Virtual Patching: Fighting Brute Force Attacks in a Software Defined Network

Abstract

A new design for virtual patching applications is presented for software defined network environments. Based on OpenFlow implementation, a software defined network can be programmed to intelligently detect threats and handle them accordingly. By implementing a virtual patching solution with the Floodlight OpenFlow API, these networks can detect malicious traffic before it reaches the vulnerable device, based on common signs like packet size or destinations of open but unused ports. A controller hosts an Intrusion Detection Service (IDS) on the network would track signs of malicious data, and scan incoming traffic for any of those signs. If a packet is reasonably suspicious, it is not allowed to continue on it’s path, while all other traffic continues as normal. Because software defined networks are inherently programmable, a general solution can be put in place that network administrators can use to create virtual patching rules on the fly. This allows for vast flexibility and efficiency, which is critical when dealing with a live exploitation on the network. Experimental results for both the attack specific solution and the general, programmable solution have not yet been obtained.