Exploiting pitfalls in software-defined networking implementation

Abstract

The centralised control provided by Software- Defined Networking allows an increase in network security as all traffic can be vetted before leaving the attachment switch. Nevertheless, as in any complex system, there are implementation and policy compromises which lead to security vulnerabilities. This paper exploits such vulnerabilities to implement a suite of attacks, consisting of Address Resolution Protocol (ARP) cache poisoning, Man in the Middle, a firewall and access control bypassing port scan called a Phantom Host Scan, and a Distributed Denial of Service attack called a Phantom Storm which induces the participation of legitimate hosts. These attacks were successfully implemented in a Floodlight controlled network.