Attacking SDN infrastructure: Are we ready for the next gen networking

ATTACKINGSDNINFRASTRUCTURE:AREWEREADYFORTHENEXT-GENNETWORKING?

Changhoon Yoon,SeungsooLee{chyoon87,lss365}@kaist.ac.kr

1. Aboutus

2. Software-definedNetworking(SDN)?

3. AttackingSDNInfrastructure• Scenario:AttackingSoftware-DefinedDataCenter(SDDC)

• Vulnerabilities

4. RecentworkonSDNsecurity

5. Conclusion

Contents

Aboutus

Seungsoo Lee- PhDstudentatKAIST- ProjectDELTA

- AssistantProfessorofEEdept.atKAIST- ResearchAssociateofOpenNetworkingFoundation(ONF)

- LeadingNetworkandSystemSecurityLab.

Changhoon Yoon- PhDstudentatKAIST- ProjectSM-ONOS

http://nss.kaist.ac.kr

Seungwon Shin

• Toocomplicated• ControlplaneisimplementedwithcomplicatedS/WandASIC• Unstable,increasedcomplexityinmanagement

• Closedplatform• Vendorspecific

• Hardtomodify(nearlyimpossible)• Hardtoaddnewfunctionalities• Barriertoinnovation

• Newproposal:SoftwareDefinedNetworking(SDN)• Separatethecontrolplanefromthedataplane

TraditionalNetworking

ControlPlane

DataPlane

LegacyNetworkDevice

WhatisSoftwareDefinedNetworking(SDN)?

Northbound Interface

CoreServices

Southbound Interface

Storage

App1 App2 App3 AppN

SDN Controller

DataPlane

ControlPlane• Centralizednetworkmanagement• Viaglobalnetworkview

• Programmablenetwork• Flexibleanddynamicnetworkcontrol• useful, innovativeSDNapplications

• CAPEX,OPEXreduction• Commodityserversandswitches

BasicSDNoperation

Controller

L2Forwarding

HostA HostB

SDNSwitchFlowTable

HostAà HostB FWDMATCH ACTION

DataCenterNetworkDesign

Servers

Leaf

Edge

Spine

Border Leaf

East-WestTraffic

• Today’sDataCenterinvolvesaLOTofVirtualMachines(VMs)• “Leaf-Spine”Design

• Suitableforhandling“East-West”traffic;lowlatency&bottlenecks• Remainingchallenges

• Increasedcomplexity– frequentVMmigrations,alargenumberoflinks• Expensivetoscale&maintain

Software-DefinedDataCenter(SDDC)

Servers

Leaf

SDDCControl Plane

Edge

Spine

Border Leaf

Distributed NOSNode #1



• Highlyavailable&scalablecontrolplane• DistributedSDNcontroller

• VMstohostcontrollernodes

• Lowcomplexity• Globalnetworkview+Networkprogrammability

• Lowcost• Commodity servers&switches• Centralized&automatedmanagement

AttackVectors

Misconfiguration- DirectaccesstocriticalSDNcomponents- CLI/GUI/SSHetc.

Malware- Maliciouslibraries/SDNapplications

Insider(tenant)attacks- DoS/Controlplanesaturationattack

againsttheNOScluster- TopologyPoisoning

DCN Admin/Operator

Servers

Leaf

SDDCControl Plane

Edge

Spine

Border Leaf




Build environment

Update, deploy

Update, deploy

• OpenSourceSDNController(NOS)implementations• OpenNetworkOperatingSystem(ONOS)&OpenDaylight (ODL)

• Cutting-edge,distributednetworkoperatingsystems(NOS)• Provide base design for commercial SDN controllerproducts

• BrocadeSDNController[1]:ODL-based• BothareMavenprojects• BothrunonKaraf OSGi container

SDNControlPlaneComponents

[1]http://www.brocade.com/en/products-services/software-networking/sdn-controllers-applications/sdn-controller.html

AttackVector:Misconfiguration• Remotelyaccessibleinterfaces• RemoteSSHtoNOShostmachines• Karaf containerCLI• WebConsole,GUI• RESTAPI

• Defenses• Followthesecurityguidelineavailablehere:

• http://docs.opendaylight.org/en/latest/getting-started-guide/security_considerations.html• Changingdefaultcredentials• Properlyconfiguring Firewallpoliciestoblockremoteaccess

AttackVector:Malware

• Malwareinfectionatbuild-time

• Malwareinfectionatruntime

• CompromisingSDNControlPlaneatBuild-time

AttackVector:Malware1

Build environment

MavenRepository

SDN controller source coderepository

Automaticallyfetch required components

Fetch source code Build

SDN controller projectsource

Maven project build

DeployableSDN controller package

Deployment environmentDistributed NOS

Node #1Distributed NOS


Node #3

Configuration

Compromisedbuild machine- Manipulated hostsfile- Manipulated mavenrepo. setting- Etc.

Compromisedbuild env.network- DNScachepoisoningattack- ARPspoofingattack- Etc.

Rogue maven repository

Rogue SDN controllersource code

repository

Deployment environment

Distributed NOS Node #1

Controller

Southbound API

Core Services

Northbound API

App1 App 2 App 3 App 4 App 5



• CompromisingSDNControlPlaneat Runtime

AttackVector:Malware2

CLI

RESTAPI

GUI

DCN Admin/Operator

SocialEngineeringattacks- Phishing(Spamming,DistributionviaWeb(Blogs,SNS,etc.)

Repackaging&Redistributing

CaninstallSDNappsatruntime

MaliciousApp

• Malicioustenants• Controlplanesaturationattack(DoS)againsttheNOScluster[1]• TopologyPoisoning[2]

AttackVectors:Insider(tenant)attacks

Servers

Leaf

SDDCControl Plane

Edge

Spine

Border Leaf




[1]Shin,Seungwon,andGuofei Gu."Attackingsoftware-defined networks:Afirst feasibilitystudy." ProceedingsofthesecondACMSIGCOMMworkshoponHot topics insoftwaredefinednetworking.ACM,2013.[2]Hong,Sungmin,etal."PoisoningNetworkVisibility inSoftware-Defined Networks:NewAttacksandCountermeasures." NDSS.2015.

AttackScenario1

Build environment

SDN controller projectsource

Maven project build


Deploymentenvironment Distributed NOS



Node #3

Rogue Maven Repository

reverse shell

Inject a rogue NOS node to the cluster

CompromisingSDNcontrolplaneatbuildtimetolauncharbitrarySDNcontrollernodeinjectionattack

AttackScenario2CompromisingSDNcontrolplaneatruntimetolaunchstealthnetworkperformanceattack

Download

DCN Admin/Operator

Third-Party SDNAPP Store

Deploymentenvironment




Stealthily degrade the network performance!

Deploy

Manipulate the Leaf-Spine fabric to affect the overall network performance

DCN

TheVulnerabilities(selectedfromthescenario)

1. NoSystemIntegrityProtection2. NoauthenticationofNOSclusternodes3. Noapplicationaccesscontrol4. SwitchDeviceFirmwareAbuse5. Packet-INFlooding6. ControlMessageManipulation7. Eavesdrop8. InternalStorageManipulation9. ….

Wantmore?

Visithttp://sdnsecurity.org !!(willopenin09/2016)

Vulnerability1.Nosystemintegrityprotection

• Thereisnosystemintegrityprotection forNOScomponents

• IntegrityoftheCORENOScomponentsmustbeguaranteed

• PossibleDefenses

- Codesigning

- Integrityprotectionmechanisms(e.g.checksum) Distributed NOSNode #1



Maven project build


Configuration

SD-WAN

ExternalBGP Routers

ExternalBGP Routers

ExternalBGP Routers

ExternalBGP Routers



Los Angeles AS

NewYork AS

San Francisco AS

Florida AS

Vulnerability2.NoauthenticationofNOSclusternodes

MaliciousNOSNode

• PossibleDefense

- PKI-basedauthenticationfortheNOScomponents

• Themaliciousnodecancompletelytakeoverthecontroloftheentirecontrolplaneandthenetwork

Vulnerability3.Noapplicationaccesscontrol

Distributed NOS Node #1

SDN-SW 1 SDN-SW 3 SDN-SW 5

SDN-SW 6SDN-SW 4SDN-SW 2

SDN-SW 7 SDN-SW 9

SDN-SW 10SDN-SW 8

Distributed NOS cluster

Controller

Southbound API

Core Services

Northbound API

App1 App 2 App 3 App 4DCN Admin/Operator



Data Plane

MaliciousApp

CLI

SSH

RESTAPI

GUI

[CP-3] Flow Rule Flooding[CP-2] Flow Table Manipulation

[CP-1] Service Chain Interference

[CP-5] Resource Exhaustion

[CP-6] System Variable Manipulation

[CP-4] Controller Shutdown

[CP-7] Internal Storage Manipulation

[CP-8] Application Eviction

[CP-8] Switch Firmware Abuse

• PossibleDefense

- Policy-basedaccesscontrolforSDNapplication

• SDNapplicationsaregrantedverypowerfulauthority;needtolimit

MATCH ACTIONSoftwareTable

Vulnerability4.Switchdevicefirmwareabuse

App1 AppN

OpenFlowSwitch

HostA HostB

Controller

HardwareTable

IP.HOSTA->IP.HOSTBIP.HOSTB->IP.HOSTA

OUT:FW1OUT:FW2

MATCH ACTION• Packetmatchingstrategy:

Hardware-basedvs.Software-based

App2

• Thestrategydependsonthevendororthefirmwareversion

[1]HP.HPSwitch SoftwareOpenFlow Administrator's GuideK/KA/WB15.14

HP3800SwitchMatchChart[1]

Hardwarematch

Softwarematch

Vulnerability4.Switchdevicefirmwareabuse

App1 MaliciousApp AppN

OpenFlowSwitch

HostA HostB

Controller

HardwareTable

IP.HOSTA->IP.HOSTBIP.HOSTB->IP.HOSTA

OUT:FW1OUT:FW2

MATCH ACTION

• OverrideIPmatchingflowruleswithMACmatchingflowrules!

FLOW_MODOUT:FW1OUT:FW2

MATCH ACTIONSoftwareTable

MAC.HOSTA->MAC.HOSTBMAC.HOSTB->MAC.HOSTA

Latency

FLOW_MOD

Networkperformancedegradation

a

2a

X2

• PossibleDefense

- Flowruleconflictdetection&arbitration

• Delta(collaboratewithONF)isanewSDNsecurityevaluationframeworkwithtwomainfunctions[1]:1. Automaticallyinstantiatesknownattackcases

againstSDNelementsacrossdiverseenvironments2. Assistsinuncoveringunknownsecurity

problemswithinanSDNdeployment

SDNSecurityAssessment: ProjectDELTA

[1]http://opensourcesdn.org/projects/project-delta-sdn-security-evaluation-framework/

Northbound Interface

CoreServices

Southbound Interface

Storage

AppAgent App2 AppN

SDN Controller

ChannelAgent

HostAgentAgentManager

WebUI

• Security-ModeONOS• InspiredbyMobileapplicationsecuritymechanisms• ConstrainsONOS(SDN)applications’behavior

• Asecuritypolicyperapp• Detectsandblockssecuritypolicyviolationsatruntime

SDNApplicationsecuritypolicyenforcement

SB API

Core

NB API

OSGi protection domain

Admin Service

ONOS NB-API permission checker

ONOS App 1Policyfile

OSGi protection domain

ONOS App 2Policyfile

Device Manager Host Manager

Service

Provider Service Provider Registry

Providers

Protocols

Network Elements

Security Manager

grantpermissions

A

B B

C

Bundle-level RBACA

App-level RBACB

API-level permission-based ACC

parse

SDNSecurity.org• WetrytodiscoverSDNspecificvulnerabilitiesanddevotetosystematizingandcharacterizingallrelatedpoints.• Currently,wehave 8 on-goingprojectsand 8 finishedprojects.

Application Plane

Control Plane

Data PlaneSDN Switch SDN Switch

SDN Controller

Switch Firmware

HardwareSoftwareFlow Table

Network Operating System

App

Southbound API

Northbound API

App

[A-5] Control Message Abuse

Control Channel

Control Channel

[A-6] Northbound API Abuse

[A-3] Internal Storage Manipulation[A-1] Packet-In Flooding

[A-2] Service Chain Interference

[A-4] Control Message Manipulation

[A-7] Resource Exhaustion

[A-8] System Variable Manipulation

[A-9] System Command Execution

[B-1] Eavesdrop

[B-2] Man-In-The-Middle

[C-1] Flow Rule Flooding

[C-2] Firmware Abuse

[C-3] Control Message Manipulation

[A-10] Network Topology Poisoning

http://sdnsecurity.org

SDNVulnerabilityGenomeProject

(willopenin09/2016)

Finalremarks

• Arewereadyforthenext-gennetworking?

• No,notyetatleastfromasecuritypointofview

• A LOT ofworkstillneedstobedonetoimprovethesecurityofSDN.

• Yoururgentattentionisneeded!

Thankyou

Technology

Attacking SDN infrastructure: Are we ready for the next gen networking