TARN: A SDN-based traffic analysis resistant network architecture

Destination IP prefix-based routing protocols are core to Internet routing today. Internet autonomous systems (ASes) own fixed IP prefixes, and packets carry the intended destination AS's prefix in their headers in clear text. As a result, network communications can be easily identified by IP address and become targets of a wide variety of attacks, such as DNS/IP filtering, distributed denial-of-service (DDoS) attacks, and man-in-the-middle (MITM) attacks. In this work, we explore an alternative network architecture that fundamentally removes such vulnerabilities by decoupling IP prefixes from destination networks and by allowing any end-to-end communication session to use dynamic, short-lived, pseudo-random IP addresses drawn from a range of IP prefixes rather than from a single one. The concept seems impossible to realize in today's Internet. We demonstrate how it is achievable today with three different strategies based on software-defined networking (SDN), and how it can be done at scale to transform the Internet addressing and routing paradigms through the novel concept of a distributed software-defined Internet exchange (SDX). The solution works with both IPv4 and IPv6, with the latter providing a higher degree of IP addressing freedom. Prototypes based on Open vSwitch (OVS) have been implemented for experimentation across the PEERING BGP testbed. The SDX solution not only provides a technically sustainable pathway towards large-scale traffic analysis resistant network (TARN) support; it also unveils a new business model for customer-driven, customizable and trustworthy end-to-end network services.
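The core mechanism the abstract describes, a session being given a short-lived, pseudo-random destination address drawn from several prefixes rather than one, can be modelled as the mapping state an SDN controller would hold and push to an edge switch as header-rewrite rules. The following is an added illustration written for this page, not the paper's prototype or any OVS code: the prefix pool, the session identifiers, the `TarnEdge` class and its methods, and the 30-second lifetime are all constructed assumptions. The model keeps a forward table (session to ephemeral address, used when rewriting outbound packets) and a reverse table (ephemeral address to real destination, used when rewriting inbound packets), draws each ephemeral address from a randomly chosen prefix, and drops bindings once their lifetime has elapsed, so an on-path observer sees a different, unrelated address per session and no stable prefix for the real destination.

```python
"""Model of a TARN-style edge mapping: per-session, short-lived, pseudo-random
destination addresses drawn from a pool of prefixes (added example, not the
paper's code; all prefixes, names and lifetimes are constructed)."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed pool of prefixes the edge may draw from (RFC 1918 space, not a real deployment).
PREFIX_POOL: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.30.0.0/16"),
]


@dataclass
class Binding:
    session_id: str
    real_dst: ipaddress.IPv4Address       # only the edge ever sees this in the clear
    ephemeral_dst: ipaddress.IPv4Address  # what appears in packet headers on the path
    expires_at: float                     # seconds on the caller-supplied clock


class TarnEdge:
    """Holds the per-session rewrite state a controller would install on the edge switch."""

    def __init__(self, pool, lifetime_s: float, rng: Optional[random.Random] = None):
        self.pool = list(pool)
        self.lifetime_s = lifetime_s
        self.rng = rng if rng is not None else random.SystemRandom()
        self._by_session: Dict[str, Binding] = {}
        self._by_ephemeral: Dict[ipaddress.IPv4Address, Binding] = {}

    def _draw_address(self) -> ipaddress.IPv4Address:
        # Pick a prefix at random, then a random host inside it (skip network/broadcast).
        net = self.rng.choice(self.pool)
        offset = self.rng.randrange(1, net.num_addresses - 1)
        return net.network_address + offset

    def expire(self, now: float) -> int:
        """Drop every binding whose lifetime has elapsed; return how many were removed."""
        dead = [b for b in self._by_session.values() if b.expires_at <= now]
        for b in dead:
            del self._by_session[b.session_id]
            del self._by_ephemeral[b.ephemeral_dst]
        return len(dead)

    def open_session(self, session_id: str, real_dst, now: float) -> ipaddress.IPv4Address:
        """Return the ephemeral destination to write into this session's outbound headers."""
        self.expire(now)
        if session_id in self._by_session:
            return self._by_session[session_id].ephemeral_dst
        for _ in range(64):
            addr = self._draw_address()
            if addr not in self._by_ephemeral:  # never hand out an address still in use
                break
        else:
            raise RuntimeError("could not find a free ephemeral address in the pool")
        b = Binding(session_id, ipaddress.ip_address(real_dst), addr, now + self.lifetime_s)
        self._by_session[session_id] = b
        self._by_ephemeral[addr] = b
        return addr

    def resolve_inbound(self, ephemeral_dst, now: float) -> Optional[ipaddress.IPv4Address]:
        """Map an ephemeral destination back to the real one; None once the binding expired."""
        self.expire(now)
        b = self._by_ephemeral.get(ipaddress.ip_address(ephemeral_dst))
        return b.real_dst if b else None


def prefix_of(addr, pool) -> Optional[ipaddress.IPv4Network]:
    """Which pool prefix an address falls in, or None (what a passive observer can learn)."""
    a = ipaddress.ip_address(addr)
    for net in pool:
        if a in net:
            return net
    return None


def make_edge(seed: int, lifetime_s: float = 30.0) -> TarnEdge:
    """Seeded edge for reproducible demonstration; production use would keep SystemRandom."""
    return TarnEdge(PREFIX_POOL, lifetime_s, rng=random.Random(seed))


if __name__ == "__main__":
    edge = make_edge(7)
    real = "192.0.2.10"  # TEST-NET-1 placeholder for the true destination
    a = edge.open_session("sess-A", real, now=0.0)
    b = edge.open_session("sess-B", real, now=1.0)
    print("session A seen on the wire as", a, "in", prefix_of(a, PREFIX_POOL))
    print("session B seen on the wire as", b, "in", prefix_of(b, PREFIX_POOL))
    print("inbound", a, "resolves to", edge.resolve_inbound(a, now=5.0))
    print("after lifetime:", edge.resolve_inbound(a, now=31.0))
```

Two sessions to the same real destination get unrelated ephemeral addresses, possibly in different prefixes, and once a binding's lifetime passes the edge no longer rewrites for it, which is the short-lived property the abstract relies on; in a real deployment the same state would be expressed as OVS flow entries that rewrite the destination field, and the pool would be announced via BGP from the SDX.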
