Abusing Software Defined Networks

DEF CON 22

Presented by: Gregory Pickett
Date: Saturday August 09, 2014
Time: 16:00 - 16:50
Location: Track 3

Software Defined Networking (SDN) moves forwarding decisions out of the switches and into a single, central controller, giving the network the same degree of control and flexibility as the cloud. With all the major vendors on board, it will soon be supporting networks everywhere. But current implementations are full of weaknesses that could easily turn this utopian dream of the future into a nightmare and leave networks worldwide exposed.

With clear-text wire protocol implementations, little support for switch TLS, no authentication for nodes, poorly conceived rate-limiting features in the controllers, controller APIs that don't require authentication, and back-door NETCONF access, the leading platforms, Floodlight and OpenDaylight, are ripe for attack.

In this session, using a new toolkit that I developed, I'll demonstrate this by showing you how to locate and identify these controllers, impersonate switches to DoS them, and engage their wide-open APIs and backdoors to map the network, locate targets, and control access to the network … even hide from sensors. But all is not lost, because I'll show how to protect them too. Because dream or nightmare, SDN can make a difference in the real world if we just protect it right.
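The clear-text, unauthenticated switch-to-controller path the abstract describes rests on the OpenFlow handshake: a controller listening on TCP 6633 or 6653 without TLS completes the HELLO and FEATURES exchange with any client that speaks the wire format, which is what makes both controller fingerprinting and switch impersonation possible. The Python below is an added example written for this page, not part of the speaker's toolkit or of Floodlight or OpenDaylight. It encodes and decodes OpenFlow 1.0 messages per the public specification, answers a controller's messages the way an unauthenticated fake switch would (with an assumed datapath ID), and includes a defender-side check that tells clear-text OpenFlow from a TLS ClientHello in a connection's first bytes. The function names and sample values are assumptions of this example.

```python
import struct

# OpenFlow 1.0 wire format (public spec): all fields big-endian.
OFP_VERSION_10 = 0x01
OFPT_HELLO = 0
OFPT_ECHO_REQUEST = 2
OFPT_ECHO_REPLY = 3
OFPT_FEATURES_REQUEST = 5
OFPT_FEATURES_REPLY = 6
OFP_HEADER = struct.Struct("!BBHI")  # version, type, length, xid (8 bytes)
OPENFLOW_PORTS = (6633, 6653)        # legacy and IANA-assigned controller ports


def build_header(msg_type, body_len=0, xid=0, version=OFP_VERSION_10):
    """ofp_header: length covers header plus body."""
    return OFP_HEADER.pack(version, msg_type, OFP_HEADER.size + body_len, xid)


def parse_header(data):
    """Decode an ofp_header; the version byte is enough to fingerprint the OF generation."""
    if len(data) < OFP_HEADER.size:
        raise ValueError("short OpenFlow header")
    version, msg_type, length, xid = OFP_HEADER.unpack_from(data)
    return {"version": version, "type": msg_type, "length": length, "xid": xid}


def build_hello(xid=0):
    return build_header(OFPT_HELLO, 0, xid)


def build_features_reply(xid, dpid, n_buffers=256, n_tables=1, ports=()):
    """ofp_switch_features (32 bytes) followed by 48-byte ofp_phy_port entries.

    ports: iterable of (port_no, 6-byte MAC, name) tuples; capabilities/actions
    are left at zero, which is still a valid, minimal switch description.
    """
    body = struct.pack("!QIB3xII", dpid, n_buffers, n_tables, 0, 0)
    for port_no, mac, name in ports:
        name_field = name.encode()[:16].ljust(16, b"\0")
        body += struct.pack("!H6s16sIIIIII", port_no, mac, name_field, 0, 0, 0, 0, 0, 0)
    return build_header(OFPT_FEATURES_REPLY, len(body), xid) + body


def fake_switch_response(controller_msg, dpid):
    """What an unauthenticated fake switch sends back for one controller message.

    Completing HELLO -> FEATURES_REQUEST/REPLY -> ECHO is all a controller without
    TLS and switch authentication requires before it treats the peer as a switch.
    Returns None for message types this example does not answer.
    """
    hdr = parse_header(controller_msg)
    if hdr["type"] == OFPT_HELLO:
        return build_hello(hdr["xid"])
    if hdr["type"] == OFPT_FEATURES_REQUEST:
        return build_features_reply(hdr["xid"], dpid)
    if hdr["type"] == OFPT_ECHO_REQUEST:
        payload = controller_msg[OFP_HEADER.size:hdr["length"]]
        return build_header(OFPT_ECHO_REPLY, len(payload), hdr["xid"]) + payload
    return None


def looks_like_plaintext_openflow(first_bytes):
    """Defender's check on a captured connection's first bytes.

    A TLS session opens with a record header 0x16 0x03 ..; a clear-text OpenFlow
    session opens with a valid ofp_header carrying OFPT_HELLO.
    """
    if len(first_bytes) < OFP_HEADER.size:
        return False
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return False  # TLS handshake record, not clear-text OpenFlow
    hdr = parse_header(first_bytes)
    return 1 <= hdr["version"] <= 6 and hdr["type"] == OFPT_HELLO and hdr["length"] >= OFP_HEADER.size


if __name__ == "__main__":
    # Constructed exchange: controller HELLO, then FEATURES_REQUEST; fake switch answers both.
    controller_hello = build_hello(xid=1)
    controller_features_request = build_header(OFPT_FEATURES_REQUEST, 0, xid=2)
    fake_dpid = 0x00000000DEADBEEF  # assumed datapath ID for the fake switch
    for msg in (controller_hello, controller_features_request):
        reply = fake_switch_response(msg, fake_dpid)
        print(parse_header(msg), "->", parse_header(reply))
    print("clear-text OpenFlow?", looks_like_plaintext_openflow(controller_hello))
    print("clear-text OpenFlow?", looks_like_plaintext_openflow(b"\x16\x03\x01\x00\xc8\x01\x00\x00"))
```

The same header parser serves both sides of the problem the abstract raises: pointed at a controller's listening port it reveals the OpenFlow version and that the channel is clear-text, and run over captured traffic it flags controller sessions that should have been TLS.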

Gregory Pickett

Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security's Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

site: www.hellfiresecurity.com
projects: sourceforge.net/users/shogun7273
twitter: @shogun7273
