SDN-Ti: A General Solution Based on SDN to Attacker Traceback and Identification in IPv6 Networks

Title: SDN-Ti: A General Solution Based on SDN to Attacker Traceback and Identification in IPv6 Networks
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Li, Chunlei; Wu, Qian; Li, Hewu; Zhou, Jiang
Conference Name: ICC 2019 - 2019 IEEE International Conference on Communications (ICC)
ISBN Number: 978-1-5386-8088-9
Keywords: attack incident, attacker traceback, authentication, Collaboration, composability, computer network security, cryptography, Internet, IP networks, IPv6 address assignment scenarios, IPv6 addresses, IPv6 networks, ipv6 security, IPv6 testbed, Metrics, network accountability, network administrator, network attacks, Network security, normal forwarding method, policy-based governance, Protocols, pubcrawl, resilience, Resiliency, SDN controller, SDN switch, SDN-Ti prototype, Servers, Software Defined Network, software defined networking, stateless address autoconfiguration protocol, Switches, telecommunication traffic, trusted ID-encoded address
Abstract

Network attacks have become a growing threat to the current Internet. For the enhancement of network security and accountability, it is urgent to find the origin and identity of the adversary who misbehaves in the network. Some studies focus on embedding users' identities into IPv6 addresses, but such design cannot support the Stateless Address Autoconfiguration (SLAAC) protocol which is widely deployed nowadays. In this paper, we propose SDN-Ti, a general solution to traceback and identification for attackers in IPv6 networks based on Software Defined Network (SDN). In our proposal, the SDN switch performs a translation between the source IPv6 address of the packet and its trusted ID-encoded address generated by the SDN controller. The network administrator can effectively identify the attacker by parsing the malicious packets when the attack incident happens. Our solution not only avoids the heavy storage overhead and time synchronism problems, but also supports multiple IPv6 address assignment scenarios. What's more, SDN-Ti does not require any modification on the end device, hence can be easily deployed. We implement SDN-Ti prototype and evaluate it in a real IPv6 testbed. Experiment results show that our solution only brings very little extra performance cost, and it shows considerable performance in terms of latency, CPU consumption and packet loss compared to the normal forwarding method. The results indicate that SDN-Ti is feasible to be deployed in practice with a large number of users.

URL: https://ieeexplore.ieee.org/document/8761485
DOI: 10.1109/ICC.2019.8761485
Citation Key: li_sdn-ti_2019