When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN - PowerPoint PPT Presentation

  1. When Match Fields Do Not Need to Match: Buffered Packet Hijacking in SDN
     Jiahao Cao, Renjie Xie, Kun Sun, Qi Li, Guofei Gu, and Mingwei Xu

  2. Outline
     – SDN Overview
     – Background on SDN Rule Installation
     – A New Vulnerability: Buffered Packet Hijacking
     – Buffered Packet Hijacking Attacks
     – Defense
     – Conclusion

  3. Outline – SDN Overview

  4. SDN Overview
     – SDN applications (apps): extend controller capacities and SDN functionalities
     – SDN controller: takes centralized network control
     – SDN switches: forward and process flows according to the controller

  5. Outline – Background on SDN Rule Installation

  6. Rule Installation in SDN
     – Packet-in
       • Queries the controller for a network decision on a new flow
       • Contains a buffer ID and the packet headers
     – Flow-mod
       1. Installs rules with match fields and actions
       2. Specifies a buffer ID to release a buffered packet
     Diagram: h1 sends a new flow (1) through S1 towards S2 and h2; S1 buffers the packet under Buffer ID 1 (2) and sends a packet-in to the SDN controller (3); the Routing App answers with a flow-mod (4); S1 installs the flow rule (5): Match ip_dst:10.0.0.2, Action output:S2.

  7. Rule Conflict in SDN
     – Conflict reason: multiple apps processing the same flow may generate conflicting rules
     – Conflict abuse: apps install conflicting rules to override other apps’ decisions
     Diagram: same topology, with a Routing App and a Malicious App both handling the packet-in for Buffer ID 1; the controller sends two flow-mods (4), and S1 ends up with conflicting rules (5): ip_dst:10.0.0.2 → output:S2 and ip_dst:10.0.0.2 → drop (Conflict!).

  8. Rule Conflict Detection
     – Extract match fields and actions from all flow-mod messages
     – Check for potential conflicts when installing new rules
     Example: Malicious App flow-mod (match: ip_dst:10.0.0.1, action: drop, buffer id: 1) vs. Routing App flow-mod (match: ip_dst:10.0.0.1, action: forward, buffer id: 1) → Block!
     VeriFlow (NSDI ’13), SE-Floodlight (NDSS ’15), FortNOX (HotSDN ’12)…
     These do not consider potential buffer ID abuse.

  9. Outline – A New Vulnerability: Buffered Packet Hijacking

  10. Buffered Packet Hijacking Vulnerability
     – Mechanism: manipulate buffer IDs to hijack buffered packets
     Example: Malicious App flow-mod (match: ip_dst:1.1.1.1, action: drop, buffer id: 2 → 1) alongside Routing App flow-mod (match: ip_dst:10.0.0.1, action: forward, buffer id: 1). The malicious app replaces its own buffer ID (2) with the routing app’s (1); its match fields do not conflict with the routing app’s rule, yet the packet held under Buffer ID 1 is released under the malicious action.
     – Root cause: no checking of the inconsistency between buffer IDs and match fields when installing rules
     Hijack buffered packets without conflicting rules!

  11. Outline – Buffered Packet Hijacking Attacks

  12. Threat Model
     – Attacker objective: exploit the vulnerability to attack all three SDN layers
     – System assumptions
       – SDN controllers, switches, and control channels are secure
       – Existing SDN defenses may be deployed
       – Apps are untrusted and may originate from third parties
       – A malicious app has the basic permissions of listening to packet-in messages and installing flow rules

  13. Attacks and Testbed
     – Four attacks
       – Attacking the application layer: 1. cross-app poisoning
       – Attacking the control plane: 2. control traffic amplification
       – Attacking the data plane: 3. security policy bypass; 4. TCP connection disruption
     – Real SDN testbed
       – Open source controller: Floodlight
       – Commercial SDN switches: EdgeCore AS4610-54T
       – Real background flows: traffic trace from CAIDA
       – Crafted test flows

  14. Attack 1: Cross-App Poisoning (CAP)
     – A malicious app resends modified buffered packets to the controller
     Diagram: h1 is attached to port 1 of S1. APP X sends FLOW-MOD (match: other flow, buf_id: 1, action: set-field (IP_SRC → IP_h2), output:controller), so the buffered packet from h1 re-enters the controller as a PACKET-IN carrying h2’s source address. APP Y, which should learn (Host, Port) = (h1, port 1), instead learns (Host, Port) = (h2, port 1): incorrect mapping!

  15. Evading Defense against CAP
     – Existing CAP attacks and defense
       – Attack by modifying shared data objects in the control plane
       – Defend by checking information flow control policy violations *
     – This CAP attack
       – Manipulates buffered packets in the data plane
       – Evades the defense since there are no policy violations
     * Ujcich, Benjamin E., et al. “Cross-app poisoning in software-defined networking.” CCS ’18

  16. Attack 2: Control Traffic Amplification Bomb
     – A malicious app copies massive numbers of buffered packets to trigger packet-in messages, consuming bandwidth and computing resources
     Diagram: APP X sends FLOW-MOD (match: other flow, buf_id: 1, action: no_buffer, group_all (3 action buckets), output:controller), so the single buffered packet in S1 comes back to the controller as PACKET-IN x3. Chart: SDN controller bandwidth and CPU utilization (0% to 100%) under the attack.

  17. Evading Defense against Packet-in Flooding
     – Existing flooding attacks and defense
       – Attack by generating packets matching no rules to trigger massive packet-in messages
       – Detect malicious flows or adopt a TCP SYN proxy to throttle TCP-based flooding *
     – This flooding attack
       – Hijacks buffered packets of benign flows to trigger massive packet-in messages
       – Generates no malicious flows and can hijack UDP flows
     * Shin, Seungwon, et al. “Avant-guard: Scalable and vigilant switch flow management in software-defined networks.” CCS ’13; Shang, Gao, et al. “FloodDefender: Protecting data and control plane resources under SDN-aimed DoS attacks.” INFOCOM ’17

  18. Attack 3: Network Security Policy Bypass
     – A malicious app redirects buffered packets to different ports
     Diagram: topology with h1, S1, S2, S3, h2 and a firewall. APP Y sends FLOW-MOD (match: red, buf_id: 1, action: output:Firewall) for the buffered red flow; APP X sends FLOW-MOD (match: other flow, buf_id: 1, action: output:S2), so the buffered red packet is released towards S2 instead of the firewall. Successfully bypasses the firewall.

  19. Evading Defense against Security Bypass
     – Existing security bypass attacks and defense
       – Generate conflicting rules to bypass security policies
       – Detect rule conflicts to prevent security policy bypass *
     – This attack
       – Manipulates buffer IDs to bypass security policies
       – Evades the defense by generating no conflicting rules
     * Porras, Phillip A., et al. “Securing the software defined network control layer.” NDSS ’15; Khurshid, Ahmed, et al. “VeriFlow: Verifying network-wide invariants in real time.” NSDI ’13; Porras, Philip, et al. “A security enforcement kernel for OpenFlow networks.” HotSDN ’12

  20. Attack 4: TCP Connection Disruption
     – TCP three-way handshake: a TCP connection is established only after a successful three-way handshake
     – The first packet of a TCP flow is always the TCP SYN packet

  21. Attack 4: TCP Connection Disruption
     – A malicious app drops a buffered TCP SYN packet
     Diagram: APP Y sends FLOW-MOD (match: red, buf_id: 1, action: output:h2); APP X sends FLOW-MOD (match: other flow, buf_id: 1, action: drop), so the buffered SYN from h1 is dropped at S1. Timeline: 10 ms versus 1000 ms, because the client only tries again (SYN retransmission) after 1 s.
     Every 100 ms of latency may cost 1% in business revenue for Amazon.
     No existing SDN defense solutions consider this attack.

  22. Hijacking Probability: Intra-Chain Hijacking
     – Single processing chain: apps in the same processing chain process the packet-in and send flow-mod messages in turn
     – Success condition: the malicious app is in front of the app that will process the flow (the target app)

  23. Hijacking Probability: Inter-Chain Hijacking
     – Multiple processing chains: apps in different processing chains process the packet-in and send flow-mod messages independently
     – Success condition: the malicious app can be in any position, as long as its flow-mod for the buffered packet is sent before the target app’s, i.e. the malicious app’s processing delay within its chain is shorter than the target app’s within its own chain (t_malicious < t_target)

  24. Hijacking Probability: Experimental Results
     – Experiments with two processing chains in the real SDN testbed
       • Intra-chain hijacking probability is either 0 or 100%
       • Inter-chain hijacking probability decreases as the malicious app moves towards the tail of its chain, e.g. from 100% to 36.3% for the Load Balancer

  25. Hijacking Probability: Theory Analysis
     – Derive the hijacking probability from the processing chain model
       • Intra-chain hijacking probability:
       • Inter-chain hijacking probability:
     Notation: the malicious app is the c-th application in the r-th processing chain; the target app is the i-th application in the j-th processing chain; the probability density function of processing delays in the target app is also used.
     Details in our paper!
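The two success conditions of slides 22 and 23 and the position trend of slide 24, as an added Python model; this is not the authors' derivation (the paper works with general processing-delay distributions, whose formulas are not on the slides). The delay model is an assumption: each app's processing delay is an independent exponential random variable with a per-app mean supplied by the caller, and the closed form is a property of the equal-mean case of that assumption only. Positions are 1-based, and the app at position c sends its flow-mod after the delays of itself and the c-1 apps before it in its chain.

```python
import random
from math import comb
from typing import Sequence


def intra_chain_success(malicious_pos: int, target_pos: int) -> float:
    """Single chain: apps handle the packet-in in turn, so the malicious app
    hijacks the buffer iff it sits in front of the target app (slide 22)."""
    return 1.0 if malicious_pos < target_pos else 0.0


def flow_mod_time(chain_means: Sequence[float], pos: int, rng: random.Random) -> float:
    """Time at which the app at 1-based position `pos` sends its flow-mod:
    the sum of the processing delays of itself and every app before it.
    Delay model (assumption, not the paper's): independent exponential delays
    with the given per-app means."""
    return sum(rng.expovariate(1.0 / m) for m in chain_means[:pos])


def inter_chain_success(malicious_chain: Sequence[float], malicious_pos: int,
                        target_chain: Sequence[float], target_pos: int,
                        trials: int = 20000, seed: int = 1) -> float:
    """Two chains run independently (slide 23): the hijack succeeds iff the
    malicious app's flow-mod for the buffer ID is sent before the target
    app's.  Monte Carlo estimate of that probability."""
    rng = random.Random(seed)
    wins = sum(flow_mod_time(malicious_chain, malicious_pos, rng)
               < flow_mod_time(target_chain, target_pos, rng)
               for _ in range(trials))
    return wins / trials


def inter_chain_success_equal_means(malicious_pos: int, target_pos: int) -> float:
    """Exact value when every app's delay is exponential with the same mean.
    Merging the two chains' delay sequences gives a fair coin per event, and
    the malicious app wins iff at least malicious_pos of the first
    malicious_pos + target_pos - 1 merged events belong to its chain."""
    n = malicious_pos + target_pos - 1
    return sum(comb(n, k) for k in range(malicious_pos, n + 1)) / 2 ** n


def success_by_position(chain_len: int, target_pos: int) -> list:
    """Inter-chain probability as the malicious app is moved towards the tail
    of a chain of equal-mean apps (the trend reported on slide 24)."""
    return [inter_chain_success_equal_means(c, target_pos)
            for c in range(1, chain_len + 1)]


if __name__ == "__main__":
    print("intra-chain:", intra_chain_success(1, 2), intra_chain_success(3, 2))
    print("inter-chain by position:", success_by_position(4, 2))
    print("Monte Carlo, malicious 3rd vs target 2nd:",
          inter_chain_success([1.0] * 4, 3, [1.0] * 4, 2))
```

With the target app second in its chain, moving the malicious app from first to fourth in the other chain takes the exact probability from 0.75 down to 0.1875, the same direction as the testbed trend; plugging in measured per-app means (Floodlight modules differ widely) gives the estimate a deployment would actually care about.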

  26. Outline – Defense

  27. Defense: ConCheck
     – Add a consistency check between buffer IDs and match fields
       • The API Calls Extractor intercepts API calls that read packet-in messages and generate flow-mod messages
       • The Consistency Checker checks for inconsistency in API calls that generate flow-mod messages
     Figures: ConCheck Architecture; Detection Example.
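The check ConCheck performs, next to the match/action-only conflict detection of slide 8, run against the slide 10 hijack, as an added Python model; this is not the authors' code or Floodlight's. The messages are simplified stand-ins for OpenFlow packet-in and flow-mod (only dpid, buffer_id, match and actions are modelled), the switch class models only the release of a buffered packet when a flow-mod names its buffer ID, and the scenario, with its host addresses and app names, is constructed to match slide 10 with the malicious app ahead of the routing app in one processing chain.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified stand-ins for the two OpenFlow messages involved.
# Only the fields the vulnerability turns on are modelled.

@dataclass(frozen=True)
class PacketIn:
    dpid: int          # switch datapath ID
    buffer_id: int     # switch-side buffer holding the packet
    headers: dict      # parsed header fields, e.g. {"ip_dst": "10.0.0.1"}


@dataclass(frozen=True)
class FlowMod:
    app: str           # issuing app (kept for the record only)
    dpid: int
    match: dict        # match fields; {} is a full wildcard
    actions: tuple     # e.g. ("forward",) or ("drop",)
    buffer_id: Optional[int] = None   # None models OFP_NO_BUFFER


class Switch:
    """Datapath model: buffers new packets, installs rules, releases buffers."""

    def __init__(self, dpid: int):
        self.dpid = dpid
        self.buffers: dict[int, dict] = {}                 # buffer_id -> headers
        self.rules: list[tuple[dict, tuple]] = []          # (match, actions)
        self.released: list[tuple[str, int, tuple]] = []   # (app, buffer_id, actions)
        self._next_id = 1

    def new_flow(self, headers: dict) -> PacketIn:
        """A packet matching no rule is buffered and reported as a packet-in."""
        bid, self._next_id = self._next_id, self._next_id + 1
        self.buffers[bid] = headers
        return PacketIn(self.dpid, bid, headers)

    def apply(self, fm: FlowMod) -> None:
        self.rules.append((fm.match, fm.actions))
        # The switch applies the flow-mod's actions to whatever packet sits in
        # buffer_id, whether or not fm.match covers that packet: this is the
        # behaviour the hijack relies on.
        if fm.buffer_id is not None and fm.buffer_id in self.buffers:
            del self.buffers[fm.buffer_id]
            self.released.append((fm.app, fm.buffer_id, fm.actions))


def has_rule_conflict(switch: Switch, fm: FlowMod) -> bool:
    """Match/action-only conflict detection in the spirit of slide 8, reduced
    to exact-match comparison: flags a new rule whose match equals an
    installed rule's but whose actions differ.  It never looks at buffer_id."""
    return any(match == fm.match and actions != fm.actions
               for match, actions in switch.rules)


class ConCheck:
    """Consistency check between a flow-mod's buffer_id and its match fields.

    Records every packet-in the controller hands to apps and rejects a
    flow-mod whose match fields do not all agree with the headers of the
    buffered packet it references.
    """

    def __init__(self):
        self.seen: dict[tuple[int, int], dict] = {}   # (dpid, buffer_id) -> headers

    def on_packet_in(self, pin: PacketIn) -> None:
        self.seen[(pin.dpid, pin.buffer_id)] = pin.headers

    def is_consistent(self, fm: FlowMod) -> bool:
        if fm.buffer_id is None:
            return True                              # releases nothing
        headers = self.seen.get((fm.dpid, fm.buffer_id))
        if headers is None:
            return False                             # buffer ID never reported
        # A wildcarded field (absent from match) is consistent with anything;
        # every field that is present must equal the buffered packet's value.
        return all(headers.get(k) == v for k, v in fm.match.items())


def install(switch: Switch, fm: FlowMod, checker: ConCheck, policy: str) -> str:
    """policy: 'none' (plain controller), 'conflict' (slide 8) or 'concheck'."""
    if policy == "conflict" and has_rule_conflict(switch, fm):
        return "blocked"
    if policy == "concheck" and not checker.is_consistent(fm):
        return "blocked"
    switch.apply(fm)
    return "installed"


def run_slide10_scenario(policy: str) -> dict:
    """Malicious app ahead of the routing app in one processing chain."""
    s1 = Switch(dpid=1)
    checker = ConCheck()
    pin = s1.new_flow({"ip_src": "10.0.0.2", "ip_dst": "10.0.0.1"})  # constructed flow
    checker.on_packet_in(pin)

    # Malicious app: an unrelated match, but the routing app's buffer ID (2 -> 1).
    evil = FlowMod("malicious", 1, {"ip_dst": "1.1.1.1"}, ("drop",), buffer_id=pin.buffer_id)
    # Routing app: the legitimate rule for the buffered flow.
    good = FlowMod("routing", 1, {"ip_dst": "10.0.0.1"}, ("forward",), buffer_id=pin.buffer_id)

    result = {"malicious": install(s1, evil, checker, policy),
              "routing": install(s1, good, checker, policy)}
    result["released_by"] = s1.released[0][0] if s1.released else None
    return result


if __name__ == "__main__":
    for policy in ("none", "conflict", "concheck"):
        print(policy, run_slide10_scenario(policy))
```

Under 'none' and 'conflict' the malicious flow-mod is installed and the buffered packet leaves the switch under its drop action, since the two rules never conflict; under 'concheck' it is rejected because its ip_dst match disagrees with the recorded headers of buffer 1, and the routing app's flow-mod releases the packet. A real deployment has two extra details to get right: the record must be invalidated when the switch frees or reuses a buffer ID, and the comparison must use the match structure the switch reports in the packet-in rather than headers the app parsed itself.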

  28. Outline – Conclusion

  29. Conclusion
     – We discover a new vulnerability in SDN rule installation.
     – We identify four buffered packet hijacking attacks that disrupt all SDN layers and can evade all existing defense systems.
     – We propose a lightweight and application-transparent countermeasure.

  30. Thank you! Kun Sun ksun3@gmu.edu

  31. Backup: Permissions
     – The ratio of applications with the permission of listening to packet-in messages and installing flow rules
     Chart: many apps have these permissions.
