
SCIENCE CHINA Information Sciences, Volume 63, Issue 6: 169301 (2020) https://doi.org/10.1007/s11432-019-9921-7

Multi-variant network address hopping to defend stealthy crossfire attack$^\dagger$

  • Received Jan 3, 2019
  • Accepted Jun 18, 2019
  • Published Mar 12, 2020

Abstract

There is no abstract available for this article.


Acknowledgment

This work was supported by National Key Research and Development Program of China (Grant Nos. 2016YFB0800102, 2017YFB0803205), Key Research and Development Program of Zhejiang Province (Grant Nos. 2017C01064, 2017C01055, 2018C01088), and Fundamental Research Funds for the Central Universities (Grant No. 2016XZZX001-04).



  • Figure 1

    (Color online) Defense effectiveness evaluation of MVNAH. (a), (b) and (c) are the TCP packet receiving rate and congestion window (CWnd) size changes at the target side, tested in NS-3 with $|Y|=2000$, where the variants and suppressing policies are enforced at 15 s in (a) and between 10–20 s in (c), respectively; (d), (e) and (f) are tested in Mininet with $|Y|=50$. (a) rate changes for variants; (b) decreased rate changes for reroute; (c) rate changes for suppressing; bandwidth & CWnd changes for (d) variants, (e) reroute, and (f) suppressing.

  • Algorithm 1 genVariants

    Require: $G,\ P_{\rm all},\ W^{c,d},\ \Theta$.
    $Q = \mathrm{PriorityQueue}()$, $N = Y \cup H$, ${\rm torch} = \mathrm{int}[|N|]$;
    ${\rm visited} = \mathrm{boolean}[|N|]$;
    for $w^{c,d}_i \in W^{c,d}$ do
        $\tilde{L} = \{l_k \mid l_k \in P(w^{c,d}_i)\}$;
        $Q.\mathrm{add}(w^{c,d}_i)$;
        ${\rm torch}[1\cdots] = -1$, ${\rm visited}[1\cdots] = \mathrm{false}$;
        while $|Q| > 0$ do
            $u = Q.\mathrm{poll}()$;
            for $l_j \in \mathrm{edges}(u)$ do
                $v = \mathrm{peerNode}(u, l_j)$;
                if $l_j \notin \tilde{L} \vee {\rm visited}[v]$ then continue;
                if $l_j \in \Theta$ then
                    ${\rm torch}[v] = l_j$;
                else
                    ${\rm torch}[v] = {\rm torch}[u]$;
                end if
                ${\rm torch}[u] = -1$;
                $Q.\mathrm{add}(v)$, ${\rm visited}[v] = \mathrm{true}$;
            end for
        end while
        $V_{w^{c,d}_i} = (w^{c,d}_i,\ \{s_j \mid {\rm torch}[j] \neq -1\})$;
    end for
    return $\Upsilon.V = \bigcup_{w^{c,d}_i \in \widetilde{W^{c,d}}} V_{w^{c,d}_i}$.

  • Algorithm 2 genTrafficSteerings

    Require: $G,\ P_{\rm all},\ W^{c,d},\ \Lambda$.
    if $\Lambda = \emptyset$ then return $\emptyset$;
    $\Upsilon.R = \emptyset,\ \Upsilon.S = \emptyset$, $N = Y \cup H$;
    for $w_i \in W^{c,d}$ do
        $P'(w_i) = \mathrm{shortestPaths}(G(N,\ L \setminus \Lambda),\ w_i,\ \Xi)$;
        for $w_j \in W$ do
            if $P'(w_i, w_j) = \emptyset$ then $\Upsilon.S = \Upsilon.S \cup \{(w_i, w_j)\}$;
        end for
        $\widetilde{R} = \{p_j \mid p_j \in P'(w_i, W) \wedge (w_i, W) \notin \Upsilon.S\}$;
        $\Upsilon.R = \Upsilon.R \cup \{(p_j,\ \nu_{\mathrm{rand}}(w^{c,d}_{\mathrm{dest}}(p_j))) \mid p_j \in \widetilde{R} \wedge \nu_{\mathrm{rand}}(w^{c,d}_{\mathrm{dest}}(p_j))\}$;
    end for
    return $(\Upsilon.R,\ \Upsilon.S)$.

Copyright 2020 CHINA SCIENCE PUBLISHING & MEDIA LTD. (China Science Publishing & Media Ltd.) All rights reserved.