Attacking Software-Defined Networks: The First Feasibility Study

In this work, we demonstrate an effective and efficient attack against software-defined networks with the knowledge of some basic characteristics of the SDN technology. Essentially, since the control plane is separated from the data plane in a SDN network, the data plane will typically ask the control plane to obtain flow rules when the data plane sees new network packets that it does not know how to handle. By exploiting this key property, our proposed attack can first fingerprint whether a given network uses SDN/OpenFlow switches and then generate specifically crafted flow requests from the data plane to the control plane. This has two effects: (i) it can make the (logically centralized singlepoint) control plane hard to handle all requests (i.e., control plane resource consumption or DoS attack); (ii) the generated fake flow requests can produce many useless flow rules that need to be held by the data plane, thus making the data plane hard to store flow rules for normal network flows (data plane resource consumption or DoS attack). To demonstrate the feasibility of such attack, we create a new SDN network scanning prototype tool (named as SDN scanner) to remotely fingerprint networks that deploy SDN, and this method can be easily operated by mod-