End-to-end detection of cloud network IP spoofing attacks on SAASS

Software Defined Networking is a new networking paradigm thus enabling new innovations in network protocols and applications. Our new attacks are somewhat similar in spirit to spoofing attacks in legacy networks however with significant differences in exploiting unique vulnerabilities how current Software Defined Network operates differently from legacy networks. According to our study, all current major Software Defined Network controllers we find in the market are affected i.e., they are subject to the Network Topology Poisoning Attacks. We then investigate the mitigation methods against the Network Topology Poisoning Attacks and present Tope Guard, a new security extension to SDN controllers, which provides automatic and real-time detection of Network Topology Poisoning Attacks. Our evaluation on a prototype implementation of Tope Guard in the Floodlight controller shows that the defense solution can effectively secure network topology while introducing only a minor impact on normal operations of Open Flow controllers.