NetHide: Secure and Practical Network Topology Obfuscation

Simple path tracing tools such as traceroute allow malicious users to infer network topologies remotely and use that knowledge to craft advanced denial-of-service (DoS) attacks such as Link-Flooding Attacks (LFAs). Yet, despite the risk, most network operators still allow path tracing as it is an essential network debugging tool. In this paper, we present NetHide, a network topology obfuscation framework that mitigates LFAs while preserving the practicality of path tracing tools. The key idea behind NetHide is to formulate network obfuscation as a multi-objective optimization problem that allows for a flexible tradeoff between security (encoded as hard constraints) and usability (encoded as soft constraints). While solving this problem exactly is hard, we show that NetHide can obfuscate topologies at scale by only considering a subset of the candidate solutions and without reducing obfuscation quality. In practice, NetHide obfuscates the topology by intercepting and modifying path tracing probes directly in the data plane. We show that this process can be done at line-rate, in a stateless fashion, by leveraging the latest generation of programmable network devices. We fully implemented NetHide and evaluated it on realistic topologies. Our results show that NetHide is able to obfuscate large topologies (> 150 nodes) while preserving near-perfect debugging capabilities. In particular, we show that operators can still precisely trace back > 90% of link failures despite obfuscation.

[1]  David Wetherall,et al.  Towards IP geolocation using delay and topology measurements , 2006, IMC '06.

[2]  Matthew Roughan,et al.  The Internet Topology Zoo , 2011, IEEE Journal on Selected Areas in Communications.

[3]  Virgil D. Gligor,et al.  The Crossfire Attack , 2013, 2013 IEEE Symposium on Security and Privacy.

[4]  Lei Xue,et al.  Towards Detecting Target Link Flooding Attack , 2014, LISA.

[5]  Vladimir I. Levenshtein,et al.  Binary codes capable of correcting deletions, insertions, and reversals , 1965 .

[6]  Virgil D. Gligor,et al.  CoDef: collaborative defense against large-scale link-flooding attacks , 2013, CoNEXT.

[7]  Seungwon Shin,et al.  Software-Defined HoneyNet: Towards Mitigating Link Flooding Attacks , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W).

[8]  Yih-Chun Hu,et al.  Lightweight source authentication and path validation , 2015, SIGCOMM 2015.

[9]  Ratul Mahajan,et al.  Measuring ISP topologies with rocketfuel , 2002, TNET.

[10]  Edsger W. Dijkstra,et al.  A note on two problems in connexion with graphs , 1959, Numerische Mathematik.

[11]  Xenofontas A. Dimitropoulos,et al.  A novel framework for modeling and mitigating distributed link flooding attacks , 2016, IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.

[12]  Jared M. Smith,et al.  Routing Around Congestion: Defeating DDoS Attacks and Adverse Network Conditions via Reactive BGP Routing , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[13]  Adrian Perrig,et al.  The Coremelt Attack , 2009, ESORICS.

[14]  Vyas Sekar,et al.  SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks , 2016, NDSS.

[15]  Anja Feldmann,et al.  Inferring BGP blackholing activity in the internet , 2017, Internet Measurement Conference.

[16]  Robert Beverly,et al.  A Technique for Network Topology Deception , 2013, MILCOM 2013 - 2013 IEEE Military Communications Conference.

[17]  George Varghese,et al.  P4: programming protocol-independent packet processors , 2013, CCRV.

[18]  Robert Soulé,et al.  Semi-Oblivious Traffic Engineering: The Road Not Taken , 2018, NSDI.

[19]  Andrei Sabelfeld,et al.  Understanding and Enforcing Opacity , 2015, 2015 IEEE 28th Computer Security Foundations Symposium.

[20]  Christian E. Hopps,et al.  Analysis of an Equal-Cost Multi-Path Algorithm , 2000, RFC.

[21]  Ehab Al-Shaer,et al.  Agile virtualized infrastructure to proactively defend against cyber attacks , 2015, 2015 IEEE Conference on Computer Communications (INFOCOM).

[22]  Yao Zhang,et al.  SIBRA: Scalable Internet Bandwidth Reservation Architecture , 2015, NDSS.

[23]  Randy Bush,et al.  Quantifying Interference between Measurements on the RIPE Atlas Platform , 2015, Internet Measurement Conference.