network_security

SDN Topology Attack

In software-defined networking, the controller builds its map of the network from LLDP packets and trusts what they say. This research project asks: what can an adversary do with that trust? Two attacks, demonstrated against a Floodlight controller on a Mininet testbed.

The first is topology poisoning. I added a hidden physical link between two hosts that the controller can't see, then used Scapy scripts to sniff LLDP packets on one side and replay them out the other. From the controller's perspective, a switch-to-switch link now exists where there is none, and it routes accordingly. The fabricated link shows up in the Floodlight GUI, which made verification visual. I extended this with an injection variant, crafting LLDP packets from scratch to manipulate routing decisions further.

The second is resource exhaustion. A script makes a host change its IP continuously while flooding pings, forcing the controller to install new flow rules on every switch at high frequency. Measuring with ovs-ofctl showed 650+ rules accumulated at 100 pings per second, with measurable latency degradation on LLDP packets. That last part is the interesting finding: flow table pressure doesn't only slow forwarding, it delays the packets the controller depends on to keep its topology view current. The two attacks compound.
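A defender-side check for the flow-table growth described above, added here as an example and not part of the original project: it parses `ovs-ofctl dump-flows` output and flags a port and MAC pair whose rules cover an unusual number of source IPs. The sample dump is constructed, and the rule match fields, the fixed source MAC, the `max_ips` threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `ovs-ofctl dump-flows` output (not testbed data).
# Assumption: rules match on in_port, dl_src and nw_src, and the MAC stays fixed.
_RULE = (" cookie=0x0, duration=1.0s, table=0, n_packets=1, n_bytes=98, idle_timeout=5,"
         " priority=1,icmp,in_port={port},dl_src={mac},dl_dst=00:00:00:00:00:09,"
         "nw_src={ip},nw_dst=10.0.0.9 actions=output:3")
SAMPLE_DUMP = "\n".join(
    ["NXST_FLOW reply (xid=0x4):"]
    + [_RULE.format(port=1, mac="00:00:00:00:00:01", ip=f"10.0.0.{i}") for i in range(10, 18)]
    + [_RULE.format(port=2, mac="00:00:00:00:00:02", ip="10.0.0.2")]
    + [" cookie=0x0, duration=9.0s, table=0, n_packets=4, n_bytes=240, priority=0"
       " actions=CONTROLLER:65535"]
)

FIELD = re.compile(r"(\w+)=([^,\s]+)")


def parse_flows(dump):
    """Return a dict of match/metadata fields for every rule line in the dump."""
    flows = []
    for line in dump.splitlines():
        if " actions=" not in line:      # skips the reply header and blank lines
            continue
        fields = FIELD.findall(line.split(" actions=", 1)[0])
        flows.append({k: v.strip('"') for k, v in fields})
    return flows


def ip_churn(flows, max_ips=4):
    """Count distinct nw_src per (in_port, dl_src); flag keys above max_ips."""
    seen = defaultdict(set)
    for f in flows:
        if "in_port" in f and "nw_src" in f:
            seen[(f["in_port"], f.get("dl_src", "?"))].add(f["nw_src"])
    counts = {key: len(ips) for key, ips in seen.items()}
    flagged = sorted(key for key, n in counts.items() if n > max_ips)
    return counts, flagged


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_DUMP)
    counts, flagged = ip_churn(flows)
    print(f"{len(flows)} rules installed")
    for port, mac in flagged:
        print(f"port {port} mac {mac}: {counts[(port, mac)]} source IPs")
```

Run periodically against each switch, the total rule count and the per-port source-IP count together show both the table pressure and which access port is driving it.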

The planned next step was integrating TopoGuard+ into Floodlight and implementing stealth link probing, moving from attack to defense.