OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis

Abstract

Infrastructure Distributed Denial of Service (IDDoS) attacks continue to be one of the most devastating challenges facing cyber systems. The new generation of IDDoS attacks exploits inherent weaknesses of the cyber infrastructure, including the deterministic nature of routes, the skewed distribution of flows, and Internet ossification, to discover the network's critical links and launch highly stealthy flooding attacks that are not observable at the victim end. In this paper, first, we propose a new metric to quantitatively measure the potential susceptibility of any arbitrary target server or domain to stealthy IDDoS attacks, and estimate the impact of such susceptibility on enterprises. Second, we develop a proactive route mutation technique to minimize the susceptibility to these attacks by dynamically changing the flow paths periodically to invalidate the adversary's knowledge about the network and avoid targeted critical links. Our proposed approach actively changes these network paths while satisfying security and quality of service requirements. We present an integrated approach to proactive route mutation that combines infrastructure-based mutation, based on reconfiguration of switches and routers, with a middle-box approach that uses an overlay of end-point proxies to construct a virtual network path free of critical links to reach a destination. We implemented the proactive path mutation technique on a Software Defined Network using the OpenDaylight controller to demonstrate a feasible deployment of this approach. Our evaluation validates the correctness, effectiveness, and scalability of the proposed approaches.

Authors:
Duan, Qi [1]; Al-Shaer, Ehab [1]; Chatterjee, Samrat [2]; Halappanavar, Mahantesh [2]; Oehmen, Christopher [2]
  1. Cyber Defense and Network Assurability Center, College of Computing and Informatics, University of North Carolina Charlotte, USA
  2. Pacific Northwest National Laboratory, USA
Publication Date:
2016-08-17
Research Org.:
Pacific Northwest National Laboratory (PNNL), Richland, WA (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1433769
Report Number(s):
PNNL-SA-128859
Journal ID: ISSN 1548-5129
DOE Contract Number:
AC05-76RL01830
Resource Type:
Journal Article
Journal Name:
Journal of Defense Modeling and Simulation
Additional Journal Information:
Journal Volume: 15; Journal Issue: 2; Journal ID: ISSN 1548-5129
Publisher:
Society for Modeling and Simulation International
Country of Publication:
United States
Language:
English
Subject:
ARC

Citation Formats

Duan, Qi, Al-Shaer, Ehab, Chatterjee, Samrat, Halappanavar, Mahantesh, and Oehmen, Christopher. Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis. United States: N. p., 2016. Web. doi:10.1177/1548512917731002.
Duan, Qi, Al-Shaer, Ehab, Chatterjee, Samrat, Halappanavar, Mahantesh, & Oehmen, Christopher. Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis. United States. https://doi.org/10.1177/1548512917731002
Duan, Qi, Al-Shaer, Ehab, Chatterjee, Samrat, Halappanavar, Mahantesh, and Oehmen, Christopher. 2016. "Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis". United States. https://doi.org/10.1177/1548512917731002.
@article{osti_1433769,
  title = {Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis},
  author = {Duan, Qi and Al-Shaer, Ehab and Chatterjee, Samrat and Halappanavar, Mahantesh and Oehmen, Christopher},
  abstractNote = {Infrastructure Distributed Denial of Service (IDDoS) attacks continue to be one of the most devastating challenges facing cyber systems. The new generation of IDDoS attacks exploits inherent weaknesses of the cyber infrastructure, including the deterministic nature of routes, the skewed distribution of flows, and Internet ossification, to discover the network's critical links and launch highly stealthy flooding attacks that are not observable at the victim end. In this paper, first, we propose a new metric to quantitatively measure the potential susceptibility of any arbitrary target server or domain to stealthy IDDoS attacks, and estimate the impact of such susceptibility on enterprises. Second, we develop a proactive route mutation technique to minimize the susceptibility to these attacks by dynamically changing the flow paths periodically to invalidate the adversary's knowledge about the network and avoid targeted critical links. Our proposed approach actively changes these network paths while satisfying security and quality of service requirements. We present an integrated approach to proactive route mutation that combines infrastructure-based mutation, based on reconfiguration of switches and routers, with a middle-box approach that uses an overlay of end-point proxies to construct a virtual network path free of critical links to reach a destination. We implemented the proactive path mutation technique on a Software Defined Network using the OpenDaylight controller to demonstrate a feasible deployment of this approach. Our evaluation validates the correctness, effectiveness, and scalability of the proposed approaches.},
  doi = {10.1177/1548512917731002},
  url = {https://www.osti.gov/biblio/1433769},
  journal = {Journal of Defense Modeling and Simulation},
  issn = {1548-5129},
  number = {2},
  volume = {15},
  place = {United States},
  year = {2016},
  month = aug
}
