Jinwoo Kim (KAIST), Eduard Marin (Telefonica Research (Spain)), Mauro Conti (University of Padua), Seungwon Shin (KAIST)

Path tracing tools, such as traceroute, are simple yet fundamental network debugging tools for network operators to detect and fix network failures. Unfortunately, adversaries can also use such tools to retrieve previously unknown network topology information which is key to realizing sophisticated Denial-of-Service attacks, such as Link Flooding Attacks (LFAs), more efficiently. Over the last few years, several network obfuscation defenses have been proposed to proactively mitigate LFAs by exposing virtual (fake) topologies that conceal potential bottleneck network links from adversaries. However, to date there has been no comprehensive and systematic analysis of the level of security and utility their virtual topologies offer. A critical analysis is thus a necessary step towards better understanding their limitations and building stronger and more practical defenses against LFAs.

In this paper, we first conduct a security analysis of the three state-of-the-art network obfuscation defenses. Our analysis reveals four important, common limitations that can significantly decrease the security and utility of their virtual topologies. Motivated by our findings, we present EqualNet, a secure and practical proactive defense for long-term network topology obfuscation that alleviates LFAs within a network domain. EqualNet aims to equalize tracing flow distributions over nodes and links so that adversaries are unable to distinguish which of them are the most important ones, thus significantly increasing the cost of performing LFAs. Meanwhile, EqualNet preserves subnet information, helping network operators who use path tracing tools to debug their networks. To demonstrate its feasibility, we implement a full prototype of it using Software-Defined Networking (SDN) and perform extensive evaluations both in software and hardware. Our results show that EqualNet is effective at equalizing the tracing flow distributions of small, medium and large networks even when only a small number of routers within the network support SDN. Finally, we analyze the security of EqualNet against a wide variety of attacks.

View More Papers

Demo #14: In-Vehicle Communication Using Named Data Networking

Zachariah Threet (Tennessee Tech), Christos Papadopoulos (University of Memphis), Proyash Poddar (Florida International University), Alex Afanasyev (Florida International University), William Lambert (Tennessee Tech), Haley Burnell (Tennessee Tech), Sheikh Ghafoor (Tennessee Tech) and Susmit Shannigrahi (Tennessee Tech)

Read More

insecure:// Vulnerability Analysis of URI Scheme Handling in Android...

Abdulla Aldoseri (University of Birmingham) and David Oswald (University of Birmingham)

Read More

ROV-MI: Large-Scale, Accurate and Efficient Measurement of ROV Deployment

Wenqi Chen (Tsinghua University), Zhiliang Wang (Tsinghua University), Dongqi Han (Tsinghua University), Chenxin Duan (Tsinghua University), Xia Yin (Tsinghua University), Jiahai Yang (Tsinghua University), Xingang Shi (Tsinghua University)

Read More

Local and Central Differential Privacy for Robustness and Privacy...

Mohammad Naseri (University College London), Jamie Hayes (DeepMind), Emiliano De Cristofaro (University College London & Alan Turing Institute)

Read More