Proactive routing mutation against stealthy Distributed Denial of Service attacks: metrics, modeling, and analysis

Abstract

Infrastructure Distributed Denial of Service (IDDoS) attacks continue to be one of the most devastating challenges facing cyber systems. The new generation of IDDoS attacks exploits the inherent weakness of cyber infrastructure, including the deterministic nature of routing, skewed distribution of flows, and Internet ossification to discover the network critical links and launch highly stealthy flooding attacks that are not observable at the victim’s end. In this paper, first, we propose a new metric to quantitatively measure the potential susceptibility of any arbitrary target server or domain to stealthy IDDoS attacks, and estimate the impact of such susceptibility on enterprises. Second, we develop proactive route mutation techniques to minimize the susceptibility to these attacks by dynamically changing the flow paths periodically to invalidate the adversary knowledge about the network and avoid targeted critical links. Our proposed approach actively changes these network paths while satisfying security and Quality of Service requirements. We implemented the proactive path mutation technique on a Software Defined Network using the OpenDaylight controller to demonstrate a feasible deployment of this approach. Our evaluation validates the correctness, effectiveness, and scalability of the proposed approaches.