SDN has enabled extensive network programmability and speedy network innovations by decoupling the control plane from the data plane. However, the separation of the two planes could also be a potential threat to the whole network. Previous approaches pointed out that attackers can launch various attacks from the data plane against SDN, such as DoS attacks, topology poisoning attacks, and side-channel attacks. To address the security issues, we present a comprehensive study of data plane attacks in SDN, and propose FlowKeeper, a common framework to build a robust data plane against different attacks. FlowKeeper enforces port control of the data plane and reduces the workload of the control plane by filtering out illegal packets. Experimental results show that FlowKeeper could be used to efficiently mitigate different kinds of attacks (i.e., DoS and topology poisoning attacks).

中文翻译：

---

软件定义网络数据平面的安全威胁


SDN 通过将控制平面与数据平面解耦，实现了广泛的网络可编程性和快速的网络创新。然而，两架飞机的分离也可能对整个网络构成潜在威胁。先前的方法指出，攻击者可以从数据平面对SDN发起各种攻击，例如DoS攻击、拓扑中毒攻击和旁道攻击。为了解决安全问题，我们对 SDN 中的数据平面攻击进行了全面的研究，并提出了 FlowKeeper，这是一个通用框架，用于构建针对不同攻击的鲁棒数据平面。 FlowKeeper加强了数据平面的端口控制，并通过过滤掉非法数据包来减少控制平面的工作量。实验结果表明，FlowKeeper 可用于有效缓解不同类型的攻击（即 DoS 和拓扑中毒攻击）。