Post on 28-May-2020

NetHide: Secure and Practical Network Topology Obfuscation

Roland Meier◦, Petar Tsankov◦, Vincent Lenders�, Laurent Vanbever◦, Martin Vechev◦

◦ ETH Zürich, � armasuisse

To appear at USENIX Security 2018


Link-Flooding Attacks: DDoS against the network core

[Figure: a botnet sends low-rate flows towards public servers; the flows converge on a single target link.]

§ Low-rate, legitimate flows spread over many endpoints
§ Flows concentrate at the target link and lead to congestion
§ Require knowledge about the topology & forwarding behavior

NetHide: Proactive LFA defense

NetHide obfuscates a network topology such that an attacker does not see attackable links.

Challenge: trade-off between
§ Security: hide enough such that an attacker cannot perform the attack
§ Practicality: do not hide too much, so that diagnostic tools remain usable for legitimate purposes

NetHide hides the vulnerable physical topology and shows a secure virtual topology

[Figure: NetHide overview. Input: the physical topology P (nodes A to F) with a bottleneck link (C,D) whose capacity is below its flow density, c(C,D) < fd(C,D). Topology obfuscation: a random sample of candidate virtual topologies (V1, V2, ...) is compared against P on accuracy (how many hops of the physical path a virtual link has in common with it, e.g. 2 or 3) and on utility (whether a failure of the physical link (D,E) is observed in the candidate, e.g. as a failure of (A,E) or of (D,E), or not observed at all); the topology with maximal accuracy and utility (V2) is selected. Topology deployment: V2 is installed on programmable network devices as per-node rules keyed by (dst, TTL) with rewrite actions, e.g. dst=E, TTL=2 → TTL=3, dst=D, or dst=A, TTL=3 → TTL=4.]

Input:
§ Physical topology
§ Routing behavior
§ Set of flows
§ Capacity of each link

Deriving a secure and practical topology

Given a physical topology P, NetHide computes a virtual topology V with the following properties:

§ V is secure (no LFA possible);
§ The path that a packet takes in V is similar to the one in P;
§ Link failures in P are accurately observed in V.
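The obfuscation step scores candidate virtual topologies against the physical one. The following toy model is an added example, not the authors' code: it builds the four inputs from the poster (topology, routing, flows, capacities) from constructed data, flags attackable links with the poster's condition c(l) < fd(l), and scores a constructed candidate V with a simplified accuracy metric (share of virtual-path nodes that also lie on the physical path, averaged over flows). The BFS routing and that accuracy definition are assumptions, not the paper's exact formulation.

```python
"""Toy model of NetHide's input and of the attackability and accuracy metrics.

Added example, not the authors' code. Topology, capacities and flows are
constructed; routing is BFS shortest path (stand-in for the routing input);
attackable_links applies the poster's condition c(l) < fd(l); accuracy is a
simplified common-node ratio (an assumption, not the paper's definition).
"""
from collections import deque
from itertools import combinations

# Constructed physical topology P: undirected link -> capacity (in flows).
# (C,D) is the bottleneck: its capacity is below the flow density it carries.
PHYSICAL = {
    ("A", "B"): 6, ("A", "C"): 6, ("B", "D"): 6,
    ("C", "D"): 2, ("D", "E"): 6, ("D", "F"): 6,
}

# Constructed candidate virtual topology V: (C,D) removed, virtual link (C,E) added.
VIRTUAL = {
    ("A", "B"): 6, ("A", "C"): 6, ("B", "D"): 6,
    ("C", "E"): 6, ("D", "E"): 6, ("D", "F"): 6,
}

# Constructed set of flows: one flow per unordered node pair.
FLOWS = list(combinations("ABCDEF", 2))


def adjacency(links):
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def shortest_path(adj, src, dst):
    """Hop-count shortest path via BFS; neighbours are visited in sorted order so routing is deterministic."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nb in sorted(adj[node]):
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def link_key(links, u, v):
    return (u, v) if (u, v) in links else (v, u)


def flow_density(links, flows):
    """fd(l): number of flows whose path crosses link l."""
    adj = adjacency(links)
    fd = dict.fromkeys(links, 0)
    for src, dst in flows:
        path = shortest_path(adj, src, dst)
        for u, v in zip(path, path[1:]):
            fd[link_key(links, u, v)] += 1
    return fd


def attackable_links(links, flows):
    """Links that an adversary who knows paths and flows could congest: c(l) < fd(l)."""
    fd = flow_density(links, flows)
    return sorted(l for l in links if links[l] < fd[l])


def accuracy(physical, virtual, flows):
    """Average over flows of the share of virtual-path nodes that also lie on the physical path."""
    adj_p, adj_v = adjacency(physical), adjacency(virtual)
    total = 0.0
    for src, dst in flows:
        p_path = shortest_path(adj_p, src, dst)
        v_path = shortest_path(adj_v, src, dst)
        total += len(set(p_path) & set(v_path)) / len(v_path)
    return total / len(flows)


if __name__ == "__main__":
    print("flow density in P:", flow_density(PHYSICAL, FLOWS))
    print("attackable in P:", attackable_links(PHYSICAL, FLOWS))   # [('C', 'D')]
    print("attackable in V:", attackable_links(VIRTUAL, FLOWS))    # []
    print("accuracy of V w.r.t. P: %.3f" % accuracy(PHYSICAL, VIRTUAL, FLOWS))
```

With these inputs P has exactly one attackable link, (C,D), while the candidate V has none, at the cost of a few paths (for example A to E) no longer matching the physical route; a real search would sample many such candidates and keep the one with the best accuracy and utility.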

Network users only see the virtual topology

NetHide uses programmable network devices to rewrite probing packets (e.g. from traceroute) such that:

§ The observed paths match the virtual topology;
§ Link failures can be detected;
§ There is no impact on the network performance.
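To make the deployment step concrete, here is an added simulation (not the NetHide authors' code) of the probe rewriting a programmable edge device performs. The physical and virtual paths from a source A are constructed. The rewrite rule is derived from the forwarding-table sketch on the poster (a probe to E with TTL=2 becomes TTL=3, dst=D): the probe that should expire at virtual hop i is redirected to the physical node that plays that hop, with the TTL set to that node's physical distance from the source. The handling of probes whose TTL exceeds the virtual path length and the failed-link model are my assumptions; only the probe direction is modelled, rewriting of the ICMP replies is left out.

```python
"""Simulation of NetHide-style traceroute probe rewriting on an edge device.

Added example, not the NetHide authors' code. Paths are constructed; the rule
(dst, ttl) -> (virtual hop i, its physical distance) follows the poster's table
sketch. The miss behaviour of rewrite() and the failure model are assumptions.
"""

# Constructed physical paths from source A.
PHYSICAL_PATHS = {
    "B": ["A", "B"],
    "C": ["A", "B", "C"],
    "D": ["A", "B", "C", "D"],
    "E": ["A", "B", "C", "D", "E"],
}

# Constructed virtual paths a user at A should observe: link (C,D) is hidden,
# so D appears directly after A and E directly after D.
VIRTUAL_PATHS = {
    "B": ["A", "B"],
    "C": ["A", "B", "C"],
    "D": ["A", "D"],
    "E": ["A", "D", "E"],
}


def build_rewrite_table(physical, virtual):
    """Device rules: (dst, ttl) -> (new_dst, new_ttl) for every hop of every virtual path."""
    table = {}
    for dst, vpath in virtual.items():
        for ttl in range(1, len(vpath)):
            node = vpath[ttl]                   # node that must answer hop `ttl`
            table[(dst, ttl)] = (node, len(physical[node]) - 1)
    return table


def rewrite(table, physical, dst, ttl):
    """Action for one probe: table hit, otherwise deliver it to dst.

    Raising the TTL on a miss (assumption) keeps probes with a TTL beyond the
    virtual path length from expiring at a physical node and leaking the hidden path.
    """
    return table.get((dst, ttl), (dst, max(ttl, len(physical[dst]) - 1)))


def physical_reply(physical, dst, ttl, failed_links=frozenset()):
    """Node that answers a probe on the physical network, or None on timeout.

    Simplified hop model: the probe is dropped if it has to cross a failed link;
    otherwise the node where the TTL expires (or dst, if reached) answers.
    """
    path = physical[dst]
    last = min(ttl, len(path) - 1)             # index of the node the probe reaches
    for i in range(last):
        if frozenset(path[i:i + 2]) in failed_links:
            return None
    return path[last]


def traceroute(physical, table, dst, failed_links=frozenset(), max_ttl=8):
    """Hops a user at A observes when probing dst through the rewriting device."""
    observed = []
    for ttl in range(1, max_ttl + 1):
        new_dst, new_ttl = rewrite(table, physical, dst, ttl)
        reply = physical_reply(physical, new_dst, new_ttl, failed_links)
        observed.append(reply or "*")
        if reply == dst or observed[-2:] == ["*", "*"]:   # stop on arrival or two timeouts
            break
    return observed


def virtual_view_matches(physical, virtual):
    """True if every traceroute from A shows exactly the virtual path."""
    table = build_rewrite_table(physical, virtual)
    return all(traceroute(physical, table, d) == virtual[d][1:] for d in virtual)


if __name__ == "__main__":
    table = build_rewrite_table(PHYSICAL_PATHS, VIRTUAL_PATHS)
    for rule, action in sorted(table.items()):
        print("dst=%s TTL=%d -> dst=%s TTL=%d" % (rule + action))
    print("traceroute E:", traceroute(PHYSICAL_PATHS, table, "E"))
    # A failure of the physical link (D,E) shows up in the virtual view as a timeout after D.
    down = {frozenset({"D", "E"})}
    print("traceroute E with (D,E) down:", traceroute(PHYSICAL_PATHS, table, "E", down))
```

Two things are worth noticing when running it: the user at A sees D and E as consecutive hops even though the packets physically traverse B and C, and a failure of the real link (D,E) is still visible as a timeout right after D, which is the observability property the utility metric rewards. A failure of the hidden link (C,D), by contrast, surfaces as a timeout directly after A, so what the user can infer about it depends on how V was chosen.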

NetHide works in practice

§ Evaluation with 3 real topologies: Abilene (11 nodes), Switch (42), US Carrier (158)
§ Increasing the security by 80% changes < 20% of the paths (Switch)
§ > 90% of the link failures can be precisely tracked back

[Figure: Path changes. x-axis: flow density reduction factor (0.0 to 1.0); y-axis: % unmodified paths (0.0 to 1.0, higher is better); one curve per topology (Switch, Abilene, UsCarrier) and per algorithm (NetHide, Random).]

[Figure: Detecting link failures. x-axis: % correct observations (0.0 to 1.0); y-axis: CDF P(X <= x); higher is better.]

This work was partly supported by armasuisse Science and Technology (S+T) under the Zurich Information Security and Privacy (ZISC) grant.
