Abstract:
With the increasing diversity of network attacks, there is a trend towards building more agile networks
that can defend themselves or prevent attackers from easily launching attacks. To this end, moving target
defense (MTD) mechanisms have started to be pursued to dynamically change the structure and configuration
of networks, not only during an attack but also before one, so that conducting network
reconnaissance becomes much more difficult. Furthermore, various network forensics mechanisms
have been introduced to help locate the source and type of an attack as a reactive defense mechanism. Emerging
Software Defined Networking (SDN) and Network Function Virtualization (NFV) provide excellent
opportunities to implement these mechanisms efficiently. This paper considers MTD in the context of
an Internet Service Provider (ISP) network and proposes an architectural framework that enables it
even at the reconnaissance phase while facilitating forensics investigations. We propose various virtual
shadow networks, realized through NFV, to be used when implementing MTD mechanisms via route mutation. The
idea is to dynamically change the routes taken by specific reconnaissance packets so that attackers cannot
easily identify the actual network topology in preparation for distributed denial of service (DDoS) attacks
such as Crossfire, while enabling the defender to store information about potential attackers through a
forensics feature. We present an integrated framework that encompasses these features. The proposed
framework is implemented in Mininet to test its effectiveness and overheads. The results demonstrate
its effectiveness in defeating the attackers at the expense of slightly increased path lengths, end-to-end
delay, and storage for forensic purposes.
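To make the route-mutation idea concrete, the following added example (not code from the paper or its Mininet implementation) simulates a controller that sends traffic it classifies as reconnaissance over per-epoch shadow paths while logging it for forensics, and reports the path-length overhead that choice costs. The topology, the TTL/ICMP classification heuristic, and the epoch-keyed path selection are assumptions made for illustration.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # constructed sample addresses are used below
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    ttl: int


# Constructed sample topology: the real ISP route and the NFV shadow overlays per (src, dst).
REAL_PATHS = {("h1", "h2"): ["r1", "r2", "r3"]}
SHADOW_PATHS = {("h1", "h2"): [["r1", "s1", "s2", "r3"],
                               ["r1", "s3", "r2", "s4", "r3"]]}


def looks_like_reconnaissance(pkt: Packet) -> bool:
    # Assumed heuristic: TTL-limited (traceroute-style) probes or ICMP echo.
    return pkt.ttl <= 8 or pkt.proto == "icmp"


class MutatingController:
    def __init__(self, real, shadow):
        self.real, self.shadow = real, shadow
        self.forensic_log = []  # records kept for later investigation

    def route(self, pkt: Packet, epoch: int) -> list:
        key = (pkt.src, pkt.dst)
        if not looks_like_reconnaissance(pkt):
            return self.real[key]  # normal traffic keeps the real route
        # Epoch-keyed choice: a probe sees a stable view within one epoch,
        # but the view mutates once the epoch changes.
        rng = random.Random(f"{epoch}:{pkt.src}:{pkt.dst}")
        path = rng.choice(self.shadow[key])
        self.forensic_log.append({"epoch": epoch, "src": pkt.src, "dst": pkt.dst,
                                  "proto": pkt.proto, "ttl": pkt.ttl, "path": path})
        return path

    def extra_hops(self) -> float:
        # Average path-length overhead paid by the mutated (shadow) routes.
        if not self.forensic_log:
            return 0.0
        total = sum(len(r["path"]) - len(self.real[(r["src"], r["dst"])])
                    for r in self.forensic_log)
        return total / len(self.forensic_log)
```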