DefCon 22, Las Vegas 2014

Abusing Software Defined Networks

Gregory Pickett, CISSP, GCIA, GPENChicago, Illinois

gregory.pickett@hellfiresecurity.com

Hellfire Security

Overview

What is it?Exploiting it!Fixing it!Moving ForwardWrapping Up

Modern Day Networks

Vendor DependentDifficult to scaleComplex and Prone to BreakDistributed and Often InconsistentConfigurationUses inflexible and difficult to innovate protocolsUnable to Consider Other Factors

… And Good Luck If You Want To Change It!

Enter … Software Defined Networking

Separate the Control and Data PlaneForwarding Decisions Made By a ControllerSwitches and Routers Just Forward Packets

ControllersProgrammed with the IntelligenceFull visibility of the NetworkCan consider the totality of the networkbefore making any decisionEnforce Granular Policy

Enter … Software Defined Networking

SwitchesBare-Metal OnlyAny Vendor … Hardware or Software

Solves Lots of Problems

Less Expensive HardwareWith BGP

Maintenance Dry-OutCustomer Egress SelectionBetter BGP SecurityFaster ConvergenceGranular Peering at IXPs

Expands Our Capability

Real-World Network Slicing of Flow SpaceNetwork and Server Load BalancingSecurity

Dynamic Access ControlAdaptive Traffic MonitoringAttack Detection and Mitigation

Emerging Standards

Old and BustedSNMPBGPNetconfLISPPCEP

New HotnessOVSDBOpenflow

Introducing Openflow

Establishes ElementsControllerSecure ChannelForwarding Element

Defines …Forwarding ProcessMessaging Format

Introducing Openflow

Forwarding ProcessCheck Flow TableIf Match Found, Execute ActionIf No Match, Send Packet to controllerUpdate Flow Table

Flow TablesMatch/Action Entries12 fields available for matchingWildcard matching available

Introducing Openflow

Leading Platforms

ProprietaryCisco Application Policy Infrastructure Controller (APIC)Cisco Extensible Network Controller (XNC)HP Virtual Application Networks (VAN) SDN ControllerIBM Programmable Network Controller

Open-SourceNox/PoxRyuFloodlightOpendaylight

Floodlight

Open-Source Java ControllerPrimarily an Openflow-based controllerSupports Openflow v1.0.0Fork from the Beacon Java Openflow controllerMaintained by Big Switch Networks

Opendaylight

Open-Source Java ControllerMany southbound options including OpenflowSupports Openflow v1.0.0 and v1.3.0Fork from the Beacon Java Openflow controllerA Linux Foundation Collaborative ProjectSupported by Citrix, Red Hat,Ericsson, Hewlett Packard,Brocade, Cisco, Juniper,Microsoft, and IBM

So It’s Gonna Be All …

Not Exactly!

Protocol Weaknesses

Encryption and Authentication via TLSMore of a suggestion than a requirement though …

Started Out GoodHeading Backwards

v1.0.0 over TLSv1.4.0 over TCP or TLS

Protocol Weaknesses

ControllersFloodlight … NopeOpendaylight … Supported but not required

SwitchesArista … NoBrocade … Surprisingly, YesCisco … Another, YesDell … NoExtreme … Another, YesHP … No

Protocol Weaknesses

SwitchesHuawei … NoIBM … NoJuniper … NoNEC … Another, YesNetgear … NoPronto … YesOVS … No

Could Lead To …

Information Disclosure through InterceptionModification through Man-in-the-MiddleAnd all sorts of DoS Nastiness!

DoS Nastiness

OpenflowCentralization Entails DependencyDependency Can Be ExploitedHow are vendors handing it?

FloodlightExplored by Solomon, Francis, and EitanTheir Results … Handling It Poorly

OpendaylightUnknown but worth investigatingIt is Java for God Sake!

Tools

of-switch.pyImpersonates an Openflow switchUtilizes Openflow v1.0.0

of-flood.pyFloods an Openflow controllerDisrupting the network and bringing it downUtilizes Openflow v1.0.0

Debug Ports

No EncryptionNo AuthenticationJust Full Control of the SwitchAll Via “dpctl” command-linetoolNot a problem yet …But Soon Will Be!

Controller Weaknesses

FloodlightNo Encryption for Northbound HTTP APINo Authentication for Northbound HTTP API

OpendaylightEncryption for Northbound HTTP API

Turned Off by DefaultAuthentication for Northbound HTTP API

HTTP Basic AuthenticationDefault Password WeakStrong Passwords Turned Offby Default

Could Lead To …

Information Disclosure through InterceptionTopologyCredentials

Information Disclosure through Unauthorized Access

TopologyTargets

And …

Topology, Flow, and Message Modification through Unauthorized Access

Add AccessRemove AccessHide TrafficChange Traffic

Identifying Controllers and Switches

Currently Listening on TCP Port 6633New Port Defined … TCP Port 6653Hello’s ExchangedFeature Request

Controller will sendSwitch will not

Tools

of-check.pyIdentifies Openflow ServicesReports on their VersionsCompatible with any version of Openflow

of-enum.pyEnumerates Openflow EndpointsReports on their TypeCompatible with any version of Openflow

Tools

of-enum.nseEnumerates Openflow EndpointsReports on their TypeCompatible with any version of Openflow

Demonstration

Some Attacks

Small Local Area NetworkOne Admin HostTwo User HostsOne ServerOne IDS

Attacker will …Identify TargetsEnumerate ACLsFind Sensors

Tool

of-map.pyDownloads flows from an Openflow controllerUses the flows

To identify targets and target servicesTo build ACLsTo identify sensors

Works with Floodlight and Opendaylightvia JSON

Demonstration

And Some More Attacks …

Small Local Area NetworkOne Admin HostTwo User HostsOne ServerOne IDS

Attacker will …Gain Access to the ServerIsolate the AdministratorHide from the IDSAnd Attack the Server

Tool

of-access.pyModifies flows on the network throughthe Openflow Controller

Adds or Removes access for hostsApplies transformations to theirnetwork activityHides activity from sensors

Works with Floodlight and Opendaylightvia JSON

Demonstration

And Now Some Pwnage …

Sorry Linux Foundation!

Zero-Day Exploit

Opendaylight has other southbound APIs besides OpenflowNo Encryption for Southbound Netconf APINo Authentication for Southbound Netconf API

Just Connect and Exchange MessagesXML-RPCRemember Java?

Boom Goes OpendaylightAnd it runs as “Root”

Demonstration

If No Exploit …

Service Not Available or They Fix ItNot to WorryPassword Guess the !!!!!!

Default Password WeakStrong Passwords Turned OffNo Account LockoutNo SYSLOG Output

Repeat!

Attacker will …Identify TargetsEnumerate ACLsFind SensorsGain Access to the ServerIsolate the AdministratorHide from the IDSAnd Attack the Server

And Pwn That Network Too!

Other Exploits Waiting to Be Found!

FloodlightNorthbound HTTP APISouthbound Openflow API

OpendaylightNorthbound HTTP APISouthbound Openflow APISouthbound Netconf API (TCP,SSH)Southbound Netconf Debug Port

Other Exploits Waiting to Be Found!

OpendaylightJMX AccessOSGi ConsoleLisp Flow MappingODL Internal Clustering RPCODL ClusteringJava Debug Access

Available Solutions

For NowFor the Future

For Now

Transport Layer SecurityFeasible?Realistic?

Hardening … Duh!VLAN … It’s the Network Stupid!Code Review Anyone?

For the Future

Denial of Service (SDN Architecture)Network PartitioningController ClusteringStatic Flow Entries

Modification (SDN Applications)Traffic CountersRespond to Abnormalities

Verification (SDN Operations)

How Prevalent Is It Going To Be?

Gartner: 10 critical IT trends for the next five yearsMajor Networking Vendors Have Products or Products Planned for SDNInformationWeek 2013 Survey

60% felt that SDN would be part of their network within 5 Years43% already have plans to put it inproduction

Reported

While Data Centers/Clouds are the Killer App for SDNNIPPON EXPRESSFIDELITY INVESTMENTSVMWARE

Starting to see it moving toward theLAN

CaltechCern

And WANGoogle, NTT, and AT&T

How It Could Go Right

Vendor Independence and ultimately lower costNetworks that match the application and the businesses needs not the other way aroundFaster Evolution of the Network

Production-Scale Simulationand ExperimentationExchangeable Network Aspects

Dynamic and Truly ActiveDefenses

How It Could Go Wrong

Denial of ServicePeer NodeExternal NodeSelectively Dropping Traffic?

MiTMEntire NetworksLocal Subnets or Hosts

Shadow OperationsDarknetsUber Admins

Making the Difference

Traditional Means of Securing Controllers Still ApplySecurity Needs to Be Part of the Discussion

Until Now … How SDN Can Help SecurityBut How Secure is SDN?

Analyses being DoneBut By OutsidersTraditional Approach and 2-D

Controller’s Need A SecurityReference and Audit Capability

SDN has the potential to turn the entire Internet into a cloudBenefit would be orders of magnitude above what we see nowBut there is hole in the middle of it that could easily be filled by the likes of the NSA … or worse yet, ChinaLet’s Not Let That HappenAnd That Start’s Here

Final Thoughts

Toolkit

SHA1 hash is 8bec7ba4f59344ea63d3760fe473537ea1e36718Updates can be found at http://sdn-toolkit.sourceforge.net/

Linkshttp://www.sdncentral.com/https://www.opennetworking.org/http://www.projectfloodlight.org/http://www.opendaylight.org/https://www.coursera.org/course/sdnhttps://www.baycollege.edu/Academics/Areas-of-Study/Computer-Network-Systems/Faculty/Linderoth/2013-sdn-survey-growing-pains.aspxhttp://www8.hp.com/h20195/v2/GetDocument.aspx?docname=4AA4-7944ENWhttp://www.openflowhub.org/blog/blog/2012/12/03/sdn-use-case-multipath-tcp-at-caltech-and-cern/http://www.networkworld.com/article/2167166/cloud-computing/vmware--we-re-building-one-of-the-biggest-sdn-deployments-in-the-industry.htmlhttp://www.networkcomputing.com/networking/inside-googles-software-defined-network/a/d-id/1234201?http://cseweb.ucsd.edu/~vahdat/papers/b4-sigcomm13.pdfhttp://viodi.com/2014/03/15/ntt-com-leads-all-network-providers-in-deployment-of-sdnopenflow-nfv-coming-soon/