ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development, 2018, Vol. 55, Issue (1): 207-215. doi: 10.7544/issn1000-1239.2018.20160740


Defending Against SDN Network Topology Poisoning Attacks

Zheng Zheng (1), Xu Mingwei (2), Li Qi (1), Zhang Yun (1)

  1. Graduate School at Shenzhen, Tsinghua University, Shenzhen, Guangdong 518055
  2. Department of Computer Science and Technology, Tsinghua University, Beijing 100084
  • Online: 2018-01-01

Abstract: Software-defined networking (SDN) is a new network paradigm. Unlike the conventional network, SDN separates the control plane from the data plane. The data plane functions are implemented in the switches, while only the controller provides the control plane functions. The controller learns the topology of the whole network and makes the traffic forwarding decisions. However, recent studies show that there are serious vulnerabilities in the topology management services of current SDN controller designs, mainly in the host tracking service and the link discovery service. Attackers can exploit these vulnerabilities to poison the network topology information in SDN controllers. What’s more, attackers can even bring the whole network down. Researchers have paid some attention to this serious problem and proposed defense solutions. However, the existing countermeasures can be easily evaded by attackers. In this paper, we propose an effective approach called SecTopo to defend against network topology poisoning attacks. Our evaluation of SecTopo in the Floodlight controller shows that the defense solution can effectively secure the network topology with a minor impact on the normal operations of OpenFlow controllers.

Key words: software-defined networking (SDN), controller, switch, network topology poisoning, network security
