{"title":"An Evidence-Based Technical Process for OpenFlow-Based SDN Forensics","authors":"S. Mugitama, N. Cahyani, Parman Sukamo","doi":"10.1109/ICoICT49345.2020.9166215","DOIUrl":null,"url":null,"abstract":"In a Software Defined Network (SDN), a centralized controller can plan packet forwarding globally according to the operator’s objectives. The chief purpose of the SDN architecture is easy network management through centralized control. Security was not a design focus of the SDN architecture from its emergence, and that centralized control has introduced vulnerabilities. One is that attacks which overload the controller with packets (such as a DoS attack) drive the controller into a race condition. Another vulnerability in the controller is the topology poisoning attack, which uses spoofed packets and exploits the LLDP packets in the network. Traditional network forensics cannot analyze such attacks in depth because its tools ignore the evidence that exists in the control and application layers of SDN. This research focuses on a comprehensive technical process for running forensics on the SDN architecture and develops the modules needed to retrieve log evidence from the controller while applying forensic principles. The results show that a DoS attack and topology poisoning can be investigated with this technical process, and that evidence in the controller can be used for analysis, attribution, and presentation. The technical process of this study is expected to help forensic investigators reveal crime incidents in an OpenFlow-based SDN environment.","PeriodicalId":113108,"journal":{"name":"2020 8th International Conference on Information and Communication Technology (ICoICT)","volume":"47 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 8th International Conference on Information and Communication Technology (ICoICT)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICoICT49345.2020.9166215","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 4
Abstract
In a Software Defined Network (SDN), a centralized controller can plan packet forwarding globally according to the operator’s objectives. The chief purpose of the SDN architecture is easy network management through centralized control. Security was not a design focus of the SDN architecture from its emergence, and that centralized control has introduced vulnerabilities. One is that attacks which overload the controller with packets (such as a DoS attack) drive the controller into a race condition. Another vulnerability in the controller is the topology poisoning attack, which uses spoofed packets and exploits the LLDP packets in the network. Traditional network forensics cannot analyze such attacks in depth because its tools ignore the evidence that exists in the control and application layers of SDN. This research focuses on a comprehensive technical process for running forensics on the SDN architecture and develops the modules needed to retrieve log evidence from the controller while applying forensic principles. The results show that a DoS attack and topology poisoning can be investigated with this technical process, and that evidence in the controller can be used for analysis, attribution, and presentation. The technical process of this study is expected to help forensic investigators reveal crime incidents in an OpenFlow-based SDN environment.
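The abstract describes two controller-side attacks (a packet-in flood that overloads the controller, and LLDP-based topology poisoning) and a process that pulls log evidence from the controller for analysis. The following is an added illustration of what such a triage step over controller logs can look like; it is not the paper's module and does not target any real controller. The log line format, the event names (HOST_LEARNED, LINK_ADD, PACKET_IN), the sample lines, and the flood threshold are all constructed assumptions. The topology-poisoning check relies on one property of the attack the abstract names: a spoofed LLDP frame injected from a host port makes the controller register a switch-to-switch link on a port where it had earlier learned a host. The SHA-256 digest is included because forensic principles require the collected evidence to be integrity-checked before it is analyzed.

```python
"""Triage of constructed OpenFlow-controller log evidence (added example, hypothetical log format)."""
import hashlib
import re
from collections import Counter

# Assumed line layout: "<epoch seconds> <EVENT> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def build_sample_log():
    """Constructed evidence file: two learned hosts, one real link, one poisoned link,
    a little benign PACKET_IN traffic, then a one-second PACKET_IN flood."""
    lines = [
        "1590969600 HOST_LEARNED dpid=1 port=3 mac=00:00:00:00:00:aa",
        "1590969601 HOST_LEARNED dpid=2 port=4 mac=00:00:00:00:00:bb",
        "1590969602 LINK_ADD src_dpid=1 src_port=1 dst_dpid=2 dst_port=1",
        # Spoofed LLDP from the hosts makes the controller "discover" a link between two host ports.
        "1590969605 LINK_ADD src_dpid=1 src_port=3 dst_dpid=2 dst_port=4",
    ]
    for i in range(5):  # benign: one packet-in every two seconds
        lines.append(f"{1590969610 + i * 2} PACKET_IN dpid=2 port=5 src=00:00:00:00:00:bb")
    for i in range(300):  # flood: 300 packet-ins with rotating source MACs inside one second
        lines.append(f"1590969620.{i:03d} PACKET_IN dpid=1 port=2 src=00:00:00:00:{i % 256:02x}:01")
    return "\n".join(lines) + "\n"


def evidence_digest(text):
    """Integrity hash of the collected evidence, recorded before any analysis is run."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_log(text):
    """Parse log lines into dicts; field values stay strings (dpid, port, mac, ...)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped but still covered by the digest
        fields = dict(KV_RE.findall(m.group("rest")))
        records.append({"ts": float(m.group("ts")), "event": m.group("event"), **fields})
    return records


def find_topology_poisoning(records):
    """Flag LINK_ADD events whose endpoint is a port on which a host was learned earlier.
    A genuine inter-switch link never terminates on a host-facing port."""
    host_ports = set()
    suspicious = []
    for r in records:
        if r["event"] == "HOST_LEARNED":
            host_ports.add((r["dpid"], r["port"]))
        elif r["event"] == "LINK_ADD":
            ends = [(r["src_dpid"], r["src_port"]), (r["dst_dpid"], r["dst_port"])]
            hits = [e for e in ends if e in host_ports]
            if hits:
                suspicious.append({"ts": r["ts"], "link": ends, "host_ports": hits})
    return suspicious


def find_packet_in_flood(records, window=1.0, threshold=100):
    """Count PACKET_IN events per (dpid, port, time bucket); return buckets at or above threshold.
    Returns a sorted list of ((dpid, port, bucket), count)."""
    counts = Counter()
    for r in records:
        if r["event"] == "PACKET_IN":
            bucket = int(r["ts"] // window)
            counts[(r["dpid"], r["port"], bucket)] += 1
    return sorted((k, n) for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print("evidence sha256:", evidence_digest(log))
    recs = parse_log(log)
    for hit in find_topology_poisoning(recs):
        print("possible topology poisoning at", hit["ts"], "link", hit["link"], "on host ports", hit["host_ports"])
    for (dpid, port, bucket), n in find_packet_in_flood(recs):
        print(f"packet-in flood: dpid={dpid} port={port} second={bucket} count={n}")
```

The threshold and window are tuning knobs; on a real controller they would be set from a baseline of normal PACKET_IN rates, and the host-port check needs the controller's own host table rather than a constructed HOST_LEARNED event.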