Fast IP Hopping Randomization to Secure Hop-by-Hop Access in SDN

Moving target defense (MTD) is useful for thwarting network reconnaissance and preventing unauthorized access. While previous research in MTD focuses on protecting the endnodes, we leverage software-defined networking to implement MTD on the data-plane switches, which significantly decreases the controller communication overhead and enables quicker defense response to reduce the attack impact. This paper not only randomizes the IP addresses for MTD but also uses the IP addresses for synchronization across the nodes in the networking path by generating hash-chain-based synchronization signatures. Our scheme is practical as it builds on and encodes the existing IP addresses for randomization to construct a modular solution independent to the routing/flow rule implementation and does not incur additional networking overhead except for the seed distribution (which can occur offline). Our scheme is also effective (the attacker's required cost to achieve timely network reconnaissance increases by more than an order of magnitude than the previous state-of-the-art having the controller actuate the MTD randomization) and scalable (the relative overhead cost of our scheme becomes smaller as the network grows). We analyze our scheme and implement and experiment it on an Open vSwitch-based testbed and on CloudLab to validate these properties.