Flow Misleading: Worm-Hole Attack in Software-Defined Networking via Building In-Band Covert Channel

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TIFS.2020.3013093

Keywords

Wireless sensor networks; Relays; Network topology; Protocols; Software; Topology; Software-defined network (SDN); worm-hole attack; security

Funding

  1. NSFC [61972195, 61872179, 61425024, 61872176]
  2. National Key Research and Development Program of China [2018YFB1004301]

In this article, we propose the first True Worm-Hole Attack in Software-Defined Networking, which introduces a relay host to establish an in-band covert channel between cheating switches, achieving packet transmission over the forged link without using any out-of-band channels. Attackers only need remote read and write privileges of flow tables, without altering software or hardware. Extensive experiments demonstrate the high feasibility and manageable impact of this attack.
Link Layer Discovery Protocol (LLDP), which is widely used by the controller in Software-Defined Networking to discover the network topology, has been demonstrated to be unable to guarantee the integrity of its messages. Attackers could exploit this vulnerability to fabricate LLDP packets to declare a false link connecting two distant switches to the controller. By doing so, the controller would be misled to route flows to the false links, which leads to further DoS, eavesdropping and even hijacking attacks. This attack seems very similar to the well-known Worm-Hole Attack in wireless sensor networking (WSN). Nevertheless, in WSN, attackers are assumed to leverage an out-of-band wired channel to achieve the true packet transmission between the two cheating sensor nodes. Unfortunately, in SDN, there usually do not exist any out-of-band channels between the distant cheating switches. Flows misguided to the fake link will cause 100% packet loss, and thus be detected soon. In this article, we address this problem and propose the first True worm-hole attack in SDN, which could achieve packet transmission over the forged link without using any out-of-band channels. Instead, it introduces a relay host in the network to build a completely in-band covert channel between the two cheating switches. Unlike the existing studies, a relay host is not required to be directly linked to them. Moreover, attackers are only assumed to possess remote read and write privileges on the flow tables of both cheating switches and do not have to alter any of their software or hardware. Our extensive experiments demonstrate the high feasibility of this attack. The increases in both transmission delays and packet loss rates are within a reasonable range. We finally present and evaluate the countermeasures against the proposed attack.
