Top

Mobile Networks and Applications

09-01-2024

Misreporting Attacks Against Load Balancers in Software-Defined Networking

Authors: Quinn Burke, Patrick McDaniel, Thomas La Porta, Mingli Yu, Ting He

Published in: Mobile Networks and Applications

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Load balancers enable efficient use of network resources by distributing traffic fairly across them. In software-defined networking (SDN), load balancing is most often realized by a controller application that solicits traffic load reports from network switches and enforces load balancing decisions through flow rules. This separation between the control and data planes in SDNs creates an opportunity for an adversary at a compromised switch to misreport traffic loads to influence load balancing. In this paper, we evaluate the ability of such an adversary to control the volume of traffic flowing through a compromised switch by misreporting traffic loads. We take a probabilistic approach to model the attack and develop algorithms for misreporting that allow an adversary to tune attack parameters toward specific adversarial goals. We validate the algorithms with a virtual network testbed, finding that through misreporting the adversary can control traffic flow to a high degree by drawing a target amount of load (e.g., + 200%) to within a 2% to 10% error of that target. This is yet another example of how depending on untrustworthy reporting in making control decisions can lead to fundamental security failures.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

ATZelektronik

Die Fachzeitschrift ATZelektronik bietet für Entwickler und Entscheider in der Automobil- und Zulieferindustrie qualitativ hochwertige und fundierte Informationen aus dem gesamten Spektrum der Pkw- und Nutzfahrzeug-Elektronik.

Lassen Sie sich jetzt unverbindlich 2 kostenlose Ausgabe zusenden.

inform now

ATZelectronics worldwide

ATZlectronics worldwide is up-to-speed on new trends and developments in automotive electronics on a scientific level with a high depth of information.

Order your 30-days-trial for free and without any commitment.

inform now

We leave to future work analyzing more specialized variants of these algorithms.

Note that switches may have multiple pool members (ports), but here we just consider a single pool member per switch and use switch and pool member interchangeably.

Project floodlight (2011) http://www.projectfloodlight.org/floodlight/. [Online; accessed 19-October-2018]

Opendaylight project (2013) https://www.opendaylight.org/. [Online; accessed 19-October-2018]

Aslam S, Shah MA (2015) Load balancing algorithms in cloud computing: a survey of modern techniques. In: 2015 National Software Engineering Conference (NSEC). IEEE, Rawalpindi, Pakistan, pp 30–35

Handigol N, Seetharaman S, Flajslik M, McKeown N, Johari R (2009) Plug-n-serve: Load-balancing web traffic using openflow. ACM Sigcomm Demo 4(5):6

Li J, Chang X, Ren Y, Zhang Z, Wang G (2014) An effective path load balancing mechanism based on SDN. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, Beijing, China, pp 527–533

Mesbahi M, Rahmani AM (2016) Load balancing in cloud computing: a state of the art survey. Int J Modern Educ Comput Sci 8(3):64CrossRef

Qilin M, Weikang S (2015) A load balancing method based on SDN. In: 2015 Seventh International Conference on Measuring Technology and Mechatronics Automation. IEEE, Nanchang, China, pp 18–21

Zhang J, Yu FR, Wang S, Huang T, Liu Z, Liu Y (2018) Load balancing in data center networks: A survey. IEEE Commun Surv Tutorials 20(3):2324–2352CrossRef

Guo Z, Su M, Xu Y, Duan Z, Wang L, Hui S, Chao HJ (2014) Improving the performance of load balancing in software-defined networks through load variance-based synchronization. Comput Netw 68:95–109CrossRef

10.

Neghabi AA, Jafari Navimipour N, Hosseinzadeh M, Rezaee A (2018) Load balancing mechanisms in the software defined networks: A systematic and comprehensive review of the literature. IEEE Access 6:14159–14178. https://doi.org/10.1109/ACCESS.2018.2805842CrossRef

11.

Benson T, Akella A, Maltz DA (2010) Network traffic characteristics of data centers in the wild. In: Proceedings of the 10th ACM SIGCOMM conference on Internet measurement. ACM, New York, NY, pp 267–280

12.

Rao A, Legout A, Lim Ys, Towsley D, Barakat C, Dabbous W (2011) Network characteristics of video streaming traffic. In: Proceedings of the Seventh COnference on emerging Networking EXperiments and Technologies. ACM, New York, NY, pp 1–12

13.

Hong S, Xu L, Wang H, Gu G (2015) Poisoning network visibility in software-defined networks: New attacks and countermeasures. NDSS 15:8–11

14.

Khan S, Gani A, Wahab AWA, Guizani M, Khan MK (2016) Topology discovery in software defined networks: Threats, taxonomy, and state-of-the-art. IEEE Commun Surv Tutorials 19(1):303–324CrossRef

15.

Yoon C, Lee S, Kang H, Park T, Shin S, Yegneswaran V, Porras P, Gu G (2017) Flow wars: Systemizing the attack surface and defenses in software-defined networks. IEEE/ACM Trans Netw (TON) 25(6):3514–3530CrossRef

16.

Kang N, Ghobadi M, Reumann J, Shraer A, Rexford J (2014) Niagara: scalable load balancing on commodity switches. Tech Rep, Technical Report (TR-973–14), Princeton

17.

Wang R, Butnariu D, Rexford J et al (2011) Openflow based server load balancing gone wild. Hot-ICE 11:12–12

18.

Mahmood A, Rashid I (2011) Comparison of load balancing algorithms for clustered web servers. In: ICIMU 2011: proceedings of the 5th international Conference on Information Technology & Multimedia. IEEE, Kuala Lumpur, Malaysia, pp 1–6

19.

Zhou Y, Zhu M, Xiao L, Ruan L, Duan W, Li D, Liu R, Zhu M (2014) A load balancing strategy of SDN controller based on distributed decision. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications. IEEE, Beijing, China, pp 851–856

20.

Arau´jo JT, Saino L, Buytenhek L, Landa R (2018) Balancing on the edge: Transport affinity without network state. In: 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18), pp. 111–124

21.

The netfilter.org project (1998). URL https://www.netfilter.org/

22.

Eisenbud DE, Yi C, Contavalli C, Smith C, Kononov R, Mann-Hielscher E, Cilingiroglu A, Cheyney B, Shang W, Hosein JD (2016) Maglev: A fast and reliable software network load balancer. In: 13th USENIX Symposium on Networked Systems Design and Implementation ({NSDI} 16), pp. 523–535

23.

Patel P, Bansal D, Yuan L, Murthy A, Greenberg A, Maltz DA, Kern R, Kumar H, Zikos M, Wu H et al (2013) Ananta: Cloud scale load balancing. ACM SIGCOMM Comput Commun Rev 43(4):207–218CrossRef

24.

Openflow switch specification (2015) https://www.opennetworking.org/software-defined-standards/specifications/. [Online; accessed 19-October- 2018]

25.

Raghavan B, Vishwanath K, Ramabhadran S, Yocum K, Snoeren AC (2007) Cloud control with distributed rate limiting. In: ACM SIGCOMM Computer Communication Review, vol. 37. ACM, New York, NY, pp 337–348

26.

Feghhi S, Leith DJ (2016) A web traffic analysis attack using only timing information. IEEE Trans Inf Forensics Secur 11(8):1747–1759CrossRef

27.

Aslan M, Matrawy A (2016) On the impact of network state collection on the performance of sdn applications. IEEE Commun Lett 20(1):5–8CrossRef

28.

Arbettu RK, Khondoker R, Bayarou K, Weber F (2016) Security analysis of opendaylight, onos, rosemary and ryu sdn controllers. In: 2016 17th International Telecommunications Network Strategy and Planning Symposium (Networks). IEEE, Montreal, QC, pp 37–44. https://doi.org/10.1109/NETWKS.2016.7751150

29.

Benzekki K, El Fergougui A, Elbelrhiti Elalaoui A (2016) Software-defined networking (sdn): a survey. Secur Commun Netw 9(18):5803–5833CrossRef

30.

Dargahi T, Caponi A, Ambrosin M, Bianchi G, Conti M (2017) A survey on the security of stateful sdn data planes. IEEE Commun Surv Tutorials 19(3):1701–1725CrossRef

31.

Scott-Hayward S, O’Callaghan G, Sezer S (2013) SDN security: a survey. In: 2013 IEEE SDN For Future Networks and Services (SDN4FNS). IEEE, Trento, Italy, pp 1–7

32.

Thimmaraju K, Schiff L, Schmid S (2017) Outsmarting network security with sdn teleportation. In: 2017 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, Paris, France, pp 563–578

33.

Pfaff B, Pettit J, Koponen T, Jackson E, Zhou A, Rajahalme J, Gross J, Wang A, Stringer J, Shelar P et al (2015) The design and implementation of open vSwitch. In: 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 15). USENIX Association, Oakland, CA, pp 117–130

34.

Thimmaraju K, Shastry B, Fiebig T, Hetzelt F, Seifert JP, Feldmann A, Schmid S (2018) Taking control of sdn-based cloud systems via the data plane. In: Proceedings of the Symposium on SDN Research. ACM, New York, NY, pp 1–15

35.

Chica JCC, Imbachi JC, Vega JFB (2020) Security in sdn: A comprehensive survey. J Netw Comput Appl 159:102595CrossRef

36.

Benson T, Anand A, Akella A, Zhang M (2009) Understanding data center traffic characteristics. In: Proceedings of the 1st ACM workshop on Research on enterprise networking, pp. 65–72. ACM

37.

Burke Q, McDaniel P, Porta TL, Yu M, He T (2020) Misreporting attacks in software-defined networking. In: EAI SecureComm 2020 – 16th EAI International Conference on Security and Privacy in Communication Networks. EAI, pp 1519–1528

38.

Achleitner S, La Porta T, Jaeger T, McDaniel P (2017) Adversarial network forensics in software defined networking. In: Proceedings of the Symposium on SDN Research, SOSR ’17. ACM, New York, NY, USA, pp 8–20. https://doi.org/10.1145/3050220.3050223

39.

Kampanakis P, Perros H, Beyene T (2014) SDN-based solutions for moving target defense network protection. In: Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014. IEEE, Sydney, NSW, pp 1–6

40.

De Oliveira RLS, Schweitzer CM, Shinoda AA, Prete LR (2014) Using mininet for emulation and prototyping software-defined networks. In: 2014 IEEE Colombian Conference on Communications and Computing (COLCOM). IEEE, Bogota, Colombia, pp 1–6

41.

Qian H, Medhi D (2011) Server operational cost optimization for cloud computing service providers over a time horizon. In: Hot-ICE. USENIX Association, Boston, MA

42.

Curtis AR, Mogul JC, Tourrilhes J, Yalagandula P, Sharma P, Banerjee S (2011) Devoflow: scaling flow management for high-performance networks. In: ACM SIGCOMM Computer Communication Review, vol 41. ACM, New York, NY, pp 254–265

43.

Greenberg A, Hamilton JR, Jain N, Kandula S, Kim C, Lahiri P, Maltz DA, Patel P, Sengupta S (2009) Vl2: a scalable and flexible data center network. In: ACM SIGCOMM computer communication review, vol 39. ACM, New York, NY, pp 51–62

44.

Chandrasekaran SS (2017) Understanding traffic characteristics in a server to server data center network. Thesis, Rochester Institute of Technology

45.

Aweya J, Ouellette M, Montuno DY, Doray B, Felske K (2002) An adaptive load balancing scheme for web servers. Int J Network Manage 12(1):3–39CrossRef

46.

Ahmed M, Mahmood AN, Hu J (2016) A survey of network anomaly detection techniques. J Netw Comput Appl 60:19–31CrossRef

47.

Caberera J, Ravichandran B, Mehra RK (2000) Statistical traffic modeling for network intrusion detection. In: Proceedings 8th International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (Cat. No. PR00728). IEEE, San Francisco, CA, pp 466–473

48.

Dhawan M, Poddar R, Mahajan K, Mann V (2015) Sphinx: detecting security attacks in software-defined networks. Ndss 15:8–11

49.

Kamisin´ski A, Fung C (2015) Flowmon: detecting malicious switches in software-defined networks. In: Proceedings of the 2015 Workshop on Automated Decision Making for Active Cyber Defense. ACM, New York, NY, pp 39–45

50.

Zhang Y (2013) An adaptive flow counting method for anomaly detection in SDN. In: Proceedings of the ninth ACM conference on Emerging networking experiments and technologies. ACM, New York, NY, pp 25–30

51.

Dridi L, Zhani MF (2016) SDN-guard: Dos attacks mitigation in sdn networks. In: 2016 5th IEEE International Conference on Cloud Networking (Cloudnet). IEEE, Pisa, Italy, pp 212–217

52.

Achleitner S, Burke Q, McDaniel P, Jaeger T, Porta TL, Krishnamurthy S (2019) MLSNet: A Policy Complying Multilevel Security Framework for Software Defined Networking. Tech. Rep. INSR-500-TR-0500–2019, Institute of Networking and Security Research, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA, USA. http://patrickmcdaniel.org/papers-ct.html

53.

Yu M, He T, McDaniel P, Burke QK (2020) Flow table security in SDN: adversarial reconnaissance and intelligent attacks. In: IEEE INFOCOM 2020-IEEE Conference on Computer Communications. IEEE, Toronto, ON, pp 1519–1528

54.

Kang MS, Gligor VD, Sekar V et al (2016) Spiffy: Inducing cost-detectability tradeoffs for persistent link-flooding attacks. NDSS 1:53–55

55.

Yu H, Shen Z, Miao C, Leung C, Niyato D (2010) A survey of trust and reputation management systems in wireless communications. Proc IEEE 98(10):1755–1772CrossRef

56.

Tan S, Li X, Dong Q (2015) Trust based routing mechanism for securing oslr-based manet. Ad Hoc Netw 30:84–98CrossRef

57.

Zhang J (2011) A survey on trust management for VANETs. In: 2011 IEEE International Conference on Advanced Information Networking and Applications. IEEE, Biopolis, Singapore, pp 105–112

58.

Lopez J, Roman R, Agudo I, Fernandez-Gago C (2010) Trust management systems for wireless sensor networks: Best practices. Comput Commun 33(9):1086–1093CrossRef

59.

Buchegger S, Le Boudec JY (2002) Performance analysis of the confidant protocol. In: Proceedings of the 3rd ACM international symposium on Mobile ad hoc networking & computing. ACM, New York, NY, pp 226–236

60.

Aliyu AL, Bull P, Abdallah A (2017) A trust management framework for network applications within an SDN environment. In: 2017 31st International Conference on Advanced Information Networking and Applications Workshops (WAINA). IEEE, Taipei, Taiwan, pp 93–98

61.

Betg´e-Brezetz S, Kamga GB, Tazi M (2015) Trust support for SDN controllers and virtualized network applications. In: Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft). IEEE, London, UK, pp 1–5

Title: Misreporting Attacks Against Load Balancers in Software-Defined Networking
Authors: Quinn Burke
Patrick McDaniel
Thomas La Porta
Mingli Yu
Ting He
Publication date: 09-01-2024
Publisher: Springer US
Published in: Mobile Networks and Applications
Print ISSN: 1383-469X
Electronic ISSN: 1572-8153
DOI: https://doi.org/10.1007/s11036-023-02156-0

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

ATZelektronik

ATZelectronics worldwide