NetHide: Secure and Practical Network Topology Obfuscation
Roland Meier*, Petar Tsankov*, Vincent Lenders†, Laurent Vanbever*, Martin Vechev*
* ETH Zürich, † armasuisse
To appear at USENIX Security 2018
Link-Flooding Attacks: DDoS against network core
[Figure: botnet hosts send flows toward public servers; the flows converge on one target link]
• Low-rate, legitimate flows spread over many endpoints
• Flows concentrate at the target link and lead to congestion
• Require knowledge about the topology & forwarding behavior
NetHide: Proactive LFA defense
NetHide obfuscates a network topology such that an attacker does not see attackable links.
Challenge: Trade-off between
• Security: Hide enough such that an attacker can not perform the attack
• Practicality: Do not hide too much, so that legitimate use of diagnostic tools still works
NetHide hides the vulnerable physical topology and shows a secure virtual topology
[Figure: NetHide overview, from input to deployment]
Input: physical topology (nodes A to F), routing behavior, set of flows, capacity of each link. Link (C,D) is the bottleneck link: c(C,D) < fd(C,D), i.e. its capacity is below its flow density.
Topology obfuscation: a random sample of candidate virtual topologies (V1, V2, ...) is generated; each candidate is compared with the physical topology for accuracy (the figure labels count links a virtual path has in common with the physical path, "= 2 common" vs. "= 3 common") and for utility, e.g. for the failure of link (D,E): whether it is observed as a failure of (A,E) or of (D,E), or not observed at all. The topology with maximal accuracy and utility (V2) is selected.
Topology deployment using programmable network devices: the virtual topology is realized by per-node match-action tables keyed on (dst, TTL), for example: dst=E, TTL=2: set TTL=3, dst=D; dst=A, TTL=3: set TTL=4; dst=F, TTL=3: set TTL=4; dst=B, TTL=3: set TTL=4; further entries omitted.
Deriving a secure and practical topology
Given a physical topology P, NetHide computes a virtual topology V with the following properties:
• V is secure (no LFA possible);
• The path that a packet takes in V is similar to the one in P;
• Link failures in P are accurately observed in V.
Network users only see the virtual topology
NetHide uses programmable network devices to rewrite probing packets (e.g. from traceroute) such that:
• The observed paths match the virtual topology;
• Link failures can be detected;
• There is no impact on the network performance.
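The two sections above, the bottleneck condition c(l) < fd(l) and the (dst, TTL) rewriting that makes traceroute report the virtual path, as an added worked example that is not the paper's or NetHide's own code. The topologies, flows and capacity are constructed for this example, and the rewrite rule (send the probe to the virtual hop node with TTL equal to that node's physical distance) is a simplified stand-in for how NetHide computes its match-action entries.

```python
from collections import Counter, deque
# Constructed toy topologies (not from the paper): in P every A/B -> E/F flow
# crosses bottleneck link (C, D); V shows virtual links A-D and B-D instead.
PHYS = {"A": ["C"], "B": ["C"], "C": ["A", "B", "D"],
        "D": ["C", "E", "F"], "E": ["D"], "F": ["D"]}
VIRT = {"A": ["C", "D"], "B": ["C", "D"], "C": ["A", "B"],
        "D": ["A", "B", "E", "F"], "E": ["D"], "F": ["D"]}
FLOWS = [("A", "E"), ("A", "F"), ("B", "E"), ("B", "F")]
CAPACITY = 3  # c(l), assumed identical for every link of the toy network

def path(topo, src, dst):  # shortest path (BFS routing), as a list of nodes
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in topo[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    hops, node = [], dst
    while node is not None:
        hops.append(node)
        node = prev[node]
    return hops[::-1]

def attackable_links(topo, flows, capacity=CAPACITY):
    """Links with flow density fd(l) above capacity c(l): LFA targets."""
    fd = Counter()
    for src, dst in flows:
        hops = path(topo, src, dst)
        fd.update(map(frozenset, zip(hops, hops[1:])))
    return {tuple(sorted(l)) for l, n in fd.items() if n > capacity}

def rewrite_table(src, dst):
    """Ingress match-action table (dst, ttl) -> (dst', ttl'): a probe that should
    expire at virtual hop t (node v) is sent to v with TTL = physical distance."""
    table = {}
    for ttl, v in enumerate(path(VIRT, src, dst)[1:], start=1):
        table[(dst, ttl)] = (v, len(path(PHYS, src, v)) - 1)
    return table

def traceroute(src, dst, rewrite=True):
    """Responders seen by a traceroute from src, with or without NetHide."""
    table = rewrite_table(src, dst) if rewrite else {}
    seen, ttl = [], 1
    while not seen or seen[-1] != dst:
        dst2, ttl2 = table.get((dst, ttl), (dst, ttl))
        hops = path(PHYS, src, dst2)
        seen.append(hops[min(ttl2, len(hops) - 1)])  # node where TTL expires
        ttl += 1
    return seen
```

Without rewriting, a traceroute from A to E exposes C and D and hence the bottleneck link; with the table in place the same probes report the virtual path A, D, E, on which no link carries more flows than its capacity.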
NetHide works in practice
• Evaluation with 3 real topologies: Abilene (11 nodes), Switch (42), US Carrier (158)
• Increasing the security by 80% changes < 20% of the paths (Switch)
• > 90% of the link failures can be precisely tracked back
[Figure: Path changes. Percentage of unmodified paths (higher is better) vs. flow density reduction factor, for Switch, Abilene and US Carrier; algorithms: NetHide and Random.]
[Figure: Detecting link failures. CDF of the percentage of correct observations (higher is better).]
This work was partly supported by armasuisse Science and Technology (S+T) under the Zurich Information Security and Privacy (ZISC) grant.