SDN rootkits: Subverting network operating systems of software-defined networks

Abstract

The new paradigm of Software-Defined Networking (SDN) enables exciting new functionality for building networks. Its core component is the so called SDN controller (also termed network operating system). An SDN controller is logically centralized and crucially important, thus, exploiting it can significantly harm SDN-based networks. As recent work considers only flaws and rudimentary malicious logic inside SDN applications, we focus on rootkit techniques which enable attackers to subvert network operating systems. We present two prototype implementations: a SDN rootkit for the industry’s leading open source controller OpenDaylight as well as a version with basic rootkit functions for the commercial and non-OpenDaylight-based HP controller. Our SDN rootkit is capable of actively hiding itself and malicious network programming as well as providing remote access. Since OpenDaylight intends to establish a reference framework for network operating systems (both open source and commercial), our work demonstrates potential threats for a wide range of network operating systems.