Securing SDN Infrastructure of IoT-Fog Networks From MitM Attacks

While the Internet of Things (IoT) is making our lives much easier, managing the IoT becomes a big issue due to the huge number of connections, and the lack of protections for devices. Recent work shows that software-defined networking (SDN) has a great capability in automatically and dynamically managing network flows. Besides, switches in SDNs are usually powerful machines, which can be used as fog nodes simultaneously. Therefore, SDN seems a good choice for IoT-Fog networks. However, before deploying to IoT-Fog networks, the security of the OpenFlow channel between the controller and its switches need to be addressed. Since all the controller commands are sent through this channel, once compromised, the network will be completely controlled by an attacker. This is a disaster for both the network service providers and their customers. Previous works on SDN security either protect controllers themselves or make a strong assumption that the OpenFlow channel is already secured. Using TLS to encrypt the channel is not a "silver-bullet" solution due to the known TLS vulnerabilities. In this paper, we specifically investigate the potential threats of man-in-the-middle attacks on the OpenFlow control channel. We first introduce a feasible attack model in an IoT-Fog architecture, and then we implement attack demonstrations to show the severe consequences of such attacks. Additionally, we propose a lightweight countermeasure using Bloom filters. We implement a prototype for this method to monitor stealthy packet modifications. The result of our evaluation shows that our Bloom filter monitoring system is efficient and consumes few resources.