For programs to communicate their desired network requirements, they must
access the SDN controller via an API; this takes place at the SDN application
plane. Applications can pose crucial security challenges to network resources,
services and functions. However, there are no standard security applications.
Security threats in the application plane fall under:
Authentication & Authorization:
Control and Accountability
A lack of proper authentication and authorization, and even a legitimate
application accessing the application layer, can open a gateway for many
attacks. Applications on the SDN network that provide access control, firewall
or intrusion-detection services for the network also need to be scrutinized
for vulnerabilities.
Crucial attacks and their Countermeasures
Attack on Centralized Controller
The centralized controller is the most vulnerable component,
as it serves as a potential single point of attack and failure for the network.
As a result, attacks and vulnerabilities in controllers are deemed the most
severe threats to SDN architecture, as the entire network could go down if the
controller is compromised. The controller layer is the central point of the
network control that allocates security information constantly throughout the whole
Using multiple controllers on the network helps prevent failure of the
network. Multiple controllers do not prevent a single point of failure;
however, with multiple controllers in place, the entire network would not be
compromised.
A saturation attack is an attack in which the attacker floods the control
plane with data packets by launching a denial of service attack. The attacker
carries out this attack by generating a large number of fake packets, each
spoofed with random values. Once on the control plane, these packets trigger
table misses and send a lot of packet-in messages to the controller. As a
result, this attack overloads the buffer memory of network devices, which then
generate amplified traffic that occupies the data-to-control plane bandwidth
and stops the controller from responding.
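As an added illustration (not part of the original text and not taken from any controller's code), the sketch below detects the saturation pattern described above on the controller side: a high packet-in rate from one switch where nearly every source address is previously unseen. The class name, thresholds and sample events are assumptions constructed for the example.

```python
import random
from collections import defaultdict, deque

class PacketInMonitor:
    """Flags switches whose table-miss packet-in pattern looks like saturation."""

    def __init__(self, window=1.0, max_rate=100, max_new_src_ratio=0.8):
        self.window = window                      # sliding window length in seconds
        self.max_rate = max_rate                  # packet-ins tolerated per window
        self.max_new_src_ratio = max_new_src_ratio
        self.events = defaultdict(deque)          # switch -> (timestamp, src_is_new)
        self.known_src = defaultdict(set)         # unbounded here; age out in practice

    def observe(self, ts, switch, src):
        """Record one packet-in; return True if the switch looks saturated."""
        is_new = src not in self.known_src[switch]
        self.known_src[switch].add(src)
        q = self.events[switch]
        q.append((ts, is_new))
        while q[0][0] <= ts - self.window:        # drop events older than the window
            q.popleft()
        new_ratio = sum(1 for _, new in q if new) / len(q)
        # Randomly spoofed headers give a high rate AND mostly unseen sources;
        # a legitimate burst from known hosts has a high rate but a low ratio.
        return len(q) > self.max_rate and new_ratio >= self.max_new_src_ratio

def constructed_events():
    """Constructed sample: s1 carries normal traffic, s2 receives a spoofed flood."""
    rng = random.Random(7)
    events = []
    for i in range(150):                          # s1: 50 packet-ins/s from 20 hosts
        events.append((i / 50, "s1", f"10.0.0.{i % 20 + 1}"))
    for i in range(500):                          # s2: 500 packet-ins in one second
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        events.append((1.0 + i / 500, "s2", src))
    return sorted(events)

def flagged_switches(events):
    """Return the set of switches that tripped the detector at least once."""
    monitor = PacketInMonitor()
    return {sw for ts, sw, src in events if monitor.observe(ts, sw, src)}

if __name__ == "__main__":
    print(flagged_switches(constructed_events()))
```

Requiring both conditions keeps a fast but legitimate burst from a handful of known hosts from being flagged.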
The network can be guarded from saturation attacks by using a proposed
framework called OF-GUARD. This framework prevents data-to-control plane
saturation attacks by using packet migration and a data plane cache. This
works by keeping the control plane and data plane continuously working. It
helps the data plane cache differentiate between fake and normal packets, and
the cache also stores proactive flow rules and caches table misses.