Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch - NSA's FIREWALK Software defined networking (SDN) and OpenFlow as one of its key technologies have received a lot of attention from the networking community. While SDN enables complex network applications and easier network management, the paradigm change comes along with new security threats. In this paper, we analyze attacks against a software-defined network in a scenario where the attacker has been able to compromise one or more OpenFlow-capable switches. We find out that such attacker can in suitable environments perform a wide range of attacks, including man-in-the-middle attacks against control-plane traffic, by using only the standard OpenFlow functionality of the switch. Furthermore, we show that in certain scenarios it is nearly impossible to detect that some switch has been compromised. We conclude that while the existing security mechanisms, such as TLS, give protection against many of the presented attacks, the threats should not be overlooked when moving to SDN and OpenFlow.

https://www.researchgate.net/publication/290618019_Spook_in_Your_Network_Attacking_an_SDN_with_a_Compromised_OpenFlow_Switch