Security analysis of SDN controller-based DHCP services and attack mitigation with DHCPguard

Abstract

Software defined networking (SDN) presents opportunities for improving network management, mainly thanks to the centralized controller separated from forwarding devices. On the other hand, security in SDN is a complicated issue: SDN both inherits vulnerabilities from traditional networks through common protocols and introduces new problems due to the risks associated with softwarization. Dynamic host configuration protocol (DHCP) is an essential protocol in SDNs as well and the security risks of DHCP also menace SDNs. In this study, we have analyzed the security of the built-in DHCP services on three popular SDN controllers: POX, ONOS and Floodlight. Our results indicate that they are vulnerable to starvation attacks, and DHCP discovery message floods can also be used to launch denial-of-service attacks, slowing down networks and overloading controllers. To counter these issues, we examined state-of-the-art DHCP security methodologies and assessed their applicability to the built-in DHCP servers of SDN controllers. Considering our assessment, we have designed and implemented a DHCP security module on the POX controller, DHCPguard, utilizing DHCP snooping, rate limiting, and IP pool recovery functions. Our findings show that DHCPguard successfully blocks malicious DHCP messages, recovers the IP address pool, and alleviates the negative effects of DHCP related attacks on the network without significant overhead. DHCPguard is able to increase throughput by up to 94% and decrease CPU usage by up to 92% compared to plain POX under DHCP attack scenarios performed on simple and complex topologies.