Floodlight
cpe:2.3:a:projectfloodlight:floodlight:*:*:*:*:*:*:*
- 1.2
A denial-of-service vulnerability has been identified in Floodlight version 1.2. This issue allows a local attacker to disrupt network topology management by exploiting the Topology Manager, Topology Instance, and Routing modules. The vulnerability arises when a malicious host connected to a legacy switch manipulates network packets to remove external links from the SDN topology, causing data streams to be improperly forwarded.
Exploitation of this vulnerability can lead to persistent disruption of network communication, as removed links remain inactive unless manually restored.
The vulnerability can be reproduced by starting the Floodlight controller and a Mininet network with legacy switches. After the controller builds the SDN topology, the malicious host can capture and modify packets to remove external links from the topology. This disruption can be automated with a Python script that sends the modified packets, effectively severing communication across the affected link.