Towards Crossfire Distributed Denial of Service Attack Protection Using Intent-Based Moving Target Defense Over Software-Defined Networking

Crossfire is an indirect, target-area link-flooding Distributed Denial of Service (DDoS) attack that cuts off the real target by flooding the links serving its neighbors rather than the target itself. Crossfire attacks are gaining momentum because their flows are indistinguishable from legitimate traffic and therefore hard to detect. SDN (Software Defined Networking) is an emerging paradigm valued for its adaptability and programmability. Moving Target Defense (MTD) is an emerging security strategy that counters attacks by continually changing the attack surface presented to the adversary. IBN (Intent-based Networking) is another promising methodology for dynamic network management. IBN-based MTD can deliver efficient MTD solutions because of the centralized control and monitoring capabilities that intents gain once they are translated into rules inside the SDN control plane. In this paper, a framework for defending against Crossfire DDoS attacks is proposed, built on intent-based traffic modifications through the Open Networking Operating System (ONOS) REST API together with Domain Name System (DNS) port redirection. We use intent-based MTD to divert traffic from the principal host to virtual shadow hosts. The redirection deceives the attacker into targeting a shadow host, so its reconnaissance yields an incorrect view of the paths into the network and the Crossfire attack cannot be executed as planned. The proposed technique is simulated using Mininet and the ONOS SDN controller. The outcomes show that traffic is successfully redirected at low computational expense, and the promising results indicate that Crossfire DDoS is efficiently mitigated.
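The redirection step described above, as an added example that is not the paper's code: a small Python module that builds ONOS REST-API `PointToPointIntent` documents rewriting the destination of traffic addressed to the principal host so it is delivered to a randomly chosen virtual shadow host, with a DNS-only variant that also rewrites the UDP port. The host addresses, switch/port identifiers, application id, alternate DNS port and controller credentials are constructed assumptions; the intent JSON shape follows the public ONOS `/onos/v1/intents` codec, and the rotation policy (pick a fresh shadow each round) is one reasonable choice, not necessarily the authors'.

```python
"""Intent-based MTD redirection for a protected host, expressed as ONOS intents.
Added illustration, not the paper's implementation; all topology values are constructed."""
import base64
import json
import random
import urllib.request

ONOS_INTENTS_URL = "http://127.0.0.1:8181/onos/v1/intents"  # assumed controller address
APP_ID = "org.example.crossfire-mtd"                         # hypothetical application id

# Constructed sample topology: the principal host that must stay reachable and the
# virtual shadow hosts that absorb redirected traffic.
PRINCIPAL_IP = "10.0.0.1"
INGRESS_POINT = "of:0000000000000001/1"          # edge port where outside traffic enters
SHADOW_HOSTS = {                                 # shadow IP -> switch/port it is attached to
    "10.0.0.11": "of:0000000000000002/3",
    "10.0.0.12": "of:0000000000000003/3",
    "10.0.0.13": "of:0000000000000004/3",
}
DNS_PORT = 53
SHADOW_DNS_PORT = 5353                           # assumed alternate port on the shadow resolver


def connect_point(cp):
    """Split 'of:...../port' into the {"device", "port"} object the ONOS codec expects."""
    device, port = cp.rsplit("/", 1)
    return {"device": device, "port": port}


def choose_shadow(rng=None, current=None):
    """Pick a shadow host different from the one currently in use."""
    rng = random.Random() if rng is None else rng
    candidates = [ip for ip in SHADOW_HOSTS if ip != current]
    return rng.choice(candidates)


def build_redirect_intent(shadow_ip, dns_only=False, priority=200):
    """Build a PointToPointIntent that rewrites packets addressed to the principal host
    so they are delivered to shadow_ip at its attachment point instead.
    With dns_only=True only UDP/53 traffic is matched and the destination port is
    rewritten too (the DNS port redirection the abstract describes)."""
    criteria = [
        {"type": "ETH_TYPE", "ethType": "0x800"},
        {"type": "IPV4_DST", "ip": f"{PRINCIPAL_IP}/32"},
    ]
    instructions = [{"type": "L3MODIFICATION", "subtype": "IPV4_DST", "ip": shadow_ip}]
    if dns_only:
        criteria += [
            {"type": "IP_PROTO", "protocol": 17},
            {"type": "UDP_DST", "udpPort": DNS_PORT},
        ]
        instructions.append(
            {"type": "L4MODIFICATION", "subtype": "UDP_DST", "udpPort": SHADOW_DNS_PORT}
        )
    return {
        "type": "PointToPointIntent",
        "appId": APP_ID,
        "priority": priority,
        "ingressPoint": connect_point(INGRESS_POINT),
        "egressPoint": connect_point(SHADOW_HOSTS[shadow_ip]),
        "selector": {"criteria": criteria},
        "treatment": {"instructions": instructions},
    }


def rotate(state, rng=None):
    """One MTD round: choose a fresh shadow host and return the intent to install plus
    the updated state. A defender would drive this from a timer or a link-load alarm."""
    new_ip = choose_shadow(rng, state.get("shadow"))
    intent = build_redirect_intent(new_ip)
    return intent, {"shadow": new_ip, "round": state.get("round", 0) + 1}


def submit_intent(intent, url=ONOS_INTENTS_URL, user="onos", password="rocks"):
    """POST the intent to the ONOS REST API (default credentials assumed; needs a live
    controller, so it is not exercised offline). ONOS answers 201 on success."""
    body = json.dumps(intent).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Three deterministic rounds of redirection; print the intents a defender would install.
    state, rng = {}, random.Random(0)
    for _ in range(3):
        intent, state = rotate(state, rng)
        print(f"round {state['round']}: redirect {PRINCIPAL_IP} -> {state['shadow']}")
        print(json.dumps(intent, indent=2))
    print(json.dumps(build_redirect_intent(state["shadow"], dns_only=True), indent=2))
```

Each rotation replaces the previous redirect intent, so the attacker's probes keep landing on a different shadow host and the link map it builds during reconnaissance never matches the real path to the principal host; in production the old intent should be withdrawn (DELETE on its intent key) before the new one is submitted, and the rotation interval traded off against the flow-rule churn the controller can absorb.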
