Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis

Infrastructure Distributed Denial of Service (IDDoS) attacks continue to be one of the most devastating challenges facing cyber systems. The new generation of IDDoS attacks exploits inherent weaknesses of cyber infrastructure, including the deterministic nature of routing, the skewed distribution of flows, and Internet ossification, to discover the network's critical links and launch highly stealthy flooding attacks that are not observable at the victim's end. In this paper, first, we propose a new metric to quantitatively measure the potential susceptibility of any arbitrary target server or domain to stealthy IDDoS attacks, and estimate the impact of such susceptibility on enterprises. Second, we develop proactive route mutation techniques to minimize the susceptibility to these attacks by periodically changing the flow paths to invalidate the adversary's knowledge about the network and avoid targeted critical links. Our proposed approach actively changes these network paths while satisfying security and Quality of Service requirements. We implemented the proactive path mutation technique on a Software Defined Network using the OpenDaylight controller to demonstrate a feasible deployment of this approach. Our evaluation validates the correctness, effectiveness, and scalability of the proposed approaches.
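The following added example (not the paper's code, and not its susceptibility metric) illustrates the two observations the abstract rests on: with deterministic shortest-path routing, the skewed flow distribution concentrates traffic on a few links, and mutating among equal-cost paths each epoch changes which links are critical. The topology and flow set are constructed, and peak link load (fraction of flows crossing one link) is used as a simple stand-in for susceptibility.

```python
# Added illustration, not the paper's code or metric: flow concentration
# under deterministic routing versus per-epoch route mutation.
from collections import defaultdict, deque
import random

# Constructed toy topology: two edge clusters joined through two parallel
# paths (d-e-g and d-f-g); links g-h and g-i are unavoidable cut links.
EDGES = [("a", "b"), ("a", "c"), ("b", "d"), ("c", "d"), ("d", "e"),
         ("d", "f"), ("e", "g"), ("f", "g"), ("g", "h"), ("g", "i")]
FLOWS = [(s, t) for s in ("a", "b", "c") for t in ("h", "i")]  # 6 flows

def all_shortest_paths(edges, src, dst):
    """Enumerate every shortest path src->dst (BFS layering, then walk back)."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    dist, parents, queue = {src: 0}, defaultdict(list), deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
            if dist[v] == dist[u] + 1:
                parents[v].append(u)
    paths, stack = [], [(dst, [dst])]
    while stack:
        node, path = stack.pop()
        if node == src:
            paths.append(path[::-1])
            continue
        stack.extend((p, path + [p]) for p in parents[node])
    return sorted(paths)

def critical_link(edges, flows, rng=None):
    """Most loaded undirected link and the fraction of flows crossing it.
    rng=None: deterministic routing (first equal-cost path); rng: one epoch."""
    load = defaultdict(int)
    for s, t in flows:
        cands = all_shortest_paths(edges, s, t)
        path = cands[0] if rng is None else rng.choice(cands)
        for u, v in zip(path, path[1:]):
            load[frozenset((u, v))] += 1
    link, hits = max(load.items(), key=lambda kv: kv[1])
    return link, hits / len(flows)

def mutation_epochs(edges, flows, seed=1, epochs=8):
    """Peak link load per epoch when each flow picks a random equal-cost path."""
    rng = random.Random(seed)
    return [critical_link(edges, flows, rng)[1] for _ in range(epochs)]
```

With deterministic routing every flow crosses d-e and e-g (load 1.0), so an adversary needs to saturate only one of them; across mutation epochs the peak load drops and the most loaded link moves between d-e and d-f, while the cut links g-h and g-i remain a floor of 0.5 that no path mutation can remove.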
