Utilizing NFV for Effective Moving Target Defense Against Link Flooding Reconnaissance Attacks

Moving target defense (MTD) is becoming popular with the advancements in Software Defined Networking (SDN) technologies. With centralized management through SDN, changing the network attributes such as routes to escape from attacks is simple and fast. Yet, the available alternate routes are bounded by the network topology, and a persistent attacker that continuously perform the reconnaissance can extract the whole link-map of the network. To address this issue, we propose to use virtual shadow networks (VSNs) by applying Network Function Virtualization (NFV) abilities to the network in order to deceive attacker with the fake topology information and not reveal the actual network topology and characteristics. We design this approach under a formal framework for Internet Service Provider (ISP) networks and apply it to the recently emerged indirect DDoS attacks, namely Crossfire, for evaluation. The results show that attacker spends more time to figure out the network behavior while the costs on the defender and network operations are negligible until reaching a certain network size.

[1]  Sean Peisert,et al.  Techniques for the dynamic randomization of network attributes , 2015, 2015 International Carnahan Conference on Security Technology (ICCST).

[2]  Seungjoon Lee,et al.  Network function virtualization: Challenges and opportunities for innovations , 2015, IEEE Communications Magazine.

[3]  Ehab Al-Shaer,et al.  Formal Approach for Resilient Reachability based on End-System Route Agility , 2016, MTD@CCS.

[4]  Vyas Sekar,et al.  Bohatei: Flexible and Elastic DDoS Defense , 2015, USENIX Security Symposium.

[5]  W. Buck,et al.  MININET , 1979, Prax. Inf.verarb. Kommun..

[6]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[7]  Saman Taghavi Zargar,et al.  A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks , 2013, IEEE Communications Surveys & Tutorials.

[8]  Kemal Akkaya,et al.  Mitigating Crossfire Attacks Using SDN-Based Moving Target Defense , 2016, 2016 IEEE 41st Conference on Local Computer Networks (LCN).

[9]  Ehab Al-Shaer,et al.  Efficient Random Route Mutation considering flow and network constraints , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[10]  David Ha Random Network Generator , 2015 .

[11]  Dino Farinacci,et al.  Generic Routing Encapsulation (GRE) , 2000, RFC.

[12]  Li Wang,et al.  Moving Target Defense Against Network Reconnaissance with Software Defined Networking , 2016, ISC.

[13]  Virgil D. Gligor,et al.  The Crossfire Attack , 2013, 2013 IEEE Symposium on Security and Privacy.

[14]  Thomas E. Carroll,et al.  Analysis of network address shuffling as a moving target defense , 2014, 2014 IEEE International Conference on Communications (ICC).