Abstract
DDoS attacks have been a persistent threat to network availability for many years. Most existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, because critical network resources are usually static, adversaries can bypass filtering by sending stealthy, low-rate traffic from a large number of bots that mimics benign traffic behaviour. Sophisticated stealthy attacks on critical links can have a devastating effect, such as partitioning domains and networks. Our proposed approach, called MoveNet, defends against DDoS attacks by proactively and reactively changing the footprint of critical resources in an unpredictable fashion, so that the attacker's knowledge of the critical network resources becomes stale. MoveNet employs virtual networks (VNs) to offer constant, dynamic and threat-aware reallocation of critical network resources (VN migration). Our approach has two components: (1) a correct-by-construction VN migration planner that significantly increases the attacker's uncertainty about the critical links of multiple VNs while preserving the VN properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence for node migration while maintaining network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using Satisfiability Modulo Theories (SMT), and we demonstrate the effectiveness of the implemented framework in both PlanetLab and Mininet-based experiments.
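As an added illustration (not code from the chapter, and not the authors' SMT model), the following Python sketch works through the two planning questions the abstract raises on a constructed six-node substrate: choose a new placement whose footprint avoids the links an attacker currently sees as critical while keeping every substrate link within capacity, and then order the per-node moves so that every intermediate state is still a valid embedding. The substrate, capacities, virtual network, shortest-path embedding and brute-force search are all assumptions standing in for the chapter's SMT formulation.

```python
"""Toy MoveNet-style migration planner (added illustration, not the chapter's code).

Assumptions (not from the page): a substrate graph with per-link capacity, a
virtual network whose virtual links are embedded on substrate shortest paths,
and exhaustive search standing in for the SMT solver used by MoveNet.
"""
from collections import deque
from itertools import permutations

# Constructed substrate: undirected links (u < v) -> number of virtual links
# they can carry. A hexagon A-B-C-D-F-E-A with two thinner chords B-F and C-E.
SUBSTRATE = {
    ("A", "B"): 2, ("B", "C"): 2, ("C", "D"): 2,
    ("A", "E"): 2, ("E", "F"): 2, ("D", "F"): 2,
    ("B", "F"): 1, ("C", "E"): 1,
}
# Constructed virtual network: a triangle of three virtual nodes.
VLINKS = [("v1", "v2"), ("v2", "v3"), ("v1", "v3")]
# Constructed initial embedding: the attacker has had time to map this one.
INITIAL = {"v1": "A", "v2": "B", "v3": "C"}


def link(u, v):
    """Canonical key for an undirected substrate link."""
    return (u, v) if u < v else (v, u)


def neighbors(node):
    for (u, v) in SUBSTRATE:
        if u == node:
            yield v
        elif v == node:
            yield u


def shortest_path(src, dst):
    """BFS shortest path on the substrate, returned as the list of links used."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(neighbors(cur)):   # sorted => deterministic tie-break
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, cur = [], dst
    while prev[cur] is not None:
        path.append(link(prev[cur], cur))
        cur = prev[cur]
    return path[::-1]


def footprint(placement):
    """Substrate links used by the VN under placement {vnode: snode} -> load."""
    load = {}
    for (a, b) in VLINKS:
        path = shortest_path(placement[a], placement[b])
        if path is None:
            return None
        for l in path:
            load[l] = load.get(l, 0) + 1
    return load


def feasible(load):
    """VN property preserved: every virtual link routed, no link over capacity."""
    return load is not None and all(load[l] <= SUBSTRATE[l] for l in load)


def critical_links(load):
    """Links a stealthy attacker would target: those carrying the most virtual links."""
    top = max(load.values())
    return {l for l, n in load.items() if n == top}


def plan_migration(current):
    """Pick a feasible placement (distinct substrate nodes) whose footprint
    shares as few links as possible with the current critical set; a
    brute-force stand-in for the chapter's SMT-based planner."""
    crit = critical_links(footprint(current))
    snodes = sorted({n for l in SUBSTRATE for n in l})
    best, best_score = None, None
    for combo in permutations(snodes, len(current)):
        cand = dict(zip(sorted(current), combo))
        if cand == current:
            continue
        load = footprint(cand)
        if not feasible(load):
            continue
        score = len(set(load) & crit)       # lower = less overlap with attacker's map
        if best_score is None or score < best_score:
            best, best_score = cand, score
    return best, best_score


def migration_sequence(current, target):
    """Order the node moves so every intermediate placement is still a valid
    embedding (no two virtual nodes on one substrate node, no link over
    capacity): the network-integrity condition, checked exhaustively."""
    for order in permutations(sorted(current)):
        state, ok = dict(current), True
        for vnode in order:
            state[vnode] = target[vnode]
            if len(set(state.values())) != len(state) or not feasible(footprint(state)):
                ok = False
                break
        if ok:
            return list(order)
    return None


if __name__ == "__main__":
    crit = critical_links(footprint(INITIAL))
    target, score = plan_migration(INITIAL)
    print("critical links now:", sorted(crit))
    print("new placement:", target, "overlap with critical set:", score)
    print("safe move order:", migration_sequence(INITIAL, target))
```

On this substrate the initial triangle A-B-C piles two virtual links each onto A-B and B-C, so those are the links an attacker would probe; the planner moves the VN to D-E-F, whose footprint avoids both, and the sequencer rejects the naive v1, v2, v3 order because the intermediate state would push two virtual links over the unit-capacity chord C-E, settling on v1, v3, v2 instead.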
Notes
1. This research was supported in part by the National Science Foundation under Grants No. CNS-1320662 and CNS-1319490. Any opinions, findings, conclusions or recommendations stated in this material are those of the authors and do not necessarily reflect the views of the funding sources.
2.
3. After each iteration, the counter is decremented by one.
4. Due to limited space, we skip the technical details of our controller extensions and implementation.
5. Due to anonymous submission, we are not disclosing this information.
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Al-Shaer, E., Gillani, S.F. (2016). Agile Virtual Infrastructure for Cyber Deception Against Stealthy DDoS Attacks. In: Jajodia, S., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Deception. Springer, Cham. https://doi.org/10.1007/978-3-319-32699-3_10
DOI: https://doi.org/10.1007/978-3-319-32699-3_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-32697-9
Online ISBN: 978-3-319-32699-3
eBook Packages: Computer Science (R0)