On the Fingerprinting of Software-Defined Networks

Heng Cui, Ghassan O. Karame, Felix Klaedtke, Roberto Bifulco

    Research output: Contribution to journal, Article, peer-review

    Abstract

    Software-defined networking (SDN) eases network management by centralizing the control plane and separating it from the data plane. The separation of planes in SDN, however, introduces new vulnerabilities in SDN networks, since the difference in processing packets at each plane allows an adversary to fingerprint the network's packet-forwarding logic. In this paper, we study the feasibility of fingerprinting the controller-switch interactions by a remote adversary, whose aim is to acquire knowledge about specific flow rules that are installed at the switches. This knowledge empowers the adversary with a better understanding of the network's packet-forwarding logic and exposes the network to a number of threats. In this paper, we collect measurements from hosts located across the globe using a realistic SDN network comprising OpenFlow hardware and software switches. We show that, by leveraging information from the RTT and packet-pair dispersion of the exchanged packets, fingerprinting attacks on SDN networks succeed with overwhelming probability. We additionally show that these attacks are not restricted to active adversaries, but can also be mounted by passive adversaries that only monitor traffic exchanged with the SDN network. Finally, we discuss the implications of these attacks on the security of SDN networks, and we present and evaluate an efficient countermeasure to strengthen SDN networks against fingerprinting. Our results demonstrate the effectiveness of our countermeasure in deterring fingerprinting attacks on SDN networks.

    Original language: English
    Article number: 7480416
    Pages (from-to): 2160-2173
    Number of pages: 14
    Journal: IEEE Transactions on Information Forensics and Security
    Volume: 11
    Issue number: 10
    Publication status: Published - 1 Oct 2016

    Keywords

    • fingerprinting
    • OpenFlow
    • security
    • Software-defined networking
