DDoS defense using MTD and SDN

Distributed large-scale cyber attacks targeting the availability of computing and network resources remain a serious threat. In order to limit the effects of those attacks and to provide a proactive defense, mitigation should move into the networks of Internet Service Providers (ISPs). In this context, Moving Target Defense (MTD) is a technique that increases the attacker's uncertainty by continuously changing the attack surface. In combination with Software Defined Networking (SDN), MTD has the potential to reduce the effects of a large-scale cyber attack. In this paper, we combine moving-target defense techniques with Software Defined Networking and investigate their effectiveness. We review current moving-target defense strategies and their applicability in the context of large-scale cyber attacks and the networks of Internet Service Providers. Further, we enforce the implementation of moving-target defense strategies using Software Defined Networks in a collaborative environment. In particular, we focus on ISPs that cooperate among trusted partners. We found that the effects of a large-scale cyber attack can be significantly reduced using moving-target defense and Software Defined Networking. Moreover, we show that Software Defined Networking is an appropriate approach to enforce the implementation of moving-target defense and thus mitigate the effects caused by large-scale cyber attacks.
