A Novel Stealthy Attack to Gather SDN Configuration-Information
IEEE Transactions on Emerging Topics in Computing (IF 5.1), Pub Date: 2020-04-01, DOI: 10.1109/tetc.2018.2806977
Mauro Conti , Fabio De Gaspari , Luigi V. Mancini

Software Defined Networking (SDN) is a recent network architecture based on the separation of forwarding functions from network logic, and it provides high flexibility in the management of the network. In this paper, we show how an attacker can exploit SDN programmability to obtain detailed knowledge about the network's behaviour. In particular, we introduce a novel attack, named Know Your Enemy (KYE), which allows an attacker to gather vital information about the configuration of the network. Through the KYE attack, an attacker can obtain information ranging from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies such as QoS and network virtualization. Additionally, we show that the KYE attack can be performed in a stealthy fashion, allowing an attacker to learn configuration secrets without being detected. We underline that the vulnerability exploited by the KYE attack is specific to SDN and is not present in legacy networks. Finally, we address the KYE attack by proposing an active defense countermeasure based on network flow obfuscation, which considerably increases the complexity of a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideration.

Updated: 2020-04-01