Control Plane Reflection Attacks and Defenses in Software-Defined Networks
IEEE/ACM Transactions on Networking (IF 3.7), Pub Date: 2020-12-09, DOI: 10.1109/tnet.2020.3040773
Menghao Zhang (1), Guanyu Li (1), Lei Xu (2), Jiasong Bai (1), Mingwei Xu (1), Guofei Gu (2), Jianping Wu (1)

Software-Defined Networking (SDN) continues to be deployed, spanning from enterprise data centers to cloud computing, with the proliferation of various SDN-enabled hardware switches and dynamic control plane applications. However, state-of-the-art SDN-enabled hardware switches have rather limited downlink message processing capability, especially for Flow-Mod and Statistic Query messages, which may not satisfy the huge demand of dynamic control plane applications. In this paper, we systematically study the interactions between the control plane applications and the data plane switches, and present two new attacks, namely Control Plane Reflection Attacks, that exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks adopt direct and indirect data plane events to force the control plane to issue massive numbers of expensive downlink messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy, which makes the reflection attacks much more efficient and powerful. Experiments on a testbed with 3 different physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results such as hurting the establishment of new flows and even disrupting the connection between the SDN controller and switches. To mitigate such attacks, we present several countermeasures from different perspectives. In particular, we propose a novel, systematic defense framework, SwitchGuard, to detect anomalies in downlink messages and prioritize these messages based on a novel monitoring granularity, i.e., the host-application pair (HAP). Implementations and evaluations demonstrate that SwitchGuard can effectively reduce the latency for legitimate hosts and applications under control plane reflection attacks with only minor overheads.
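As an added illustration (not the paper's SwitchGuard code, whose internals the abstract does not detail), the Python sketch below shows the monitoring idea the abstract describes: a controller counts its own downlink messages per host-application pair (HAP) in a sliding window, flags pairs that exceed a budget, and dispatches messages for unflagged pairs first. The host names, application names, window length and budget are constructed assumptions.

```python
from collections import defaultdict, deque

class HapMonitor:
    """Sliding-window counter of downlink messages per host-application pair (HAP)."""

    def __init__(self, window_s=1.0, limit=20):
        self.window_s = window_s          # assumed window length in seconds
        self.limit = limit                # assumed per-HAP messages allowed per window
        self.events = defaultdict(deque)  # hap -> timestamps still inside the window

    def record(self, ts, hap):
        """Add one downlink message for `hap` at time `ts`; return the in-window count."""
        q = self.events[hap]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # expire timestamps older than the window
            q.popleft()
        return len(q)

    def is_anomalous(self, hap):
        return len(self.events[hap]) > self.limit

def schedule_downlink(messages, window_s=1.0, limit=20):
    """Order pending downlink messages so that unflagged HAPs are served first.

    messages: list of (ts, host, app, msg_type, switch_id) in arrival order.
    Returns (dispatch_order, flagged_haps)."""
    monitor = HapMonitor(window_s, limit)
    queued = []
    for seq, msg in enumerate(messages):
        ts, host, app, _mtype, _switch = msg
        hap = (host, app)
        monitor.record(ts, hap)
        prio = 1 if monitor.is_anomalous(hap) else 0   # 0 = dispatch first
        queued.append((prio, seq, msg))
    queued.sort()                                        # seq keeps arrival order per class
    order = [m for _, _, m in queued]
    flagged = {(m[1], m[2]) for p, _, m in queued if p == 1}
    return order, flagged

def constructed_sample():
    """Constructed input: host h1 via app 'fwd' causes 25 Flow-Mods within 0.5 s,
    while host h2 via app 'lb' needs 3 stats requests in the same window."""
    msgs = [(0.02 * i, "h1", "fwd", "FLOW_MOD", "s1") for i in range(25)]
    msgs += [(0.1 + 0.15 * i, "h2", "lb", "STATS_REQUEST", "s1") for i in range(3)]
    msgs.sort()   # arrival order by timestamp
    return msgs

if __name__ == "__main__":
    order, flagged = schedule_downlink(constructed_sample())
    print("flagged HAPs:", flagged)
    print("last five dispatched:", [(m[1], m[2]) for m in order[-5:]])
```

Per-HAP counting is what separates the bursting pair (h1, fwd) from the well-behaved pair (h2, lb) on the same switch; a single global counter would delay both equally.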

Updated: 2020-12-09