When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

Jiahao Cao (Tsinghua University; George Mason University), Renjie Xie (Tsinghua University), Kun Sun (George Mason University), Qi Li (Tsinghua University), Guofei Gu (Texas A&M University), Mingwei Xu (Tsinghua University)

Software-Defined Networking (SDN) meets the industry's need for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, the SDN application ecosystem inevitably introduces new security threats, since compromised or malicious applications can significantly disrupt network operations. A number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications, including data provenance systems to protect applications from being poisoned by malicious applications, rule conflict detection systems to prevent data packets from bypassing network security policies, and application isolation systems to prevent applications from corrupting controllers. In this paper, we identify a new design flaw in flow rule installation in SDN that can be exploited by malicious applications to launch effective attacks that bypass existing defense systems. We discover that SDN systems do not check for inconsistency between the buffer ID and the match fields when an application attempts to install flow rules, so a malicious application can manipulate the buffer ID to hijack buffered packets even though the flow rule it installs does not match the packet with that buffer ID. We name this new vulnerability *buffered packet hijacking*; it can be exploited to launch attacks that disrupt all three SDN layers, namely the application layer, the data plane layer, and the control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating the forwarding behaviors of buffered packets, a malicious application can not only disrupt the TCP connections of flows but also make flows bypass network security policies. Third, by copying massive numbers of buffered packets to controllers, a malicious application can saturate the bandwidth of the SDN control channel and its computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.
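The missing check the abstract describes is a consistency test between a FlowMod's `buffer_id` and its match fields: before the controller forwards a rule that would release a buffered packet, it should confirm that the rule actually matches that packet. The following Python is an added illustration of such a controller-side check; it is not the paper's defense system nor the API of any real controller. It assumes a hypothetical bookkeeping table that records the header fields of each buffered packet when the corresponding PacketIn arrives (keyed by switch `dpid` and `buffer_id`), and a hypothetical `FlowMod` structure carrying only the fields the check needs. All packets and rules in `demo()` are constructed samples.

```python
"""Consistency check between a FlowMod's buffer_id and its match fields (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, Tuple

OFP_NO_BUFFER = 0xFFFFFFFF  # OpenFlow sentinel: the FlowMod references no buffered packet


@dataclass(frozen=True)
class BufferedPacket:
    """Header fields of a packet parked in a switch buffer, learned from its PacketIn."""
    in_port: int
    headers: Dict[str, Any]  # OXM-style names, e.g. {"ipv4_src": "10.0.0.1"}


@dataclass(frozen=True)
class FlowMod:
    """Hypothetical, simplified view of an OFPT_FLOW_MOD: only what the check needs."""
    dpid: int
    buffer_id: int
    match: Dict[str, Any]  # field name -> exact value, or a CIDR string such as "10.0.0.0/24"
    app_name: str


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    mismatched: Tuple[Tuple[str, Any, Any], ...] = ()  # (field, rule value, packet value)


def _field_matches(expected: Any, actual: Any) -> bool:
    """Exact comparison, plus CIDR prefixes for IP fields; a header absent from the packet never matches."""
    if actual is None:
        return False
    if isinstance(expected, str) and "/" in expected:
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
        except ValueError:
            return False
    return expected == actual


class BufferConsistencyGuard:
    """Controller-side hook: refuse FlowMods whose match does not cover the packet they would release."""

    def __init__(self) -> None:
        self._buffers: Dict[Tuple[int, int], BufferedPacket] = {}

    def record_packet_in(self, dpid: int, buffer_id: int, in_port: int, headers: Dict[str, Any]) -> None:
        """Called on every PacketIn that reports a buffered packet (assumed hook)."""
        if buffer_id != OFP_NO_BUFFER:
            self._buffers[(dpid, buffer_id)] = BufferedPacket(in_port, dict(headers))

    def release(self, dpid: int, buffer_id: int) -> None:
        self._buffers.pop((dpid, buffer_id), None)

    def check_flow_mod(self, fm: FlowMod) -> Verdict:
        """Allow the FlowMod only if every match field covers the buffered packet it references."""
        if fm.buffer_id == OFP_NO_BUFFER:
            return Verdict(True, "no buffered packet referenced")
        pkt = self._buffers.get((fm.dpid, fm.buffer_id))
        if pkt is None:
            # Fail closed: the controller cannot tell what this buffer_id would release.
            return Verdict(False, f"{fm.app_name}: unknown buffer_id {fm.buffer_id:#x} on dpid {fm.dpid}")
        mismatched = []
        for name, expected in fm.match.items():
            actual = pkt.in_port if name == "in_port" else pkt.headers.get(name)
            if not _field_matches(expected, actual):
                mismatched.append((name, expected, actual))
        if mismatched:
            return Verdict(False, f"{fm.app_name}: match fields do not cover the buffered packet", tuple(mismatched))
        # The switch consumes the buffer when it applies the rule, so drop our record of it.
        self.release(fm.dpid, fm.buffer_id)
        return Verdict(True, "match covers buffered packet")


def demo() -> Dict[str, Verdict]:
    """Constructed scenario: two buffered packets on switch 1 and four FlowMods referencing them."""
    guard = BufferConsistencyGuard()
    guard.record_packet_in(1, 0x100, 3, {"eth_type": 0x0800, "ipv4_src": "10.0.0.1",
                                         "ipv4_dst": "10.0.0.2", "ip_proto": 6, "tcp_dst": 80})
    guard.record_packet_in(1, 0x101, 5, {"eth_type": 0x0800, "ipv4_src": "10.0.1.7",
                                         "ipv4_dst": "10.0.0.2", "ip_proto": 6, "tcp_dst": 443})
    results = {}
    # A forwarding app whose rule (with a prefix match) genuinely covers the packet it releases.
    results["honest"] = guard.check_flow_mod(
        FlowMod(1, 0x100, {"in_port": 3, "eth_type": 0x0800, "ipv4_src": "10.0.0.0/24"}, "l2fwd"))
    # The inconsistency the paper describes: buffer 0x101 holds 10.0.1.7's packet, but the
    # rule's match fields describe a different flow. A conflict detector sees only the match; this check sees both.
    results["inconsistent"] = guard.check_flow_mod(
        FlowMod(1, 0x101, {"in_port": 5, "eth_type": 0x0800, "ipv4_src": "10.0.0.1"}, "untrusted_app"))
    # Buffer 0x100 was consumed by the honest rule above; a second reference to it is stale.
    results["stale"] = guard.check_flow_mod(FlowMod(1, 0x100, {"in_port": 3}, "l2fwd"))
    # A rule with no buffer_id releases nothing, so there is nothing to check.
    results["nobuf"] = guard.check_flow_mod(FlowMod(1, OFP_NO_BUFFER, {"ipv4_dst": "10.0.0.2"}, "l2fwd"))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} allowed={verdict.allowed} {verdict.reason} {verdict.mismatched}")
```

The guard only compares the rule's match against the packet it would release; it deliberately says nothing about whether the match conflicts with other rules, which is the separate job of the rule conflict detectors the abstract mentions. A rule with fewer fields than the packet's headers is accepted because a wildcard still matches the packet, while a rule naming a field the packet lacks is rejected. Real OXM matches also carry bitmasks on non-IP fields, which this example does not handle.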