Packet Injection Attack and Its Defense in Software-Defined Networks

Software-defined networks (SDNs) are novel networking architectures that decouple the network control and forwarding functions from the data plane. Unlike traditional networking, the control logic of SDNs is implemented in a logically centralized controller which provides a global network view and open programming interface to the applications. While SDNs have become a hot topic among both academia and industry in recent years, little attention has been paid on the security aspect. In this paper, we introduce a novel attack, namely, packet injection attack, in SDNs. By maliciously injecting manipulated packets into SDNs, attackers can affect the services and networking applications in the control plane, and largely consume the resources in the data plane. The consequences could be the disruption of applications built on the top of the topology manager service and rest API, as well as a huge consumption of network resources, such as the bandwidth of the OpenFlow channel. To defend against the packet injection attack, we present PacketChecker, a lightweight extension module on SDN controllers to effectively detect and mitigate the flooding of falsified packets. We implement a prototype of PacketChecker in floodlight controller and conduct experiments to evaluate the efficiency of the defense mechanism. The evaluation shows that the PacketChecker module can effectively mitigate the attack with a minor overhead to the SDN controller.