Know Your Enemy: Stealth Configuration-Information Gathering in SDN
Mauro Conti, Fabio De Gaspari, Luigi V. Mancini

TL;DR
This paper introduces a novel stealth attack called KYE that allows attackers to gather sensitive SDN configuration information without detection, highlighting a unique vulnerability of SDN networks and proposing an obfuscation-based defense.
Contribution
The paper identifies a new stealth information-gathering attack on SDN, and proposes a flow obfuscation countermeasure with provable security guarantees.
Findings
The KYE attack can stealthily extract SDN configuration details.
Flow obfuscation significantly increases attack complexity.
The proposed defense offers tailored security guarantees.
Abstract
Software Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the separation of the network logic from the forwarding functions. The industry has already widely adopted SDN and researchers thoroughly analyzed its vulnerabilities, proposing solutions to improve its security. However, we believe important security aspects of SDN are still left uninvestigated. In this paper, we raise the concern of the possibility for an attacker to obtain knowledge about an SDN network. In particular, we introduce a novel attack, named Know Your Enemy (KYE), by means of which an attacker can gather vital information about the configuration of the network. This information ranges from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we…
Taxonomy
Topics: Software-Defined Networks and 5G · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
