps above the Northbound API, NOS above the Southbound API; Control Plane)
- [A-1] Packet-In Flooding
- [A-2] Service Chain Interference
- [A-3] Internal Storage Manipulation
- [A-4] Control Message Manipulation
- [A-5] Control Message Abuse
- [A-6] Northbound API Abuse
- [A-7] Resource Exhaustion
- [A-8] System Variable Manipulation
- [A-9] System Command Execution
- [A-10] Network Topology Poisoning
Control Channel (between SDN Controller and switches)
- [B-1] Eavesdrop
- [B-2] Man-In-The-Middle
Data Plane (software and hardware SDN switches: Switch Firmware, Flow Table)
- [C-1] Flow Rule Flooding
- [C-2] Firmware Abuse
- [C-3] Control Message Manipulation
Final remarks
Are we ready for the next-gen networking?
- No, not yet, at least from a security point of view
- A LOT of work still needs to be done to improve the security of SDN.
- Your urgent attention is needed!

Thank you
