Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis
Abstract
The Infrastructure Distributed Denial of Service (IDDoS) attacks continue to be one of the most devastating challenges facing cyber systems. The new generation of IDDoS attacks exploit the inherent weakness of cyber infrastructure including deterministic nature of routes, skew distribution of flows, and Internet ossification to discover the network critical links and launch highly stealthy flooding attacks that are not observable at the victim end. In this paper, first, we propose a new metric to quantitatively measure the potential susceptibility of any arbitrary target server or domain to stealthy IDDoS attacks, and es- timate the impact of such susceptibility on enterprises. Second, we develop a proactive route mutation technique to minimize the susceptibility to these attacks by dynamically changing the flow paths periodically to invalidate the adversary knowledge about the network and avoid targeted critical links. Our proposed approach actively changes these network paths while satisfying security and qualify of service requirements. We present an integrated approach of proactive route mutation that combines both infrastructure-based mutation that is based on reconfiguration of switches and routers, and middle-box approach that uses an overlay of end-point proxies to construct a virtual network path free of critical links to reach a destination. Wemore »
- Authors:
-
- Cyber Defense and Network Assurability Center, College of Computing and Informatics, University of North Carolina Charlotte, USA
- Pacific Northwest National Laboratory, USA
- Publication Date:
- Research Org.:
- Pacific Northwest National Laboratory (PNNL), Richland, WA (United States)
- Sponsoring Org.:
- USDOE
- OSTI Identifier:
- 1433769
- Report Number(s):
- PNNL-SA-128859
Journal ID: ISSN 1548-5129
- DOE Contract Number:
- AC05-76RL01830
- Resource Type:
- Journal Article
- Journal Name:
- Journal of Defense Modeling and Simulation
- Additional Journal Information:
- Journal Volume: 15; Journal Issue: 2; Journal ID: ISSN 1548-5129
- Publisher:
- Society for Modeling and Simulation International
- Country of Publication:
- United States
- Language:
- English
- Subject:
- ARC
Citation Formats
Duan, Qi, Al-Shaer, Ehab, Chatterjee, Samrat, Halappanavar, Mahantesh, and Oehmen, Christopher. Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis. United States: N. p., 2016.
Web. doi:10.1177/1548512917731002.
Duan, Qi, Al-Shaer, Ehab, Chatterjee, Samrat, Halappanavar, Mahantesh, & Oehmen, Christopher. Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis. United States. https://doi.org/10.1177/1548512917731002
Duan, Qi, Al-Shaer, Ehab, Chatterjee, Samrat, Halappanavar, Mahantesh, and Oehmen, Christopher. 2016.
"Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis". United States. https://doi.org/10.1177/1548512917731002.
@article{osti_1433769,
title = {Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis},
author = {Duan, Qi and Al-Shaer, Ehab and Chatterjee, Samrat and Halappanavar, Mahantesh and Oehmen, Christopher},
abstractNote = {The Infrastructure Distributed Denial of Service (IDDoS) attacks continue to be one of the most devastating challenges facing cyber systems. The new generation of IDDoS attacks exploit the inherent weakness of cyber infrastructure including deterministic nature of routes, skew distribution of flows, and Internet ossification to discover the network critical links and launch highly stealthy flooding attacks that are not observable at the victim end. In this paper, first, we propose a new metric to quantitatively measure the potential susceptibility of any arbitrary target server or domain to stealthy IDDoS attacks, and es- timate the impact of such susceptibility on enterprises. Second, we develop a proactive route mutation technique to minimize the susceptibility to these attacks by dynamically changing the flow paths periodically to invalidate the adversary knowledge about the network and avoid targeted critical links. Our proposed approach actively changes these network paths while satisfying security and qualify of service requirements. We present an integrated approach of proactive route mutation that combines both infrastructure-based mutation that is based on reconfiguration of switches and routers, and middle-box approach that uses an overlay of end-point proxies to construct a virtual network path free of critical links to reach a destination. We implemented the proactive path mutation technique on a Software Defined Network using the OpendDaylight controller to demonstrate a feasible deployment of this approach. Our evaluation validates the correctness, effectiveness, and scalability of the proposed approaches.},
doi = {10.1177/1548512917731002},
url = {https://www.osti.gov/biblio/1433769},
journal = {Journal of Defense Modeling and Simulation},
issn = {1548-5129},
number = 2,
volume = 15,
place = {United States},
year = {Wed Aug 17 00:00:00 EDT 2016},
month = {Wed Aug 17 00:00:00 EDT 2016}
}
Works referenced in this record:
A Computing Procedure for Quantification Theory
journal, July 1960
- Davis, Martin; Putnam, Hilary
- Journal of the ACM, Vol. 7, Issue 3
A note on two problems in connexion with graphs
journal, December 1959
- Dijkstra, E. W.
- Numerische Mathematik, Vol. 1, Issue 1
A framework for reliable routing in mobile ad hoc networks
conference, January 2003
- Ye, Z.; Krishnamurthy, S. V.; Tripathi, S. K.
- IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428)
SecMR – a secure multipath routing protocol for ad hoc networks
journal, January 2007
- Mavropodi, Rosa; Kotzanikolaou, Panayiotis; Douligeris, Christos
- Ad Hoc Networks, Vol. 5, Issue 1
Formal Approach for Route Agility against Persistent Attackers
book, January 2013
- Jafarian, Jafar Haadi; Al-Shaer, Ehab; Duan, Qi
- Lecture Notes in Computer Science