Telephony Denial of Service Defense at Data Plane (TDoSD@DP)

The Session Initiation Protocol (SIP) is an application-layer control protocol used to establish and terminate calls that are deployed globally. A flood of SIP INVITE packets sent by an attacker causes a Telephony Denial of Service (TDoS) incident, during which legitimate users are unable to use telephony services. Legacy TDoS defense is typically implemented as network appliances and not sufficiently deployed to enable early detection. To make TDoS defense more widely deployed and yet affordable, this paper presents TDoSD@DP where TDoS detection and mitigation is programmed at the data plane so that it can be enabled on every switch port and therefore serves as distributed SIP sensors. With this approach, the damage is isolated at a particular switch and bandwidth saved by not sending attack packets further upstream. Experiments have been performed to track the SIP state machine and to limit the number of active SIP session per port. The results show that TDoSD@DP was able to detect and mitigate ongoing INVITE flood attack, protecting the SIP server, and limiting the damage to a local switch. Bringing the TDoS defense function to the data plane provides a novel data plane application that operates at the SIP protocol and a novel approach for TDoS defense implementation.Final Accepted Versio

Securing the Edges of IoT Networks: a Scalable SIP DDoS Defense Framework with VNF, SDN, and Blockchain

An unintended consequence of the global deployment of IoT devices is that they provide a fertile breeding ground for IoT botnets. An adversary can take advantage of an IoT botnet to launch DDoS attacks against telecommunication services. Due to the magnitude of such an attack, legacy security systems are not able to provide adequate protection. The impact ranges from loss of revenue for businesses to endangering public safety. This risk has prompted academia, government, and industry to reevaluate the existing de- fence model. The current model relies on point solutions and the assumption that adversaries and their attacks are readily identifiable. But adversaries have challenged this assumption, building a botnet from thousands of hijacked IoT devices to launch DDoS attacks. With bot- net DDoS attacks there are no clear boundary where the attacks originate and what defensive measures to use. The research question is: in what ways programmable networks could defend against Session Initiation Protocol (SIP) Distributed Denial-of-Service (DDoS) flooding attacks from IoT botnets? My significant and original contribution to the knowledge is a scalable and collaborative defence framework that secures the edges of IoT networks with Virtual Network Function (VNF), Software-Defined Networking (SDN), and Blockchain technology to prevent, detect, and mitigate SIP DDoS flooding attacks from IoT botnets. Successful experiments were performed using VNF, SDN, and Blockchain. Three kinds of SIP attacks (scan, brute force, and DDoS) were launched against a VNF running on a virtual switch and each was successfully detected and mitigated. The SDN controller gathers threat intelligence from the switch where the attacks originate and installs them as packet filtering rules on all switches in the organisation. With the switches synchronised, the same botnet outbreak is prevented from attacking other parts of the organisation. A distributed application scales this framework further by writing the threat intelligence to a smart contract on the Ethereum Blockchain so that it is available for external organisations. The receiving organisation retrieves the threat intelligence from the smart contract and installs them as packet filtering rules on their switches. In this collaborative framework, attack detection/mitigation efforts by one organisation can be leveraged as attack prevention efforts by other organisations in the community

Distributed SIP DDoS Defense with P4

© 2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.SIP DDoS attack is growing and has a real threat to crippling public communication infrastructure. The standard approach to building the defense is at or near the attack destination (i.e. victim’s location). This approach is struggling to keep up with the growing volume and attack sophistication. To be better prepared for future attacks, the workload needs to be distributed, and the attack needs to be mitigated as close to the attack source as possible. This paper experiments with data plane programming (P4) and control plane programming of Ethernet switches to provide first-hop detection and mitigation capability for SIP INVITE DDoS attack at every switch port. This approachcreates a distributed or source-based defense component which could be added to the existing destination-based components to create a more comprehensive overall solution that is extensible, economical, and scalable against SIP DDoS attack of the future.Final Accepted Versio

Edge Security for SIP-enabled IoT Devices with P4

© 2021 Elsevier B.V. All rights reserved. This is the accepted manuscript version of an article which has been published in final form at https://doi.org/10.1016/j.comnet.2021.108698The exponential growth of IoT devices poses security concerns, in part because they provide a fertile breeding ground for botnets. For example, the Mirai botnet infected almost 65,000 devices in its first 20 hours. With the prevalence of Session Initiation Protocol (SIP) phones and devices on the networks today, the attacker could easily target and recruit these IoT devices as bots. Conventional network security measures do not provide adequate attack prevention, detection, and mitigation for these widely distributed IoT devices. This paper presents microVNF, a Virtualized Network Function (VNF) that leverages the programmable data plane feature on the edge switch. Based on knowledge gained from the Mirai botnet incident and following the defense-in-depth principle, microVNF protects IoT devices against SIP DDoS attacks in two stages: before and after infection. Prior to infection, it protects against SIP scanning, enumeration, and dictionary attacks. After infection, microVNF blocks botnet registration attempts to the command-and-control (CNC) server, thereby preventing the botnet from receiving commands sent from the CNC server, and detects and mitigates botnet SIP DDoS attacks. We conducted six experiments that involved using popular attack tools against microVNF, and it successfully performed deep-packet inspection of unencrypted SIP packets so as to track anomalies from a typical SIP state-machine. In this use case, besides providing physical connectivity to the IoT devices, the edge switch containing microVNF also provides the first line of defense in stopping malicious packets from propagating upstream to the core network. In addition to securing SIP, the microVNF approach can be adapted to other text-based, application-layer protocols such as HTTP and SMTP. MicroVNF leverages the native capability of programmable data planes without depending on external devices, thereby making this approach practical for securing edge-computing environments against application-layer attacks.Peer reviewe

Synchronizing DDoS Defense at Network Edge with P4, SDN, and Blockchain

© 2022 Elsevier B.V. All rights reserved. This is the accepted manuscript version of an article which has been published in final form at https://doi.org/10.1016/j.comnet.2022.109267Botnet-originated DDoS attacks continue to plague the internet and disrupt services for legitimate users. While various proposals have been presented in the last two decades, the botnet still has advantages over the defenders, because botnets have orchestrated processes to launch disruptive attacks. On the other hand, the defenders use manual methods, siloed tools, and lack orchestration among different organizations. These unorchestrated efforts slow down the attack response and extend the lifespan of botnet attacks. This article presents shieldSDN and shieldCHAIN, an inter-organization collaborative defense framework using P4, SDN, and Blockchain, which extends our earlier research on microVNF, a solution of Edge security for SIP- enabled IoT devices with P4. Besides mitigating DDoS attacks, microVNF also produces attack fingerprints called Indicator of Compromise (IOC) records. ShieldSDN and shieldCHAIN dis- tribute these IOCs to other organizations so that they can create their own packet filters. Effectively, shieldSDN and shieldCHAIN synchronize packet filters for different organizations to mitigate against the same botnet strain. Four experiments were performed successfully to validate the functionalities of shieldSDN and shieldCHAIN. The scope for the first experiment was intra- company, while the second, third, and fourth experiments were inter-company. In the first experiment, shieldSDN extracted IOCs from the source switch and installed these as packet filters on other switches within the same organization (in the U.S.). In the second experiment, the shieldCHAIN in the publishing organization (in the U.S.) shared IOCs by posting them to the Blockchain. In the third experiment, the shieldCHAIN in the subscriber organizations (in Singapore & the U.K.) retrieved these IOCs from Blockchain. Finally, in the last experiment, the shieldCHAIN in the subscriber organizations installed the retrieved IOCs as packet filters; that are identical to those in the originating organization. To the best of our knowledge, this is the first framework that uses the P4 switch, SDN controller, and Blockchain together for this use case. As SDN and Blockchain gain acceptance, this framework empowers community members to collaborate and defend against botnet DDoS attacks.Peer reviewe