Abstract
Over the last decade, Software-Defined Networking (SDN) has become increasingly popular in computer network infrastructures. However, due to its relatively recent implementation, protective measures still need to be fully developed. One significant security concern with SDN is its vulnerability to scanning attacks, which can escalate to more severe attacks like Denial-of-Service (DoS) attacks. Recently, Moving Target Defense (MTD) techniques have been used to address scanning attacks. Still, they can negatively impact network performance due to the reliance on delay tactics that increase network latency. This article introduces the MTD Adaptive Delay System (MADS) to provide feasible MTD-based protection against scanning attacks without compromising the network service parameters, especially regarding Quality of Service (QoS). Unlike existing methods that continually apply delays to all traffic packets, MADS-based delays are only triggered and applied to packets when the victim network is under attack based on the intensity of the traffic commonly used in scanning attacks. MADS' performance was evaluated and compared to state-of-the-art MTD-based defenses, and it was found to cause less network degradation while maintaining the same efficiency as MTD-based techniques against scanning attacks. Furthermore, MADS had a shorter average latency time (99.4% lower) and better average throughput (4.87% higher) than the two baseline MTD-based solutions. Additionally, MADS did not produce Bad TCP packets compared to baseline works under the same attack scenarios.
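To make the abstract's key distinction concrete, the following added example (not code from the paper or the MADS implementation) contrasts a baseline policy that delays every packet with an adaptive policy that delays only while a source's rate of new-flow packets, taken here as a stand-in for scan intensity, exceeds a threshold. The trace, the sliding-window rate model, and the threshold and delay values are all constructed assumptions.

```python
from collections import deque

# Constructed trace of (time_s, src_ip, is_new_flow) packet events.
# A dense burst of new-flow packets from one source mimics the
# high-intensity pattern typical of a scan; the other source is benign.
BENIGN = [(t * 0.5, "10.0.0.1", True) for t in range(10)]
SCAN = [(5.0 + i * 0.01, "10.0.0.9", True) for i in range(100)]
TRACE = sorted(BENIGN + SCAN)


def constant_delay(trace, delay_s=0.1):
    """Baseline MTD-style policy (assumed model): every packet pays the delay."""
    return [(t, src, delay_s) for t, src, _ in trace]


def adaptive_delay(trace, delay_s=0.1, window_s=1.0, threshold=20):
    """MADS-like policy (assumed model): delay a packet only while its source
    has sent more than `threshold` new-flow packets within the last `window_s`."""
    recent = {}  # src -> deque of recent new-flow timestamps
    decisions = []
    for t, src, new_flow in trace:
        q = recent.setdefault(src, deque())
        if new_flow:
            q.append(t)
        while q and t - q[0] > window_s:  # drop timestamps outside the window
            q.popleft()
        applied = delay_s if len(q) > threshold else 0.0
        decisions.append((t, src, applied))
    return decisions


def mean_delay(decisions, src=None):
    """Average delay applied to packets, optionally filtered to one source."""
    vals = [d for _, s, d in decisions if src is None or s == src]
    return sum(vals) / len(vals) if vals else 0.0


if __name__ == "__main__":
    for name, policy in (("constant", constant_delay), ("adaptive", adaptive_delay)):
        d = policy(TRACE)
        print(f"{name}: benign={mean_delay(d, '10.0.0.1'):.3f}s "
              f"scanner={mean_delay(d, '10.0.0.9'):.3f}s")
```

Under these assumptions the benign source sees no added delay with the adaptive policy, while the scanning source is still delayed once its burst crosses the threshold.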
Data Availability
Not applicable.
Funding
Not applicable.
Author information
Contributions
FSDS: conceptualization, methodology, formal analysis, writing—original draft, writing—review & editing, supervision. TP: conceptualization, methodology, formal analysis, writing—original draft, writing—review & editing, supervision. EPN: conceptualization, writing—original draft, writing—review & editing. RSSN: formal analysis, writing—original draft. CHMS: writing—review & editing. AJVN: writing—review & editing.
Ethics declarations
Competing Interests
The authors declare no competing interests.
Ethical Approval
Not applicable.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Dantas Silva, F.S., Neto, E.P., Nunes, R.S.S. et al. Securing Software-Defined Networks Through Adaptive Moving Target Defense Capabilities. J Netw Syst Manage 31, 61 (2023). https://doi.org/10.1007/s10922-023-09746-z