To defend against network reconnaissance for unauthorized access of the packet forwarding path, we leverage software-defined networking (SDN) and build moving target defense (MTD) by randomizing network addresses. We distinguish our work from prior research by implementing MTD at the data plane and on all nodes along the forwarding path. Thus, our scheme is fast and lightweight in operation (significantly decreasing the controller communication overhead) and enables quicker security response to reduce the attack impact (as opposed to having the attack impact all the way to the endhost destination). We validate our work on an Open vSwitch-based testbed and show that the attacker's cost to achieve timely network reconnaissance increases by more than an order of magnitude than having the controller actuate the MTD.
展开▼
