Packet Injection Exploiting Attack and Mitigation in Software-Defined Networks

Software-defined networking (SDN) decouples the control plane and data plane through OpenFlow technology and allows flexible network control. It has been widely applied in different areas and has become a focus of attention in the future network. With SDN's development, its security problem has become a necessary point of research to be solved urgently. In this paper, we propose a novel attack, namely, the packet injection exploiting attack. By maliciously injecting false hosts into SDN network topology, attackers can further use them to launch a denial of service (DoS) attack. The consequences affect the throughput and processing capabilities of the controller, severely consume data plane resources, and ultimately affect the entire network. To prevent the packet-injection exploiting attack, we designed PIEDefender, an efficient, protocol-independent component built on SDN controllers to detect and mitigate attacks effectively. We implement the PIEDefender prototype on the Floodlight controller and assess the effectiveness in the software environment. Experimental results show that PIEDefender achieves a 97.8% injection detection precision and a 97.96% DoS detection precision, incurring an average CPU consumption of 10%. The evaluation demonstrates that the PIEDefender can effectively mitigate the attack against SDN with limited overhead.