SDN Rootkits: Subverting Network Operating Systems of Software-Defined Networks

Christian Röpke, Thorsten Holz

Research in Attacks, Intrusions and Defenses (RAID) Symposium, Kyoto, Japan, November 2015


The new paradigm of Software-Defined Networking (SDN) enables exciting new functionality for building networks. Its core component, i. e., the SDN controller (also called as network operating system), is logically centralized and crucially important, thus, exploiting it can significantly harm SDN-based networks. As recent work considers only flaws and rudimentary malicious logic inside SDN applications, we focus on rootkit techniques which enable attackers to subvert such network operating systems. We present two prototype implementations: a SDN rootkit for the industry’s leading open source controller OpenDaylight as well as a version with basic rootkit functions for the commercial and non-OpenDaylight-based HP controller. Our SDN rootkit is capable of actively hiding itself and malicious network programming as well as providing remote access. Since OpenDaylight intends to establish a reference framework for network operating systems (both open source and commercial), our work demonstrates potential threats for a wide range of network operating systems.


tags: Rootkits, Software-Defined Networks