TopoSleuth: A Context-Aware, Multi-Layered Defense Framework Using Decoy Links and Behavioral Profiling Against SDN Topology Discovery Attacks
Abstract
Software Defined Networking (SDN) is a diversified networking paradigm that is centralized and dynamic, and enables traffic control and administration through flexible network programmability. The controller and its applications have a holistic view of the underlying physical topology, including switches, ports, hosts, and links. With the increasing significance and popularity of SDN, novel attacks have arisen that can distort the controller's view of the topology. A corrupt topology view can have a catastrophic effect on the controller and on topology-dependent services, resulting in falsified routing and forwarding decisions. In this paper, we propose a multi-layered, context-aware defense framework called TopoSleuth that complements the current controller services, the Link Discovery Service (LDS) and the Host Tracking Service (HTS), with four lightweight modules: (i) Topology Monitor (TM) for correlation and escalation logic; (ii) Decoy Engine (DE) for deception-based tripwires called decoy links; (iii) Behavioral Profiler (BP) for temporal/structural anomalies; and (iv) Multi-hop Validator (MV) for on-demand active probing. TopoSleuth integrates seamlessly with current controllers. Because of its defense-in-depth methodology, our solution is effective against topology poisoning attacks, including combination attacks and even topology freezing attacks, for which there is currently no known countermeasure.
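To make the layered escalation concrete, the following is an added illustrative sketch (not code from the TopoSleuth paper) of a topology monitor that uses pre-registered decoy links as tripwires and a simple temporal profile (link flapping) to decide whether a link-discovery event is accepted, blocked, or escalated to active validation. The class and method names, the assumption that decoy endpoints are (switch, port) pairs no legitimate LDS event may ever report, and the sample events are all constructed for this example.

```python
"""Illustrative, added example of decoy-link tripwires plus a temporal
link-flap profile; hypothetical names, not the paper's implementation."""
from collections import defaultdict, deque


def norm_link(a, b):
    """Order the two (dpid, port) endpoints so A-B and B-A map to one key."""
    return tuple(sorted([a, b]))


class TopologyMonitor:
    """Correlates LDS link events against decoys and a flap profile."""

    def __init__(self, decoy_links, flap_window=10.0, flap_threshold=3):
        # Decoy links are registered by the (hypothetical) Decoy Engine; the
        # controller never wires them, so any report touching one is hostile.
        self.decoys = {norm_link(*link) for link in decoy_links}
        self.flap_window = flap_window        # seconds of history kept per link
        self.flap_threshold = flap_threshold  # add/remove events before escalating
        self.history = defaultdict(deque)     # link -> recent (ts, kind) events
        self.alerts = []

    def on_link_event(self, ts, kind, a, b):
        """Return 'accept', 'block' (decoy tripped) or 'validate' (escalate)."""
        link = norm_link(a, b)
        # Layer 1: deception tripwire. No legitimate discovery event can
        # reference a decoy endpoint, so this is blocked outright.
        if link in self.decoys:
            self.alerts.append(("DECOY_TRIPPED", link, ts))
            return "block"
        # Layer 2: temporal profile. Keep only events inside the window and
        # escalate to on-demand multi-hop probing when the link flaps too often.
        recent = self.history[link]
        recent.append((ts, kind))
        while recent and ts - recent[0][0] > self.flap_window:
            recent.popleft()
        if len(recent) >= self.flap_threshold:
            self.alerts.append(("LINK_FLAP", link, ts))
            return "validate"
        return "accept"


def run_demo():
    """Constructed event stream: one decoy hit and one flapping link."""
    tm = TopologyMonitor(decoy_links=[(("s1", 9), ("s9", 1))])
    events = [(0.0, "add", ("s1", 1), ("s2", 1)),
              (1.0, "add", ("s9", 1), ("s1", 9)),      # touches the decoy
              (2.0, "remove", ("s1", 1), ("s2", 1)),
              (3.0, "add", ("s1", 1), ("s2", 1))]      # third event in 10 s
    verdicts = [tm.on_link_event(*e) for e in events]
    return verdicts, [a[0] for a in tm.alerts]


if __name__ == "__main__":
    print(run_demo())
```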