Securing Software Defined Network Infrastructure in Cloud Data Centers
Cloud data centers are experiencing a shift in their network infrastructure deployment. Traffic generated by server-to-server communication accounts for the majority of the traffic volume transmitted over cloud data center network infrastructure. This requires performant, scalable, and highly available network infrastructures that are agile enough to handle sophisticated networking scenarios. Software Defined Networking (SDN) is a promising networking paradigm through which cloud data centers can fulfill their advanced networking requirements with lower capital and operational expenditures (CapEx and OpEx) than legacy network infrastructures. While the boundaries of data centers are heavily guarded by multi-layer defense mechanisms, the security of the SDN infrastructure within a cloud data center does not receive the attention it deserves. Accordingly, this dissertation contributes to enhancing the security of SDN infrastructure in cloud data centers. It first investigates how SDN introduces new timing attack vectors that can be exploited by adversaries. Maliciously leveraging these new attack vectors is, however, a challenging process. While this dissertation studies these challenges, it also investigates how they can be used in a successful defense mechanism against time inference attacks in SDN. Accordingly, this dissertation proposes, implements, and tests two countermeasures against such attacks. Furthermore, a successful countermeasure against time-based reconnaissance attacks in cloud data centers has to impose very low overhead on the SDN infrastructure components. One possible way to reduce the overhead of the proposed mitigation solutions is bypassing the kernel in virtual data planes. Implementing a new mitigation technique in a kernel-bypassing framework can enhance network throughput while disrupting time inference attacks on SDN.
Designing and implementing innovative defense mechanisms is one way of securing SDN infrastructures in cloud data centers. Another is to raise awareness in the community of new threats to SDN infrastructure. Through white-box analysis of packet processing in the virtual data plane, this dissertation introduces a low-rate saturation attack that can effectively target SDN infrastructure. By imitating packet processing in the cache hierarchy of a software switch, attackers can gradually disrupt a virtual switch's functionality and finally slow down traffic flow in the SDN infrastructure of the cloud. Finally, this dissertation addresses a defense mechanism for situations in which massive volumes of malicious traffic aim to overwhelm the SDN infrastructure in a cloud data center. If existing defense solutions cannot stop such an attack, live migration of an overlay SDN running virtually on top of the physical SDN infrastructure can be considered a promising mitigation technique. However, there are certain challenges to be addressed. These challenges are discussed in this dissertation through extensive experiments conducted in a research cloud data center testbed.