Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Yi Shen,Chunming Wu,Dezhang Kong,Qiumei Cheng

DOI: https://doi.org/10.3390/app13127210

2023-01-01

Applied Sciences

Abstract:Software-defined networking (SDN) enables dynamic management and flexible network control by employing reactive rule installation. Due to high power consumption and cost, current OpenFlow switches only support a limited number of flow rules, which is a major limitation for deploying massive fine-grained policies. This bottleneck can be exploited by attackers to launch saturation attacks to overflow the flow table. Moreover, flow table overflow can occur in the absence of malicious attackers. To cope with this, researchers have developed many proposals to relieve the load under benign conditions. Among them, the dynamic timeout mechanism is one of the most effective solutions. We notice that when the SDN controller adopts dynamic timeouts, existing flow table saturation attacks can fail, or even expose the attackers, due to inaccurate inferring results. In this paper, we extract the common features of dynamic timeout strategies and propose an advanced flow table saturation attack. We explore the definition of flow rule lifetime and use a timing-based side-channel to infer the timeout of flow rules. Moreover, we leverage the dynamic timeout mechanisms to proactively interfere with the decision of timeout values and perform an attack. We conduct extensive experiments in various settings to demonstrate its effectiveness. We also notice that some replacement strategies work differently when the controller assigns dynamic timeouts. The experiment results show that the attack can incur significant network performance degradation and carry out the attack in a stealthy manner.

XU Lei,XU Ke

DOI: https://doi.org/10.16511/j.cnki.qhdxxb.2018.21.019

2018-01-01

Abstract:Router security has become more important with the increasing number of programmable routers.This paper presents a pattern router that codes the modularized dataplane and pre-combines the result to monitor and regulate the dynamic actions in the dataplane.This method uses an action identifier (AID) for each action in the dataplane and puts the normal AID into a regulated action table (RAT) before running the router.When the router is working, all the dynamic actions are verified by the RAT to secure the honesty of each action.The pattern router was implemented in a Click router and in a data plane development kit (DPDK) router with tests showing that the pattern router occupies only 2 MB and uses less than 10％ of the bandwidth to capture all the abnormal actions in the dataplane.

Hongchao Hu,Zhenpeng Wang,Guozhen Cheng,Jiangxing Wu

DOI: https://doi.org/10.1049/iet-ifs.2017.0085

2017-01-01

IET Information Security

Abstract:Software defined networking (SDN) enables the network more flexible, open and programmable. However, as the network control and intelligence lay on the centralised controller, its security becomes even more important, and a minor change may have a direct crucial impact on the entire network. Numerous research results have shown that the SDN controller not only faces traditional security threats, but also has to tackle the challenges introduced by its unique centralised architecture. In this study, the authors present a novel SDN controller framework called mimic network operating system (MNOS). The main ideas behind MNOS are cyberspace mimic defence (CMD), which is proposed by academician Wu's team recently. By introducing the CMD into the design of SDN controllers, they come out with an N-variant controller framework with dynamic, heterogeneous and redundant characteristics. MNOS has a design-in security mechanism, its main features are: (i) effectively protects the controller from the attacks as hijacking and data modification without relying on prior knowledge of vulnerabilities; (ii) constantly monitors the behaviours of variants to detect unknown attacks; (iii) greatly improves the reliability of controllers. Theoretical analysis and experimental results show that MNOS can achieve considerable security gains and effectively improve security performance of SDN controller.

Jingxu Xiao,Chaowen Chang,Yingying Ma,Chenli Yang,Lu Yuan

DOI: https://doi.org/10.3934/mbe.2024148

2024-01-01

Mathematical Biosciences and Engineering

Abstract:In the realm of the Internet of Things (IoT), ensuring the security of communication links and evaluating the safety of nodes within these links remains a significant challenge. The continuous threat of anomalous links, harboring malicious switch nodes, poses risks to data transmission between edge nodes and between edge nodes and cloud data centers. To address this critical issue, we propose a novel trust evaluation based secure multi-path routing (TESM) approach for IoT. Leveraging the software-defined networking (SDN) architecture in the data transmission process between edge nodes, TESM incorporates a controller comprising a security verification module, a multi-path routing module, and an anomaly handling module. The security verification module ensures the ongoing security validation of data packets, deriving trust scores for nodes. Subsequently, the multi-path routing module employs multi-objective reinforcement learning to dynamically generate secure multiple paths based on node trust scores. The anomaly handling module is tasked with handling malicious switch nodes and anomalous paths. Our proposed solution is validated through simulation using the Ryu controller and P4 switches in an SDN environment constructed with Mininet. The results affirm that TESM excels in achieving secure data forwarding, malicious node localization, and the secure selection and updating of transmission paths. Notably, TESM introduces a minimal 12.4% additional forwarding delay and a 5.46% throughput loss compared to traditional networks, establishing itself as a lightweight yet robust IoT security defense solution.

mathematical & computational biology

Ke XU,Yu-Dong ZHAO,Wen-Long CHEN,Meng SHEN,Lei XU

DOI: https://doi.org/10.11897/SP.J.1016.2017.01649

2017-01-01

Abstract:In recent years, the network attacks that adversaries take advantage of router/switch vulnerabilities to perform data interception continue to be exposed, which highlights the importance of secure communication within core networks.As the most affected victims, users and Internet Service Providers have little control on router vulnerabilities, which results in such attacks always being performed in low cost, unidirectional, concealed mechanisms, and being difficult to be recognized let alone restrained.Researchers have proposed many solutions, and most of them are able to prevent or mitigate data interception attacks, however, it is our humble opinion that these solutions are either only fit for specific core networks and specific types of DIAs, or are difficult to implement.To the best of our knowledge, there are still no security complete, universal and easily implementable mechanisms for defending data interception attacks.Based on analyzing all possible abnormal behaviors that vulnerability routers and switches perform, this paper designs and implements a static routing and switching paradigm, a paradigm-based detection algorithm and detector model to recognize the paradigm-violation output-packets.It proves that the routing and switching paradigm is security complete to data interception attacks.Also all rules of the paradigm are universal applicable to TCP/IP networks, the detector is designable, and the paradigm violations are detectable.The detection algorithm is optimized to gain high performance.Based on simulations, we show that not only 100% of normal packets can pass through the optimized paradigm-based detector, but also about 99.92% of intercepting ones would be caught.In addition, the throughout put of the detected routers/switches can reach Gbps level.

Ulf Noring

DOI: https://doi.org/10.1016/j.procs.2018.08.074

2018-01-01

Procedia Computer Science

Abstract:A new networking paradigm known as software-defined networking (SDN) is making managing IP networks easier. As adoption of the paradigm increases, there is an increasing need to adapt existing applications to work with it, and to invent new functionality that was previously not possible. One of the most commonly used tools for testing SDN applications is Mininet, an SDN emulator that uses Linux process groups, CPU bandwidth isolation and network namespaces combined with with link schedulers and virtual Ethernet links to form a virtualized network system. Mininet is designed to run on a single system and resource constraints can be an issue when emulating certain network topologies. The case study looks at the possibility of using Netmap, a framework to give user space applications very fast access to network packets, in order to improve Mininet performance. Due to the lack of a TCP/IP stack in Netmap and the increased complexity that the framework brings, introducing it into Mininet would require a large effort for a possible bandwidth throughput increase of ca. 40%. The study concludes that Netmap is not designed for a use case such as Mininet’s and not worth the effort required to introduce it.

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong,Ruilong Wang,Yuemei Zhang

DOI: https://doi.org/10.1145/2999572.2999605

2016-01-01

Abstract:How to debug large networks is always a challenging task. Software Defined Network (SDN) offers a centralized con- trol platform where operators can statically verify network policies, instead of checking configuration files device-by-device. While such a static verification is useful, it is still not enough: due to data plane faults, packets may not be forwarded according to control plane policies, resulting in network faults at runtime. To address this issue, we present VeriDP, a tool that can continuously monitor what we call control-data plane consistency, defined as the consistency between control plane policies and data plane forwarding behaviors. We prototype VeriDP with small modifications of both hardware and software SDN switches, and show that it can achieve a verification speed of 3 μs per packet, with a false negative rate as low as 0.1%, for the Stanford backbone and Internet2 topologies. In addition, when verification fails, VeriDP can localize faulty switches with a probability as high as 96% for fat tree topologies.

Yan Chen,Zhichun Li

2009-01-01

Abstract:In this thesis, I propose and develop a network-based attack defense system, RAIDM. I focus on network based defense because of the following reasons: (i) network gateways/routers are the vantage points for detecting large scale attacks; (ii) only host based detection/prevention is not enough for modern networks. RAIDM has four components: sketch-based monitoring and detection, polymorphic worm signature generation, signature matching engines and network situational awareness.The first module is sketch-based monitoring and detection. In this thesis, leveraging data streaming techniques such as reversible sketch, we design HiFIND [1], a High-speed Flow-level Intrusion Detection system. We also propose a two-dimensional sketch for attack differentiation. HiFIND (i) is scalable to flow-level detection on high-speed networks; (ii) is DoS resilient; (iii) can distinguish SYN flooding and various port scans (mostly for worm propagation) for effective mitigation; (iv) enables aggregate detection over multiple routers/gateways; and (v) separates anomalies to limit false positives in detection. Both theoretical analysis and evaluation with several router traces show that HiFIND achieves these properties. To the best of our knowledge, HiFIND is the first online DoS resilient flow-level intrusion detection system for high-speed networks (e.g. OC192), even for the worst case traffic of 40-byte-packet streams with each packet forming a flow.The second module is polymorphic worm signature generation. Recently, worms and remote exploits sent by botnets have become the major tools for launching Internet attacks. It is critical to quickly generate signatures in response to those fast propagating threats. To this end, I have developed two types of automated worm signature generation approaches (token-based signature generator and length based signature generator) with different information availability requirement and underlying assumptions. Beside token based signature generator, we design a network-based Length-based Signature Generator (LESG) for worms exploiting buffer overflow vulnerabilities. We further prove the attack resilience bounds even under the worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching.The third module is signature matching engines. In this thesis, we design NetShield, a vulnerability signature based NIDS/NIPS which achieves high throughput comparable to that of the state-of-the-art regex-based systems while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection algorithm that efficiently matches thousands of vulnerability signatures simultaneously using a small amount of memory; (ii) we propose a parsing transition state machine that achieves fast protocol parsing; (iii) we implement the NetShield prototype, including rewriting the ruleset of Snort to vulnerability signatures. Experimental results show that the core engine of NetShield achieves 1.9Gbps signature matching throughput for 794 HTTP vulnerability signatures on a 3.8GHz PC.Finally, the fourth module is network situational awareness for botnet probings. Botnets dominate today's attack landscape. In this thesis, we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. (Abstract shortened by UMI.)

Shaoke Xi,Kai Bu,Wensen Mao,Xiaoyu Zhang,Kui Ren,Xinxin Ren

DOI: https://doi.org/10.1109/tnet.2022.3194970

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Reliable Software-Defined Networking (SDN) should mitigate forwarding anomalies due to cross-plane rule inconsistencies. Most existing countermeasures either inject probe packets to infer forwarding correctness or collect packet traces to detect forwarding anomalies. They, however, cannot detect or filter forwarding anomalies for production packets in real time. In this paper, we propose RuleOut as the first attempt to automatically throttle SDN forwarding anomalies. It disambiguates dependent rules via augmenting their matching fields with unique tags. Leveraging source routing, we further bind each packet with the tag sequence corresponding to rules the packet should match. RuleOut thus renders each packet to match at most one rule on each switch. This completely addresses the root cause of forwarding ambiguity. To implement RuleOut, we develop a non-overlapping rule dependency graph, a series of algorithms for incremental rule update and tag generation upon it, and various optimization techniques toward scalability and efficiency. We prototype RuleOut on the Ryu controller and Open vSwitch and evaluate its performance over public rule sets such as Stanford, Internet2, and Airtel1. RuleOut can use tags of only several bits long to disambiguate thousands to millions of rules and generate tags fairly fast within a few milliseconds.

Yudong Zhao,Ke Xu,Rashid Mijumbi,Meng Shen

DOI: https://doi.org/10.1007/978-3-319-22047-5_15

2015-01-01

Abstract:In recent years, the world has been shocked by the increasing number of network attacks that take advantage of router vulnerabilities to perform data interceptions. Such attacks are generally based on low cost, unidirectional, concealed mechanisms, and are very difficult to recognize let alone restrain. This is especially so, because the most affected parties - the users and Internet Service Providers (ISPs) - have very little control, if any, on router vulnerabilities. In this paper, we design, implement and evaluate a policy-based security system aimed at stopping such attacks from both the routing and switching network functions, by detecting any violations in the set policies. We prove the system's security completeness to data interception attacks. Based on simulations, we show that 100% of normal packets can pass through the policy-based system, and about 99.92% of intercepting ones would be caught. In addition, the performance of the proposed system is acceptable with regard to current TCP/IP networks.

Xin Li,Peng Yi,Yiming Jiang,Jing Yu

DOI: https://doi.org/10.1088/1742-6596/1738/1/012103

2021-01-01

Journal of Physics Conference Series

Abstract:Abstract With the rapid development of network attacks, traditional security protection technology is difficult to deal with unknown threats and persistent attacks. Active defense improves the ability to defend against network attacks by building a dynamic, heterogeneous and redundant endogenous security system. Aiming at the problem of single abnormal arbitrament information of routers in mimic defense, a router abnormal traffic detection strategy based on active defense is proposed. By clustering the traffic information of multiple heterogeneous redundant routing function entities and comparing the distance measurement between them, the routing function entities in abnormal state are determined. The experimental results show that the proposed strategy effectively detects the security threats of routing functional entities and expand the method of mimic router arbitrament.

Ying Xu,Roch Guérin

DOI: https://doi.org/10.1109/SECCOMW.2006.359585

2006-01-01

Abstract:Deploying defense mechanisms in routers holds promises for protecting infrastructure resources such as link bandwidth or router buffers against network denial-of-service (DoS) attacks. However, in spite of their efficacy against brute-force flooding attacks, existing router-based defenses often perform poorly when confronted to more sophisticated attack strategies. This paper presents the design and evaluation of a system aimed at identifying and containing a broad range of malicious traffic patterns. Its main feature is a double time horizon architecture, designed for effective regulation of attacking traffic at both short and long time scales. The short horizon component responds quickly to transient traffic surges that deviate significantly from regular (TCP) traffic, i.e., attackers that generate sporadic short bursts. Conversely, the long horizon mechanism enforces strict conformance with normal TCP behavior, but does so by considering traffic over longer time periods, and is therefore aimed at attackers that attempt to capture a significant amount of link bandwidth. The performance of the proposed system was tested extensively. Our findings suggest that the implementation cost of the system is reasonable, and that it is indeed efficient against various types of attacks while remaining transparent to normal TCP users

Mahmoud Elzoghbi,Hui He

DOI: https://doi.org/10.1016/j.comnet.2024.110723

IF: 5.493

2024-01-01

Computer Networks

Abstract:SDN controllers employ discovery protocols with LLDP packets to discover the network topology; however, this approach is susceptible to topology attacks due to the static reuse of LLDP packets without proper origin verification or integrity checks. This paper proposes a novel form of topology attack called the Roundtrip time Confusion Onslaught (RCO) attack. Our findings showcase the capability of the RCO attack to mislead the discovery service of SDN controllers and bypass the Real-time Link Verification (RLV) defence mechanism, which depends on timing features in Machine Learning (ML) models. The RCO attack significantly reduces the effectiveness of the RLV mechanism in terms of True Positive Rate (TPR), Precision, F1-score, and Cohen's Kappa and increases the False Positive Rate (FPR). These results underscore the difficulties in achieving dependable ML accuracy in topology attack detection. Accordingly, we propose the DIS-Guard framework, designed to protect and improve the efficiency of discovery protocols within SDN controllers. This framework utilizes the mutual Transport Layer Security (mTLS) protocol to discover hosts proactively. Moreover, it employs a novel combination of a chaos-tent map and the proposed statistical method for link discovery. Through extensive evaluation, we illustrate DIS-Guard's superior performance and security over the established Ryu (switches.py) controller and the RLV defence mechanism. Notably, DIS-Guard reduces host- to-host access delays, decreases LLDP packet transmission and reception significantly, and improves control channel efficiency. Collectively, these quantifiable benefits manifest the efficacy of DIS-Guard as a significantly optimized solution for SDN security and performance.

Ping Yi,Futai Zou,Jianhua Li

2007-01-01

Journal of Computational Information Systems

Abstract:Wireless mesh networks is vulnerable to attacks due to the open medium, dynamically changing network topology, cooperative algorithms, lack of centralized monitoring and management point. The traditional way of protecting networks with firewalls and encryption software is no longer sufficient and effective for those features. In this paper, we propose a distributed intrusion detection approach based on timed automata. A cluster-based detection scheme is presented, where periodically a node is elected as the monitor node for a cluster. These monitor nodes can not only make local intrusion detection decisions, but also cooperatively take part in global intrusion detection. And then we construct the timed automata by the way of manually abstracting the correct behaviors of the node according to the routing protocol of Dynamic Source Routing (DSR). The monitor nodes can verify every node's behavior by timed automata, and validly detect real-time attacks without signatures of intrusion or trained data. Compared with the architecture where each node is its own IDS agent, our approach is much more efficient while maintaining the same level of effectiveness. Finally, we evaluate the intrusion detection method through simulation experiments.

XINYU YANG,YI SHI

DOI: https://doi.org/10.1142/S1469026805001520

2005-01-01

International Journal of Computational Intelligence and Applications

Abstract:Multiprotocol label switching (MPLS) is a hybrid solution that combines the advantages of easy forwarding with the ability of guaranteeing quality-of-service (QoS). To deliver reliable service, MPLS requires traffic protection and recovery. Rerouting is one such recovery mechanism. In this paper, we propose a novel rerouting model called DDRAAS that is inspired by the spider and its web in nature. We try to establish an artificial logical spider web in the MPLS network to reorganise it into a structure that is more regular and simple. Based on this, we give the definition of the reroute area. Artificial spiders are then used to explore recovery paths dynamically in the reroute area. DDRAAS can be used to calculate the recovery paths in advance in order to protect the work path, while the improved DDRAAS can be a fast rerouting algorithm to calculate and establish recovery paths when faults occur.We have simulated our mechanism using the MPLS network simulator (MNS) and the performance metrics were compared to those of other proposals. The simulation results show that our mechanism is better in reducing packet loss, disorder and has faster rerouting speed. These improvements help to minimise the effects of link failure and/ or congestion.

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Quan Ren,Tao Hu,Jiangxing Wu,Yuxiang Hu,Lei He,Julong Lan

DOI: https://doi.org/10.1016/j.comnet.2021.108134

IF: 5.493

2021-01-01

Computer Networks

Abstract:SDN improves the flexibility and programmability of the network. However, malicious attacks caused by potential vulnerabilities and backdoors can easily lead to data and rule tampering in the network. To address this problem, this paper proposes an endogenous secure SDN network framework based on multipath resilient routing (MRR). MRR includes multipath comparing forwarding, multipath weighted forwarding, and multipath random forwarding. The framework ensures the correctness of flow rules and data content by dynamically comparing the consistency of multi-heterogeneous path data within a certain period, and multipath can also achieve load balance by weighted forwarding. In the MRR framework, we also present an intermediate information feedback mechanism based on encryption authentication and give a mathematical model to evaluate it. This mechanism can accurately identify and dynamically repair malicious switches. Simulation evaluation and prototype system test show that this framework can achieve high accuracy of flow transmission and high availability of system. At the same time, multipath comparing forwarding will bring some performance costs such as delay, bandwidth, and jitter at initial and attacking time. However, when the appropriate forwarding mode and reasonable period T are selected, the proportion of delay introduced by comparing and ruling can be less than 10%, and the average bandwidth of mixed forwarding is almost the same as traditional multipaths', such as we can guarantee 25% multipath comparing forwarding when the bandwidth requirement is 250 M in prototype system.

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong

DOI: https://doi.org/10.1145/2881025.2881038

2016-01-01

Abstract:Software defined networks provide new opportunities for automating the process of network debugging. Many tools have been developed to verify the correctness of network configurations on the control plane. However, due to software bugs and hardware faults of switches, the correctness of control plane may not readily translate into that of data plane. To bridge this gap, we present VeriDP, which can monitor "whether actual forwarding behaviors are complying with network configurations". Given that policies are well-configured, operators can leverage VeriDP to monitor the correctness of the network data plane. In a nutshell, VeriDP lets switches tag packets that they forward, and report tags together with headers to the verification server before the packets leave the network. The verification server pre-computes all header-to-tag mappings based on the configuration, and checks whether the reported tags agree with the mappings. We prototype VeriDP with both software and hardware OpenFlow switches, and use emulation to show that VeriDP can detect common data plane fault including black holes and access violations, with a minimal impact on the data plane.