Analysis of Issues in SDN Security and Solutions


Ankur Dumka (University of Petroleum and Energy Studies, India), Hardwari Lal Mandoria (G. B. Pant University of Agriculture and Technology, India) and Anushree Sah (University of Petroleum and Energy Studies, India)
DOI: 10.4018/978-1-5225-3640-6.ch010

Abstract

The chapter surveys all the security aspects of software-defined networking (SDN) and determines the areas of the SDN architecture that are prone to security attacks. If the fundamental network topology information is poisoned, all the dependent network services are immediately affected, causing catastrophic problems such as host location hijacking, link fabrication, denial of service, and man-in-the-middle attacks. These attacks affect the following features of SDN: availability, performance, integrity, and security. The flexibility in the programmability of the control plane has been both a bane and a boon to SDN. As with ARP poisoning in legacy networks, there are several other vulnerabilities in the SDN architecture as well.

Introduction

SDN gives users the ability to program the network more easily and to create dynamic flow policies. A Distributed Denial of Service (DDoS) attack is one of the major factors that can make the network unreachable (Mohammad & Marc, 2015). Spoofing can also leave the destination packet unreachable, because the source address becomes unreachable in this case. The types of attack within SDN networks can be categorized as:

  1. Exploiting timers
  2. CPU memory drainage
  3. Reduction in computing power
  4. Congestion within the network resources
  5. Poisoning of the domain name translation

There are multiple areas within an SDN network where attacks can be carried out, such as attacks at the application layer that hinder the normal functioning of a service. The attacks can also damage a web browser, email application or media player. This type of malfunction is caused by disruption of a specific application and is termed application-level denial of service.

A malicious attack can also cause permanent damage that completely destroys the hardware of the system; this is termed permanent denial of service, or phlashing. The permanent damage can be caused by an attack on firmware, the built-in code or program that runs the system (Lau, Rubin, Smith, et al., 2000). The attack changes the firmware to one that the hardware does not accept, and the hardware crashes. The attack can harm the routers or switches connected with the system. Thus, the signature of the trusted source must be checked before upgrading the firmware.

In terms of computing in an SDN network, a denial of service (DoS) attack is one in which a host is denied a resource, temporarily or permanently. This can be done by flooding a system with a large number of requests, so that the system is interrupted by these requests and discards the genuine or legitimate ones (Needham, 1994; Tootoonchian & Ganjali, 2010). Denial of service attacks fall into two categories: those that crash the service and those that flood the service (Lau, Rubin, Smith, et al., 2000). IP spoofing is also a kind of attack, in which the sender IP address is forged in order to divert the packets; in this case, the location of the attacking machines cannot be easily identified. Distributed Denial of Service (DDoS) is a cyber attack in which the perpetrator uses more than one unique IP address (Nakashima, Sueyoshi, Oshima, 2010). One more type of DoS attack is the advanced persistent DoS (APDoS) attack, a type of cyber attack in which cyber criminals use multiple phases to penetrate the network and obtain valuable information over a period of time. An APDoS attack involves network-layer DDoS attacks through to focused application-layer (HTTP) floods, followed by repeated SQLi and XSS attacks (Mirkovic, Reiher, 2004; Wang, Zheng, Lou, et al., 2014). APDoS attacks can be characterized by:

  1. Advanced Reconnaissance: This includes pre-attack open source intelligence (OSINT) and extensively decoyed scanning crafted to evade detection over a long period.
  2. Tactical Execution: This refers to an attack with primary and secondary victims, where the focus is on the primary.
  3. Explicit Motivation: This refers to a calculated end game or goal target.
  4. Large Computing Capacity: This refers to attacks on computer power and network bandwidth resources.
  5. Simultaneous Multi-Threaded OSI Layer Attacks: These focus attacks on layers 3-7 of the OSI model.
  6. Persistence Over Extended Periods: This includes well-managed attacks over a range of targets.
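
The introduction above separates a flood coming from one source (DoS) from one that uses more than one unique IP address (DDoS). The following sliding-window detector makes that distinction; it is an added example, not code from the chapter, and the thresholds, class and function names, and sample traces are all constructed assumptions.

```python
from collections import Counter, deque

# Constructed thresholds (assumptions, not values from the chapter).
WINDOW_S = 1.0        # sliding window length in seconds
RATE_LIMIT = 100      # requests per window above which traffic counts as a flood
DOMINANT_SHARE = 0.8  # share of the window from one source => single-source DoS

class FloodDetector:
    """Classifies the current window as 'normal', 'dos' or 'ddos'."""
    def __init__(self, window_s=WINDOW_S, rate_limit=RATE_LIMIT):
        self.window_s = window_s
        self.rate_limit = rate_limit
        self.events = deque()     # (timestamp, src_ip) still inside the window
        self.per_src = Counter()  # request count per source inside the window

    def observe(self, ts, src_ip):
        """Record one request; return (verdict, detail) for the current window."""
        self.events.append((ts, src_ip))
        self.per_src[src_ip] += 1
        # Expire events that have fallen out of the window.
        while self.events[0][0] <= ts - self.window_s:
            _, old = self.events.popleft()
            self.per_src[old] -= 1
            if self.per_src[old] == 0:
                del self.per_src[old]
        total = len(self.events)
        if total <= self.rate_limit:
            return "normal", None
        top_src, top_count = self.per_src.most_common(1)[0]
        if top_count / total >= DOMINANT_SHARE:
            return "dos", top_src         # one source dominates: rate-limit it
        return "ddos", len(self.per_src)  # many sources: per-IP blocking is not enough

def classify(trace):
    """Run a trace of (timestamp, src_ip); return the first most severe verdict."""
    rank = {"normal": 0, "dos": 1, "ddos": 2}
    det, worst = FloodDetector(), ("normal", None)
    for ts, src in trace:
        verdict = det.observe(ts, src)
        if rank[verdict[0]] > rank[worst[0]]:
            worst = verdict
    return worst

# Constructed sample traces using documentation-range addresses.
NORMAL = [(i * 0.05, f"192.0.2.{i % 5 + 1}") for i in range(10)]
SINGLE = [(i * 0.002, "198.51.100.7") for i in range(250)]
SPREAD = [(i * 0.002, f"203.0.113.{i % 200 + 1}") for i in range(250)]
```

Because source addresses can be forged, the `ddos` verdict counts distinct addresses seen, not distinct attacking machines.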
