Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning
Mingming Chen, Thomas La Porta, Teryl Taylor, Frederico Araujo, Trent Jaeger

TL;DR
This paper introduces Marionette, a novel control-plane topology poisoning attack on SDN networks that manipulates OpenFlow link discovery packets using reinforcement learning, successfully compromising multiple controllers and protocols.
Contribution
The paper presents Marionette, a new globalized topology poisoning technique that exploits control privileges and bypasses existing defenses, highlighting a critical security vulnerability in SDN.
Findings
Successfully attacks five open-source controllers
Compromises nine OpenFlow discovery protocols
Overcomes existing topology poisoning defenses
Abstract
Software-defined networking (SDN) is a centralized, dynamic, and programmable network management technology that enables flexible traffic control and scalability. SDN facilitates network administration through a centralized view of the underlying physical topology; tampering with this topology view can result in catastrophic damage to network management and security. To underscore this issue, we introduce Marionette, a new topology poisoning technique that manipulates OpenFlow link discovery packet forwarding to alter topology information. Our approach exposes an overlooked yet widespread attack vector, distinguishing itself from traditional link fabrication attacks that tamper, spoof, or relay discovery packets at the data plane. Unlike localized attacks observed in existing methods, our technique introduces a globalized topology poisoning attack that leverages control privileges.…
