This document discusses a master's thesis project on SDN security by Paras Hematbhai Dudhatra submitted to Dalhousie University in 2016. It includes an introduction to SDN architecture and security, a comparison of attacks on SDN versus traditional networks, an overview of spoofing and denial of service attack methodologies on SDN, and a discussion of security controls for SDN like firewalls, access control, intrusion detection/prevention, and policies. The document contains acknowledgements, an executive summary, table of contents, and is organized into 5 chapters covering various aspects of SDN security.

1. SDN Security
by
Paras Hematbhai Dudhatra
Submitted in partial fulfilment of the requirements for the degree of
MASTER OF ENGINEERING
Major Subject: Internetworking
at
DALHOUSIE UNIVERSITY
Halifax, Nova Scotia
January, 2016
© Copyright by Paras Hematbhai Dudhatra, 2016

2. ii
Dalhousie University
Faculty of Engineering
Internetworking
The undersigned hereby certify that they have read and award a pass in INWK 6800 for
the seminar project entitled "SDN-Security" by Paras Hematbhai Dudhatra in partial
fulfilment of the requirements for the degree of Master of Engineering.
___________________________
Ali Nafarieh.

3. iii
DALHOUSIE UNIVERSITY
INTERNETWORKING PROGRAM
AUTHORITY TO DISTRIBUTE REPORT
Title:
SDN Security
The Internetworking Program may make available or authorise others to make available
individual photo/microfilm or soft copies of this report without restrictions after 12th Feb
2016.
The author attests that permission has been obtained for the use of any copyrighted
material appearing in this report (other than brief excerpts requiring only proper
acknowledgement in scholarly writing) and that all such use is clearly acknowledged.
Full Name of Author: Paras Hematbhai Dudhatra
Signature of Author: _________________________
Date: _________________________

4. iv
TABLE OF CONTENTS
LIST OF FIGURES .......................................................................................................................................................v
LIST OF SYMBOLS AND ABBREVIATIONS ..................................................................................................vi
ACKNOWLEDGEMENTS ......................................................................................................................................vii
EXECUTIVE SUMMARY ......................................................................................................................................viii
1 INTRODUCTION ..............................................................................................................................................1
1.1 SDN ARCHITECTURE AND ITS IMPORTANCE................................................................................................1
1.2 SECURITY IN SDN ............................................................................................................................................3
1.3 SECURITYPLATFORM IN SDN ........................................................................................................................3
1.3.1 Open-Flow..............................................................................................................................................3
1.4 THREATS ON SDN NETWORKS.......................................................................................................................4
1.5 OUTLINE.............................................................................................................................................................5
2 COMPARISON BETWEEN SDN AND TRADITIONAL ATTACKS ...............................................6
2.1 OPPORTUNITIES AND CHALLENGES................................................................................................................6
2.2 PREVENTION AND GOALS................................................................................................................................6
2.3 ELEVATION OF PRIVILEGE...............................................................................................................................7
2.4 SUMMARY..........................................................................................................................................................7
3 METHODOLOGY .............................................................................................................................................8
3.1 SPOOFING...........................................................................................................................................................8
3.1.1 ARP Spoofing.........................................................................................................................................8
3.1.2 IP Spoofing.............................................................................................................................................9
3.2 DENIAL OF SERVICE ATTACK..........................................................................................................................9
3.2.1 Detection of DoS ...................................................................................................................................9
3.2.2 Types of Dos Attack in SDN environment.......................................................................................10
3.2.2.1 Switch Dos (Attack on Forwarding Plane) ....................................................................................... 10
3.2.2.2 Distributed DoS (Attack on Control Plane)...................................................................................... 10
3.3 SUMMARY........................................................................................................................................................11
4 SECURITY CONTROLS IN SDN...............................................................................................................12
4.1 FIREWALL IN SDN..........................................................................................................................................12
4.1.1 Types of Firewalls...............................................................................................................................12
4.1.1.1 Stateless Firewall .............................................................................................................................. 12
4.1.1.2 Stateful Firewall ................................................................................................................................ 12
4.2 ACCESS CONTROL IN SDN ............................................................................................................................13
4.3 IDS AND IPS....................................................................................................................................................14
4.3.1 IDS integration with tools..................................................................................................................14
4.4 SDN POLICY....................................................................................................................................................14
4.4.1 SDN policy languages........................................................................................................................15
4.5 MONITORING AND AUDITING.......................................................................................................................16
4.6 BYOD SECURITY CONTROLS IN SDN..........................................................................................................16
4.7 SUMMARY........................................................................................................................................................17
5 CONCLUSION..................................................................................................................................................18

5. v
LIST OF FIGURES
Figure 1.1 SDN Architecture .............................................Error! Bookmark not defined.
Figure 1.2 Security issues in SDN and its countermeasures................................................4

6. vi
LIST OF SYMBOLS AND ABBREVIATIONS
SDN Software Defined Network
VAVE Virtual Address Validation Improvement
SAVE Source Address Validation Improvement
ARM Address Resolution Module
ARP Address Resolution Protocol
DNS Domain Name System
ACL Access Control List
IPS Intrusion Prevention System
IDS Intrusion Detection System
FML Flow based Management Language
BYOD Bring Your Own Device
BYON Bring Your Own Network

7. vii
ACKNOWLEDGEMENTS
I might want to express my profound commitment to Prof. Ali Nafarieh for his beneficial
and productive suggestions during the planning and foundation of this exploration work.
His willingness to give his time so abundantly has been all that much acknowledged. I
might likewise want to grow my gratitude Mr. Vishvesh Dave and Mr. Dilip Patel for his
suggestions of several analysis.
At long last, I wish to thank my guardians and parents for their backing and motivation
throughout my work.

8. viii
EXECUTIVE SUMMARY
SDN is considered as a future platform of networking infrastructure and technologies and
studies are conducting actively in this paradigm. Till now the security of SDN is still a big
question if we focus on a network security. Exploration of the enabling the security in
software defined networks are one of its diverse feature. We talk about security threats
indicated by their belonging like spoofing, tampering, repudiation, Denial of
administration and services and Divulgences of information. We also audit an extensive
security controls like firewalls, Intrusion Detection System, Intrusion Prevention System,
access control. we also portray the several path of advancement in this paradigm. we also
discuss the security advantages which is bring by SDN and address some issues which
exploits SDN capabilities.

9. 1 INTRODUCTION
1.1 SDN Architecture and its Importance
SDN (Software Defined Networking), another rising building design of systems for
managing system gadgets and progress by a software control. It also decouples the Data
plane (forwarding plane) and Control plane tends to a centralized network architecture
[4]. As an emerging paradigm, it brings an opportunity for network management from
simplicity, elasticity and programmability point of view. Also many efforts are made
to make standard SDN environment.
SDN is based on idea turning the traditional networks complexity into a simple
switches having functionality to follow the forwarding rules which is designed by a
logically centralized programmable and distributed controller, instead of routing device
to perform the both task. Beside this, devices of SDN network has capability to records
the traffic statistics unlike traditional networks having very less devices to perform this
[4]. It provides open environment, so that developers can develop a Middlebox which
interact with controller platforms. Such open source tools like OpenDayLight,
Floodlight, Ryu and Beacon, which is not a vendor specific and provide users to
experiment their own networking protocols on live networks with real traffic [2].

10. 2
Figure 1.1 SDN Architecture [2]
SDN had shift networks to flow based management and control from IP based. From
above Figure 1.1 it is covered by API’s which plays important role in programming
and maintain software based network. Here forwarding decision are made according
to flow. Switches and firewalls are operated on basis of Record a rules not by
protocol configured in switch. SDN also respond the activities which makes dynamic
decisions and more easy to configure or reconfigure the network.

11. 3
1.2 Security in SDN
While SDN enables new networking applications, security has become an important
aspect as it not yet a built-in-feature of the architecture. According to research, various
security attacks has been possible on SDN networks through different components
present in the network. Code vulnerability also have an important impact as the major
architecture is software dependent [2].
Security may come unintentionally from normal applications or network users
tampering network configuration or its architecture. Risk is also come intentionally
from several hacking methodology which compromises those applications. Many
efforts are currently being made to standardize this emerging paradigm, it is also quite
important to pay attention towards security until it becomes mature.
1.3 Security platform in SDN
There are many Open Source tools available for the designing of controller, which
provides the environment for development and testing on live infrastructure.
1.3.1 Open-Flow
OpenFlow is an open standard and released first for SDN, it is widely deployed by
networking vendors. Many of SDN’s security advantages are exploited well in
OpenFlow. OpenFlow neither enforces switches to support conditional rules nor
specifies how each rules should be handled. Hence, malicious traffic is not directly
triggered by switches but it is handled by rules framed in a controller after analysis of
traffic statistics collected by switches. Open flow has capability of proactive rule
caching through reactive rule caching is more widely used [4].

12. 4
1.4 Threats on SDN Networks
As SDN decouples the network in Data-Plane (Forwarding Plane) and Control-Plane,
this section divide those attack into three categories based on which part of SDN
paradigm they target [4].
Possible targets are :-
 Attack at Data-Plane level.
 Attack at Control-plane level.
 Attack at link between two plane.
Figure 1.2 Security issues in SDN and its countermeasures [2]
There are several counter-measures to the above attacks and addition to this many threat
detection and prevention tools one can design and implement to cop up such situation
on network that we will discuss in upcoming chapters.
Figure 1.2 shows causes behavior and mitigation technique use to prevent such attacks
within different planes in SDN.

13. 5
1.5 Outline
The material in this report is organised into 5 chapters. The chapters deal with the
following topics:
Chapter 2 – Comparison between SDN and Traditional attacks.
Chapter 3 - Security threats and mitigation in SDN.
Chapter 4 – Security controls in SDN
Chapter 5 discusses the results of all experiments and draws conclusions.

14. 6
2 COMPARISON BETWEEN SDN AND TRADITIONAL
ATTACKS
2.1 Opportunities and challenges
As a new architecture, it exposes new security challenges and opportunity. Attacker
exploits network by resolving vulnerabilities and tests the strength and weakness of
network. An attack based on newly discovered loopholes in networks are known as
zero day attack. As a dynamic network, the significant amount of traffic is exchanged
between controller and switches. Hence there is vast difference as compared to
traditional networks from security point of view.
There are several types of attacks and method which is easy to invade SDN
environment as compare to current networks.
DoS attacks are found in larger in numbers in SDN as it frequently exchanges data
between controller and switch. While attacks like spoofing has very less chances of
occurrence due to its dependency on tricking network services like DNS, ARP, etc.
which is based on obsolete information. Along with that, updates are frequent in SDN
so that inclusion and exclusion of host, IP addresses, and MAC addresses should be
quickly discovered and accommodated.
2.2 Prevention and Goals
SDN architecture tries to approach this problem by dedicating a special connection
between controller and switches. Designing a dynamic and programmable security
controls is an ambitious goal which is fully capable to operate with no human
interaction and such controls can respond in real time to network changes and threats.

15. 7
2.3 Elevation of privilege
On entering into a system, attacker try to get the access privilege for accessing the
resources of the running application which require special permission. The method
known as pedigree use to trace the system and tag the running application with special
identity. Scalability is major problem with logging and auditing as they store large bulk
of data which affects storage and bandwidth.
The solution to this type of attack is to give privilege based on flow rather than on host
or user. It reduce problem of escalating privilege because user are frequently screened
for possible privilege. PermOf is also a control management system includes a
comprehensive access level for controller and network resource.
2.4 Summary
In this chapter we discussed the general difference between the security issues of
current network system and SDN which is totally flow based and major control is over
software. Along with this, there are several old type of attacks which can be of no use
in SDN and also the pay off in the new infrastructure. Ease access through tampering
privilege and get the access of system to harm it.

16. 8
3 METHODOLOGY
In this chapter we discuss the several Methodology of attacks on SDN networks and
various techniques to prevent it.
3.1 Spoofing
Principle: The purpose of spoofing is to redirect traffic to illegitimate hosts and it can
be mitigated by proper authentication schemes.
Forging network information like IP, MAC, ARP to hide actual identity of traffic
originator is known as Spoofing. It is a part of larger attack like Smurf, Flooding.
Currently ARP spoofing and IP spoofing threats are primarily included in SDN [2].
In general attacks prevention methods are divided in two categories
i) High resolution methods :- it requires packet level information given as input.
Ex. ARP & IP spoofing, cache poisoning.
ii) Low Resolution methods :- it require the flow level information given as input.
Ex. DoS and DNS amplification.
3.1.1 ARP Spoofing
ARP is use for resolving MAC address to a legitimate IP address. It hijack the traffic
from original receiver such that legitimate user is knock out of network. In SDN,
Address Resolution Mapping (ARM) module use to track MAC addresses from
authorized host. Controller consults this ARM module and discards unauthorized ARP
response.
SSL encryption is used to prevent ARP poisoning between controller and switches in
OpenFlow.

17. 9
ARP spoofing can be prevented by using anti-ARP poisoning switch application in
POX OpenFlow controller. It can also countered by inspecting packet level information
[2].
3.1.2 IP Spoofing
IP spoofing is the initiator of other types of attacks, such as DNS tampering. In this
type of attack the IP addresses are changes to reroute traffic to illegitimate websites by
manipulation with DNS directories [2].
Enforcement of strong password and encryption methods is necessary to avoid it [2].
Also IP address verification method also use to counter it. SAVI (Source Address
Validation Improvement) is a standard formalized by IETF which is use to verify
addresses of packets based on binding validation. VAVI (Virtual Address Validation
Edge) is extension of SAVI and based on Open-Flow. VAVE module is embedded in
controller verifies address of external packets that have no record in flow table.
3.2 Denialof service Attack
Dos attack is the low resolution attack and one of the most serious threat to any network
as it affects the overall performance of network by increasing latency and dropping the
legitimate packets. It may also lead to disable whole network or stop functioning. In
SDN networks, due to continuous flow between controller and switches can tempt
attacker to push their flow between them and interrupt network activity [2].
3.2.1 Detection of DoS
As DoS is one of the flow level resolution attack, the flow level information is use to
detect such attacks. Flow based detection system are rely on flow header which is at
flow level [2]. It has large unbalanced traffic, fan in and fan out where most of traffic
is going in one direction. The main challenge to detect DoS attack is to distinguish
normal packet and DoS flooding packet. A major concern to differentiate them is the

18. 10
maintenance and monitoring much data will degrade network performance. By having
dedicated module such task can be a more helpful to avoid network performance
degradation.
3.2.2 Types of Dos Attack in SDN environment
Mainly on SDN networks three DoS attacks are possible which are,
3.2.2.1 Switch Dos (Attack on Forwarding Plane)
SDN switches have limited storage capacity and rely on the rules framed by the
controller, it is not possible to store all rules in switch. So caching mechanism is
adopted to match rules for incoming packets, if a packet is not in cache it queries
controller. Once rule received packet is processed [4].
This mechanism makes switch vulnerable to DoS attack where a malicious user flood
switch with larger size data packets so that rule cannot be cached in forwarding table
[4].
Solution :- Proactive caching is done where switch do not wait for receive packets, but
cache a priori as many rules as table can fits [4].
3.2.2.2 Distributed DoS (Attack on Control Plane)
Control plane is susceptible to this attack as multiple hosts distributed in network may
flood. As all rules are not already available in switches many query is generated to end
up processing power for legitimate users [4].
Solution: Replication is done to mitigate such attacks, where multiple controllers
manage the network rather than a single one [4].

19. 11
3.3 Summary
In this chapter, we discussed attacks possible on SDN networks which is a basic attacks
but very important to understand as it affects the whole network infrastructure. And
several prevention and solution to mitigate such situation.

20. 12
4 SECURITY CONTROLS IN SDN
4.1 Firewall in SDN
Firewall is a security mechanism and monitor traffic and make decision based on the
basis of access policy specified in it by network administrator or user. It work on Data
link layer and network layer in OSI protocol stack [4].
In SDN based firewall, REST API of northbound is a gateway to interact with
controller. It allow user developed application to communicate with controller which
is beneficiary for firewall to have global view of whole network [4].
4.1.1 Types of Firewalls
SDN differentiate the firewall based on the inspection strategy and several parameters.
On that basis the two types of firewalls are shown below.
4.1.1.1 Stateless Firewall
Stateless firewall analyze the network by studying packet or flow without considering
other packet flow or flow rules and other network system and environment variables.
It does not keep the current traffic situation of network [2].
4.1.1.2 Stateful Firewall
Unlike stateless firewall, its analyze network by combining rules and traffic in network.
It also handles different protocols (TCP, UDP, ARP, ICMP) together. Switch sends all
packet to controller when it trigger stateful packet inspection on switch [2].
As forwarding planes are stateless, the packet level information is only provided in
controller with limited access. Hence without controller, stateful packet inspection is
near to impossible.

21. 13
[Kata et al] presented Flog, having stateful firewall can be built using programming
languages and use to detect malicious code from insiders [2].
[Zhu et al] discovered stateful forwarding abstraction in Data plane provides packets
stateful network processing require upper layer information. It also interact with event
such as topology changes [2].
4.2 Access control in SDN
Access control solution in SDN is dynamic and flexible. Policy of access control is
implemented in firewall as per customize requirement in the controller [2].
There are several architecture in access control proposed by different scientist are as
below.
 [Casudo et al] proposed Ethane SDN architecture which allows manager to enforce
hosts control by fine grained access control policies. It uses flow based networks
and central controller [2].
 [Nayak et al] had discussed dynamic monitoring in SDN ACL. An access control
system called resonance is connected directly with real time monitoring which
accelerate cycle to taking alert from getting information [2].

22. 14
4.3 IDS and IPS
Investigation of packet by existing threat inventory of data mining, pattern
recognition and signature matching to stop or allow packet is done by Intrusion
Detection/Prevention System. SDN IDS utilize flow information in real time, it has
made the security mechanism distributed. It distribute IDS task through switches and
agent in network. This process is done by controller [1].
4.3.1 IDS integration with tools
Snort is an IDS which is integrated with SDN. Such integration has several challenges.
One of the common way to set things is for controller is to receive the first packet or
the first few packet and install rules in switches for the whole flow, hence it reduces
the processing power of controller for an instance.
Another alternatives is to create service inside controller to manage a set of machine
which is running snorts and to install rules that redirect traffic to machines which is
running snort [2].
4.4 SDN policy
SDN expect to facilitate automatic configuration, assessment, and implementation of
network policies. Unlike the policies in traditional network are embedded in firewall
and its ACL, SDN allow policies at different level of abstraction. SDN bring new
opportunity for interpretation, update, evaluation, and enforcement of policies by
automatic tools with least human interaction [2].

23. 15
4.4.1 SDN policy languages
The purpose of policy language is to write formal and semi-formal policies which
bridges the two level of abstraction. When administrator writes policy in high level
language it converts it into machine understandable format.
Several languages of policy language are as below:
 [Hinrichs et al] proposed Flow based Management Language (FML) to express
access list for NOX controller. It is based on DATALOG, a declarative logic
language use for connection with database. Decision tree is use to implement policy
to reach correct matching rule for current flow. FML maintain states related to list
of users and their devices, access control decision is based on value of flow field or
attributes [2].
 [Ballard et al] proposed ALARMS, it is flow based specification language to
interact with OpenFlow flows. It is used as administration tool to enforce policy
through controlling and routing traffic. It also add several attributes to FML related
to flow content which enables access control and manipulation beyond the Data
Link layer and Network layer [2].
 [Foster et al] introduced the frenetic language for programming the switches. It is
not only developed for policies but also to generally assist in network services like
routing, access control and traffic monitoring. It has two level of abstraction, high
level to construct and manipulate network traffic and low level to interact with
switches. It solve the constraint of handling policy [2].

24. 16
4.5 Monitoring and Auditing
Monitoring and auditing tools are important tool for security controls in network. SDN
gives opportunity related to amount of details to be gathered at packet level and flow
level which is difficult and consumes more resource in traditional networks.
Monitoring tool collect flow related information FleXam is an tool of OpenFlow
protocol which allow access to packet level information to controller. Another solution
is to sampling in OpenFlow traffic which differentiate between security and Quality of
Service monitoring. In security monitoring the traffic patterns are analyze for
possibility of attacks while in QoS monitoring sampling shows the incorrect view of
network health [2].
4.6 BYOD security controls in SDN
BYOD (Bring Your Own Device) is very popular in companies, schools and public
places. Accepting and embracing the usage of those device without any security control
lead to risk and also can be hacked by intruders. A security and accountability is two
major concern for allow user to access network and find services. As preventing to use
network is not a proper alternative leads to employ security control which is very agile
and temporal. Apart from this another factor is scalability because of frequent network
and control update information [3].
BYON (Bring Your Own Network) is introduced for a networks when there is a large
number of mobile devices. Its goal is to optimize mobile networks resource utilization,
hence to avoid security compromising, network should align each user or device to a
particular network slice [3].

25. 17
4.7 Summary
In this chapter we discussed several aspects of security control which are firewall and
access control list in SDN infrastructure. We also discussed types of firewall and its
role in the network and security policy of firewall. Apart from this, access control
features and several proposal in SDN environment is also a plays key role to make
networks secure.
Also SDN controls to detect and prevent intrusion in network. Also SDN can embed
security in traffic flows that helps in transport traffic in secure manner.

26. 18
5 CONCLUSION
We discussed about the security in SDN as it possess a new infrastructure and
environment. Obviously the security needs make somewhat difference than traditional
network. It had also changed the global view of security of networks and prototyping
of several security tools.
Along with this we also discussed several types of attacks and threats to the networks
and its prevention in SDN networks and its comparison with traditional network. At
last the network security threats originating from inside the network tend to be more
serious than external threats. Hence to make network more secure, it prototyping and
design should be quite secure from internal users rather than external attackers.

27. 19
REFERENCES
[2] M. Dabbagh, B. Hamdaoui, M. Guizani and A. Rayes. Software-defined networking
security: Pros and cons. Communications Magazine, IEEE 53(6), pp. 73-79. 2015. . DOI:
10.1109/MCOM.2015.7120048.
[1] I. Alsmadi and D. Xu. Security of software defined networks: A survey. Comput. Secur.
53pp. 79-108. 2015. . DOI:
http://dx.doi.org.ezproxy.library.dal.ca/10.1016/j.cose.2015.05.006.
[4] A. Shieha. Application layer firewall using openflow. 2014.
[3] C. Yoon, T. Park, S. Lee, H. Kang, S. Shin and Z. Zhang. Enabling security functions
with SDN: A feasibility study. Computer Networks 85pp. 19-35. 2015. . DOI:
http://dx.doi.org.ezproxy.library.dal.ca/10.1016/j.comnet.2015.05.005.