A Lightweight SDN Fingerprint Attack Defense Mechanism Based on Probabilistic Scrambling and Controller Dynamic Scheduling Strategies

Abstract

Software-defined networking (SDN) decouples the control plane from the data plane, which increases network flexibility and programmability. However, the “three-layer two-interface” architecture of SDN introduces new security issues. Attackers can collect fingerprint information (such as network types, controller types, and critical flow rules) by analyzing round-trip time (RTT) distribution of test packets. In order to defend against the fingerprint attack with limited attack time, we first design a probabilistic scrambling strategy. This strategy not only interferes with the delay distribution of probe packets in attack flow but also reduces the negative impact on the performance of legal packets in normal flow. However, if fingerprint attackers have unlimited attack time, it is not enough to defend against the attack only by this strategy. Therefore, we further propose a controller dynamic scheduling strategy to change SDN fingerprint information actively. Because scheduling different types of controllers to work in different periods will generate costs, the scheduling strategy is also responsible for determining the optimal switching time point to balance security benefits and costs. At last, we implement the defense mechanism on different types of controllers and verify its effectiveness in experimental scenarios. The experimental results show that the mechanism can effectively hide the SDN fingerprint information while reducing the negative impact on network performance.