To communicate their desired network requirements, programs must access the SDN controller via an API; this takes place at the SDN application plane. Applications can cause crucial security challenges on network resources, services and functions. However, there are no standard security applications. Security threats in the application plane fall under:

1. Application, Authentication & Authorization
2. Access Control and Accountability

Lack of proper authentication and authorization, and also legitimate applications accessing the application layer, can open a gateway for many attacks. Applications on the SDN network that provide access control, firewall or intrusion-detection services for the network also need to be scrutinized for vulnerabilities.

Crucial Attacks and Their Countermeasures

Attack on Centralized Controller

The centralized controller is the most vulnerable component, as it serves as a potential single point of attack and failure for the network. As a result, attacks on and vulnerabilities in controllers are deemed the most severe threats to the SDN architecture, as the entire network could go down if the controller is compromised. The controller layer is the central point of network control that allocates security information constantly throughout the whole network.

Countermeasures

By using multiple controllers on the network, one can help prevent failure of the network. Using multiple controllers does not prevent a single point of failure; however, with multiple controllers in place, the entire network would not be compromised.

Saturation Attacks

A saturation attack is an attack in which the attacker floods the control plane with data packets by launching a denial-of-service attack. The attacker carries out this attack by generating a large number of fake packets, each spoofed with random values. These packets, once on the control plane, trigger a table-miss and send a lot of packet-in messages to the controller.
As a result, this attack overloads the buffer memory of network devices, which then generate amplified traffic to occupy the data-to-control plane bandwidth and stop the controller from responding.

Countermeasures

The network can be guarded from saturation attacks by using a proposed framework called OF-GUARD. This framework prevents data-to-control plane saturation attacks by using packet migration and a data plane cache. This works by having the control plane and data plane continuously working.
It helps the data plane cache differentiate between fake and normal packets, and it also stores proactive flow rules and caches table-miss packets.
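
The following is an added example, not code from OF-GUARD or from the original page: a simplified simulation of the data plane cache and packet migration idea described above, in which table-miss packets from an ingress port that exceeds a rate threshold are parked in a bounded cache instead of becoming packet-in messages. The class name, thresholds and sample traffic are assumptions made for illustration, and the sketch only rate-limits; it does not classify packets as fake or normal.

```python
from collections import deque, defaultdict

class TableMissGuard:
    """Hypothetical per-ingress-port sliding-window monitor for table-misses."""

    def __init__(self, window_s=1.0, max_misses=100, cache_size=1000):
        self.window_s = window_s
        self.max_misses = max_misses
        self.recent = defaultdict(deque)        # port -> recent miss timestamps
        self.cache = deque(maxlen=cache_size)   # bounded cache, oldest dropped
        self.proactive = set()                  # flows with pre-installed rules

    def install_proactive(self, flow):
        self.proactive.add(flow)

    def on_packet(self, ts, port, flow):
        """Return 'forward', 'packet_in' or 'cached' for one packet."""
        if flow in self.proactive:
            return "forward"                    # rule matched, no table-miss
        q = self.recent[port]
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # expire misses outside window
            q.popleft()
        if len(q) > self.max_misses:
            self.cache.append((ts, port, flow)) # migrate instead of packet-in
            return "cached"
        return "packet_in"

    def drain(self, budget):
        """Hand at most `budget` cached packets to the controller."""
        n = min(budget, len(self.cache))
        return [self.cache.popleft() for _ in range(n)]

def run_demo():
    guard = TableMissGuard(window_s=1.0, max_misses=5, cache_size=50)
    guard.install_proactive(("10.0.0.1", "10.0.0.2"))
    counts = defaultdict(int)
    # Constructed traffic: port 1 carries a known flow; port 2 carries
    # 200 table-miss packets with varying source addresses within 0.2 s.
    for i in range(20):
        counts[guard.on_packet(i * 0.05, 1, ("10.0.0.1", "10.0.0.2"))] += 1
    for i in range(200):
        flow = (f"198.51.100.{i % 250}", "10.0.0.2")
        counts[guard.on_packet(i * 0.001, 2, flow)] += 1
    return dict(counts), len(guard.cache), len(guard.drain(10))

if __name__ == "__main__":
    print(run_demo())
```

Only the first five misses from the flooding port reach the controller as packet-in messages; the rest are held in the cache and released at a rate the controller chooses through `drain`.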