Fast IP Hopping Randomization to Secure Hop-By-Hop Access in SDN

Sang-Yoon Chang, University of Colorado Colorado Springs, Colorado Springs, CO 80918
Younghee Park, San Jose State University, San Jose, CA 95192
Bhavana Babu Ashok Babu, San Jose State University, San Jose, CA 95192

Abstract—Moving target defense (MTD) is useful for thwarting network reconnaissance and preventing unauthorized access. While previous research in MTD focuses on protecting the endnodes, we leverage software-defined networking (SDN) to implement MTD on the data-plane switches, which significantly decreases the controller communication overhead and enables quicker defense response to reduce the attack impact. Our work not only randomizes the IP addresses for MTD but also uses the IP addresses for synchronization across the nodes in the networking path by generating hash-chain-based synchronization signatures. Our scheme is practical as it builds on and encodes the existing IP addresses for randomization to construct a modular solution independent of the routing/flow rule implementation, and it does not incur additional networking overhead except for the seed distribution (which can occur offline). Our scheme is also effective (the attacker's required cost to achieve timely network reconnaissance increases by more than an order of magnitude over the previous state of the art, in which the controller actuates the MTD randomization) and scalable (the relative overhead cost of our scheme becomes smaller as the network grows). We analyze our scheme and implement and experiment with it on an Open vSwitch-based testbed and on CloudLab to validate these properties.

Index Terms—Moving target defense, Access randomization, Network synchronization, IP address control, Software-defined network (SDN), Data plane security, Network security

I. INTRODUCTION

Computer networking uses the IP protocol, in which the IP addresses are used to address the networking nodes and to route/forward the packets. IP addresses are generally arbitrarily chosen and assigned to each networking node, and there is significant freedom in choosing the IP addresses.

We propose encoding information into the IP address values and introducing additional functionalities using the IP address field of the networking header. More specifically, we use the IP addresses to construct moving target defense (MTD) on the data-plane switches (which forward/route the networking packets on the endnode's behalf), providing an efficient security measure to prevent the unauthorized access of the networking paths. In contrast to the network security measures at the network perimeter based on filtering or intrusion detection/prevention, MTD provides a defense-in-depth measure which can be effective even against the attackers who already breached the network-perimeter defense and have access to the links in the networking forwarding paths. MTD varies the networking parameters (such as the address, the medium access, and the networking configuration) to build the path integrity. The authorized nodes who share the key know the varying pattern, whereas the unauthorized parties who do not share the key do not know the MTD pattern. MTD is useful in preventing the unauthorized attackers from achieving network reconnaissance, which is the process of investigating and acquiring networking-relevant knowledge for vulnerability discovery and is often the pre-requisite for passive eavesdropping and active injection threats (e.g., denial of service (DoS) injections), because MTD significantly increases the unauthorized attacker's cost in probing and achieving network reconnaissance.

While the MTD technique is generally considered effective against unauthorized attackers and used in many contexts (such as in configuration randomization, memory protection, and wireless/spread-spectrum, as discussed in greater detail in Section II), a major challenge for deploying MTD defense is the overhead cost of implementing and executing the MTD on the legitimate parties holding the key. While the advantage from the key decreases the MTD effort compared to the attackers without the key, the MTD implementation still incurs overhead compared to having no MTD (static configuration), and such overhead may be large enough to limit its practicality in some applications. Prior literature proposes building MTD defense in software-defined network (SDN), in which the trusted SDN controller actuates the MTD on the data-plane endnodes via explicit OpenFlow-based northbound communications controlling the MTD execution [3], [4]. To address the overhead issues, we significantly improve the prior work to construct MTD defense in SDN by spreading the information from the northbound communications (so that one controller communication can start a chain and be used for many MTD updates) and by having the data-plane switch nodes execute the MTD.

This work is an extended version of the short paper published at IEEE/IFIP NOMS, Istanbul, Turkey, April, 2016 [1]. The authors extend the previous work by introducing and developing the IP-address-based synchronization scheme and implementing a prototype in CloudLab [2] to evaluate the proposed schemes in various networking topologies.

In addition to making it lightweight for greater practicality, our IP-address-based access randomization scheme is more effective than the prior literature, because we implement the defense on the switches in addition to the destination endnodes (in contrast, prior work only protects the endnodes) in order to limit the attack impact in the number of links/switches affected by the attacker's injections.

Because of the involvement of the switches along the forwarding path, we also use the IP addresses for synchronization to ensure that the source-destination endnodes and the intermediate switches are in the same MTD phase. We propose synchronization signatures, which are generated from a one-way hash chain and replace the IP addresses in the networking header field.

Our schemes for access randomization and for synchronization are unobtrusive and modular to the rest of the networking operations; for example, they apply generally across the networking implementations and do not affect or require change to the routing protocols or the routing/flow-rule establishment. In addition, because the information is encoded in the IP address field, it has no overhead in the data networking throughput. In other words, our schemes for randomization and synchronization piggyback on the data communications and do not require separate communications. (The only extra communication needed is for the seed distributions to reset the randomization/synchronization pseudo-random generation (PRG) chains, an overhead that can be amortized because we can control the chain length to spread the information from that communication across multiple randomization/synchronization instances.) Therefore, our overhead/cost evaluation includes the computational latency and computational resources of the MTD/IP hopping, and we analyze the control/set-up overhead in Section VIII.

The lack of real-time networking overhead (no additional communication packets) distinguishes our work from prior research implementing MTD based on real-time controller communications [3], [4]. Our evaluation shows that the attacker cost to achieve network reconnaissance increases by

chain seeds in our work, in addition to its typical functionality of establishing the routing of the networking packets.

To summarize, we make the following contributions in this paper. First, we design an algorithm and a protocol to construct a switch-centric MTD for securing the access of the networking path. Second, we design a synchronization scheme to allow synchronous MTD for the nodes in the networking path; the synchronization uses the networking-layer field so that it is appropriate for, and minimizes the overhead to, the intermediate switches. Third, we theoretically analyze the MTD and the synchronization schemes, implement them, and evaluate the effectiveness, performance, and cost overheads. More specifically, for MTD, we focus on its effectiveness against cognitive and reactive attackers and compare with the prior approach of controller-driven MTD randomization; for synchronization, we investigate the cost overheads and the scalability as the nodes increase in the networking path between the source and the destination endnode. Section II further describes our novel contributions and contrasts them to the prior research work.

The rest of the paper is organized as follows. We review the relevant prior work and highlight our contributions beyond the state of the art in Section II. Afterward, we describe the system and threat model in Section III. Our access randomization scheme is presented in Section IV and analyzed in Section V; our synchronization scheme is presented in Section VI and analyzed in Section VII. Section VIII validates its effectiveness and the security cost overhead using an Open vSwitch-based prototype and a CloudLab-based prototype. Lastly, Section IX concludes our paper.

II. RELATED WORK AND OUR CONTRIBUTIONS

Networking security has traditionally placed heavier focus on the defense at the network perimeter, e.g., filtering and intrusion detection/prevention, so that attackers do not have link access within the system. In contrast, we are motivated to construct a defense-in-depth measure to build security even when the attacker has compromised the network boundary and has the link access