Agile virtual infrastructure for cyber deception against stealthy DDoS attacks

DDoS attacks have been a persistent threat to network availability for many years. Most of the existing mitigation techniques attempt to protect against DDoS by filtering out attack traffic. However, as critical network resources are usually static, adversaries are able to bypass filtering by sending stealthy low traffic from large number of bots that mimic benign traffic behavior. Sophisticated stealthy attacks on critical links can cause a devastating effect such as partitioning domains and networks. Our proposed approach, called MoveNet, defend against DDoS attacks by proactively and reactively changing the footprint of critical resources in an unpredictable fashion to deceive attacker's knowledge about critical network resources. MoveNet employs virtual networks (VNs) to offer constant, dynamic and threat-aware reallocation of critical network resources (VN migration). Our approach has two components: (1) a correct-by-construction VN migration planning that significantly increases the uncertainty about critical links of multiple VNs while preserving the VN properties, and (2) an efficient VN migration mechanism that identifies the appropriate configuration sequence to enable node migration while maintaining the network integrity (e.g., avoiding session disconnection). We formulate and implement this framework using Satisfiability Modulo Theory (SMT) logic.We also demonstrate the effectiveness of our implemented framework on both PlanetLab and Mininet-based experimentations.