Cloud-based Deception against Network Reconnaissance Attacks using SDN and NFV

The success of a Distributed Denial of Service (DDoS) attack depends crucially on its reconnaissance phase, the first step, in which the attacker gathers intelligence about the target network. Although several solutions have been proposed against network reconnaissance attacks, they fail to accommodate legitimate users' requests. We therefore propose a cloud-based deception framework that confuses the attacker with misleading reconnaissance replies while still serving legitimate use. The deception forwards reconnaissance packets to a cloud infrastructure through tunneling and SDN, so that the IP addresses returned to the attacker are not the genuine ones. To handle legitimate requests, we create a reflected virtual topology in the cloud and use SDN to propagate any change in the original physical network to the cloud topology. Through experiments on the GENI platform, we show that our framework provides reconnaissance responses to network clients with negligible delay while also significantly reducing management costs.
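The following is an added illustrative model of the two mechanisms the abstract describes; it is not the paper's code or its GENI configuration. It models (1) an ingress switch whose controller-installed flow table diverts reconnaissance packets into a tunnel towards the cloud replica while forwarding legitimate service traffic normally, and (2) a reflected virtual topology in the cloud that is updated from the same link events as the physical network, so that a tunnelled probe is answered from a decoy address rather than a genuine one. What counts as reconnaissance (ICMP echo requests, UDP probes to the classic traceroute port range, and packets whose TTL would expire inside the protected network) is an assumption made for the example, the GRE tunnel is represented only by a "TUNNEL" action, and all addresses, links and services are constructed.

```python
"""Added example (not from the paper): deception switch plus reflected cloud topology."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Callable, Optional

# Assumption: UDP to 33434-33534 is treated as a traceroute probe signature.
TRACEROUTE_PORTS = range(33434, 33535)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    ttl: int
    dport: int = 0
    icmp_type: int = 0    # 8 == ICMP echo request


@dataclass
class FlowRule:
    name: str
    priority: int
    match: Callable[[Packet], bool]
    action: str           # "TUNNEL": encapsulate towards the cloud replica; "FORWARD": normal path


class ReflectedTopology:
    """Cloud-side replica of the physical network. Each physical node receives a
    decoy address from a separate prefix (constructed: 203.0.113.0/24), and every
    link change is applied to both copies from the same controller event."""

    def __init__(self, decoy_prefix: str = "203.0.113.0/24"):
        self._pool = ip_network(decoy_prefix).hosts()
        self.physical: dict[str, set[str]] = {}   # real address -> real neighbours
        self.cloud: dict[str, set[str]] = {}      # decoy address -> decoy neighbours
        self.decoy_of: dict[str, str] = {}        # real address -> decoy address

    def add_node(self, addr: str) -> str:
        if addr not in self.physical:
            decoy = str(next(self._pool))
            self.physical[addr], self.cloud[decoy] = set(), set()
            self.decoy_of[addr] = decoy
        return self.decoy_of[addr]

    def set_link(self, a: str, b: str, up: bool) -> None:
        """Apply one link-up/link-down event to the physical graph and its mirror."""
        da, db = self.add_node(a), self.add_node(b)
        op = set.add if up else set.discard
        op(self.physical[a], b); op(self.physical[b], a)
        op(self.cloud[da], db); op(self.cloud[db], da)

    def in_sync(self) -> bool:
        """True when the cloud graph is exactly the decoy-renamed physical graph."""
        mirrored = {self.decoy_of[n]: {self.decoy_of[m] for m in nb} for n, nb in self.physical.items()}
        return mirrored == self.cloud

    def path(self, src: str, dst: str) -> Optional[list]:
        """Shortest physical path (BFS) from src to dst, excluding src; None if unreachable."""
        prev, queue = {src: None}, [src]
        while queue:
            n = queue.pop(0)
            if n == dst:
                hops = []
                while n != src:
                    hops.append(n); n = prev[n]
                return hops[::-1]
            for m in self.physical.get(n, ()):
                if m not in prev:
                    prev[m] = n; queue.append(m)
        return None


class DeceptionSwitch:
    """Ingress switch with a controller-installed flow table (rule set is an assumption)."""

    def __init__(self, topo: ReflectedTopology, ingress: str, services: set, internal_hops: int):
        self.topo, self.ingress, self.services = topo, ingress, services
        self.rules = sorted([
            FlowRule("icmp-echo", 300, lambda p: p.proto == "icmp" and p.icmp_type == 8, "TUNNEL"),
            FlowRule("udp-traceroute", 250, lambda p: p.proto == "udp" and p.dport in TRACEROUTE_PORTS, "TUNNEL"),
            FlowRule("ttl-expires-inside", 200, lambda p: p.ttl <= internal_hops, "TUNNEL"),
            FlowRule("known-service", 100, lambda p: (p.dst, p.proto, p.dport) in self.services, "FORWARD"),
            FlowRule("default", 0, lambda p: True, "FORWARD"),
        ], key=lambda r: -r.priority)

    def classify(self, pkt: Packet) -> FlowRule:
        return next(r for r in self.rules if r.match(pkt))   # "default" always matches

    def handle(self, pkt: Packet):
        """Return (rule name, action, address the sender will see in the reply).
        Tunnelled probes are answered inside the replica: the hop at which the TTL
        would have expired (or the destination) replies from its decoy address."""
        rule = self.classify(pkt)
        if rule.action == "FORWARD":
            return rule.name, "FORWARD", pkt.dst
        responders = [self.ingress] + (self.topo.path(self.ingress, pkt.dst) or [])
        real = responders[pkt.ttl - 1] if pkt.ttl <= len(responders) else pkt.dst
        return rule.name, "TUNNEL", self.topo.decoy_of.get(real)   # None: no such node in the replica


def build_demo():
    """Constructed topology: ingress 10.0.0.1 -> r1 10.0.1.1 -> r2 10.0.2.1 -> web 10.0.3.10:443."""
    topo = ReflectedTopology()
    for a, b in (("10.0.0.1", "10.0.1.1"), ("10.0.1.1", "10.0.2.1"), ("10.0.2.1", "10.0.3.10")):
        topo.set_link(a, b, up=True)
    sw = DeceptionSwitch(topo, ingress="10.0.0.1", services={("10.0.3.10", "tcp", 443)}, internal_hops=3)
    return topo, sw


if __name__ == "__main__":
    topo, sw = build_demo()
    probe = Packet("198.51.100.7", "10.0.3.10", "udp", ttl=3, dport=33434)   # traceroute, hop 3
    print(sw.handle(probe))                                                   # r2's decoy answers
    print(sw.handle(Packet("198.51.100.7", "10.0.3.10", "tcp", ttl=64, dport=443)))  # HTTPS passes
    topo.set_link("10.0.1.1", "10.0.3.10", up=True)    # physical change: new direct link r1-web
    topo.set_link("10.0.1.1", "10.0.2.1", up=False)    # physical change: r1-r2 goes down
    print(topo.in_sync(), sw.handle(probe))            # replica followed; hop 3 is now the web decoy
```

The point of the `set_link` path is that the controller never updates the cloud copy separately: the same event that changes the physical graph changes the replica, which is what keeps `in_sync()` true and lets the tunnelled traceroute above keep receiving plausible, hop-consistent answers after the physical route changes, without ever exposing a 10.0.0.0/8 address.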
