Abstract: Software-defined networking (SDN) enables network visibility and intelligence by giving the controller a global view of the topology. The controller maintains and updates this topology in real time using the OpenFlow Discovery Protocol (OFDP), in which LLDP frames are injected through packet-out messages and returned through packet-in messages so that links between switches can be inferred. Without robust security mechanisms, however, OFDP exposes the network to new threats. This article investigates the security threats posed by OFDP packets, focusing specifically on their header fields and data units. We propose novel methods to carry out existing attacks while bypassing current defenses. In addition, we identify two new vulnerabilities that allow an attacker to manipulate link information and to exhaust network resources. Through a series of experiments, we demonstrate that these attacks are feasible. Our findings were responsibly disclosed to the Floodlight controller project, and two CVEs (CVE-2024-57672 and CVE-2024-57673) were assigned. To defend against such attacks, we design LOFDP, which hardens OFDP by thoroughly inspecting the header fields and encrypting the data units. As a lightweight extension to existing controllers, LOFDP filters malformed packets before they can trigger an attack, balancing scalability and security. We implement a prototype of LOFDP and evaluate its effectiveness and performance in a simulated environment. The results show that LOFDP prevents the attacks with negligible added latency.
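The defensive idea in the abstract (inspect the LLDP header fields strictly and protect the data unit so a forged or relayed discovery frame is rejected) can be illustrated in code. The following is an added example written for this page; it is not code from the paper, from LOFDP, or from Floodlight, and the function names (build_discovery_frame, check_discovery_frame), the private OUI, the TLV layout, and the nonce-plus-tag payload are all assumptions of the example. It authenticates the data unit with HMAC-SHA256 rather than encrypting it as the paper does, so that it runs on the Python standard library alone; the point demonstrated is the same: a discovery frame that is malformed, tampered with, or replayed is dropped before it can update the topology.

```python
"""Strict LLDP discovery-frame checker with an authenticated data unit.

Added example for this page, not code from the paper or Floodlight.
Assumptions: a private OUI for the authenticated TLV, a 16-byte truncated
HMAC-SHA256 tag, and a (dpid, port, nonce) data unit bound by that tag.
"""
import hashlib
import hmac
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")   # 01:80:c2:00:00:0e
LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_ORG = 0, 1, 2, 3, 127
OUI = b"\x00\x00\x00"        # assumption: private OUI marking the authenticated TLV
SUBTYPE = b"\x01"            # assumption: subtype of the authenticated TLV
TAG_LEN = 16                 # truncated HMAC-SHA256 tag
MSG_LEN = struct.calcsize("!QIQ")   # dpid (8) + port (4) + nonce (8) = 20 bytes


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type/length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_tlvs(lldpdu):
    """Parse an LLDPDU strictly: every TLV must fit inside the frame, and the
    frame must end with exactly one zero-length End-of-LLDPDU TLV."""
    tlvs, off = [], 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack_from("!H", lldpdu, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError("TLV length exceeds frame")
        tlvs.append((tlv_type, lldpdu[off:off + length]))
        off += length
        if tlv_type == TLV_END:
            if length != 0 or off != len(lldpdu):
                raise ValueError("malformed End TLV or trailing bytes")
            return tlvs
    raise ValueError("missing End-of-LLDPDU TLV")


def build_discovery_frame(key, src_mac, dpid, port, nonce):
    """Controller side: an LLDP frame whose org-specific TLV carries the
    (dpid, port, nonce) data unit and a tag over it."""
    msg = struct.pack("!QIQ", dpid, port, nonce)
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    lldpdu = (tlv(TLV_CHASSIS_ID, b"\x04" + src_mac)           # subtype 4: MAC address
              + tlv(TLV_PORT_ID, b"\x07" + str(port).encode())  # subtype 7: locally assigned
              + tlv(TLV_TTL, struct.pack("!H", 120))
              + tlv(TLV_ORG, OUI + SUBTYPE + msg + tag)
              + tlv(TLV_END, b""))
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def check_discovery_frame(key, frame, seen_nonces):
    """Receiving side: accept only a well-formed, authenticated, fresh
    discovery frame. Returns (dpid, port) or raises ValueError."""
    if len(frame) < 14 or frame[:6] != LLDP_MCAST:
        raise ValueError("bad destination MAC")
    if struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    tlvs = parse_tlvs(frame[14:])
    # Header-field inspection: mandatory TLVs present, in order, well sized.
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    if tlvs[0][1] != b"\x04" + frame[6:12]:
        raise ValueError("chassis ID does not match source MAC")
    if len(tlvs[2][1]) != 2 or struct.unpack("!H", tlvs[2][1])[0] == 0:
        raise ValueError("bad TTL TLV")
    # Data-unit inspection: exactly one authenticated TLV, tag valid, nonce fresh.
    units = [v[4:] for t, v in tlvs if t == TLV_ORG and v[:4] == OUI + SUBTYPE]
    if len(units) != 1 or len(units[0]) != MSG_LEN + TAG_LEN:
        raise ValueError("expected exactly one authenticated data unit")
    msg, tag = units[0][:MSG_LEN], units[0][MSG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("data unit fails authentication")
    dpid, port, nonce = struct.unpack("!QIQ", msg)
    if nonce in seen_nonces:
        raise ValueError("replayed discovery frame")
    seen_nonces.add(nonce)
    return dpid, port


if __name__ == "__main__":
    # Constructed sample: one switch, one port, one fresh nonce.
    key = b"\x11" * 32
    frame = build_discovery_frame(key, bytes.fromhex("0a0000000001"), 1, 3, 42)
    print(check_discovery_frame(key, frame, set()))
```

The parser refuses any TLV that overruns the frame, any frame without a terminating End TLV, and any bytes after it, which is where a malformed-packet filter would sit in a controller; the data-unit check then rejects a tag mismatch (a modified switch or port field) and a repeated nonce (a relayed copy). In a real deployment the key would be held by the controller only, and the nonce set would be bounded by the TTL window rather than kept forever.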
External IDs: dblp:journals/tdsc/DengYG25