ABSTRACT
Advances in layer 2 networking technologies have fostered the deployment of large, geographically distributed LANs. Due to their large diameter, such LANs provide many vantage points for wiretapping. As an example, Google's internal network was reportedly tapped by governmental agencies, forcing the Web giant to encrypt its internal traffic. While using encryption certainly helps, eavesdroppers can still access traffic metadata, which often reveals sensitive information, such as who communicates with whom and which hosts are the critical hubs in the infrastructure.
This paper presents iTAP, a system for providing strong anonymity guarantees within a network. iTAP is network-based and can be partially deployed. Akin to onion routing, iTAP rewrites packet headers at the network edges by leveraging SDN devices. As large LANs can see millions of flows, the key challenge is to rewrite headers in a way that guarantees strong anonymity while, at the same time, keeping both the control plane (number of events) and the data plane (number of flow rules) scalable. iTAP addresses these challenges by adopting a hybrid rewriting scheme. Specifically, iTAP scales by reusing rewriting rules across distinct flows and by distributing them over multiple switches. As reusing headers leaks information, iTAP monitors this leakage and adapts the rewriting rules before any eavesdropper could provably de-anonymize any host.
We implemented iTAP and evaluated it using real network traffic traces. We show that iTAP works in practice, on existing hardware, and that deploying a few SDN switches is enough to protect a large share of the network traffic.
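A toy model of the edge-based rewriting and leakage monitoring that the abstract describes, added here as an illustration and not iTAP's own algorithm or code; the reuse cap (`max_share`), the per-pseudonym flow budget and the sample hosts (10.0.0.x) are assumptions of this example.

```python
from collections import defaultdict

class RewritingEdge:
    """Toy model of an SDN edge that swaps a host's real source address for a
    pseudonym. Not iTAP's algorithm: the reuse cap (max_share) and the leakage
    rule (retire a pseudonym once it has carried `budget` flows for a single
    host) are assumptions of this example; return-path handling is out of scope."""

    def __init__(self, pool, max_share=3, budget=5):
        self.free = list(pool)          # pseudonyms not yet handed out
        self.max_share = max_share      # hosts allowed behind one pseudonym
        self.budget = budget            # flows a lone-host pseudonym may carry
        self.rule = {}                  # real_src -> pseudonym: one data-plane rule per host
        self.hosts = defaultdict(set)   # pseudonym -> real hosts currently behind it
        self.flows = defaultdict(int)   # pseudonym -> flows carried since installed
        self.rotations = 0              # control-plane events: rules replaced by the monitor

    def _assign(self, real_src):
        # Rule reuse: prefer a pseudonym already hiding other hosts that still
        # has room, which enlarges its anonymity set without consuming a fresh
        # pseudonym; otherwise take one from the pool.
        for p in sorted(self.hosts):
            if len(self.hosts[p]) < self.max_share:
                break
        else:
            p = self.free.pop(0)
        self.rule[real_src] = p
        self.hosts[p].add(real_src)
        return p

    def rewrite(self, real_src):
        """Return the pseudonymous source the edge writes into the packet header."""
        p = self.rule.get(real_src) or self._assign(real_src)
        self.flows[p] += 1
        self._monitor(p)
        return p

    def _monitor(self, p):
        # Leakage check: a pseudonym that keeps carrying flows for exactly one
        # host lets a wiretapper link all of them to the same sender. Retire
        # it once the budget is reached; the host gets a new rule next time.
        if len(self.hosts[p]) == 1 and self.flows[p] >= self.budget:
            (host,) = self.hosts.pop(p)
            del self.rule[host]
            del self.flows[p]
            self.rotations += 1

    def anonymity_set(self, pseudonym):
        # Real hosts an eavesdropper must choose between when seeing this pseudonym
        return len(self.hosts.get(pseudonym, ()))
```

`len(edge.rule)` counts the flow rules the switch must hold and `edge.rotations` the control-plane events triggered by the monitor, which is the scaling trade-off the abstract refers to.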