A moving target defense and network forensics framework for ISP networks using SDN and NFV

Abstract: With the increasing diversity of network attacks, there is a trend towards building more agile networks that can defend themselves or prevent attackers from easily launching attacks. To this end, moving target defense (MTD) mechanisms have started to be pursued to dynamically change the structure and configuration of networks, not only during an attack but also before one, so that network reconnaissance becomes much more difficult. Furthermore, various network forensics mechanisms have been introduced to help locate the source and type of an attack as a reactive defense mechanism. Emerging Software Defined Networking (SDN) and Network Function Virtualization (NFV) provide excellent opportunities to implement these mechanisms efficiently. This paper considers MTD in the context of an Internet Service Provider (ISP) network and proposes an architectural framework that enables MTD even during the reconnaissance phase while facilitating forensics investigations. We propose various virtual shadow networks, created through NFV, to be used when implementing MTD mechanisms via route mutation. The idea is to dynamically change the routes taken by specific reconnaissance packets so that attackers cannot easily identify the actual network topology for potential distributed denial of service (DDoS) attacks such as Crossfire, while enabling the defender to store potential attackers' information through a forensics feature. We present an integrated framework that encompasses these features. The proposed framework is implemented in Mininet to test its effectiveness and overheads. The results demonstrate its effectiveness in thwarting attackers at the expense of slightly increased path lengths, end-to-end delay, and storage for forensic purposes.
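The route-mutation idea summarized above, as an added illustrative simulation that is not the paper's own implementation (the paper runs on SDN/NFV switches in Mininet; this is plain Python). It assumes a constructed seven-router ISP topology, a simple heuristic that treats UDP traceroute-range probes and ICMP echo as reconnaissance, and real alternate paths standing in for the paper's NFV shadow networks. Ordinary traffic takes the hop-count shortest path; reconnaissance probes are steered onto a candidate path chosen by a keyed hash over (source, destination, time epoch), so the path an attacker observes changes each epoch and cannot be predicted without the secret, while the defender can reproduce and log every decision for forensics. The `stretch` function measures the path-length overhead the abstract mentions.

```python
"""Toy route-mutation simulation for reconnaissance probes (illustrative, not the paper's code)."""
import hashlib
from collections import deque

# Constructed undirected ISP topology as an adjacency list (assumption, not from the paper).
TOPOLOGY = {
    "A": ["B", "C"],
    "B": ["A", "D", "E"],
    "C": ["A", "E", "F"],
    "D": ["B", "G"],
    "E": ["B", "C", "G"],
    "F": ["C", "G"],
    "G": ["D", "E", "F"],
}


def shortest_path(graph, src, dst):
    """BFS hop-count shortest path; this is what ordinary (non-recon) traffic uses."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def all_simple_paths(graph, src, dst, max_hops):
    """Enumerate loop-free src->dst paths of at most max_hops hops (DFS); candidate shadow routes."""
    paths = []

    def dfs(node, path):
        if len(path) - 1 > max_hops:
            return
        if node == dst:
            paths.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(src, [src])
    return sorted(paths, key=lambda p: (len(p), p))


def is_recon(pkt):
    """Heuristic classifier: UDP in the classic traceroute port range, or ICMP echo (assumption)."""
    if pkt["proto"] == "udp" and 33434 <= pkt.get("dst_port", 0) <= 33534:
        return True
    return pkt["proto"] == "icmp-echo"


class MutatingRouter:
    """Routes normal traffic on the shortest path; mutates the path of recon probes per epoch."""

    def __init__(self, graph, secret, epoch_seconds=60, max_stretch=2):
        self.graph = graph
        self.secret = secret                # defender-only key; makes path choice unpredictable
        self.epoch_seconds = epoch_seconds  # how often the probe route mutates
        self.max_stretch = max_stretch      # bound on extra hops accepted for a shadow path
        self.forensic_log = []              # every mutated probe is recorded for later analysis

    def candidate_paths(self, src, dst):
        base = shortest_path(self.graph, src, dst)
        return all_simple_paths(self.graph, src, dst, len(base) - 1 + self.max_stretch)

    def _pick(self, candidates, pkt, epoch):
        # Keyed hash over (secret, src, dst, epoch): reproducible by the defender, opaque to the prober.
        digest = hashlib.sha256(
            f"{self.secret}|{pkt['src']}|{pkt['dst']}|{epoch}".encode()
        ).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def route(self, pkt, now):
        """Return the path for pkt at time `now` (seconds); recon probes are logged and mutated."""
        if not is_recon(pkt):
            return shortest_path(self.graph, pkt["src"], pkt["dst"])
        epoch = int(now // self.epoch_seconds)
        path = self._pick(self.candidate_paths(pkt["src"], pkt["dst"]), pkt, epoch)
        self.forensic_log.append({
            "time": now, "src": pkt["src"], "dst": pkt["dst"],
            "proto": pkt["proto"], "epoch": epoch, "path": path,
        })
        return path


def stretch(router, pkt, now):
    """Extra hops the chosen path adds over the shortest path (the overhead the abstract reports)."""
    return len(router.route(pkt, now)) - len(shortest_path(router.graph, pkt["src"], pkt["dst"]))


if __name__ == "__main__":
    r = MutatingRouter(TOPOLOGY, secret="constructed-demo-secret")
    probe = {"src": "A", "dst": "G", "proto": "udp", "dst_port": 33435}
    for t in (0, 60, 120, 180):
        print(f"t={t:3d}s probe path: {' -> '.join(r.route(probe, t))}")
    print("forensic entries:", len(r.forensic_log))
```

Because the selection is a keyed hash rather than a random draw, an investigator holding the secret can replay the log and confirm which path any logged probe was given, which is the forensics side of the abstract's design; the bound `max_stretch` is the knob that trades topology obfuscation against the path-length and delay overhead.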
