In examining software defined networking (SDN) as a possible solution to zero-day network attacks we must first look at zero-day attacks as a separate entity in order to fully understand the concept. Due to a lack of current research we do not know exactly how SDN will stand up to a zero-day attack, or whether it is possible to automate defenses against them in real time. It is important, however, to explore what a zero-day attack is, what the strengths and weaknesses of SDN are, and whether its capabilities will aid or hinder the future defense of modern-day networks.
Most known successful zero-day attacks take the form of polymorphic worms, viruses, Trojans, and other malware. According to Kaur & Singh (2014), “the most effective attacks that avoid detection are polymorphic worms which show distinct behaviors. This includes: complex mutation to evade defenses, multi-vulnerability scanning to identify potential targets and targeted exploitation that launches directed attacks against vulnerable hosts”, and those are only some of the capabilities of this type of exploit.
The majority of these attacks on the average user may cause hardware damage, and at most their aim is to steal sensitive data or turn the infected machine into a zombie computer that can be used in a distributed denial of service (DDoS) attack; however, the impact is mostly minimal. The problem arises when these attacks take place against large organizations that hold major information, such as banks or social media corporations, or resources such as nuclear power. If a zero-day attack is successful in this regard then the scope for malicious damage and theft of sensitive information increases significantly. A number of years ago this wasn't as big an issue, but now that the world is more connected than ever, security and networking have suddenly become a major issue.
In the past few years researchers have been trying to find ways to make computer networks more programmable. The reason for this is that computer networks are complex and hard to manage. Most of the hardware used across networks is also proprietary, which can limit the resources of companies when it comes to expanding a network.
It also limits the types of protocols that can be used on a network, and different vendors may have different security gaps in their network infrastructures that can be exploited, which makes patching against new and emerging threats harder. This is an issue in modern networks: there are many different layers of network infrastructure running many different protocols at all levels, so the scope to exploit a flaw, either digitally or by gaining physical access to a network, remains a large threat. There are some network-management tools on the market that offer a central point for network configuration; however, these systems still operate at a level that uses individual protocols, mechanisms and configuration interfaces. This is one of the main reasons that modern-day networks suffer from slowed innovation, increased complexity and higher operational costs.
This is where the emergence of SDN as a possible major future player in networking comes from. The SDN model is a possible way to solve the legacy issues that plague modern-day networking. SDN operates by separating the control plane (which decides how traffic is handled) from the data plane (which forwards traffic using the decisions made by the control plane). Next, SDN consolidates the control plane so that a single software control program (such as Floodlight or OpenDaylight) has control of multiple data-plane elements. The controller can now exercise direct control over the state of the network's elements, such as routers, switches, firewalls etc. All of this can be monitored using an application programming interface (API). The state of the network can now be granularly monitored, and the distribution of patches and resources can be centralized. Programs can be written and automatically distributed across the entire network to enforce new policies. This granular nature can also respond in real time to changes in network traffic and in theory may be the solution to preventing future zero-day attacks.
In recent years there has been a significant increase in the number of zero-day attacks occurring. Hammarberg (2014) notes that “There were more zero-day vulnerabilities discovered in 2013 than in any previous year according to Symantec’s Internet Security Report of 2014”. This significant increase represented a total of 23 zero-day attacks, which indicated a 61% increase in attacks from 2012. Another key statistic highlighted by Hammarberg (2014) was the fact that the average exploit goes undetected for 312 days. This is a revelation that must warrant serious consideration: if a potential attacker carries out a successful breach on a company or individual and is left undetected for 312 days, the scope to carry out harmful and unlawful activities is enormous. It can be deduced from this that the current safeguards in place are not fit for purpose and need to change rapidly to have a place in the defense procedures of the future. In order for these defenses to change by using a new technology such as SDN, however, we must first ensure that this new technology is an adequate replacement.
Scott-Hayward, O’Callaghan and Sezer (2013) ask the question “As the benefits of network visibility and network device programmability are discussed who exactly will benefit? Will it be the network operator or will it, in fact be the network intruder?” These are questions that may seem obligatory but are extremely significant: in a world where the term cyber-warfare is starting to make news headlines, the network defenses of the future must stand up to attacks that could pose significant threats to human life and standards of living. This of course means that if SDN is to be a possible solution it must not just work better than the current technology, it must work faster and smarter; therefore the decisions made to strengthen the network security infrastructures of the future need to be well thought out and heavily tested.
It is apt to reference the Stuxnet worm, the world’s first ever cyber-warfare attack, when we speak about the possible implications of cyber-warfare and zero-day attacks. This worm used a combination of four zero-day vulnerabilities to target industrial control systems in Iran in order to slow down its nuclear program. Stuxnet did not cause any loss of human life, but it is widely reported that this worm ruined almost one-fifth of Iran’s nuclear centrifuges. Imagine a different scenario, a nuclear power plant for instance, where the command set of the worm was to overheat a reactor: the outcome of an attack like this, if successful, would be catastrophic. According to Kreutz, Ramos and Verissimo (2013), “An attack similar to Stuxnet, could have dramatic consequences in a highly configurable and programmable network.”
Scott-Hayward et al. (2013) state that “While security as an advantage of the SDN framework has been recognized, solutions to tackle the challenges of securing the SDN networks are fewer in number.” What we can take from this is that by implementing an SDN network infrastructure we may be able to implement more stringent and granular security features; however, the centralized control associated with the SDN platform may lead to other security issues, such as the potential for denial-of-service (DoS) attacks that would take advantage of this centralized infrastructure.
This concern has been addressed by Scott-Hayward et al. (2013), who explain one possible defense technique that could be used to thwart the scanning techniques used by attackers to discover vulnerabilities. They state that “one defense presented to thwart these attacks is the use of random virtual Internet Protocol (IP) addresses using SDN. This technique uses the OpenFlow controller to manage a pool of virtual IP addresses, which are assigned to hosts within the network, hiding the real IP addresses from the outside world”.
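The control-plane/data-plane split described earlier and the random virtual IP technique quoted above can be shown together in one small simulation. This is an added example, not code from the essay or from Floodlight, OpenDaylight or any OpenFlow implementation: the Switch, FlowRule and Controller classes, the virtual IP pool 172.16.0.0/24, the host addresses and the outside source address are all constructed for illustration. The switches hold nothing but the rules the controller installed, so a packet sent to a host's real address from outside matches no rule and is dropped, while the controller can re-randomise the pool at any time.

```python
"""Simulated SDN controller applying the random-virtual-IP technique.

Added example, not code from the essay or from Floodlight, OpenDaylight or any
OpenFlow implementation: Switch, FlowRule and Controller are a constructed,
in-memory model of the control/data-plane split and of a controller that hands
out virtual IPs from a pool and installs rewrite rules for them.
"""
from __future__ import annotations

import ipaddress
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FlowRule:
    """OpenFlow-style rule reduced to: match destination IP, rewrite it."""
    match_dst: str
    rewrite_dst: str
    priority: int = 100


@dataclass
class Switch:
    """Data-plane element: it only forwards according to rules the controller installed."""
    name: str
    flow_table: List[FlowRule] = field(default_factory=list)

    def handle(self, packet: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Apply the highest-priority matching rule; None means the packet is dropped."""
        for rule in sorted(self.flow_table, key=lambda r: -r.priority):
            if rule.match_dst == packet["dst"]:
                return {**packet, "dst": rule.rewrite_dst}
        return None  # no rule: drop, so real addresses are unreachable from outside


class Controller:
    """Control plane: one program that owns the flow tables of every switch."""

    def __init__(self, switches, vip_pool: str, seed: Optional[int] = None):
        self.switches = list(switches)
        self.pool = [str(ip) for ip in ipaddress.ip_network(vip_pool).hosts()]
        self.rng = random.Random(seed)  # seed only so the demo is reproducible
        self.real_to_vip: Dict[str, str] = {}

    def assign_virtual_ips(self, real_ips: List[str]) -> Dict[str, str]:
        """Give every real host a random virtual IP that is not currently in use."""
        in_use = set(self.real_to_vip.values())
        available = [ip for ip in self.pool if ip not in in_use]
        chosen = self.rng.sample(available, k=len(real_ips))
        self.real_to_vip = dict(zip(real_ips, chosen))
        self.push_flow_rules()
        return dict(self.real_to_vip)

    def push_flow_rules(self) -> None:
        """Centralised distribution: every switch receives the same rewrite rules."""
        rules = [FlowRule(match_dst=vip, rewrite_dst=real)
                 for real, vip in self.real_to_vip.items()]
        for sw in self.switches:
            sw.flow_table = list(rules)

    def rotate(self) -> Dict[str, str]:
        """Re-randomise; retired virtual IPs are excluded, so they stop matching at once."""
        return self.assign_virtual_ips(list(self.real_to_vip))


def deliver(switch: Switch, src: str, dst: str) -> Optional[str]:
    """Where does a packet from src to dst actually end up at this switch?"""
    out = switch.handle({"src": src, "dst": dst})
    return None if out is None else out["dst"]


if __name__ == "__main__":
    switches = [Switch("edge-1"), Switch("core-1")]
    ctl = Controller(switches, "172.16.0.0/24", seed=7)
    mapping = ctl.assign_virtual_ips(["10.0.0.10", "10.0.0.11"])  # constructed hosts
    print("virtual IPs:", mapping)
    print("to virtual IP ->", deliver(switches[0], "198.51.100.7", mapping["10.0.0.10"]))
    print("to real IP    ->", deliver(switches[0], "198.51.100.7", "10.0.0.10"))
    ctl.rotate()
    print("old virtual IP after rotation ->",
          deliver(switches[1], "198.51.100.7", mapping["10.0.0.10"]))
```

The design choice worth noting is that the data plane has no knowledge of the mapping at all: rotating the pool is purely a control-plane decision pushed to every switch in one step, which is the centralised distribution the essay describes.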
According to Kreutz et al. (2013), “SDNs bring a very fascinating dilemma: an extremely promising evolution of networking architectures, versus a dangerous increase in the threat surface”. From this it again follows that the possible advantages of SDN may be significant, but the threat that may come with their implementation is also an unknown quantity. One potential danger that Kreutz et al. (2013) highlight is that anyone who gains access to the servers that host the network access control software has the potential to control the entire network. While this may be another potential problem, we must remember that there is always a fitting solution. According to Kreutz et al. (2013) there are a number of key solutions that can be used to help secure SDN infrastructures, including “replication, diversity, self-healing mechanisms, dynamic device association, trust between controllers and devices, trust between controllers and apps, security domains, secure components and fast and reliable update and patching”.
The above concepts
are currently only recommended possible solutions and the technology still needs
to be developed and evolved to facilitate their implementation.
This again opens the debate on the implementation of SDN as a future network infrastructure. According to Kreutz et al. (2013), “the capabilities of SDN actually introduce new fault and attack planes, which open the doors for new threats that did not exist before and were harder to exploit”. This does not in any way mean that SDN is not the future of networking; it just means that, as the suggestions above indicate, we face new challenges in securing the technology, which can be met by designing and implementing safeguards similar to those mentioned.
If we look at replication of the controller, for example, this is a very important concept for improving the dependability of a system. The concept is that the main controller is replicated a number of times along with the applications that run on the controller; this makes it possible to mask failures and to isolate instances of faults or malicious behavior in a network. If we go back and look at a zero-day exploit similar to Stuxnet: as it infects the controller, unusual network traffic is detected in real time, and with replication this controller could then be automatically segmented from the network. A replicated controller would then simply take its place and normal network activity would resume with minimal disruption to network services.
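The replication and automatic segmentation scenario above, as an added example that is not part of the essay and not the code of any real controller platform. ControllerReplica, Switch and ReplicatedControlPlane are a constructed model: a primary controller plus replicas, switches that follow whichever replica is currently master, and two simple real-time checks on what a replica pushes to the data plane (a burst of rule installs inside a time window, or a rule steering traffic outside the networks the operator allowed). Both checks, the tick-based clock, the controller names and the addresses are assumptions made for illustration; a real deployment would replace them with its own telemetry.

```python
"""Replicated SDN controllers that fence a misbehaving replica automatically.

Added example, not code from the essay or from any real controller platform:
ControllerReplica, Switch and ReplicatedControlPlane are a constructed model of
the replication idea (primary controller plus replicas; a controller whose rule
pushes look abnormal is isolated and the switches re-associate to a healthy
replica). The two anomaly checks are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class ControllerReplica:
    """One instance of the control program together with its applications."""
    name: str
    healthy: bool = True
    # sliding window of (tick, destination) for rules this replica recently pushed
    recent_pushes: Deque[Tuple[int, str]] = field(default_factory=deque)


@dataclass
class Switch:
    """Data-plane element; 'master' is the controller whose rules it accepts."""
    name: str
    master: Optional[str] = None


class ReplicatedControlPlane:
    def __init__(self, replicas, switches, allowed_nets, window=20, max_burst=10):
        self.replicas: Dict[str, ControllerReplica] = {r.name: r for r in replicas}
        self.switches: List[Switch] = list(switches)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.window = window        # ticks of history kept per replica
        self.max_burst = max_burst  # more pushes than this inside the window is abnormal
        self.fence_log: List[str] = []
        self.reassociate()

    def master(self) -> Optional[str]:
        """Deterministic election: the first replica still marked healthy."""
        for r in self.replicas.values():
            if r.healthy:
                return r.name
        return None

    def reassociate(self) -> None:
        """Dynamic device association: every switch follows the current master."""
        m = self.master()
        for sw in self.switches:
            sw.master = m

    def is_suspicious(self, replica: ControllerReplica) -> Optional[str]:
        """Real-time checks on what a replica is pushing; returns a reason or None."""
        for _, dst in replica.recent_pushes:
            if not any(ipaddress.ip_address(dst) in net for net in self.allowed):
                return f"rule steers traffic outside allowed networks ({dst})"
        if len(replica.recent_pushes) > self.max_burst:
            return f"{len(replica.recent_pushes)} rule installs within {self.window} ticks"
        return None

    def record_push(self, replica_name: str, tick: int, dst: str) -> Optional[str]:
        """Observe a rule install; returns the new master's name if the replica was fenced."""
        r = self.replicas[replica_name]
        if not r.healthy:
            return None  # already isolated: the data plane no longer listens to it
        r.recent_pushes.append((tick, dst))
        while r.recent_pushes and r.recent_pushes[0][0] < tick - self.window:
            r.recent_pushes.popleft()
        reason = self.is_suspicious(r)
        return self.fence(replica_name, reason) if reason else None

    def fence(self, replica_name: str, reason: str) -> Optional[str]:
        """Segment the replica from the network and promote the next healthy one."""
        self.replicas[replica_name].healthy = False
        self.fence_log.append(f"{replica_name} isolated: {reason}")
        self.reassociate()
        return self.master()


if __name__ == "__main__":
    plane = ReplicatedControlPlane(
        [ControllerReplica("ctl-a"), ControllerReplica("ctl-b"), ControllerReplica("ctl-c")],
        [Switch("s1"), Switch("s2")], allowed_nets=["10.0.0.0/24"], window=5, max_burst=3)
    # constructed sequence: three normal installs, then one redirecting traffic
    # to a documentation address outside the site, which the checks flag
    for tick, dst in [(0, "10.0.0.1"), (10, "10.0.0.2"), (20, "10.0.0.3"), (40, "203.0.113.9")]:
        promoted = plane.record_push("ctl-a", tick, dst)
        if promoted:
            print(f"tick {tick}: {plane.fence_log[-1]}; switches now follow {promoted}")
```

The point the model makes is that detection and recovery are one control-plane action: the moment a replica's behaviour trips a check it is marked unhealthy, the election picks the next replica, and every switch is re-pointed in the same pass, so there is no window in which the data plane keeps obeying the isolated controller.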
This type of defense does not exist in our current network infrastructures, and as we have seen previously most zero-day attacks currently go undetected for 312 days. It can be concluded that SDN will play a major role in the future of networking; it may currently have a number of weaknesses that need to be addressed, but so does our current network infrastructure. As stated by Kreutz et al. (2013), “by separating the complexity of state distribution from network specification, SDN provides new ways to solve long-standing problems in networking”. The capability of SDN to thwart zero-day attacks needs to be a field of research into the future, as it may finally be possible to stem such attacks at the root before they have a chance to embed in a network. This research needs to continue to be done in an open and shared forum, as is currently happening; by doing this it is ensured that the best solutions are brought forward and implemented into the networks of the future.
This future implementation may not be as far away as some may think: on Tuesday the 10th of March 2015 the University of Bristol and Bristol City Council announced that Bristol is constructing the world’s first software-defined city. The CTO and Managing Director of the initiative, named Bristol Is Open, Paul Wilson, is quoted as saying “We want to go beyond ‘smart’ to an open, programmable city with an infrastructure that could be directly programmed and customized.” This will be considered one of the most significant real-world test beds for SDN to date. Wilson is also quoted as saying “This is a research and development test bed for any city to learn from, we’re doing work here that could be replicated in cities around the world.”
By generating greater discussion and awareness of SDN with projects like Bristol Is Open, and by looking closely at its pros and cons, we can only produce more secure infrastructure models and open new avenues of possibility. This technology can be summed up by stating that the potential of SDN as a major player in the future of the world’s networks is limitless; along with its potential to stop zero-day attacks in real time, it can only be assumed that SDN is here to stay.
References:
Sandra Scott-Hayward, Gemma O’Callaghan, Sakir Sezer (2013). SDN Security: A Survey. Future Networks and Services (SDN4FNS).
David Hammarberg (2014). The Best Defences Against Zero-day Exploits for Various-sized Organizations. SANS Institute InfoSec Reading Room.
Kim Zetter (2014). Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. American ed. Crown. ISBN 0-77043-617-X.
Wired [online] (2015). Available from: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/ [Accessed 20/01/2015].
SDxCentral [online] (2015). Available from: https://www.sdxcentral.com/articles/news/englands-bristol-is-building-the-first-software-defined-city/2015/03/ [Accessed 25/03/2015].
Diego Kreutz, Fernando M. V. Ramos, Paulo Verissimo (2013). Towards Secure and Dependable Software-Defined Networks. ISBN 978-1-4503-2178-5.
Leyla Bilge, Tudor Dumitras (2012). Before We Knew It: An Empirical Study of Zero-day Attacks in the Real World. ISBN 978-1-4503-1651-4.
I think zero-day vulnerabilities can be serious security risks. When searching for an appropriate antivirus solution, look for security software that protects against both known and unknown threats.