Research ArticleExploiting the Vulnerability of FlowTable Overflow in Software-Defined NetworkAttack Model Evaluation and Defense

Yadong Zhou 1 Kaiyue Chen1 Junjie Zhang2 Junyuan Leng1 and Yazhe Tang1

1MOE Key Lab for Intelligent Networks and Network Security Xirsquoan Jiaotong University Xirsquoan China2Department of Computer Science and Engineering Wright State University Fairborn OH USA

Correspondence should be addressed to Yadong Zhou yadongzhougmailcom

Received 28 September 2017 Accepted 6 December 2017 Published 9 January 2018

Academic Editor Zhiping Cai

Copyright copy 2018 Yadong Zhou et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

As the most competitive solution for next-generation network SDN and its dominant implementation OpenFlow are attractingmore and more interests But besides convenience and flexibility SDNOpenFlow also introduces new kinds of limitations andsecurity issuesOf these limitations themost obvious andmaybe themost neglected one is the flow table capacity of SDNOpenFlowswitches In this paper we proposed a novel inference attack targeting at SDNOpenFlow network which is motivated by thelimited flow table capacities of SDNOpenFlow switches and the following measurable network performance decrease resultingfrom frequent interactions between data and control plane when the flow table is full To the best of our knowledge this is the firstproposed inference attack model of this kind for SDNOpenFlow We implemented an inference attack framework according toour model and examined its efficiency and accuracy The evaluation results demonstrate that our framework can infer the networkparameters (flow table capacity and usage) with an accuracy of 80 or higher We also proposed two possible defense strategies forthe discovered vulnerability including routing aggregation algorithm and multilevel flow table architecture These findings give usa deeper understanding of SDNOpenFlow limitations and serve as guidelines to future improvements of SDNOpenFlow

1 Introduction

By decoupling the control plane from the data planeSoftware-Defined Network (SDN) makes programmability abuilt-in feature for networks thereby introducing automatic-ity and flexibility to the networking management SDN hastherefore been foreseen as the key technology that enables thenext generation of networking paradigmDespite its promiseone of the most significant barriers towards SDNrsquos widepractical deployment resides in overwhelming security con-cerns [1] Therefore proactively detecting quantifying andmitigating its security vulnerabilities become of fundamentalimportance

In spite of its novelty SDN indeed reuses various designand implementation elements ranging from architecturesand protocols to systems from traditional network It isnot surprising that SDN inheres the vulnerabilities intrinsicto these elements For example similar to any networkedservice secure channels between controllers and switches

might be disrupted by DDoS attacks like firewall rulesthe flow entries may also conflict with each other leakingunwanted traffic malicious arp spoofing generated by attack-ers may poison the controller MAC table disturbing the nor-mal topology information gathering and packet forwardinguntrusted applications may instrument SDN controller toperform malicious behaviors without proper access controlwhich is one of the design objectives for modern operatingsystems In response existing research in the context ofSDN security mainly focuses on detecting and mitigatingthese vulnerabilities For example [2] evaluates man-in-the-middle attacks that target at SDNOpenFlow secure channelsFortNOX [3] brings security enforcement module into NOX[4] and enables real-time flow entry conflict check VeriFlow[5] detects network-wide invariant violations by acting as atransparent layer between control plane and data plane

In this paper we introduce a novel SDN vulnerabilityThe novelty of this vulnerability stems from the feedback-loop nature of SDN a fundamental difference compared

HindawiSecurity and Communication NetworksVolume 2018 Article ID 4760632 15 pageshttpsdoiorg10115520184760632

2 Security and Communication Networks

with traditional networks Particularly this vulnerability canbe extremely severe in SDN-based networks where networktraffic from different sources shares the same SDN switchrsquosflow table for example different tenants in a SDN-basedcloud computing network

Specifically most commercial SDNOpenFlow switcheshave limited flow table capacities ranging from hundreds tothousands [6] Such capacity is usually insufficient to handlemillions of flows that are typical for enterprise and data centernetworks [7] Nevertheless the flow table capacity was justconsidered as a potential bottleneck of resource consumingattacks in the past motivating researches on flow cachingsystems like [8ndash10] But according to our analysis the flowtable capacity can lead to inference attack and privacy leakageunder certain circumstances

As a consequence of flow table overflow the SDNcontroller needs to dynamically maintain the flow table byinserting and deleting flow entries The maintaining processtypically includes packet information transferring routingrule calculation and flow entry deployment which leads tomeasurable network performance decrease

Particularly once the flow table is full extra interactionsbetween controller and switch are needed to remove certainexisting flow entries to make room for newly generated flowentries resulting in further network performance decreaseAn attacker can therefore leverage the perceived performancechange to deduce the internal state of the SDN To be morespecific we consider the scenario that an attacker resides ina network that is managed by a SDN The attacker can thenactively generate network traffic triggering the interactionsbetween the controller and switch with respect to flow entryinsertion and deletion The attacker can then measure thechange of the network performance to estimate the internalstate of the SDN including the flow table capacity and flowtable usage We have designed innovative algorithms toexploit this vulnerability and quantify their effectiveness onexploiting this vulnerability based on extensive evaluation

Additionally to mitigate this vulnerability we have pro-posed two possible defense strategies The first strategy isa new routing aggregation algorithm to compress the flowentries so they will consume less flow table spaceThe secondstrategy is building a multilevel flow table architectureMultilevel flow table architecture can implement flow tableswith larger capacities without introducing additional powerassumption or charges

To summarize in this paper we made the followingcontributions

(i) We have identified a novel vulnerability introducedby the limited flow table capacities of SDNOpenFlowswitches and formalized that threat

(ii) We have designed effective algorithms that can suc-cessfully exploit this vulnerability to accurately inferthe internal states of the SDN network including flowtable capacity and flow table usage

(iii) We have performed extensive evaluation to quantifythe effectiveness of proposed algorithms The experi-mental results have demonstrated that the discovered

vulnerability indeed leads to significant security con-cerns our algorithm can infer the network parame-ters with an accuracy of 80 or higher across variousnetwork settings

(iv) We have proposed two possible defense strategiesfor the discovered vulnerability including routingaggregation algorithm to compress the flow entriesand multilevel flow table architecture to implementflow tables with larger capacities

The rest of this paper is organized as follows Section 2gives an overall statement of the inference attack problemSection 3 gives detailed inference algorithms targeting atFIFO and LRU replacement algorithms respectively Sec-tion 4 gives a detailed evaluation of the simulation resultsSection 5 proposes two possible defense methods against thiskind of inference attack Section 6 is a brief discussion aboutour findings and future research Section 7 describes somerelated works in this area Finally Section 8 concludes thispaper

2 Problem Statement

The vulnerability of flow table overflow in SDN potentiallyexists in SDN-based cloud computing network and otherimportant SDN-based networking systems [11 12]

After analyzing current structure and implementation ofSDNOpenFlow its decoupled nature gives us inspiration theinteractions between control plane and data plane will leadto network performance decrease which can be measuredthrough performance parameters like round trip time (RTT)If a flow matches one flow entry the flow will be forwardeddirectly according to the matched entry This process is fastand will cost little timeWhen the flow table is full some flowentry will be removed then the controller has to calculatethe rule and send a new flow entry to the switch and thisprocess is more complex and has more interactions betweencontroller and switch than the previous case which will costmore time

Figure 1 gives an overall flowchart of packet processingin an OpenFlow switch The three rectangular regions sur-rounded by dotted line stand for three possible packet pro-cessing branches respectively When the switch encountersan incoming packet it will parse it and send the parsed packetinto the subsequent processing pipeline

Then as the first step of the pipeline the switch willlook up its flow table to search flow entries matching thepacket When there is a match the switch will directlyforward the packet according to actions associated with thecorresponding flow entry This branch is illustrated in theinnermost rectangle of Figure 1

When there is no corresponding flow entry in the flowtable extra steps will be introduced into the procedureAdditional interactions between the switch and the controllerwill happen to acquire corresponding routing rules includingpacket information transferring routing rule calculation andflow entry deployment The middle rectangle of Figure 1illustrates this process

Security and Communication Networks 3

Packetparsing

Flow table lookup

Flow table status check

Flow table replacement

Insert new flow entry

Packet forwardIncomingpacket

Match

No match

Not full

Full

Outcoming packet

Figure 1 OpenFlow packet processing flowchart

T3

T2

T1

Pkt1 Pkt1 Pkt1

RTT

Packet sequence

TS1

(a)

Pkt2 PktNPkt3 Pkt4

RTT

Packet sequence

TS3

TS2

(b)

Figure 2 RTT measurement of different flow table state

Before the switch inserts the newly generated flow entryit has to check the flow table status to make sure that there isenough space in the flow tableWhen the flow table is full thecontroller has to perform flow table replacement operationsto make room for the upcoming flow entry These operationsinclude deciding which old flow entry to delete accordingto certain flow table replacement algorithm and flow entrydeletion The outermost rectangle in Figure 1 stands for thisbranch

That is exactly where the vulnerability lies In traditionalnetworks the switches and routers are autonomous whichmeans they can maintain their routing tables locally withoutinteracting with an external device But due to the decouplednature of SDNOpenFlow maintaining switch flow tablesneeds frequent interactions between switches and controllersmaking it possible for an attacker to leverage the perceivedperformance change to deduce the internal state of the SDNnetwork

As shown in Figure 1 the rectangular regions surroundedby dotted line correspond to different possible packet pro-cessing branches The larger a rectangle is the longer theprocessing time of that branch will be because of the extrasteps that rectangle contains When there is a match in the

flow table the processing time will be the shortest whenthere is no match in the flow table and the flow table is notfull the processing time will be longer because of additionrouting calculation and flow entry deployment when thereis no match in the flow table and the flow table is fullthe processing time will be the longest because a flow tablereplacement operation has to be performed So as a networkparameter directly influenced by the processing time theRTT of a packet can serve as an indicator of flow table stateand flow entry state

The process of deciding RTT thresholds for flow tablestate detection is shown in Figure 2

Figures 2(a) and 2(b) represent two cooperating threadsthe 119909-axis represents the packet sequence and the 119910-axisrepresents the recorded RTT of every packet Firstly inthe upper thread we generate a packet with a specificsrc ip dst ip src mac dst mac combination calling it Pkt1Send Pkt1 to the target OpenFlow switch and record thecorresponding RTT as 1198792 Currently there is no correspond-ing flow entry in the OpenFlow switch because Pkt1 is anew packet After a time span TS1 send Pkt

1to the target

OpenFlow switch again and record the corresponding RTTas 1198791 If TS1 is chosen properly the newly installed flow

4 Security and Communication Networks

entry matching Pkt1should still exist in the OpenFlow

switch Next in the lower thread we continuously generatepackets Pkt

2Pkt3 Pkt

119873 each with a different combi-

nation of src ip dst ip src mac dst mac and send thesepackets to the target OpenFlow switch with the time spanof TS

2 Because there are no flow entries matching their

packets in the OpenFlow switch the recorded RTTs will beapproximately the same as 1198792 Keep generating and sendingpackets until we observe a sudden increase of the RTT whichindicates that the flow table is full Then in the upper threadwe send Pkt1 again immediately and record the RTT as 1198793To achieve higher precision we can repeat the process anduse average values of 1198791 1198792 and 1198793 as final results

From the process above we can see that 1198791 1198792 and

1198793will serve as thresholds for flow table state detection

when the measured RTT is around 1198791 we can infer that

there is corresponding flow entry in the flow table when themeasured RTT is around 119879

2 we can infer that there is no

corresponding flow entry in the flow table and the flow tableis not full when themeasured RTT is around119879

3 we can infer

that there is no corresponding flow entry in the flow table andthe flow table is full

We model the SDNOpenFlow network as a black boxand observe its response (RTT) to different input (networkpackets) then we use the response to estimate the flow tablestate and flow entry state and perform further inference Thewhole process comes in three steps

Firstly we send probing packets into the network totrigger the interaction As there is still no mature routingaggregation algorithm or hierarchical routing rule solutioncurrent SDNOpenFlow switches typically use exact matchrules That means if we send 119899 packets with different fakedmetainformation like src ip and dst ip there will be 119899 newlygenerated flow entries inserted into the flow table If wesend excessive probing packets in a short period of time theflow table will overflow and then the interaction process willbe triggered Secondly we measure RTTs of the respondedpackets and infer the flow table state and flow entry stateThirdly we use observed flow table states and flow table statesas controlling signals in our inference algorithm and performflow table capacity inference

Having to achieve a hit rate as high as possible in a ratherlimited space flow table serves like a ldquocacherdquo in operatingsystems and web proxy servers In this paper we choose FIFOand LRU because they are common and popular [13]

3 Inference Algorithm

The logical structure of our inference algorithm is shownin Figure 3 The inference algorithm consists of two mainpart flow table state detection and flow table state controlFor flow table state detection we perform RTTmeasurementto classify the different states of flow table and specificflow entry For flow table state control we generate specificsequence of attacking network packets to manipulate thestate of flow entries For different flow table replacementalgorithms the relation betweennetwork traffic sequence andflow entry state will be different so we will have different

LRUinferencealgorithm

Strategy for FIFO

Strategy for LRU

Flow table state controlRTT measurement

FIFO inferencealgorithm Flow table state detection

traffic generation strategy

Figure 3 Inference algorithm

A

B

C

D

Figure 4 FIFO inference principle

network traffic generation strategy for different flow tablereplacement algorithms like FIFO and LRU We will intro-duce the inference algorithms for FIFO andLRU respectively

31 FIFO Inference Algorithm Asmentioned in Section 2 theinference process of FIFO algorithm will be as follows wegenerate and send a huge amount of probing packets eachwith a different combination of src ip dst ip src mac anddst mac and the newly inserted flow entries matching thegenerated packets will ldquopushrdquo the other usersrsquo flow entries outof the flow table We can detect if the flow table is full and theexistence of our flow entries Combined with the number ofinserted flow entries we recorded we can infer the flow tablecapacity and flow table usage The process of flow table statetransformation is shown in Figure 4

We use 119865our to represent the number of our inserted flowentries and use 119865other to represent the number of flow entriesfrom other users in the flow table Both 119865our and 119865other arefunctions of timeWe use119879

119860119879119861119879119862 and119879

119863to represent four

time points corresponding to four subfigures respectivelyand use 119862 to represent the flow table capacity

Figure 4 (119860) shows the flow table and the flow entriesit contains just before the experiment starts The rectangleitems represent the flow entries from other users sharing theOpenFlow switch The current number of other usersrsquo flowentries can be expressed as 119865other(119879119860)

Figure 4 (119861) illustrates the time when we start to sendgenerated packets inserting new flow entries into the flowtable The grey rectangles represent the flow entries insertedby us As we can see our flow entries keep pushing otherusersrsquo flow entries to the front of the FIFO queue During theexperiment we should keep a record of the generated packetsincluding their attributes and serial numbers

Security and Communication Networks 5

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) while 119873 lt length(119868119875) do(11) 119894119901 larr 119868119875[119873](12) SendPacket(119894119901)(13) 119873 larr 119873 + 1(14) if Flow table is full then(15) 119873

1larr 119873

(16) continue(17) end if(18) if One of our flow entries is deleted then(19) 119873

2larr 119873

(20) break(21) end if(22) end while(23) 119865capacity larr 1198732(24) 119865other larr 1198732 minus 1198731(25) return 119865capacity 119865other

Algorithm 1 FIFO inference algorithm

Figure 4 (119862) shows the timewhenwe detect the flow tableis full At this point of time flow entries from us and otherusers add up to fill the whole flow table precisely We have

119865our (119879119862) + 119865other (119879119862) = 119862 (1)

Figure 4 (119863) shows the time when we detect that one ofour inserted flow entries has been deleted That means theflow table is now full of our flow entries without any flowentries from other users We have

119865our (119879119863) = 119862 (2)

Combine the two equations above we have

119865other (119879119860) = 119865other (119879119862) = 119862 minus 119865our (119879119862)

= 119865our (119879119863) minus 119865our (119879119862) (3)

According to the analysis above we describe the inferenceprocess for FIFO algorithm as shown in Algorithm 1

The main error of the inference comes from the flowentries inserted by other users when our insertion is inprogressWe assume that our flow entry insertion speed is fastenough so that during the period of experiment the newlyinserted flow entries are all from us But that is not alwaysthe truth Ignoring the possible flow entries inserted by otherusers will make our inference result smaller than the actualvalue

Considering the flow entries inserted by other users theactual equations are listed below

When we detect the flow table is full if we use 119864(119860 119861)to represent the number of just inserted flow entries fromother users from time point 119860 to time point 119861 the equationbecomes

119865our (119879119862) + 119865other (119879119862) + 119864 (119879119860 119879119862) = 119862 (4)

And when we detect that one of our inserted flow entriesis deleted the equation becomes

119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863) = 119862 (5)

Combine the two equations above we have

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (6)

So the actual equation considering flow entry insertionsduring inference should be

119862 = 119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (7)

Compared with our former equation ignoring flow entryinsertions

119862 = 119865our (119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) (8)

We can see that the inferred flow table usage119865other and theinferred flow table capacity 119865capacity will both be smaller thanthe actual value

32 LRU Inference Algorithm The experiment principle ofLRU algorithm has something in common with that of FIFOalgorithm because under these two circumstances we canboth keep our flow entries stay in the back of the cache queueusing certain operations However there are still differenceslies in the flow entry maintaining process

The nature of FIFO algorithm ensures that the position ofthe flow entries only depends on the time they are insertedThe earlier inserted flow entries are sure to be nearer to thefront of the cache queue comparedwith the later inserted flowentries But in LRUalgorithm the positions of the flow entriesdepend not only on the time they are inserted but also on thelast time they are accessed In order to keep our flow entriesstay in the back of the cache queue we need to continuouslyaccess the previously inserted flow entries

During the maintain process every time we insert anew flow entry we need to access all previously insertedflow entries for one time to ldquoliftrdquo them to the backof the cache queue The access history may be like1198751 1198751 1198752 1198751 1198752 1198753 1198751 1198752 1198753 1198754 and we call it aldquorollingrdquo maintaining process The maintaining algorithm isshown in Algorithm 2 According to the analysis above wedescribe the inference process for LRU in Algorithm 3

The feasibility and error analysis of LRU algorithm issimilar to that of FIFO algorithm The inferred flow tableusage 119865other and the inferred flow table capacity 119865capacity willboth be smaller than the actual value because of ignoring theflow entries inserted by other users during the experiment

6 Security and Communication Networks

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of Inserted IP 119868119875inserted(3) function RollingPacketSender(119868119875inserted)(4) 119894 larr 1(5) while 119894 lt length(119868119875inserted) do(6) for 119895 larr 0 119895 lt 119894 119895 + + do(7) 119894119901 larr 119868119875inserted[119895](8) SendPacket(119894119901)(9) end for(10) 119894 larr 119894 + 1(11) end while(12) end function

Algorithm 2 Rolling maintaining algorithm

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) 119868119875inserted larr [](11) while 119873 lt length(119868119875) do(12) 119894119901 larr 119868119875[119873](13) 119868119875inserted larr 119868119875inserted + 119894119901(14) RollingPacketSender(119868119875inserted)(15) 119873 larr 119873 + 1(16) if Flow table is full then(17) 119873

1larr 119873

(18) continue(19) end if(20) if One of our flow entries is deleted then(21) 119873

2larr 119873

(22) break(23) end if(24) end while(25) 119865capacity larr 1198732(26) 119865other larr 1198732 minus 1198731(27) return 119865capacity 119865other

Algorithm 3 LRU inference algorithm

4 Evaluation

41 Implementation The emulation environment of ourexperiment consists of three parts a network prototypingsystem used to emulate host and switch a network controllerand our inference attack toolkit

We choose Mininet [14] as the network prototypingsystem because it encapsulates host and switch emulationand thus easy to use Our emulated network prototype

for evaluation uses a star topology consisting of 20 hostsconnected to a single OpenFlow switch We build FIFO andLRUcontroller applications using Python on the basis of POX[15] OpenFlow controller As for the inference attack toolkitwe use libnet [16] to generate probing packets and libpcap[17] to capture replied packets To simulate the backgroundtraffic in real network we built a SDN testbed using Mininetand POX On the SDN testbed we performed a series ofbasic SDN operations These operations include buildinga customized SDN network topology setting up the linkbetween SDN switches and performing the ping test betweenall SDN nodes We captured the network traffic generatedduring these operations and use them as the backgroundnetwork traffic sample

42 RTT Measurement As we have mentioned in Sec-tion 2 the difference between traditional network andSDNOpenFlow network in handling previously unseenpackets gives us a possible indicator of the flow table stateand the flow entry living state RTT When there is notcorresponding flow entry existing in the flow table the RTTof a packet will significantly increase due to the interactionsbetween controller and switch in order to acquire new flowentries That is the case when there is still space in the flowtable Once the flow table is full the RTT of a packet willfurther increase as a result of extra flow table replacementoperations To prove the effectiveness of using RTT as theflow table state and flow entry state indicator we measuredpacket RTTs corresponding to different flow table state andflow entry state

Figure 5 gives the RTT measurement result showing thedifference The points with different symbols represent thetotal 300 times of RTTmeasurements we have conducted 100times ofmeasurement for each combination of flow table stateand flow entry state The square points stand for RTTs whenflow entry exists in flow table The circle points and trianglepoints both stand for RTTs when flow entry does not exist inflow table the circle points are measured when the flow tableis full and the triangle points are measured when the flowtable is not full

As can be seen from the figure when flow entry existsin flow table the packet RTTs are highly concentrated in the

Security and Communication Networks 7

50 100Group

8

7

6

5

4

3

2

1

00

RTT

(ms)

Flow entry exists in flow tableFlow entry does not exist and flow table is not fullFlow entry does not exist and flow table is full

Figure 5 RTT measurement

Table 1 Default timeout values

Controller Hard timeout Idle timeoutRyu 0 0Beacon 0 5 sFloodlight 0 5 sNOX 0 5 sPOX 30 s 10 sTrema 0 60 sMaestro 180 s 30 s

range of 02sim03ms when flow entry does not exist in flowtable and flow table is not full the packet RTTswill increase toabout 3sim5ms when flow entry does not exist in flow table andflow table is full the packet RTTs will be the highest rangingfrom 6ms to 8ms These three groups of RTTs all distributeintensively in a small rangewithout overlapping other groupsshowing the excellent discrimination of using RTT as a flowtable state and flow entry state indicator

43 Timeout

431 Default Timeout Values According to our previousanalysis the feasibility of our inference attack depends onwhether we can generate enough flow entries to fulfill theflow table within a single timeout cycle That means wemust have the ability to generate as many flow entries as theflow entry can hold during a timeout period So we analyzeseveral popular open-source controllers and search for theirdefault timeout values in the built-in applications The resultis presented in Table 1 The zero values in the table mean thecorresponding timeout will not take effect or in other wordsthe timeout value is ldquopermanentrdquo As can be seen from thetable most available controllers have timeout values in therange of 5 s to 30 s

If we take the flow table capacity of 2000 flow entries asan example the minimum packet generating speed requiredwill be 20005 = 400 packets per second while libnet can

generate tens of thousand packets per second So the defaulttimeout values ensure the feasibility of our inference attack

432 Timeout Measurement Though default timeout valuesof mainstream OpenFlow controllers can be read from theirsource codes it is still possible for SDN network administra-tors to manually change the default timeout values In orderto handle nondefault timeout values and provide basis foradjusting packet generating speed it is essential to examinethe accuracy of passive timeout measurement

Figure 6 illustrates relative errors (see equation (9)) ofhard timeout and idle timeout measurement respectivelyWemanuallymodify hard timeout and idle timeout values ofPOX OpenFlow controller to 5 s 10 s 15 s 20 s 25 s and 30 sand then we use timeout measurement algorithmmentionedin Section 2 to measure these timeout values and calculaterelative errors

relative error =1003816100381610038161003816valuedetected minus valuetrue

1003816100381610038161003816valuetrue

lowast 100 (9)

Every line in Figures 6(a) and 6(b) corresponds to 10times of repeated measurements conducted under a certaintimeout setting from 5 s to 30 sThemargin stays in the rangeof plus-or-minus 10 percent showing the effectiveness andhigh accuracy of our timeout measurement algorithm

44 Flow Table Capacity Flow capacity is the primary targetof our inference attack It reflects the hardware specificationof an OpenFlow switch Figure 7 illustrates the flow tablecapacity measurement result when controller adopts FIFOreplacement algorithm We manually limited the switch flowtable capacity to 10 different values from 100 flow entries to1000 flow entries and used our framework to perform theinference

The dark bars represent the manually set flow tablecapacities or real capacities The light bars represent themeasured flow table capacities For every manually set flowtable capacity we conduct 10 times of repeatedmeasurementsand take their mean value as the final result From thefigure we can see that the measured capacities are quite closeto the real capacities indicating the high accuracy of ourinference framework For example when the real capacity is400 flow entries our measured capacity is 408 flow entrieswith an error of only 8 flow entries As the real capacitygrows the packet generating speed required becomes fasterplacing higher requirements on packet sending receivingsynchronization and accurate timing But our inferencealgorithm shows unbelievable stability and accuracy whenthe real capacity is 1000 flow entries our measured capacityis 973 flow entries with an error of just 27 flow entries

Like Figure 7 Figure 8 also illustrates the flow tablecapacity measurement results with the only difference ofbeing performed under LRU replacement algorithm insteadof FIFO

According to our previous analysis the inference princi-ple of LRU replacement algorithm is more complex becauseof the unavoidable mixed nature of flow entries in the flowtable and the rolling maintaining process But our inference

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 3

Packetparsing

Flow table lookup

Flow table status check

Flow table replacement

Insert new flow entry

Packet forwardIncomingpacket

Match

No match

Not full

Full

Outcoming packet

Figure 1 OpenFlow packet processing flowchart

T3

T2

T1

Pkt1 Pkt1 Pkt1

RTT

Packet sequence

TS1

(a)

Pkt2 PktNPkt3 Pkt4

RTT

Packet sequence

TS3

TS2

(b)

Figure 2 RTT measurement of different flow table state

Before the switch inserts the newly generated flow entryit has to check the flow table status to make sure that there isenough space in the flow tableWhen the flow table is full thecontroller has to perform flow table replacement operationsto make room for the upcoming flow entry These operationsinclude deciding which old flow entry to delete accordingto certain flow table replacement algorithm and flow entrydeletion The outermost rectangle in Figure 1 stands for thisbranch

That is exactly where the vulnerability lies In traditionalnetworks the switches and routers are autonomous whichmeans they can maintain their routing tables locally withoutinteracting with an external device But due to the decouplednature of SDNOpenFlow maintaining switch flow tablesneeds frequent interactions between switches and controllersmaking it possible for an attacker to leverage the perceivedperformance change to deduce the internal state of the SDNnetwork

As shown in Figure 1 the rectangular regions surroundedby dotted line correspond to different possible packet pro-cessing branches The larger a rectangle is the longer theprocessing time of that branch will be because of the extrasteps that rectangle contains When there is a match in the

flow table the processing time will be the shortest whenthere is no match in the flow table and the flow table is notfull the processing time will be longer because of additionrouting calculation and flow entry deployment when thereis no match in the flow table and the flow table is fullthe processing time will be the longest because a flow tablereplacement operation has to be performed So as a networkparameter directly influenced by the processing time theRTT of a packet can serve as an indicator of flow table stateand flow entry state

The process of deciding RTT thresholds for flow tablestate detection is shown in Figure 2

Figures 2(a) and 2(b) represent two cooperating threadsthe 119909-axis represents the packet sequence and the 119910-axisrepresents the recorded RTT of every packet Firstly inthe upper thread we generate a packet with a specificsrc ip dst ip src mac dst mac combination calling it Pkt1Send Pkt1 to the target OpenFlow switch and record thecorresponding RTT as 1198792 Currently there is no correspond-ing flow entry in the OpenFlow switch because Pkt1 is anew packet After a time span TS1 send Pkt

1to the target

OpenFlow switch again and record the corresponding RTTas 1198791 If TS1 is chosen properly the newly installed flow

4 Security and Communication Networks

entry matching Pkt1should still exist in the OpenFlow

switch Next in the lower thread we continuously generatepackets Pkt

2Pkt3 Pkt

119873 each with a different combi-

nation of src ip dst ip src mac dst mac and send thesepackets to the target OpenFlow switch with the time spanof TS

2 Because there are no flow entries matching their

packets in the OpenFlow switch the recorded RTTs will beapproximately the same as 1198792 Keep generating and sendingpackets until we observe a sudden increase of the RTT whichindicates that the flow table is full Then in the upper threadwe send Pkt1 again immediately and record the RTT as 1198793To achieve higher precision we can repeat the process anduse average values of 1198791 1198792 and 1198793 as final results

From the process above we can see that 1198791 1198792 and

1198793will serve as thresholds for flow table state detection

when the measured RTT is around 1198791 we can infer that

there is corresponding flow entry in the flow table when themeasured RTT is around 119879

2 we can infer that there is no

corresponding flow entry in the flow table and the flow tableis not full when themeasured RTT is around119879

3 we can infer

that there is no corresponding flow entry in the flow table andthe flow table is full

We model the SDNOpenFlow network as a black boxand observe its response (RTT) to different input (networkpackets) then we use the response to estimate the flow tablestate and flow entry state and perform further inference Thewhole process comes in three steps

Firstly we send probing packets into the network totrigger the interaction As there is still no mature routingaggregation algorithm or hierarchical routing rule solutioncurrent SDNOpenFlow switches typically use exact matchrules That means if we send 119899 packets with different fakedmetainformation like src ip and dst ip there will be 119899 newlygenerated flow entries inserted into the flow table If wesend excessive probing packets in a short period of time theflow table will overflow and then the interaction process willbe triggered Secondly we measure RTTs of the respondedpackets and infer the flow table state and flow entry stateThirdly we use observed flow table states and flow table statesas controlling signals in our inference algorithm and performflow table capacity inference

Having to achieve a hit rate as high as possible in a ratherlimited space flow table serves like a ldquocacherdquo in operatingsystems and web proxy servers In this paper we choose FIFOand LRU because they are common and popular [13]

3 Inference Algorithm

The logical structure of our inference algorithm is shownin Figure 3 The inference algorithm consists of two mainpart flow table state detection and flow table state controlFor flow table state detection we perform RTTmeasurementto classify the different states of flow table and specificflow entry For flow table state control we generate specificsequence of attacking network packets to manipulate thestate of flow entries For different flow table replacementalgorithms the relation betweennetwork traffic sequence andflow entry state will be different so we will have different

LRUinferencealgorithm

Strategy for FIFO

Strategy for LRU

Flow table state controlRTT measurement

FIFO inferencealgorithm Flow table state detection

traffic generation strategy

Figure 3 Inference algorithm

A

B

C

D

Figure 4 FIFO inference principle

network traffic generation strategy for different flow tablereplacement algorithms like FIFO and LRU We will intro-duce the inference algorithms for FIFO andLRU respectively

31 FIFO Inference Algorithm Asmentioned in Section 2 theinference process of FIFO algorithm will be as follows wegenerate and send a huge amount of probing packets eachwith a different combination of src ip dst ip src mac anddst mac and the newly inserted flow entries matching thegenerated packets will ldquopushrdquo the other usersrsquo flow entries outof the flow table We can detect if the flow table is full and theexistence of our flow entries Combined with the number ofinserted flow entries we recorded we can infer the flow tablecapacity and flow table usage The process of flow table statetransformation is shown in Figure 4

We use 119865our to represent the number of our inserted flowentries and use 119865other to represent the number of flow entriesfrom other users in the flow table Both 119865our and 119865other arefunctions of timeWe use119879

119860119879119861119879119862 and119879

119863to represent four

time points corresponding to four subfigures respectivelyand use 119862 to represent the flow table capacity

Figure 4 (119860) shows the flow table and the flow entriesit contains just before the experiment starts The rectangleitems represent the flow entries from other users sharing theOpenFlow switch The current number of other usersrsquo flowentries can be expressed as 119865other(119879119860)

Figure 4 (119861) illustrates the time when we start to sendgenerated packets inserting new flow entries into the flowtable The grey rectangles represent the flow entries insertedby us As we can see our flow entries keep pushing otherusersrsquo flow entries to the front of the FIFO queue During theexperiment we should keep a record of the generated packetsincluding their attributes and serial numbers

Security and Communication Networks 5

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) while 119873 lt length(119868119875) do(11) 119894119901 larr 119868119875[119873](12) SendPacket(119894119901)(13) 119873 larr 119873 + 1(14) if Flow table is full then(15) 119873

1larr 119873

(16) continue(17) end if(18) if One of our flow entries is deleted then(19) 119873

2larr 119873

(20) break(21) end if(22) end while(23) 119865capacity larr 1198732(24) 119865other larr 1198732 minus 1198731(25) return 119865capacity 119865other

Algorithm 1 FIFO inference algorithm

Figure 4 (119862) shows the timewhenwe detect the flow tableis full At this point of time flow entries from us and otherusers add up to fill the whole flow table precisely We have

119865our (119879119862) + 119865other (119879119862) = 119862 (1)

Figure 4 (119863) shows the time when we detect that one ofour inserted flow entries has been deleted That means theflow table is now full of our flow entries without any flowentries from other users We have

119865our (119879119863) = 119862 (2)

Combine the two equations above we have

119865other (119879119860) = 119865other (119879119862) = 119862 minus 119865our (119879119862)

= 119865our (119879119863) minus 119865our (119879119862) (3)

According to the analysis above we describe the inferenceprocess for FIFO algorithm as shown in Algorithm 1

The main error of the inference comes from the flowentries inserted by other users when our insertion is inprogressWe assume that our flow entry insertion speed is fastenough so that during the period of experiment the newlyinserted flow entries are all from us But that is not alwaysthe truth Ignoring the possible flow entries inserted by otherusers will make our inference result smaller than the actualvalue

Considering the flow entries inserted by other users theactual equations are listed below

When we detect the flow table is full if we use 119864(119860 119861)to represent the number of just inserted flow entries fromother users from time point 119860 to time point 119861 the equationbecomes

119865our (119879119862) + 119865other (119879119862) + 119864 (119879119860 119879119862) = 119862 (4)

And when we detect that one of our inserted flow entriesis deleted the equation becomes

119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863) = 119862 (5)

Combine the two equations above we have

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (6)

So the actual equation considering flow entry insertionsduring inference should be

119862 = 119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (7)

Compared with our former equation ignoring flow entryinsertions

119862 = 119865our (119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) (8)

We can see that the inferred flow table usage119865other and theinferred flow table capacity 119865capacity will both be smaller thanthe actual value

32 LRU Inference Algorithm The experiment principle ofLRU algorithm has something in common with that of FIFOalgorithm because under these two circumstances we canboth keep our flow entries stay in the back of the cache queueusing certain operations However there are still differenceslies in the flow entry maintaining process

The nature of FIFO algorithm ensures that the position ofthe flow entries only depends on the time they are insertedThe earlier inserted flow entries are sure to be nearer to thefront of the cache queue comparedwith the later inserted flowentries But in LRUalgorithm the positions of the flow entriesdepend not only on the time they are inserted but also on thelast time they are accessed In order to keep our flow entriesstay in the back of the cache queue we need to continuouslyaccess the previously inserted flow entries

During the maintain process every time we insert anew flow entry we need to access all previously insertedflow entries for one time to ldquoliftrdquo them to the backof the cache queue The access history may be like1198751 1198751 1198752 1198751 1198752 1198753 1198751 1198752 1198753 1198754 and we call it aldquorollingrdquo maintaining process The maintaining algorithm isshown in Algorithm 2 According to the analysis above wedescribe the inference process for LRU in Algorithm 3

The feasibility and error analysis of LRU algorithm issimilar to that of FIFO algorithm The inferred flow tableusage 119865other and the inferred flow table capacity 119865capacity willboth be smaller than the actual value because of ignoring theflow entries inserted by other users during the experiment

6 Security and Communication Networks

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of Inserted IP 119868119875inserted(3) function RollingPacketSender(119868119875inserted)(4) 119894 larr 1(5) while 119894 lt length(119868119875inserted) do(6) for 119895 larr 0 119895 lt 119894 119895 + + do(7) 119894119901 larr 119868119875inserted[119895](8) SendPacket(119894119901)(9) end for(10) 119894 larr 119894 + 1(11) end while(12) end function

Algorithm 2 Rolling maintaining algorithm

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) 119868119875inserted larr [](11) while 119873 lt length(119868119875) do(12) 119894119901 larr 119868119875[119873](13) 119868119875inserted larr 119868119875inserted + 119894119901(14) RollingPacketSender(119868119875inserted)(15) 119873 larr 119873 + 1(16) if Flow table is full then(17) 119873

1larr 119873

(18) continue(19) end if(20) if One of our flow entries is deleted then(21) 119873

2larr 119873

(22) break(23) end if(24) end while(25) 119865capacity larr 1198732(26) 119865other larr 1198732 minus 1198731(27) return 119865capacity 119865other

Algorithm 3 LRU inference algorithm

4 Evaluation

41 Implementation The emulation environment of ourexperiment consists of three parts a network prototypingsystem used to emulate host and switch a network controllerand our inference attack toolkit

We choose Mininet [14] as the network prototypingsystem because it encapsulates host and switch emulationand thus easy to use Our emulated network prototype

for evaluation uses a star topology consisting of 20 hostsconnected to a single OpenFlow switch We build FIFO andLRUcontroller applications using Python on the basis of POX[15] OpenFlow controller As for the inference attack toolkitwe use libnet [16] to generate probing packets and libpcap[17] to capture replied packets To simulate the backgroundtraffic in real network we built a SDN testbed using Mininetand POX On the SDN testbed we performed a series ofbasic SDN operations These operations include buildinga customized SDN network topology setting up the linkbetween SDN switches and performing the ping test betweenall SDN nodes We captured the network traffic generatedduring these operations and use them as the backgroundnetwork traffic sample

42 RTT Measurement As we have mentioned in Sec-tion 2 the difference between traditional network andSDNOpenFlow network in handling previously unseenpackets gives us a possible indicator of the flow table stateand the flow entry living state RTT When there is notcorresponding flow entry existing in the flow table the RTTof a packet will significantly increase due to the interactionsbetween controller and switch in order to acquire new flowentries That is the case when there is still space in the flowtable Once the flow table is full the RTT of a packet willfurther increase as a result of extra flow table replacementoperations To prove the effectiveness of using RTT as theflow table state and flow entry state indicator we measuredpacket RTTs corresponding to different flow table state andflow entry state

Figure 5 gives the RTT measurement result showing thedifference The points with different symbols represent thetotal 300 times of RTTmeasurements we have conducted 100times ofmeasurement for each combination of flow table stateand flow entry state The square points stand for RTTs whenflow entry exists in flow table The circle points and trianglepoints both stand for RTTs when flow entry does not exist inflow table the circle points are measured when the flow tableis full and the triangle points are measured when the flowtable is not full

As can be seen from the figure when flow entry existsin flow table the packet RTTs are highly concentrated in the

Security and Communication Networks 7

50 100Group

8

7

6

5

4

3

2

1

00

RTT

(ms)

Flow entry exists in flow tableFlow entry does not exist and flow table is not fullFlow entry does not exist and flow table is full

Figure 5 RTT measurement

Table 1 Default timeout values

Controller Hard timeout Idle timeoutRyu 0 0Beacon 0 5 sFloodlight 0 5 sNOX 0 5 sPOX 30 s 10 sTrema 0 60 sMaestro 180 s 30 s

range of 02sim03ms when flow entry does not exist in flowtable and flow table is not full the packet RTTswill increase toabout 3sim5ms when flow entry does not exist in flow table andflow table is full the packet RTTs will be the highest rangingfrom 6ms to 8ms These three groups of RTTs all distributeintensively in a small rangewithout overlapping other groupsshowing the excellent discrimination of using RTT as a flowtable state and flow entry state indicator

43 Timeout

431 Default Timeout Values According to our previousanalysis the feasibility of our inference attack depends onwhether we can generate enough flow entries to fulfill theflow table within a single timeout cycle That means wemust have the ability to generate as many flow entries as theflow entry can hold during a timeout period So we analyzeseveral popular open-source controllers and search for theirdefault timeout values in the built-in applications The resultis presented in Table 1 The zero values in the table mean thecorresponding timeout will not take effect or in other wordsthe timeout value is ldquopermanentrdquo As can be seen from thetable most available controllers have timeout values in therange of 5 s to 30 s

If we take the flow table capacity of 2000 flow entries asan example the minimum packet generating speed requiredwill be 20005 = 400 packets per second while libnet can

generate tens of thousand packets per second So the defaulttimeout values ensure the feasibility of our inference attack

432 Timeout Measurement Though default timeout valuesof mainstream OpenFlow controllers can be read from theirsource codes it is still possible for SDN network administra-tors to manually change the default timeout values In orderto handle nondefault timeout values and provide basis foradjusting packet generating speed it is essential to examinethe accuracy of passive timeout measurement

Figure 6 illustrates relative errors (see equation (9)) ofhard timeout and idle timeout measurement respectivelyWemanuallymodify hard timeout and idle timeout values ofPOX OpenFlow controller to 5 s 10 s 15 s 20 s 25 s and 30 sand then we use timeout measurement algorithmmentionedin Section 2 to measure these timeout values and calculaterelative errors

relative error =1003816100381610038161003816valuedetected minus valuetrue

1003816100381610038161003816valuetrue

lowast 100 (9)

Every line in Figures 6(a) and 6(b) corresponds to 10times of repeated measurements conducted under a certaintimeout setting from 5 s to 30 sThemargin stays in the rangeof plus-or-minus 10 percent showing the effectiveness andhigh accuracy of our timeout measurement algorithm

44 Flow Table Capacity Flow capacity is the primary targetof our inference attack It reflects the hardware specificationof an OpenFlow switch Figure 7 illustrates the flow tablecapacity measurement result when controller adopts FIFOreplacement algorithm We manually limited the switch flowtable capacity to 10 different values from 100 flow entries to1000 flow entries and used our framework to perform theinference

The dark bars represent the manually set flow tablecapacities or real capacities The light bars represent themeasured flow table capacities For every manually set flowtable capacity we conduct 10 times of repeatedmeasurementsand take their mean value as the final result From thefigure we can see that the measured capacities are quite closeto the real capacities indicating the high accuracy of ourinference framework For example when the real capacity is400 flow entries our measured capacity is 408 flow entrieswith an error of only 8 flow entries As the real capacitygrows the packet generating speed required becomes fasterplacing higher requirements on packet sending receivingsynchronization and accurate timing But our inferencealgorithm shows unbelievable stability and accuracy whenthe real capacity is 1000 flow entries our measured capacityis 973 flow entries with an error of just 27 flow entries

Like Figure 7 Figure 8 also illustrates the flow tablecapacity measurement results with the only difference ofbeing performed under LRU replacement algorithm insteadof FIFO

According to our previous analysis the inference princi-ple of LRU replacement algorithm is more complex becauseof the unavoidable mixed nature of flow entries in the flowtable and the rolling maintaining process But our inference

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

4 Security and Communication Networks

entry matching Pkt1should still exist in the OpenFlow

switch Next in the lower thread we continuously generatepackets Pkt

2Pkt3 Pkt

119873 each with a different combi-

nation of src ip dst ip src mac dst mac and send thesepackets to the target OpenFlow switch with the time spanof TS

2 Because there are no flow entries matching their

packets in the OpenFlow switch the recorded RTTs will beapproximately the same as 1198792 Keep generating and sendingpackets until we observe a sudden increase of the RTT whichindicates that the flow table is full Then in the upper threadwe send Pkt1 again immediately and record the RTT as 1198793To achieve higher precision we can repeat the process anduse average values of 1198791 1198792 and 1198793 as final results

From the process above we can see that 1198791 1198792 and

1198793will serve as thresholds for flow table state detection

when the measured RTT is around 1198791 we can infer that

there is corresponding flow entry in the flow table when themeasured RTT is around 119879

2 we can infer that there is no

corresponding flow entry in the flow table and the flow tableis not full when themeasured RTT is around119879

3 we can infer

that there is no corresponding flow entry in the flow table andthe flow table is full

We model the SDNOpenFlow network as a black boxand observe its response (RTT) to different input (networkpackets) then we use the response to estimate the flow tablestate and flow entry state and perform further inference Thewhole process comes in three steps

Firstly we send probing packets into the network totrigger the interaction As there is still no mature routingaggregation algorithm or hierarchical routing rule solutioncurrent SDNOpenFlow switches typically use exact matchrules That means if we send 119899 packets with different fakedmetainformation like src ip and dst ip there will be 119899 newlygenerated flow entries inserted into the flow table If wesend excessive probing packets in a short period of time theflow table will overflow and then the interaction process willbe triggered Secondly we measure RTTs of the respondedpackets and infer the flow table state and flow entry stateThirdly we use observed flow table states and flow table statesas controlling signals in our inference algorithm and performflow table capacity inference

Having to achieve a hit rate as high as possible in a ratherlimited space flow table serves like a ldquocacherdquo in operatingsystems and web proxy servers In this paper we choose FIFOand LRU because they are common and popular [13]

3 Inference Algorithm

The logical structure of our inference algorithm is shownin Figure 3 The inference algorithm consists of two mainpart flow table state detection and flow table state controlFor flow table state detection we perform RTTmeasurementto classify the different states of flow table and specificflow entry For flow table state control we generate specificsequence of attacking network packets to manipulate thestate of flow entries For different flow table replacementalgorithms the relation betweennetwork traffic sequence andflow entry state will be different so we will have different

LRUinferencealgorithm

Strategy for FIFO

Strategy for LRU

Flow table state controlRTT measurement

FIFO inferencealgorithm Flow table state detection

traffic generation strategy

Figure 3 Inference algorithm

A

B

C

D

Figure 4 FIFO inference principle

network traffic generation strategy for different flow tablereplacement algorithms like FIFO and LRU We will intro-duce the inference algorithms for FIFO andLRU respectively

31 FIFO Inference Algorithm Asmentioned in Section 2 theinference process of FIFO algorithm will be as follows wegenerate and send a huge amount of probing packets eachwith a different combination of src ip dst ip src mac anddst mac and the newly inserted flow entries matching thegenerated packets will ldquopushrdquo the other usersrsquo flow entries outof the flow table We can detect if the flow table is full and theexistence of our flow entries Combined with the number ofinserted flow entries we recorded we can infer the flow tablecapacity and flow table usage The process of flow table statetransformation is shown in Figure 4

We use 119865our to represent the number of our inserted flowentries and use 119865other to represent the number of flow entriesfrom other users in the flow table Both 119865our and 119865other arefunctions of timeWe use119879

119860119879119861119879119862 and119879

119863to represent four

time points corresponding to four subfigures respectivelyand use 119862 to represent the flow table capacity

Figure 4 (119860) shows the flow table and the flow entriesit contains just before the experiment starts The rectangleitems represent the flow entries from other users sharing theOpenFlow switch The current number of other usersrsquo flowentries can be expressed as 119865other(119879119860)

Figure 4 (119861) illustrates the time when we start to sendgenerated packets inserting new flow entries into the flowtable The grey rectangles represent the flow entries insertedby us As we can see our flow entries keep pushing otherusersrsquo flow entries to the front of the FIFO queue During theexperiment we should keep a record of the generated packetsincluding their attributes and serial numbers

Security and Communication Networks 5

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) while 119873 lt length(119868119875) do(11) 119894119901 larr 119868119875[119873](12) SendPacket(119894119901)(13) 119873 larr 119873 + 1(14) if Flow table is full then(15) 119873

1larr 119873

(16) continue(17) end if(18) if One of our flow entries is deleted then(19) 119873

2larr 119873

(20) break(21) end if(22) end while(23) 119865capacity larr 1198732(24) 119865other larr 1198732 minus 1198731(25) return 119865capacity 119865other

Algorithm 1 FIFO inference algorithm

Figure 4 (119862) shows the timewhenwe detect the flow tableis full At this point of time flow entries from us and otherusers add up to fill the whole flow table precisely We have

119865our (119879119862) + 119865other (119879119862) = 119862 (1)

Figure 4 (119863) shows the time when we detect that one ofour inserted flow entries has been deleted That means theflow table is now full of our flow entries without any flowentries from other users We have

119865our (119879119863) = 119862 (2)

Combine the two equations above we have

119865other (119879119860) = 119865other (119879119862) = 119862 minus 119865our (119879119862)

= 119865our (119879119863) minus 119865our (119879119862) (3)

According to the analysis above we describe the inferenceprocess for FIFO algorithm as shown in Algorithm 1

The main error of the inference comes from the flowentries inserted by other users when our insertion is inprogressWe assume that our flow entry insertion speed is fastenough so that during the period of experiment the newlyinserted flow entries are all from us But that is not alwaysthe truth Ignoring the possible flow entries inserted by otherusers will make our inference result smaller than the actualvalue

Considering the flow entries inserted by other users theactual equations are listed below

When we detect the flow table is full if we use 119864(119860 119861)to represent the number of just inserted flow entries fromother users from time point 119860 to time point 119861 the equationbecomes

119865our (119879119862) + 119865other (119879119862) + 119864 (119879119860 119879119862) = 119862 (4)

And when we detect that one of our inserted flow entriesis deleted the equation becomes

119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863) = 119862 (5)

Combine the two equations above we have

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (6)

So the actual equation considering flow entry insertionsduring inference should be

119862 = 119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (7)

Compared with our former equation ignoring flow entryinsertions

119862 = 119865our (119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) (8)

We can see that the inferred flow table usage119865other and theinferred flow table capacity 119865capacity will both be smaller thanthe actual value

32 LRU Inference Algorithm The experiment principle ofLRU algorithm has something in common with that of FIFOalgorithm because under these two circumstances we canboth keep our flow entries stay in the back of the cache queueusing certain operations However there are still differenceslies in the flow entry maintaining process

The nature of FIFO algorithm ensures that the position ofthe flow entries only depends on the time they are insertedThe earlier inserted flow entries are sure to be nearer to thefront of the cache queue comparedwith the later inserted flowentries But in LRUalgorithm the positions of the flow entriesdepend not only on the time they are inserted but also on thelast time they are accessed In order to keep our flow entriesstay in the back of the cache queue we need to continuouslyaccess the previously inserted flow entries

During the maintain process every time we insert anew flow entry we need to access all previously insertedflow entries for one time to ldquoliftrdquo them to the backof the cache queue The access history may be like1198751 1198751 1198752 1198751 1198752 1198753 1198751 1198752 1198753 1198754 and we call it aldquorollingrdquo maintaining process The maintaining algorithm isshown in Algorithm 2 According to the analysis above wedescribe the inference process for LRU in Algorithm 3

The feasibility and error analysis of LRU algorithm issimilar to that of FIFO algorithm The inferred flow tableusage 119865other and the inferred flow table capacity 119865capacity willboth be smaller than the actual value because of ignoring theflow entries inserted by other users during the experiment

6 Security and Communication Networks

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of Inserted IP 119868119875inserted(3) function RollingPacketSender(119868119875inserted)(4) 119894 larr 1(5) while 119894 lt length(119868119875inserted) do(6) for 119895 larr 0 119895 lt 119894 119895 + + do(7) 119894119901 larr 119868119875inserted[119895](8) SendPacket(119894119901)(9) end for(10) 119894 larr 119894 + 1(11) end while(12) end function

Algorithm 2 Rolling maintaining algorithm

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) 119868119875inserted larr [](11) while 119873 lt length(119868119875) do(12) 119894119901 larr 119868119875[119873](13) 119868119875inserted larr 119868119875inserted + 119894119901(14) RollingPacketSender(119868119875inserted)(15) 119873 larr 119873 + 1(16) if Flow table is full then(17) 119873

1larr 119873

(18) continue(19) end if(20) if One of our flow entries is deleted then(21) 119873

2larr 119873

(22) break(23) end if(24) end while(25) 119865capacity larr 1198732(26) 119865other larr 1198732 minus 1198731(27) return 119865capacity 119865other

Algorithm 3 LRU inference algorithm

4 Evaluation

41 Implementation The emulation environment of ourexperiment consists of three parts a network prototypingsystem used to emulate host and switch a network controllerand our inference attack toolkit

We choose Mininet [14] as the network prototypingsystem because it encapsulates host and switch emulationand thus easy to use Our emulated network prototype

for evaluation uses a star topology consisting of 20 hostsconnected to a single OpenFlow switch We build FIFO andLRUcontroller applications using Python on the basis of POX[15] OpenFlow controller As for the inference attack toolkitwe use libnet [16] to generate probing packets and libpcap[17] to capture replied packets To simulate the backgroundtraffic in real network we built a SDN testbed using Mininetand POX On the SDN testbed we performed a series ofbasic SDN operations These operations include buildinga customized SDN network topology setting up the linkbetween SDN switches and performing the ping test betweenall SDN nodes We captured the network traffic generatedduring these operations and use them as the backgroundnetwork traffic sample

42 RTT Measurement As we have mentioned in Sec-tion 2 the difference between traditional network andSDNOpenFlow network in handling previously unseenpackets gives us a possible indicator of the flow table stateand the flow entry living state RTT When there is notcorresponding flow entry existing in the flow table the RTTof a packet will significantly increase due to the interactionsbetween controller and switch in order to acquire new flowentries That is the case when there is still space in the flowtable Once the flow table is full the RTT of a packet willfurther increase as a result of extra flow table replacementoperations To prove the effectiveness of using RTT as theflow table state and flow entry state indicator we measuredpacket RTTs corresponding to different flow table state andflow entry state

Figure 5 gives the RTT measurement result showing thedifference The points with different symbols represent thetotal 300 times of RTTmeasurements we have conducted 100times ofmeasurement for each combination of flow table stateand flow entry state The square points stand for RTTs whenflow entry exists in flow table The circle points and trianglepoints both stand for RTTs when flow entry does not exist inflow table the circle points are measured when the flow tableis full and the triangle points are measured when the flowtable is not full

As can be seen from the figure when flow entry existsin flow table the packet RTTs are highly concentrated in the

Security and Communication Networks 7

50 100Group

8

7

6

5

4

3

2

1

00

RTT

(ms)

Flow entry exists in flow tableFlow entry does not exist and flow table is not fullFlow entry does not exist and flow table is full

Figure 5 RTT measurement

Table 1 Default timeout values

Controller Hard timeout Idle timeoutRyu 0 0Beacon 0 5 sFloodlight 0 5 sNOX 0 5 sPOX 30 s 10 sTrema 0 60 sMaestro 180 s 30 s

range of 02sim03ms when flow entry does not exist in flowtable and flow table is not full the packet RTTswill increase toabout 3sim5ms when flow entry does not exist in flow table andflow table is full the packet RTTs will be the highest rangingfrom 6ms to 8ms These three groups of RTTs all distributeintensively in a small rangewithout overlapping other groupsshowing the excellent discrimination of using RTT as a flowtable state and flow entry state indicator

43 Timeout

431 Default Timeout Values According to our previousanalysis the feasibility of our inference attack depends onwhether we can generate enough flow entries to fulfill theflow table within a single timeout cycle That means wemust have the ability to generate as many flow entries as theflow entry can hold during a timeout period So we analyzeseveral popular open-source controllers and search for theirdefault timeout values in the built-in applications The resultis presented in Table 1 The zero values in the table mean thecorresponding timeout will not take effect or in other wordsthe timeout value is ldquopermanentrdquo As can be seen from thetable most available controllers have timeout values in therange of 5 s to 30 s

If we take the flow table capacity of 2000 flow entries asan example the minimum packet generating speed requiredwill be 20005 = 400 packets per second while libnet can

generate tens of thousand packets per second So the defaulttimeout values ensure the feasibility of our inference attack

432 Timeout Measurement Though default timeout valuesof mainstream OpenFlow controllers can be read from theirsource codes it is still possible for SDN network administra-tors to manually change the default timeout values In orderto handle nondefault timeout values and provide basis foradjusting packet generating speed it is essential to examinethe accuracy of passive timeout measurement

Figure 6 illustrates relative errors (see equation (9)) ofhard timeout and idle timeout measurement respectivelyWemanuallymodify hard timeout and idle timeout values ofPOX OpenFlow controller to 5 s 10 s 15 s 20 s 25 s and 30 sand then we use timeout measurement algorithmmentionedin Section 2 to measure these timeout values and calculaterelative errors

relative error =1003816100381610038161003816valuedetected minus valuetrue

1003816100381610038161003816valuetrue

lowast 100 (9)

Every line in Figures 6(a) and 6(b) corresponds to 10times of repeated measurements conducted under a certaintimeout setting from 5 s to 30 sThemargin stays in the rangeof plus-or-minus 10 percent showing the effectiveness andhigh accuracy of our timeout measurement algorithm

44 Flow Table Capacity Flow capacity is the primary targetof our inference attack It reflects the hardware specificationof an OpenFlow switch Figure 7 illustrates the flow tablecapacity measurement result when controller adopts FIFOreplacement algorithm We manually limited the switch flowtable capacity to 10 different values from 100 flow entries to1000 flow entries and used our framework to perform theinference

The dark bars represent the manually set flow tablecapacities or real capacities The light bars represent themeasured flow table capacities For every manually set flowtable capacity we conduct 10 times of repeatedmeasurementsand take their mean value as the final result From thefigure we can see that the measured capacities are quite closeto the real capacities indicating the high accuracy of ourinference framework For example when the real capacity is400 flow entries our measured capacity is 408 flow entrieswith an error of only 8 flow entries As the real capacitygrows the packet generating speed required becomes fasterplacing higher requirements on packet sending receivingsynchronization and accurate timing But our inferencealgorithm shows unbelievable stability and accuracy whenthe real capacity is 1000 flow entries our measured capacityis 973 flow entries with an error of just 27 flow entries

Like Figure 7 Figure 8 also illustrates the flow tablecapacity measurement results with the only difference ofbeing performed under LRU replacement algorithm insteadof FIFO

According to our previous analysis the inference princi-ple of LRU replacement algorithm is more complex becauseof the unavoidable mixed nature of flow entries in the flowtable and the rolling maintaining process But our inference

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 5

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) while 119873 lt length(119868119875) do(11) 119894119901 larr 119868119875[119873](12) SendPacket(119894119901)(13) 119873 larr 119873 + 1(14) if Flow table is full then(15) 119873

1larr 119873

(16) continue(17) end if(18) if One of our flow entries is deleted then(19) 119873

2larr 119873

(20) break(21) end if(22) end while(23) 119865capacity larr 1198732(24) 119865other larr 1198732 minus 1198731(25) return 119865capacity 119865other

Algorithm 1 FIFO inference algorithm

Figure 4 (119862) shows the timewhenwe detect the flow tableis full At this point of time flow entries from us and otherusers add up to fill the whole flow table precisely We have

119865our (119879119862) + 119865other (119879119862) = 119862 (1)

Figure 4 (119863) shows the time when we detect that one ofour inserted flow entries has been deleted That means theflow table is now full of our flow entries without any flowentries from other users We have

119865our (119879119863) = 119862 (2)

Combine the two equations above we have

119865other (119879119860) = 119865other (119879119862) = 119862 minus 119865our (119879119862)

= 119865our (119879119863) minus 119865our (119879119862) (3)

According to the analysis above we describe the inferenceprocess for FIFO algorithm as shown in Algorithm 1

The main error of the inference comes from the flowentries inserted by other users when our insertion is inprogressWe assume that our flow entry insertion speed is fastenough so that during the period of experiment the newlyinserted flow entries are all from us But that is not alwaysthe truth Ignoring the possible flow entries inserted by otherusers will make our inference result smaller than the actualvalue

Considering the flow entries inserted by other users theactual equations are listed below

When we detect the flow table is full if we use 119864(119860 119861)to represent the number of just inserted flow entries fromother users from time point 119860 to time point 119861 the equationbecomes

119865our (119879119862) + 119865other (119879119862) + 119864 (119879119860 119879119862) = 119862 (4)

And when we detect that one of our inserted flow entriesis deleted the equation becomes

119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863) = 119862 (5)

Combine the two equations above we have

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (6)

So the actual equation considering flow entry insertionsduring inference should be

119862 = 119865our (119879119863) + 119864 (119879119860 119879119862) + 119864 (119879119862 119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) + 119864 (119879119862 119879119863) (7)

Compared with our former equation ignoring flow entryinsertions

119862 = 119865our (119879119863)

119865other (119879119862) = 119865our (119879119863) minus 119865our (119879119862) (8)

We can see that the inferred flow table usage119865other and theinferred flow table capacity 119865capacity will both be smaller thanthe actual value

32 LRU Inference Algorithm The experiment principle ofLRU algorithm has something in common with that of FIFOalgorithm because under these two circumstances we canboth keep our flow entries stay in the back of the cache queueusing certain operations However there are still differenceslies in the flow entry maintaining process

The nature of FIFO algorithm ensures that the position ofthe flow entries only depends on the time they are insertedThe earlier inserted flow entries are sure to be nearer to thefront of the cache queue comparedwith the later inserted flowentries But in LRUalgorithm the positions of the flow entriesdepend not only on the time they are inserted but also on thelast time they are accessed In order to keep our flow entriesstay in the back of the cache queue we need to continuouslyaccess the previously inserted flow entries

During the maintain process every time we insert anew flow entry we need to access all previously insertedflow entries for one time to ldquoliftrdquo them to the backof the cache queue The access history may be like1198751 1198751 1198752 1198751 1198752 1198753 1198751 1198752 1198753 1198754 and we call it aldquorollingrdquo maintaining process The maintaining algorithm isshown in Algorithm 2 According to the analysis above wedescribe the inference process for LRU in Algorithm 3

The feasibility and error analysis of LRU algorithm issimilar to that of FIFO algorithm The inferred flow tableusage 119865other and the inferred flow table capacity 119865capacity willboth be smaller than the actual value because of ignoring theflow entries inserted by other users during the experiment

6 Security and Communication Networks

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of Inserted IP 119868119875inserted(3) function RollingPacketSender(119868119875inserted)(4) 119894 larr 1(5) while 119894 lt length(119868119875inserted) do(6) for 119895 larr 0 119895 lt 119894 119895 + + do(7) 119894119901 larr 119868119875inserted[119895](8) SendPacket(119894119901)(9) end for(10) 119894 larr 119894 + 1(11) end while(12) end function

Algorithm 2 Rolling maintaining algorithm

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) 119868119875inserted larr [](11) while 119873 lt length(119868119875) do(12) 119894119901 larr 119868119875[119873](13) 119868119875inserted larr 119868119875inserted + 119894119901(14) RollingPacketSender(119868119875inserted)(15) 119873 larr 119873 + 1(16) if Flow table is full then(17) 119873

1larr 119873

(18) continue(19) end if(20) if One of our flow entries is deleted then(21) 119873

2larr 119873

(22) break(23) end if(24) end while(25) 119865capacity larr 1198732(26) 119865other larr 1198732 minus 1198731(27) return 119865capacity 119865other

Algorithm 3 LRU inference algorithm

4 Evaluation

41 Implementation The emulation environment of ourexperiment consists of three parts a network prototypingsystem used to emulate host and switch a network controllerand our inference attack toolkit

We choose Mininet [14] as the network prototypingsystem because it encapsulates host and switch emulationand thus easy to use Our emulated network prototype

for evaluation uses a star topology consisting of 20 hostsconnected to a single OpenFlow switch We build FIFO andLRUcontroller applications using Python on the basis of POX[15] OpenFlow controller As for the inference attack toolkitwe use libnet [16] to generate probing packets and libpcap[17] to capture replied packets To simulate the backgroundtraffic in real network we built a SDN testbed using Mininetand POX On the SDN testbed we performed a series ofbasic SDN operations These operations include buildinga customized SDN network topology setting up the linkbetween SDN switches and performing the ping test betweenall SDN nodes We captured the network traffic generatedduring these operations and use them as the backgroundnetwork traffic sample

42 RTT Measurement As we have mentioned in Sec-tion 2 the difference between traditional network andSDNOpenFlow network in handling previously unseenpackets gives us a possible indicator of the flow table stateand the flow entry living state RTT When there is notcorresponding flow entry existing in the flow table the RTTof a packet will significantly increase due to the interactionsbetween controller and switch in order to acquire new flowentries That is the case when there is still space in the flowtable Once the flow table is full the RTT of a packet willfurther increase as a result of extra flow table replacementoperations To prove the effectiveness of using RTT as theflow table state and flow entry state indicator we measuredpacket RTTs corresponding to different flow table state andflow entry state

Figure 5 gives the RTT measurement result showing thedifference The points with different symbols represent thetotal 300 times of RTTmeasurements we have conducted 100times ofmeasurement for each combination of flow table stateand flow entry state The square points stand for RTTs whenflow entry exists in flow table The circle points and trianglepoints both stand for RTTs when flow entry does not exist inflow table the circle points are measured when the flow tableis full and the triangle points are measured when the flowtable is not full

As can be seen from the figure when flow entry existsin flow table the packet RTTs are highly concentrated in the

Security and Communication Networks 7

50 100Group

8

7

6

5

4

3

2

1

00

RTT

(ms)

Flow entry exists in flow tableFlow entry does not exist and flow table is not fullFlow entry does not exist and flow table is full

Figure 5 RTT measurement

Table 1 Default timeout values

Controller Hard timeout Idle timeoutRyu 0 0Beacon 0 5 sFloodlight 0 5 sNOX 0 5 sPOX 30 s 10 sTrema 0 60 sMaestro 180 s 30 s

range of 02sim03ms when flow entry does not exist in flowtable and flow table is not full the packet RTTswill increase toabout 3sim5ms when flow entry does not exist in flow table andflow table is full the packet RTTs will be the highest rangingfrom 6ms to 8ms These three groups of RTTs all distributeintensively in a small rangewithout overlapping other groupsshowing the excellent discrimination of using RTT as a flowtable state and flow entry state indicator

43 Timeout

431 Default Timeout Values According to our previousanalysis the feasibility of our inference attack depends onwhether we can generate enough flow entries to fulfill theflow table within a single timeout cycle That means wemust have the ability to generate as many flow entries as theflow entry can hold during a timeout period So we analyzeseveral popular open-source controllers and search for theirdefault timeout values in the built-in applications The resultis presented in Table 1 The zero values in the table mean thecorresponding timeout will not take effect or in other wordsthe timeout value is ldquopermanentrdquo As can be seen from thetable most available controllers have timeout values in therange of 5 s to 30 s

If we take the flow table capacity of 2000 flow entries asan example the minimum packet generating speed requiredwill be 20005 = 400 packets per second while libnet can

generate tens of thousand packets per second So the defaulttimeout values ensure the feasibility of our inference attack

432 Timeout Measurement Though default timeout valuesof mainstream OpenFlow controllers can be read from theirsource codes it is still possible for SDN network administra-tors to manually change the default timeout values In orderto handle nondefault timeout values and provide basis foradjusting packet generating speed it is essential to examinethe accuracy of passive timeout measurement

Figure 6 illustrates relative errors (see equation (9)) ofhard timeout and idle timeout measurement respectivelyWemanuallymodify hard timeout and idle timeout values ofPOX OpenFlow controller to 5 s 10 s 15 s 20 s 25 s and 30 sand then we use timeout measurement algorithmmentionedin Section 2 to measure these timeout values and calculaterelative errors

relative error =1003816100381610038161003816valuedetected minus valuetrue

1003816100381610038161003816valuetrue

lowast 100 (9)

Every line in Figures 6(a) and 6(b) corresponds to 10times of repeated measurements conducted under a certaintimeout setting from 5 s to 30 sThemargin stays in the rangeof plus-or-minus 10 percent showing the effectiveness andhigh accuracy of our timeout measurement algorithm

44 Flow Table Capacity Flow capacity is the primary targetof our inference attack It reflects the hardware specificationof an OpenFlow switch Figure 7 illustrates the flow tablecapacity measurement result when controller adopts FIFOreplacement algorithm We manually limited the switch flowtable capacity to 10 different values from 100 flow entries to1000 flow entries and used our framework to perform theinference

The dark bars represent the manually set flow tablecapacities or real capacities The light bars represent themeasured flow table capacities For every manually set flowtable capacity we conduct 10 times of repeatedmeasurementsand take their mean value as the final result From thefigure we can see that the measured capacities are quite closeto the real capacities indicating the high accuracy of ourinference framework For example when the real capacity is400 flow entries our measured capacity is 408 flow entrieswith an error of only 8 flow entries As the real capacitygrows the packet generating speed required becomes fasterplacing higher requirements on packet sending receivingsynchronization and accurate timing But our inferencealgorithm shows unbelievable stability and accuracy whenthe real capacity is 1000 flow entries our measured capacityis 973 flow entries with an error of just 27 flow entries

Like Figure 7 Figure 8 also illustrates the flow tablecapacity measurement results with the only difference ofbeing performed under LRU replacement algorithm insteadof FIFO

According to our previous analysis the inference princi-ple of LRU replacement algorithm is more complex becauseof the unavoidable mixed nature of flow entries in the flowtable and the rolling maintaining process But our inference

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

6 Security and Communication Networks

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of Inserted IP 119868119875inserted(3) function RollingPacketSender(119868119875inserted)(4) 119894 larr 1(5) while 119894 lt length(119868119875inserted) do(6) for 119895 larr 0 119895 lt 119894 119895 + + do(7) 119894119901 larr 119868119875inserted[119895](8) SendPacket(119894119901)(9) end for(10) 119894 larr 119894 + 1(11) end while(12) end function

Algorithm 2 Rolling maintaining algorithm

Require(1) Packet-Sending Function 119878119890119899119889119875119886119888119896119890119905()(2) List of IP 119868119875Ensure(3) The flow table capacity 119865capacity(4) The number of other usersrsquo flow entries 119865other(5) 119865capacity larr 0(6) 119865other larr 0(7) 119873 larr 0(8) 119873

1larr 0

(9) 1198732larr 0

(10) 119868119875inserted larr [](11) while 119873 lt length(119868119875) do(12) 119894119901 larr 119868119875[119873](13) 119868119875inserted larr 119868119875inserted + 119894119901(14) RollingPacketSender(119868119875inserted)(15) 119873 larr 119873 + 1(16) if Flow table is full then(17) 119873

1larr 119873

(18) continue(19) end if(20) if One of our flow entries is deleted then(21) 119873

2larr 119873

(22) break(23) end if(24) end while(25) 119865capacity larr 1198732(26) 119865other larr 1198732 minus 1198731(27) return 119865capacity 119865other

Algorithm 3 LRU inference algorithm

4 Evaluation

41 Implementation The emulation environment of ourexperiment consists of three parts a network prototypingsystem used to emulate host and switch a network controllerand our inference attack toolkit

We choose Mininet [14] as the network prototypingsystem because it encapsulates host and switch emulationand thus easy to use Our emulated network prototype

for evaluation uses a star topology consisting of 20 hostsconnected to a single OpenFlow switch We build FIFO andLRUcontroller applications using Python on the basis of POX[15] OpenFlow controller As for the inference attack toolkitwe use libnet [16] to generate probing packets and libpcap[17] to capture replied packets To simulate the backgroundtraffic in real network we built a SDN testbed using Mininetand POX On the SDN testbed we performed a series ofbasic SDN operations These operations include buildinga customized SDN network topology setting up the linkbetween SDN switches and performing the ping test betweenall SDN nodes We captured the network traffic generatedduring these operations and use them as the backgroundnetwork traffic sample

42 RTT Measurement As we have mentioned in Sec-tion 2 the difference between traditional network andSDNOpenFlow network in handling previously unseenpackets gives us a possible indicator of the flow table stateand the flow entry living state RTT When there is notcorresponding flow entry existing in the flow table the RTTof a packet will significantly increase due to the interactionsbetween controller and switch in order to acquire new flowentries That is the case when there is still space in the flowtable Once the flow table is full the RTT of a packet willfurther increase as a result of extra flow table replacementoperations To prove the effectiveness of using RTT as theflow table state and flow entry state indicator we measuredpacket RTTs corresponding to different flow table state andflow entry state

Figure 5 gives the RTT measurement result showing thedifference The points with different symbols represent thetotal 300 times of RTTmeasurements we have conducted 100times ofmeasurement for each combination of flow table stateand flow entry state The square points stand for RTTs whenflow entry exists in flow table The circle points and trianglepoints both stand for RTTs when flow entry does not exist inflow table the circle points are measured when the flow tableis full and the triangle points are measured when the flowtable is not full

As can be seen from the figure when flow entry existsin flow table the packet RTTs are highly concentrated in the

Security and Communication Networks 7

50 100Group

8

7

6

5

4

3

2

1

00

RTT

(ms)

Flow entry exists in flow tableFlow entry does not exist and flow table is not fullFlow entry does not exist and flow table is full

Figure 5 RTT measurement

Table 1 Default timeout values

Controller Hard timeout Idle timeoutRyu 0 0Beacon 0 5 sFloodlight 0 5 sNOX 0 5 sPOX 30 s 10 sTrema 0 60 sMaestro 180 s 30 s

range of 02sim03ms when flow entry does not exist in flowtable and flow table is not full the packet RTTswill increase toabout 3sim5ms when flow entry does not exist in flow table andflow table is full the packet RTTs will be the highest rangingfrom 6ms to 8ms These three groups of RTTs all distributeintensively in a small rangewithout overlapping other groupsshowing the excellent discrimination of using RTT as a flowtable state and flow entry state indicator

43 Timeout

431 Default Timeout Values According to our previousanalysis the feasibility of our inference attack depends onwhether we can generate enough flow entries to fulfill theflow table within a single timeout cycle That means wemust have the ability to generate as many flow entries as theflow entry can hold during a timeout period So we analyzeseveral popular open-source controllers and search for theirdefault timeout values in the built-in applications The resultis presented in Table 1 The zero values in the table mean thecorresponding timeout will not take effect or in other wordsthe timeout value is ldquopermanentrdquo As can be seen from thetable most available controllers have timeout values in therange of 5 s to 30 s

If we take the flow table capacity of 2000 flow entries asan example the minimum packet generating speed requiredwill be 20005 = 400 packets per second while libnet can

generate tens of thousand packets per second So the defaulttimeout values ensure the feasibility of our inference attack

432 Timeout Measurement Though default timeout valuesof mainstream OpenFlow controllers can be read from theirsource codes it is still possible for SDN network administra-tors to manually change the default timeout values In orderto handle nondefault timeout values and provide basis foradjusting packet generating speed it is essential to examinethe accuracy of passive timeout measurement

Figure 6 illustrates relative errors (see equation (9)) ofhard timeout and idle timeout measurement respectivelyWemanuallymodify hard timeout and idle timeout values ofPOX OpenFlow controller to 5 s 10 s 15 s 20 s 25 s and 30 sand then we use timeout measurement algorithmmentionedin Section 2 to measure these timeout values and calculaterelative errors

relative error =1003816100381610038161003816valuedetected minus valuetrue

1003816100381610038161003816valuetrue

lowast 100 (9)

Every line in Figures 6(a) and 6(b) corresponds to 10times of repeated measurements conducted under a certaintimeout setting from 5 s to 30 sThemargin stays in the rangeof plus-or-minus 10 percent showing the effectiveness andhigh accuracy of our timeout measurement algorithm

44 Flow Table Capacity Flow capacity is the primary targetof our inference attack It reflects the hardware specificationof an OpenFlow switch Figure 7 illustrates the flow tablecapacity measurement result when controller adopts FIFOreplacement algorithm We manually limited the switch flowtable capacity to 10 different values from 100 flow entries to1000 flow entries and used our framework to perform theinference

The dark bars represent the manually set flow tablecapacities or real capacities The light bars represent themeasured flow table capacities For every manually set flowtable capacity we conduct 10 times of repeatedmeasurementsand take their mean value as the final result From thefigure we can see that the measured capacities are quite closeto the real capacities indicating the high accuracy of ourinference framework For example when the real capacity is400 flow entries our measured capacity is 408 flow entrieswith an error of only 8 flow entries As the real capacitygrows the packet generating speed required becomes fasterplacing higher requirements on packet sending receivingsynchronization and accurate timing But our inferencealgorithm shows unbelievable stability and accuracy whenthe real capacity is 1000 flow entries our measured capacityis 973 flow entries with an error of just 27 flow entries

Like Figure 7 Figure 8 also illustrates the flow tablecapacity measurement results with the only difference ofbeing performed under LRU replacement algorithm insteadof FIFO

According to our previous analysis the inference princi-ple of LRU replacement algorithm is more complex becauseof the unavoidable mixed nature of flow entries in the flowtable and the rolling maintaining process But our inference

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 7

50 100Group

8

7

6

5

4

3

2

1

00

RTT

(ms)

Flow entry exists in flow tableFlow entry does not exist and flow table is not fullFlow entry does not exist and flow table is full

Figure 5 RTT measurement

Table 1 Default timeout values

Controller Hard timeout Idle timeoutRyu 0 0Beacon 0 5 sFloodlight 0 5 sNOX 0 5 sPOX 30 s 10 sTrema 0 60 sMaestro 180 s 30 s

range of 02sim03ms when flow entry does not exist in flowtable and flow table is not full the packet RTTswill increase toabout 3sim5ms when flow entry does not exist in flow table andflow table is full the packet RTTs will be the highest rangingfrom 6ms to 8ms These three groups of RTTs all distributeintensively in a small rangewithout overlapping other groupsshowing the excellent discrimination of using RTT as a flowtable state and flow entry state indicator

43 Timeout

431 Default Timeout Values According to our previousanalysis the feasibility of our inference attack depends onwhether we can generate enough flow entries to fulfill theflow table within a single timeout cycle That means wemust have the ability to generate as many flow entries as theflow entry can hold during a timeout period So we analyzeseveral popular open-source controllers and search for theirdefault timeout values in the built-in applications The resultis presented in Table 1 The zero values in the table mean thecorresponding timeout will not take effect or in other wordsthe timeout value is ldquopermanentrdquo As can be seen from thetable most available controllers have timeout values in therange of 5 s to 30 s

If we take the flow table capacity of 2000 flow entries asan example the minimum packet generating speed requiredwill be 20005 = 400 packets per second while libnet can

generate tens of thousand packets per second So the defaulttimeout values ensure the feasibility of our inference attack

432 Timeout Measurement Though default timeout valuesof mainstream OpenFlow controllers can be read from theirsource codes it is still possible for SDN network administra-tors to manually change the default timeout values In orderto handle nondefault timeout values and provide basis foradjusting packet generating speed it is essential to examinethe accuracy of passive timeout measurement

Figure 6 illustrates relative errors (see equation (9)) ofhard timeout and idle timeout measurement respectivelyWemanuallymodify hard timeout and idle timeout values ofPOX OpenFlow controller to 5 s 10 s 15 s 20 s 25 s and 30 sand then we use timeout measurement algorithmmentionedin Section 2 to measure these timeout values and calculaterelative errors

relative error =1003816100381610038161003816valuedetected minus valuetrue

1003816100381610038161003816valuetrue

lowast 100 (9)

Every line in Figures 6(a) and 6(b) corresponds to 10times of repeated measurements conducted under a certaintimeout setting from 5 s to 30 sThemargin stays in the rangeof plus-or-minus 10 percent showing the effectiveness andhigh accuracy of our timeout measurement algorithm

44 Flow Table Capacity Flow capacity is the primary targetof our inference attack It reflects the hardware specificationof an OpenFlow switch Figure 7 illustrates the flow tablecapacity measurement result when controller adopts FIFOreplacement algorithm We manually limited the switch flowtable capacity to 10 different values from 100 flow entries to1000 flow entries and used our framework to perform theinference

The dark bars represent the manually set flow tablecapacities or real capacities The light bars represent themeasured flow table capacities For every manually set flowtable capacity we conduct 10 times of repeatedmeasurementsand take their mean value as the final result From thefigure we can see that the measured capacities are quite closeto the real capacities indicating the high accuracy of ourinference framework For example when the real capacity is400 flow entries our measured capacity is 408 flow entrieswith an error of only 8 flow entries As the real capacitygrows the packet generating speed required becomes fasterplacing higher requirements on packet sending receivingsynchronization and accurate timing But our inferencealgorithm shows unbelievable stability and accuracy whenthe real capacity is 1000 flow entries our measured capacityis 973 flow entries with an error of just 27 flow entries

Like Figure 7 Figure 8 also illustrates the flow tablecapacity measurement results with the only difference ofbeing performed under LRU replacement algorithm insteadof FIFO

According to our previous analysis the inference princi-ple of LRU replacement algorithm is more complex becauseof the unavoidable mixed nature of flow entries in the flowtable and the rolling maintaining process But our inference

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

8 Security and Communication Networks

Hard timeout = 30

Hard timeout = 25

Hard timeout = 20

Hard timeout = 15

Hard timeout = 10

Hard timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Hard timeout relative error

(a)

Idle timeout = 30

Idle timeout = 25

Idle timeout = 20

Idle timeout = 15

Idle timeout = 10

Idle timeout = 5

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

Idle timeout relative error

(b)

Figure 6 Timeout relative error

100 95

200 192

300 315

400 408

500 486

600 619

700666

800831

900 883

1000973

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 7 FIFO flow table capacity

framework still shows high accuracy and reliability Evenwhen the real flow table capacities are set to be rather largevalues like 900 and 1000 the errors of our measure capacitiesare just around 20 flow entries

Only illustrating the mean value of measured flow tablecapacities may not be enough the mean value may bethe result of error compensations and hide the detailed

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 120

200 180

350300

400 422

500 475

600630

700

788 800828

900 880

10001021

Figure 8 LRU flow table capacity

measurement errors of every separate experiment So inFigure 9 we illustrate the relative error of every single flowtable capacity measurement

We choose 5 groups of different flow table capacitiesfrom 200 flow entries to 1000 flow entries and perform 10times of measurements under every single flow table capacityvalue Figure 9(a) stands for relative error of flow tablecapacity measurements conducted under FIFO replacement

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 9

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

FIFO capacity relative error

(a)

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

LRU capacity relative error

(b)

Figure 9 Flow table capacity relative error

algorithm showing that the margin is no larger than plus-or-minus 10 percent Figure 9(b) stands for relative errorof flow table capacity measurements conducted under LRUreplacement algorithm Due to the more complex inferenceprinciple and the rolling maintaining process the marginbecomes larger but still has not exceeded 15 percent even inthe worst case

The above inference attacks are performed without anybackground network traffic When performing inferenceattack in real networks the impact of background networktraffic cannot be ignored So it is necessary to examine the effi-ciency of our inference algorithm under these circumstances

In this evaluation we choose the background networktraffic dataset from a SDN testbed Figures 10 and 11 havethe same experiment setting with Figures 7 and 8 with theonly difference of replaying background traffic captured fromSDN testbed during the inference attack process Even withthe impact of background traffic our inference algorithm stillshows high accuracy

45 Flow Table Usage In this section we evaluated ourframeworkrsquos efficiency of inferring the number of flow entriesfrom other users sharing the same flow table or the flow tableusage Flow table usage is our secondary inference target andit reflects the network resource consuming condition of othertenants in the same SDN network Figures 12 and 13 illustratethe flow table usage measurement results conducted underFIFO and LRU replacement algorithm respectively

100 81

200174

300 295

1000

931900

852800 805

700 641

600 595

500 463

400 385

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

Figure 10 FIFO flow table capacity with testbed background traffic

Again wemanually set 10 different flow table usage valuesfrom 100 to 1000 flow entries by manually generating andinserting corresponding number of flow entries into the flowtable beforehand Then we use our inference algorithm toinfer the flow table usage and take mean values of every 10times of measurements as the final results The errors of allthese measurements show the high accuracy stability andreliability of our inference algorithm

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

10 Security and Communication Networks

0

200

400

600

800

1000

Capa

city

10 3 6 5 8 9 4 7 2 1 Group

Real capacityMeasured capacity

100 99

200158

300328

400 399

500447

600 595

700752

800 790

900841

1000 978

Figure 11 LRU flow table capacity with testbed background traffic

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

100 120

200 184

300 322

400 378

500 492

600 617

700 723

800

900 895

1000976

809

Figure 12 FIFO flow table usage

We also conducted the flow table usage inference attackwith background traffic Experiment results with testbedbackground traffic are shown in Figures 14 and 15 Ourinference algorithm can smoothly handle the impact ofbackground traffic which ensures the stability and robustnessdemonstrated in the experiment results

The relative errors are shown in Figure 16 We emulate5 groups of different flow table usage values and conducted10 times of flow table usage inference for every single valueFor both FIFO and LRU replacement algorithm the relativeerrors of flow table usage inference stay in a quite small rangeThe results prove that our algorithm can infer other tenantsrsquoflow table usage condition in high accuracy

5 Defense

From the previous sections we can conclude that the infer-ence attack is rooted in the flow table overflow To defendthat kind of inference attack we have to prevent flow tableoverflow in two aspects one aspect is to compress the flow

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge

10080

200 195

300 278

400

500466

600 602

700731

800 783

900 882

1000 976

378

Figure 13 LRU flow table usage

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000 U

sage

100 107

200163

300 301

400357

500468

600 590

700 694

800 780

900865

1000

935

Figure 14 FIFO flow table usage with testbed background traffic

entries to save flow table space and the other one is toimplement a larger flow table to store more flow entries

51 Routing Aggregation Routing aggregation is to combinemultiple entries in the flow table without changing the nexthops for packet forwarding This approach is particularlyappealing because it can be done by a software upgrade at theOpenFlow switch and its impact is limited within that switchRouting aggregation has already been used in traditionalnetworks but it has not been deployed in SDNOpenFlownetworks To fully utilize the flexibility of SDNOpenFlownetwork under certain scenarios like load balancing we pro-posed a global routing schedule using packing optimizationalgorithms

Traditional routing aggregation algorithms [18] can beused to compress the flow table but their effectiveness cannotbe ensured If thematching fields and next hops are dispersedenough chances are that we may not be able to performany routing aggregation because we cannot find flow entriessharing commonmatching fields and next hopsThis is often

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 11

10 3 6 5 8 9 4 7 2 1 Group

Real usageMeasured usage

0

200

400

600

800

1000

Usa

ge100

200168

300251

400346

500

433

600566

700

57

693

800745

900842

1000

935

Figure 15 LRU flow table usage with testbed background traffic

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

Capacity = 1000

Capacity = 800

Capacity = 600

Capacity = 400

Capacity = 200

minus10

0

10

20

30

Rela

tive e

rror

minus10

0

10

20

30

Rela

tive e

rror

2 4 6 8 10Group

2 4 6 8 10Group

FIFO usage relative error LRU usage relative error

Figure 16 Flow table usage relative error

the case when dealing with web traffic for example load bal-ancing services For that reason we introduced an extra stageof routing aggregation global routing schedule optimizationFirst we model this routing aggregation problem as a packingoptimization problem and solve it then we perform globalrouting reschedule by rewriting the flow entries accordingto the optimization result and finally we perform anothertime of traditional routing aggregation on these new flowentries After the global routing reschedule there will be

much more aggregatable flow entries so the effectiveness ofrouting aggregation is ensured

52 Multilevel Flow Table Architecture It is important to notethat routing aggregation is not a replacement for the long-term architectural solutions because it does not address theroot causes of the flow table scalability problem and thefollowing inference attack To eliminate the inference attackvulnerability a flow table architecture with larger capacity is

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

12 Security and Communication Networks

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Figure 17 Single-level flow table architecture

Table0

Table1

Tablem

Executeaction

set

Packetin

Packetout

TCAM

Match

Table0

Table1

Tablen

SRAM

Match

Table miss

Executeaction

set

Packetout

Flow tablereplacement

Figure 18 Multilevel flow table architecture

required which can be achieved throughmultilevel flow tableconsisting of both TCAM and SRAM

The original single-level flow table architecture is shownin Figure 17 In this architecture the flow table is completelyimplemented using TCAM An input packet will traversefrom table 0 to table119898 and add corresponding actions to theaction set Then all actions in the action set are executed andthe packet is forwarded according to these actions

Our proposed multilevel flow table architecture is shownin Figure 18 Besides flow table implemented using TCAMwe add another flow table implemented using SRAM whichis cheaper and can provide larger flow table space Underthis multilevel flow table architecture the packet processingpipeline will be different first an input packet will findmatching flow entries in TCAM flow table just like in theoriginal single-level flow table architecture If there is amatchthe packet will execute the corresponding actions and getforwarded If there is no match the packet will continueits lookup in the SRAM flow table If there is a match inthe SRAM flow table the packet can then be forwardedotherwise it will be sent to the controller

From the process above we can see that if the capacityof TCAM flow table is 119898 the capacity of SRAM flow table is119899 and then the multilevel flow table will have a capacity of119898 + 119899 Actually 119899 is far more larger than 119898 so this approachcan greatly increase the flow table capacity thus preventingflow table overflow

6 Discussion

SDNOpenFlow has become a competitive solution for next-generation network and is being more and more widelyused in modern datacenters But considering its key role asthe fundamental infrastructure we have to admit that thesecurity issues of SDNOpenFlow have not been exploredto a large extent Particularly the flow table capacity ofSDNOpenFlow switch is only considered as a vulnerable partfor DDoS and flooding attacks in published researches Butaccording to our analysis in previous sections the flow tablecapacity can lead to potential inference attack if combinedwith reasonable assumptions and RTT measurements

Firstly we found in Section 2 that exactmatch flow entriesas well as the lack of route aggregation would consume a lot

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 13

of flow table space making it impossible to process millionsof flows per seconding using SDNOpenFlow Secondly wefound in Section 4 that assigning the decision making jobof flow table replacement to the controller would lead tosignificant network performance decrease which had to bechanged in time Thirdly there is currently no mature attackdetection mechanism for SDNOpenFlow network so it isquite easy for criminals to exploit system vulnerabilities orinvoke DDoS attacks

The inference method proposed in this paper just usessome basic elements and parameters of OpenFlow such asidle timeout and hard timeout which are significant for theimplementation of SDN These features will not be removedexcept very huge changes made On the other hand althoughsome security frameworks [3] were proposed to detect themalicious insertion of flow rules attackers can also bypass thedetection by some well-designed insertion strategies

All these security issues call for improvements to currentOpenFlow switch and flow table design The improvementsshould at least contain the following aspects (1) New Open-Flow switch architecture like embedding local caches inthe switch or implementing multilevel flow table to achievea much larger flow table capacity With larger flow tablecapacity the switch will not have to query the controller forflow entries which will reduce the interaction latency to alarge extent (2) New flow table maintaining mechanism liketransferring the flow entry deleting workload from controllerto switch Switch itself can decide which flow entry to deleteand then sync state with controller and during the flowentry deleting process the controllerrsquos intervention is notneeded In the widely used OpenFlow Switch Specification140 [19] this mechanism has been added as an optionalfeature but without any mature implementation so far (3)Routing aggregation Routing aggregation canmatch a groupof flows using one flow entry which will reduce the flowtable consuming significantly comparedwith exactmatch (4)Inference attack detection Administrators can develop infer-ence attack detecting applications and then perform defenseslike portspeed limiting or network address validation

From the discussion above we can see that there is stilla long road to go before SDNOpenFlow becomes a trulymature and reliable network paradigm There are still urgentand severe issues to solve which have been neglected in thepast Only by solving these security issues and architecturalvulnerabilities can SDNOpenFlow be widely deployed inreal-world commercial datacenters and fully demonstrate itsrevolutionary flexibility and intelligence

7 Related Work

The inference attack proposed in this paper is motivated bythe limited flow table capacity of SDNOpenFlow switchesThe flow table capacity issue has been presented in manyprevious works like [20ndash24] They all point out the limitationof switch flow table memory and potential scalability andsecurity issue However these works do not give furtheranalysis on the inference attack and information leakagecaused by the limited flow table capacity

Kloti et al [25] present potentially problematic issues inSDNOpenFlow including information disclosure throughtiming analysis However this information disclosurerequires disclosing existing flows with side channel attackwhich is hard to perform in real world Compared with theirapproach our inference attack is self-contained and requiresno prior knowledge

Gong et al [26] present a kind of inference attackusing RTT measurement to infer which website the victimis browsing They recover victimsrsquo network traffic patternsbased on the queuing side channel happened at the Internetrouter However the scenario of their work is in the publicInternet while our approach focuses on SDNOpenFlowinfrastructures in cloud computing network Compared withpublic Internet and website inference the inference attackand information leakage in modern data centers are moresensitive and valuable

Shin and Gu [27] demonstrate a novel attack targetingat SDN networks This attack includes fingerprinting SDNnetworks and further flooding the data plane flow table bysending specifically crafted fake flow requests in high speedIn the fingerprinting phase header field change scanning isused to collect the different response time (RTT) for new flowand existing flow The fingerprinting result is then analyzedto estimate if the target network used SDN technology TheRTT measurement and analysis they used in fingerprintingare similar to our approach But they just perform DoSattacks to the SDN network without performing any furtherinformation leakage or network parameter inference

As for flow table overflow defending strategy Shelly etal [28] and Katta et al [29] introduce flow entry cachingmechanism into SDNOpenflow network by inserting atransparent intermediate layer between controller and switchYan et al [9] use CAB to generate wildcard flow entriesdynamically and reactively to handle bursting network trafficKannan and Banerjee [30] present a flow entry compactionalgorithm to saveTCAMflow table spaceThis algorithmusesflow entry tags instead of matching fields as forwarding rulesKim et al [31] develop a new flow entry management schemeto reduce the controller overhead

8 Conclusion

In this paper we have explored the structure of SDNOpenFlow network and some of the possible security issues itbrings After our detailed analysis of the SDNOpenFlow net-work we proposed a novel inference attack model targetingat the SDNOpenFlow network which is the first proposedinference attack model of this kind in the SDNOpenFlowarea This inference attack is introduced by the OpenFlowswitch especially by its limited flow table capacity The infer-ence attack can be done in a completely passive waymaking ithard to detect and defendWe also implemented the inferenceattack framework and examined the efficiency and accuracyof it using network traffic data from different sources Thesimulation results show that the inference attack frameworkcan infer the network parameter (flow table capacity and flowtable usage) with an accuracy of up to 80 or higher We alsoproposed two possible defense strategies for the discovered

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

14 Security and Communication Networks

vulnerability including routing aggregation algorithm andmultilevel flow table architecture

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

The research presented in this paper is supported in partby the National Key Research and Development Program ofChina (no 2016YFB0800100) the Fund of China NationalAeronautical Radio Electronics Research Institute (PM-12210-2016-001) the National Natural Science Foundation(61572397 U1766215 U1736205 61502383 61672425 and61702407) and State Grid Corporation of China (DZ71-16-030)

References

[1] W Li W Meng and L F Kwok ldquoA survey on OpenFlow-basedSoftware Defined Networks Security challenges and counter-measuresrdquo Journal of Network and Computer Applications vol68 pp 126ndash139 2016

[2] M Brooks and B Yang ldquoA Man-in-the-Middle attack againstOpenDayLight SDN controllerrdquo in Proceedings of the 4thAnnual Conference on Research in Information TechnologyAssociation for Computing Machinery Chicago IL USASeptember 2015

[3] P Porras S Shin V Yegneswaran M Fong M Tyson and GGu ldquoA security enforcement kernel for OpenFlow networksrdquoin Proceedings of the 1st ACM International Workshop on HotTopics in Software Defined Networks HotSDN 2012 pp 121ndash126 Association for Computing Machinery Helsinki FinlandAugust 2012

[4] N Gude T Koponen and J Pettit ldquoNOX towards an operatingsystem for networksrdquoACM SIGCOMMComputer Communica-tion Review vol 38 no 3 pp 105ndash110 2008

[5] A Khurshid W Zhou M Caesar and P B Godfrey ldquoVeriflowVerifying network-wide invariants in real timerdquo in Proceedingsof the Annual Conference of the ACM Special Interest Group onData Communication on the Applications Technologies Archi-tectures and Protocols for Computer Communication ACMSIGCOMM 2012 pp 467ndash472 Finland August 2012

[6] G Zhao L Huang Z Yu H Xu and P Wang ldquoOn the effectof flow table size and controller capacity on SDN networkthroughputrdquo in Proceedings of the 2017 IEEE InternationalConference on Communications (ICC) pp 1ndash6 Paris FranceMay 2017

[7] A RoyH Zengy J BaggayG Porter andAC Snoeren ldquoInsidethe social networkrsquos (Datacenter) networkrdquo in Proceedings of theACM Conference on Special Interest Group on Data Communi-cation SIGCOMM 2015 pp 123ndash137 UK August 2015

[8] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on HotTopics in Software Defined Networking HotSDN 2014 pp 151ndash156 Chicago Illinois USA August 2014

[9] B Yan Y Xu H Xing K Xi and H J Chao ldquoCAB A reactivewildcard rule caching system for software-defined networksrdquo inProceedings of the 3rd ACM SIGCOMM 2014 Workshop on Hot

Topics in Software Defined Networking HotSDN 2014 pp 163ndash168 Chicago Illinois USA August 2014

[10] Katta Naga Jennifer Rexford and David Walker ldquoInfinitecacheflow in software-defined networksrdquo Princeton School ofEngineering and Applied Science 2013

[11] Yanwen Wang Hainan Chen Hainan Chen and Lei ShuldquoAn energy-efficient SDN based sleep scheduling algorithm forWSNsrdquo Journal of Network and Computer Applications vol 59pp 39ndash45 2016 httpdxdoiorg101016jjnca201505002

[12] S-N Yang S-W Ho Y-B Lin and C-H Gan ldquoA multi-RATbandwidth aggregation mechanism with software-defined net-workingrdquo Journal ofNetwork andComputerApplications vol 61pp 189ndash198 2016 httpdxdoiorg101016jjnca201511003

[13] M Dehghan L Massoulie D Towsley D Menasche andY C Tay ldquoA utility optimization approach to network cachedesignrdquo in Proceedings of the 35th Annual IEEE InternationalConference on Computer Communications IEEE INFOCOM2016 San Francisco CA USA April 2016

[14] ldquoMininetrdquo httpmininetorg[15] ldquoPOX Controllerrdquo httpwwwnoxrepoorgpoxabout-pox[16] ldquolibnet-devrdquo httpsgithubcomsam-githublibnet[17] ldquolibpcaprdquo httpwwwtcpdumporg[18] X Zhao Y Liu L Wang and B Zhang ldquoOn the aggregatability

of router forwarding tablesrdquo in Proceedings of IEEE INFOCOM2010 Institute of Electrical and Electronics Engineers SanDiego CA USA March 2010

[19] ldquoOpenFlow Switch Specification 140rdquo httpswwwopennet-workingorgimagesstoriesdownloadssdn-resourcesonf-spec-ificationsopenflowopenflow-spec-v140pdf

[20] S Sezer S Scott-Hayward P Chouhan et al ldquoAre we readyfor SDN Implementation challenges for software-defined net-worksrdquo IEEE Communications Magazine vol 51 no 7 pp 36ndash43 2013

[21] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015

[22] S Scott-Hayward G OrsquoCallaghan and S Sezer ldquoSDN securityA surveyrdquo in Proceedings of the 2013 Workshop on SoftwareDefined Networks for Future Networks and Services SDN4FNS2013 Trento Italy November 2013

[23] A Akhunzada E Ahmed A Gani M K Khan M Imran andS Guizani ldquoSecuring software defined networks Taxonomyrequirements and open issuesrdquo IEEE Communications Maga-zine vol 53 no 4 pp 36ndash44 2015

[24] M Tsugawa A Matsunaga and J A B Fortes ldquoCloud comput-ing securityWhat changes with software-defined networkingrdquoSecure Cloud Computing pp 77ndash93 2014

[25] R Kloti V Kotronis and P Smith ldquoOpenFlow A securityanalysisrdquo in Proceedings of the 2013 21st IEEE International Con-ference on Network Protocols ICNP 2013 Institute of ElectricalandElectronics EngineersGoettingenGermanyOctober 2013

[26] X Gong N Borisov N Kiyavash and N Schear ldquoWebsiteDetection Using Remote Traffic Analysisrdquo in Privacy EnhancingTechnologies vol 7384 of Lecture Notes in Computer Science pp58ndash78 Springer Berlin Heidelberg 2012

[27] S Shin and G Gu ldquoAttacking software-defined networks afirst feasibility studyrdquo in Proceedings of the 2nd ACM SIG-COMMWorkshop onHot Topics in SoftwareDefinedNetworking(HotSDN rsquo13) pp 165-166 Association for Computing Machin-ery Hong Kong China August 2013

Security and Communication Networks 15

[28] N Shelly E J Jackson T Koponen N McKeown and JRajahalme ldquoFlow caching for high entropy packet fieldsrdquo ACMSIGCOMMComputer CommunicationReview vol 44 no 4 pp663ndash668 2014

[29] N Katta O Alipourfard J Rexford and D Walker ldquoInfiniteCacheFlow in software-defined networksrdquo in Proceedings of the3rd ACM SIGCOMM 2014 Workshop on Hot Topics in SoftwareDefined Networking HotSDN 2014 pp 175ndash180 Association forComputing Machinery Chicago Illinois USA August 2014

[30] K Kannan and S Banerjee ldquoCompact TCAM Flow entrycompaction in TCAM for power aware SDNrdquo in Proceedings ofthe 14th International Conference on Distributed Computing andNetworking vol 7730 of Lecture Notes in Computer Science pp439ndash444 Springer Mumbai India 2013

[31] E-D Kim S-I Lee Y Choi M-K Shin and H-J KimldquoA flow entry management scheme for reducing controlleroverheadrdquo in Proceedings of the 16th International Conference onAdvanced Communication Technology Content Centric NetworkInnovation ICACT 2014 pp 754ndash757 Institute of Electrical andElectronics Engineers Pyeongchang South Korea February2014

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Active and Passive Electronic Components

VLSI Design

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Shock and Vibration

Hindawiwwwhindawicom Volume 2018

Civil EngineeringAdvances in

Acoustics and VibrationAdvances in

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom

Journal ofEngineeringVolume 2018

SensorsJournal of

Hindawiwwwhindawicom Volume 2018

International Journal of

RotatingMachinery

Hindawiwwwhindawicom Volume 2018

Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Chemical EngineeringInternational Journal of Antennas and

Propagation

International Journal of

Hindawiwwwhindawicom Volume 2018

Hindawiwwwhindawicom Volume 2018

Navigation and Observation

International Journal of

Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom