We are interested in OpenFlow networks security as OpenFlow is currently the most deployed SDN technology by hardware and software vendors. We demonstrate some techniques allowing an attacker placed in the data plane, which is supposed to be physically separate from the control plane, to detect which SDN controller is managing the network. SDN controllers are considered as Network Operating Systems (NOSs) and often viewed as single point of failure. Detecting which SDN controller is managing the target network is a big step for an attacker to launch effective attacks on it. To our best knowledge, this is the first work on fingerprinting SDN controllers, with as primary goal to emphasize the necessity to highly secure the controller in an SDN network. We study the common case where the attacker is in the data plane. Otherwise, if the attacker can get into the control network, the detection of the OpenFlow controller may be simpler by using traditional remote-service fingerpirinting techniques.

1. Fingerprinting OpenFlow Controllers: First step to
attack an SDN control-plane
Abdelhadi Azzouni 1 Othman Braham 2 Nguyen Thi Mai Trang 1
Guy Pujolle 1 Raouf Boutaba 3
1Universit´e Pierre et Marie Curie, France
2VirtuOR, France 3University of Waterloo, Canada
GLOBECOM, 2016
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 1 / 1

2. Outline
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 2 / 1

3. Outline
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 3 / 1

4. Introduction
Fingerprinting remote systems - Story 1
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

5. Introduction
Fingerprinting remote systems - Story 1
Mirai
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

6. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

7. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
It primarily targets IoT devices
such as DVRs, remote cameras
and home routers
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

8. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
It primarily targets IoT devices
such as DVRs, remote cameras
and home routers
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

9. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
It primarily targets IoT devices
such as DVRs, remote cameras
and home routers
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

10. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
It primarily targets IoT devices
such as DVRs, remote cameras
and home routers
Source: downdetector.com
Mirai botnet has been used in
some of the largest DDoS
attacks, including the one on
Dyn last October 2016
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

11. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
It primarily targets IoT devices
such as DVRs, remote cameras
and home routers
Source: downdetector.com
Mirai botnet has been used in
some of the largest DDoS
attacks, including the one on
Dyn last October 2016
Mirai targets only BusyBox
equipped devices
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

12. Introduction
Fingerprinting remote systems - Story 1
Mirai
Mirai is also a malware that
turns computer systems running
Linux into bots
It primarily targets IoT devices
such as DVRs, remote cameras
and home routers
Source: downdetector.com
Mirai botnet has been used in
some of the largest DDoS
attacks, including the one on
Dyn last October 2016
Mirai targets only BusyBox
equipped devices
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 4 / 1

13. Introduction
Fingerprinting remote systems - OS fingerprinting
Linux
Solaris Windows
XP
Windows
Vista
OS X
Fingerprinting is used to identify:
operating systems of hosts
versions of software on hosts
hosts running versions with
vulnerabilities
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 5 / 1

14. Outline
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 6 / 1

15. Introduction
Fingerprinting SDN controllers
ODL
POX
NOX
Open
Floodlight
ONOS
Fingerprinting is used to identify:
If the network is SDN or not
The controller managing the
network
Vulnerable SDN software
running on the controller
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 7 / 1

16. Motivation & Background
SDN vs Traditional Networks
Software-Defined Networking
(SDN) offers a great flexibility
to control networks
SDN is a cost-effective solution
SDN will dominate most of the
networking market in the next
few years
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 8 / 1

17. Motivation & Background
Future networks are SDN
Source: SDN and NFV forecast report 2015 sdxcentral.com
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 9 / 1

18. Motivation & Background
Future networks are SDN
Source: SDN and NFV forecast report 2015 sdxcentral.com
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 10 / 1

19. Motivation & Background
Future networks are SDN
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 11 / 1

20. Motivation & Background
SDN are not secure yet
SDN security is not proven yet
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 12 / 1

21. Motivation & Background
SDN are not secure yet
SDN security is not proven yet
SDN controllers are potentially subject to a new set of risks and
threats compared to conventional network architectures
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 12 / 1

22. Motivation & Background
SDN are not secure yet
SDN security is not proven yet
SDN controllers are potentially subject to a new set of risks and
threats compared to conventional network architectures
networkworld.com
SDN controller is a single point of failure
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 12 / 1

23. Motivation & Background
SDN are not secure yet
SDN security is not proven yet
SDN controllers are potentially subject to a new set of risks and
threats compared to conventional network architectures
networkworld.com
SDN controller is a single point of failure
Any information of any type could be highly useful for an adversary to take down
the controller
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 12 / 1

24. Our objective
Prove the feasibility of getting some controller’s information (such as
the controller’s type and other control parameters) from the data
plane.
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 13 / 1

25. Outline
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 14 / 1

26. Timing-Analysis based techniques
Timeout values inference
This is an OpenFlow entry
The Timeout values differ between controllers
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 15 / 1

27. Timing-Analysis based techniques
Timeout values inference 2
Idle timeout inference
Flow rule installed in the switch
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 16 / 1

28. Timing-Analysis based techniques
Timeout values inference 2
Idle timeout inference
Flow rule installed in the switch
after 200 measurements of RTT,
RTT avg=0.350ms
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 16 / 1

29. Timing-Analysis based techniques
Timeout values inference 2
Idle timeout inference
Flow rule installed in the switch
after 200 measurements of RTT,
RTT avg=0.350ms
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 16 / 1

30. Timing-Analysis based techniques
Timeout values inference 2
Idle timeout inference
Flow rule installed in the switch
after 200 measurements of RTT,
RTT avg=0.350ms
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
Idle timeout = wait
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 16 / 1

31. Timing-Analysis based techniques
Timeout values inference 2
Idle timeout inference
Flow rule installed in the switch
after 200 measurements of RTT,
RTT avg=0.350ms
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
Idle timeout = wait
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 16 / 1

32. Timing-Analysis based techniques
Timeout values inference 3
Hard timeout inference
RTT avg and idle timeout computed
and flow rule installed in the switch
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 17 / 1

33. Timing-Analysis based techniques
Timeout values inference 3
Hard timeout inference
RTT avg and idle timeout computed
and flow rule installed in the switch
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 17 / 1

34. Timing-Analysis based techniques
Timeout values inference 3
Hard timeout inference
RTT avg and idle timeout computed
and flow rule installed in the switch
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
”wait” value must be less than
idle timeout
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 17 / 1

35. Timing-Analysis based techniques
Timeout values inference 3
Hard timeout inference
RTT avg and idle timeout computed
and flow rule installed in the switch
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
”wait” value must be less than
idle timeout
hard timeout = hard timeout + wait
when RTTx − RTTavg threshold
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 17 / 1

36. Timing-Analysis based techniques
Timeout values inference 3
Hard timeout inference
RTT avg and idle timeout computed
and flow rule installed in the switch
Every ”wait” seconds, measure
RTTx until
RTTx − RTTavg >> threshold
”wait” value must be less than
idle timeout
hard timeout = hard timeout + wait
when RTTx − RTTavg threshold
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 17 / 1

37. Timing-Analysis based techniques
Processing-time inference
The main idea is to measure the response time of the target controller and
compare it to the processing-time database created beforehand
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 18 / 1

38. Timing-Analysis based techniques
Processing-time inference
The main idea is to measure the response time of the target controller and
compare it to the processing-time database created beforehand
(t1 + t6) ∗ 2 + t7 = RTT
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 18 / 1

39. Timing-Analysis based techniques
Processing-time inference
The main idea is to measure the response time of the target controller and
compare it to the processing-time database created beforehand
(t1 + t6) ∗ 2 + t7 = RTT
t2, t3 and t7 can be neglected
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 19 / 1

40. Timing-Analysis based techniques
Processing-time inference
The main idea is to measure the response time of the target controller and
compare it to the processing-time database created beforehand
(t1 + t6) ∗ 2 + t7 = RTT
t2, t3 and t7 can be neglected
t3 can be neglected too
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 20 / 1

41. Timing-Analysis based techniques
Processing-time inference
The main idea is to measure the response time of the target controller and
compare it to the processing-time database created beforehand
(t1 + t6) ∗ 2 + t7 = RTT
t2, t3 and t7 can be neglected
t3 can be neglected too
t4 can be used to guess the controller
How to infer t4?
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 21 / 1

42. Timing-Analysis based techniques
Processing-time inference
The main idea is to measure the response time of the target controller and
compare it to the processing-time database created beforehand
Step 1: build the Processing-Time Database
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 22 / 1

43. Timing-Analysis based techniques
Processing-time inference (Step1: Building the processing-time database)
for each controller
Send N pings in such a way each ping
(ping i) invokes the controller to install
a rule (wait > idle timeout)
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 23 / 1

44. Timing-Analysis based techniques
Processing-time inference (Step1: Building the processing-time database)
for each controller
Send N pings in such a way each ping
(ping i) invokes the controller to install
a rule (wait > idle timeout)
Compute average(RTT i) then compute
processing time =
average(RTT i) − RTT avg)
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 23 / 1

45. Timing-Analysis based techniques
Processing-time inference (Step1: Building the processing-time database)
for each controller
Send N pings in such a way each ping
(ping i) invokes the controller to install
a rule (wait > idle timeout)
Compute average(RTT i) then compute
processing time =
average(RTT i) − RTT avg)
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 23 / 1

46. Timing-Analysis based techniques
Processing-time inference
Step 2: Fingerprint the target controller using the processing-time
database
Infer the processing time of the target
controller
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 24 / 1

47. Timing-Analysis based techniques
Processing-time inference
Step 2: Fingerprint the target controller using the processing-time
database
Infer the processing time of the target
controller
Compare the inferred processing time to
the Processing-time database
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 24 / 1

48. Timing-Analysis based techniques
Processing-time inference
Step 2: Fingerprint the target controller using the processing-time
database
Infer the processing time of the target
controller
Compare the inferred processing time to
the Processing-time database
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 24 / 1

49. Outline
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 25 / 1

50. Packet-Analysis based techniques
OpenFlow Discovery Protocol (OFDP) packet analysis:
How OFDP works:
In order to discover the link
s1 → s2
The controller sends a OFDP
packet to s1
s1 forwards the OFDP packet
through all its ports
s2 receives the OFDP packet
s2 forwards the OFDP packet to
the controller
The controller concludes there is
a link between s1 and s2
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 26 / 1

51. Packet-Analysis based techniques
OpenFlow Discovery Protocol (OFDP) packet analysis:
The attacker in VM1 intercepts OFDP packets and analyses them in
order to guess the controller
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 27 / 1

52. Packet-Analysis based techniques
OpenFlow Discovery Protocol (OFDP) packet analysis:
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 28 / 1

53. Test environment
Four physical machines (only three are shown above)
Carrying 4 virtual machines each
Connected using Open vSwitch
Random traffic to random destinations is generated using ping and
iperf
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 29 / 1

54. Results
Processing-time inference - Results:
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 30 / 1

55. Results
OFDP packet analysis - Results:
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 31 / 1

56. Summary
The first main message of your talk in one or two lines.
The second main message of your talk in one or two lines.
Perhaps a third message, but not more than that.
Outlook
Something you haven’t solved.
Something else you haven’t solved.
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 32 / 1

57. For Further Reading I
A. Author.
Handbook of Everything.
Some Press, 1990.
S. Someone.
On this and that.
Journal of This and That, 2(1):50–100, 2000.
shortname (LIp6, UPMC) Fingerprinting OpenFlow Controllers: First step to attack an SDN control-planeGLOBECOM, 2016 33 / 1