4.1.1 Internal address mutation.

In RDAM, the internal address iIP_i ∈ S^I of host h_i is the host’s real address. In order to protect communications within a physical subnet (a group of hosts physically connected through common switches), the internal addresses of all the hosts in RDAM occupy different subnets of the internal address space so that the internal hosts cannot communicate directly through common switches. Denote L as the mask length of all subnets; then the subnet of iIP_i is , and . Therefore, the number of internal hosts supported by RDAM satisfies n^I ≤ m^I/2^32−L.

In order to ensure normal communication and confuse the attacker in RDAM, each subnet has a virtual gateway, the IP address of which is and gIP_i ≠ iIP_i, and the MAC address gMAC_i is generated randomly. The virtual gateway can respond to some basic protocols such as address resolution protocol (ARP) and Internet control message protocols (ICMP). After the connection to the network has been established, each host will obtain the MAC address of its virtual gateway through ARP protocol for subsequent communications.

The controller can directly obtain DNS requests from internal hosts; therefore in RDAM, for each host h_i we record its internal DNS query list , which is the address list of the internal hosts that have queried the given host’s domain name (the address list will be cleared after the domain name changed). Only the connection requests of the hosts in this list are allowed to forward to h_i. Therefore, if the attacker does not know the internal host's domain name, then even if the attacker knows the host’s internal address, the attacker still cannot access the host, so the internal addresses can mutate over a long period or remain unchanged.

In addition, the internal host can obtain the internal address through DHCP, and can also use a statically configured internal address; however, the subnet of the configured address cannot be repeated by other internal hosts. If hosts in the same physical subnet are configured with the same subnet, then they can directly access each other without protection. Therefore, in RDAM, all the hosts should be configured in separate subnets.

4.1.2 External address mutation.

Because of the recursive query, the controller may not obtain the IP address of the external host in the DNS request from the external network; therefore, it is not possible to identify the external host issuing the DNS query. To address this issue, RDAM uses the time window method to reduce the probability that the attacker can access the public host through the IP address. For each public host s_i, we record its external DNS query time , which is the time of the latest DNS query for its external address eIP_i ∈ S^E from the external network. Only within the following win_i time range can external hosts access s_i through eIP_i.

In order to calculate the time window of each public host, RDAM counts the number of times each public host is DNS-queried by an external host through its domain name to obtain the average speed λ_i(t) of the DNS query for s_i at time t. It can be assumed that the time interval of external hosts issuing the DNS query for s_i follows an exponential distribution with parameter λ_i(t). Then the probability that external hosts can access s_i through eIP_i is . In RDAM, we set the above probability of each public host as p. Then the time window of s_i is ; that is, the more a public host is DNS-queried by external hosts per unit time, the smaller its time window will be.

In the time window, the attacker could still access the public host through the external address, and therefore the external address of the public host still needs to be dynamically mutated at a high frequency. Denote as the external address mutation rate of public host s_i; then the next external address mutation time is the current mutation time plus . can be pre-configured, and the more critical a public host is, the higher its mutation rate should be.

4.1.3 Domain name mutation.

Each host h_i has a dynamic domain name d_i ∈ S^D. For the convenience of users, the domain names of all hosts are periodically changed at fixed times. Denote T₀ as the first domain name mutation time, and T^D as the time interval of domain name mutation; then the next domain name mutation time after time t is .

Because the domain name space has sufficient size, it can guarantee that in a sufficient number of domain name mutation cycles, a domain name will not be repeated. Assume the non-repeat cycle number of the domain name mutation is x; then RDAM records the domain names D^x ⊂ S^D that are assigned in the last x cycles. Assume φ denotes the maximum ratio of the number of allocated domain names |D^x| = xn^I to the domain name space size; then the non-repeat cycle number of domain names supported by RDAM satisfies x ≤ min(m^D/n^I−1,φm^D/n^I).

4.2.1 Packet processing algorithm.

In RDAM, software-defined switches modify and forward transmission control protocol (TCP) and user datagram protocol (UDP) packets according to flow tables; packets that have no matching flows in flow tables and ARP, ICMP, DNS, and DHCP packets are forwarded to the controller. The controller processes the above packets and installs the flows necessary for new connections in the software-defined switches in the path. Each connection must be associated with some fixed flows, thus ensuring end-to-end connectivity continuity.

The general packet processing algorithm is presented in Algorithm 1. The flows in the algorithm are the combined description of all software-defined switches in the path, in fact the action of the flows in the source and destination switches should only contain part of the modification action, and the intermediate switches should only contain the forward action. The flow chart of Algorithm 1 is presented in Fig 2.

Algorithm 1 Packet Processing Algorithm

for all packets p do

    if p is a DHCP request for h_i then

        generate iIP_i, d_i, gIP_i, gMAC_i, record if_i, mac_i, D^x∪ = {d_i}

        if h_i is a public host then

            generate eIP_i,

        end if

            generate response of iIP_i, gIP_i and send to if_i

        else if p is an ARP request for gIP_i from h_i then

            generate response of gMAC_i and send to if_i

        else if p is a Type-A DNS request for h_i from h_j then

            generate response of iIP_i,TTL = next(now)−now and send to if_j

        else if p is a Type-A DNS request for h_i from external then

            , generate response of and send to if^E

        else if p is a Type-PTR DNS request for h_i from h_i then

            generate response of d_i and send to if_i

        else if p is a TCP-SYN or UDP then

            if p is from h_i to h_j and then

                install forward direction flows in switches with action

                    p.srcMAC ≔ gMAC_j,p.dstMAC ≔ mac_j,Forward → if_j

                install backward direction flows in switches with action

                    p.srcMAC ≔ gMAC_i,p.dstMAC ≔ mac_i,Forward → if_i

            else if p is from private host h_i to external then

                install forward direction flows in switches with action

                    p.srcMAC ≔ gMAC_i,p.dstMAC ≔ GMAC,Forward → if^E

                install backward direction flows in switches with action

                    p.srcMAC ≔ gMAC_i,p.dstMAC ≔ mac_i,Forward → if_i

            else if p is from public host s_i to external or opposite with then

                install outside direction flows in switches with action

                    p.srcIP ≔ eIP_i,p.srcMAC ≔ gMAC_i,p.dstMAC ≔ GMAC,Forward → if^E

                install inside direction flows in switches with action

                    p.dstIP ≔ iIP_i,p.srcMAC ≔ gMAC_i,p.dstMAC ≔ mac_i,Forward → if_i

            else

                throw p

            end if

        else if p is a ICMP packet then

            do action like TCP or UDP packet but do not install flows

        else

            throw p

        end if

    end for

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Flow chart of Algorithm 1.

https://doi.org/10.1371/journal.pone.0177111.g002

All throw packets, including error packets and connection failure packets, are recorded for subsequent dynamic mutation and attack behavior analysis. Error packets include: 1) packets with incorrect mapping of interfaces, MAC addresses, and IP addresses; and 2) TCP-SYN, UDP, and ICMP packets from an internal host to an external address. Connection failure packets include: 1)DNS packets querying currently unused internal domain names; 2) TCP-SYN, UDP, and ICMP packets connecting to currently unused internal or external addresses; 3) TCP-SYN, UDP, and ICMP packets from a source address that is an internal address and is not in the DNS query list of the destination host; and 4) TCP-SYN, UDP, and ICMP packets that the destination host is a public host, the source address is an external address, and the time is not in the time window of the destination host.

4.2.2 Domain name and external address mutation algorithm.

The domain names of all hosts are periodically changed at fixed times, and no assigned domain name will be repeated in x cycles; therefore, the mutation space is S^D − D^x. The external addresses of all public hosts are changed randomly according to their mutation rate, and no external address that is assigned to mutated hosts can be the same as the external addresses of all non-mutated hosts; therefore, the mutation space is . The general domain name and external address mutation algorithm is presented in Algorithm 2.

Algorithm 2 Mutation Algorithm

for each time of performing domain name mutation do

    for each h_i do

        random select d_i from S^D−D^x

        D^x∪ = {d_i}

    end for

    remove expired domain name from D^x

end for

for each time of performing external address mutation do

    for each s_i that do

        random select eIP_i from S^E−A

        A ≔ A∪eIP_i,

    end for

end for

In the random selection of the domain name and external address in the above algorithm, we consider the following two methods: 1) uniform mutation, that is, the domain names and the external addresses are uniformly selected in the mutation space; and 2) failure-prior mutation, that is, the destination domain names and the addresses of the connection failure packets are preferentially selected.

4.4.1 Application level gateway service (ALG).

When an external host accesses a public host, the destination IP address is different from the actual IP address of the server host. However, in some special application protocols, such as file transfer protocol (FTP), generic routing encapsulation (GRE), etc., the payload contains the server host's IP address to establish connections. Therefore, IP address mutation may disrupt the normal communication of these protocols. RDAM implements application level gateway service (ALG) in the switch connected to the gateway to perform the detection and transformation of the payload when the internal address and the external address of the public host are interchanged, ensuring normal communication through the protocol without requiring the user to implement any special configuration.

4.4.2 Fingerprint mutation.

The attacker can use fingerprinting tools such as Nmap to identify the target host's fingerprint information, such as operating system, set of services, etc., for the purpose of finding a target host’s vulnerabilities. RDAM uses the recognition and replacement method to realize the confusion of some fingerprint information [33], including the version of the server software in FTP and the hypertext transfer protocol (HTTP), and the operating system version.

5.1.1 Repeatable scans.

In repeatable scans, the address or domain name scanned is randomly generated. Therefore, regardless of which mutation method the defender uses, the probability of the scanner hitting a designated host is the same as the probability in the static address environment.

Here, we analyze repeatable scanning of domain names and IP addresses from internal and external scanners in RDAM.

(1) Domain name scans: First, consider that the internal/external scanner scans domain names. Because the size of the domain name space is m^D, the probability of the scanner hitting each host in each scan is 1/m^D. Then, in k scans the scanner misses each host with probability (1−1/m^D)^k. Because the probability of each host being hit is independent of each other host, the probability of the scanner missing each host is also the expected ratio of missed hosts. Therefore, the expected ratio of missed hosts in k scans is

Thus, when the number of scans is the same as the external address space size m^E, RDAM allows of the hosts to be missed by the scanner.

(2) IP address scans by an external scanner: In RDAM, the probability that each public host can be accessed through its external address is p, so the probability of the scanner hitting each host in each scan is p/m^E. Therefore, the expected ratio of missed hosts in k scans is

Thus, when the number of scans is m^E, RDAM allows of the hosts to be missed by the scanner.

(3) IP address scans by an internal scanner: In RDAM, internal hosts can access another host only when they are in the internal DNS query list; therefore, the internal scanner cannot hit any host by scanning IP addresses, and the expected ratio of missed hosts in k scans is

To perform simulation experiments, we created a network of SDN switches using Mininet [35], and developed the RDAM controller using POX [36] to manage the SDN network. The network included n^I = 12000 internal hosts, of which n^E = 6000 hosts were public hosts; the external address space was a Class B subnet (m^E = 65536); and the length of the 3LD was 4 (l = 4). Fig 5 shows the theoretical and experimental results of the ratio of missed hosts by the internal and external repeatable scanners scanning domain names and IP addresses as the scanning number increases. In the simulation, every data point was taken as the average of 10 runs, and the scanner executed a total of m^E scans. In existing network address shuffling techniques, such as NASR [10], OF-RHM [11], etc., internal and external scanners can directly access an internal host once they hit the host’s IP address, because of the lack of the DNS query list and the time window methods. Therefore, the result of the internal/external scanner scanning IP addresses in OF-RHM is equivalent to the result of the external scanner scanning IP addresses in RDAM when p = 1 in Fig 5(B).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. The ratio of hosts missed by repeatable scanners.

(A) Scan domain names. (B) Scan IP addresses.

https://doi.org/10.1371/journal.pone.0177111.g005

From the figure, we can see that the experimental results are basically the same as those predicted by the theoretical analysis. RDAM allows 96.2% of hosts to be missed by internal and external scanners scanning domain names; an internal scanner cannot hit any host by scanning IP addresses; for external scanners scanning IP addresses, when p = 1, that is, no time window, RDAM allows only 37% of hosts to be missed, while when p = 0.2, RDAM allows 81% of hosts to be missed by adjusting the time window setting.

5.1.2 Non-repeat scans in uniform mutation.

Assume that r denotes the ratio of the attacker scanning rate to the defender mutation rate; that the external address mutation rate of all public hosts is the same; and that they mutate at the same time. When r ≤ 1, the domain name (IP address) will be changed between any two scans; therefore, the scanning process is equivalent to a repeatable scan, and the scan results are consistent with those presented in the previous section.

Next, we analyze the case when r ≥ 1, assuming r is an integer.

(1) Domain name scans: First, consider that the internal/external scanners scan domain names. Because the hosts’ domain names are uniformly distributed in the domain name space after each mutation, between two mutations, the probability of the scanner hitting each host in k′ scan is k′/m^D. k ≤ m^D scans can be divided into ⌊k/r⌋+1 mutations; therefore, the expected ratio of missed hosts in k scans, which is also the probability of the scanner missing each host, is

Thus, we can see that P_miss(r,k) decreases as r increases, and

1) when r ≪ k, , P_miss(r,k) reaches its maximum, and RDAM achieves the best defense performance;

2) when r < k ∧ r → k, P_miss(k) ≈ 1−r/m^D; and

3) when r ≥ k, P_miss(r,k) ≈ 1−r/m^D, the domain name mutation offers no additional defense performance compared to the static environment.

From the above analysis we can obtain . Because m^E ≪ m^D, so . Therefore, when the number of scans is m^E, RDAM allows 1−m^E/m^D of the hosts to be missed by the scanner.

(2) IP address scans by an external scanner: In RDAM, the probability that each public host can be accessed through its external address is p. Therefore, the expected ratio of missed hosts in k scans is

Thus, we can obtain 1−p≤P_miss(r,m^E) ≤ e^−p. Therefore, when the number of scans is m^E, RDAM allows at most e^−p and at least 1−p of the hosts to be missed by the scanner.

(3) IP address scans by an internal scanner: In RDAM, the internal scanner cannot hit any host by scanning IP addresses. Therefore, the expected ratio of missed hosts in k scans is

Fig 6 shows the theoretical and experimental results of the ratio of hosts missed by the internal and external non-repeat scanners scanning domain names and IP addresses when the defender adopts uniform mutation as r increases. The simulation environment is the same as that described in Section 5.1.1. In the simulation, every data point was taken as the average of 10 runs, and the scanner executed a total of m^E scans. In particular, the result of the internal/external scanner scanning IP addresses in OF-RHM when the defender adopts uniform mutation is equivalent to the result of the external scanner scanning IP addresses in RDAM when p = 1 in Fig 6(B).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. The ratio of hosts missed by non-repeat scanners in uniform mutation.

(A) Scan domain names. (B) Scan IP addresses.

https://doi.org/10.1371/journal.pone.0177111.g006

From the figure, we can see that the experimental results are basically the same as those predicted by the theoretical analysis. RDAM allows 96.2% of hosts to be missed by internal and external scanners scanning domain names; internal scanners cannot hit any host by scanning IP addresses; for external scanners scanning IP addresses, when p = 1, that is, no time window, RDAM allows at most 37% of hosts to be missed, and the ratio decreases as r increases, while when p = 0.2, RDAM allows 80% of hosts to be missed by adjusting the time window setting.

5.1.3 Non-repeat scans in failure-prior mutation.

Assume that r denotes the ratio of the attacker scanning rate to the defender mutation rate; that the external address mutation rate of all public hosts is the same; and that they mutate at the same time. Similarly, when r ≤ 1, the scan results are consistent with those presented in Section 5.1.1.

Next, we also analyze the case when r ≥ 1, assuming r is an integer.

(1) Domain name scans: First, consider that the internal/external scanner scans domain names, and denote the number of hosts as n (n = n^I for the internal scanner and n = n^E for the external scanner). In failure-prior mutation, the domain names missed by the scanner are preferentially selected as hosts’ domain names, and the scanner will never scan those domain names in non-repeat scans, so some hosts will not be hit by the scanner. Denote X_i as the number of inaccessible hosts in the i^th mutation interval; then X₁ = 0.

In the i^th mutation interval, the domain names of the remaining n−X_i hosts are uniformly distributed in the domain name space, the size of which is m^D−X_i. In this interval, the probability of the scanner hitting each host in k′ scans is , and the scanning number of hitting a host follows an hypergeometric distribution; thus, the expected hitting number is k′(n−X_i)/(m^D−X_i). The scanner can execute r scans in this interval, and therefore the number of missed domain names is r−r(n−X_i)/(m^D−X_i), which is the number of inaccessible hosts in the i+1^th mutation interval. Considering that the number of hosts is n, we can obtain X_i+1 = min(n,r−r(n−X_i)/(m^D−X_i)).

k ≤ m^D scans could be divided into ⌊k/r⌋ + 1 mutations; therefore, the expected ratio of missed hosts in k scans, which is also the probability of the scanner missing each host, is where X₁ = 0, X_i+1 = min(n,r−r(n−X_i)/(m^D−X_i)).

Thus we can obtain that

1) when r ≪ k ∧ r ≪ n, X_i is negligible, so ;

2) when r < k ∧ X_i < n, the larger r is, the larger X_i is, and the better the defense performance is, so P_miss(r,k) increases as r increases;

3) when r < k ∧ X₂ = n, namely, n/(1−n/m^D) ≤ r < k, X_i = n,i > 1, we can obtain P_miss(r,k) ≈ 1−r/m^D, so P_miss(r,k) decreases as r increases; and

4) when r ≥ k, P_miss(r,k) ≈ 1−k/m^D.

From the above analysis we find that when r = n/(1−n/m^D), P_miss(r,k) reaches its maximum; when r ≥ k, P_miss(r,k) reaches its minimum, so . Therefore, when the number of scans is m^E, RDAM allows at most and at least 1−m^E/m^D of the hosts to be missed by the scanner.

(2) IP address scans by an external scanner: In RDAM, the probability that each public host can be accessed through its external address is p. Therefore, the expected ratio of missed hosts in k scans is where X₁ = 0, X_i+1 = min(n^E,r − pr(n^E − X_i)/(m^E − X_i)).

Similarly, we find that when r < k ∧ X₂ = n, namely n/(1−pn^E/m^E) ≤ r < k, P_miss(r,k) ≈ 1−pr/m^E can reach its maximum; when r ≥ k, P_miss(r,k) ≈ 1−pk/m^D reaches its minimum, so . Therefore, when the number of scans is m^E, RDAM allows at most and at least 1−p of the hosts missed to be by the scanner.

(3) IP address scans by an internal scanner: In RDAM, the internal scanner cannot hit any host by scanning IP addresses. Therefore, the expected ratio of missed hosts in k scans is

Fig 7 shows the theoretical and experimental results of the ratio of hosts missed by the internal and external non-repeat scanners scanning domain names and IP addresses when the defender adopts failure-prior mutation as r increases. The simulation environment is the same as that presented in Section 5.1.1. In the simulation, every data point was taken as the average of 10 runs, and the scanner executed a total of m^E scans. In particular, the result of the internal/external scanner scanning IP addresses in OF-RHM when the defender adopts failure-prior mutation is equivalent to the result of the external scanner scanning IP addresses in RDAM when p = 1 in Fig 7(B).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. The ratio of hosts missed by non-repeat scanners in failure-prior mutation.

(A) Scan domain names. (B) Scan IP addresses.

https://doi.org/10.1371/journal.pone.0177111.g007

From the figure, we can see that the experimental results are basically the same as those predicted by the theoretical analysis. For the internal scanner (external scanner) scanning domain names, the ratio of missed hosts first increases then decreases as r increases, and RDAM allows at most 99.7% (99.3%) and at least 96.2% of hosts to be missed. The internal scanner cannot hit any host by scanning IP addresses. For the external scanner scanning IP addresses, the ratio of missed hosts also first increases then decreases as r increases; when p = 1, that is, no time window, RDAM allows at most 89.9% of hosts to be missed, while when p = 0.2, RDAM allows at most 98.1% and at least 80% of hosts to be missed by adjusting the time window setting.

Through the analysis of the above three cases, we can see that RDAM increases the scanning space of the scanner through the dynamic domain name method, and reduces the probability that the scanner can access hosts by scanning the IP address through the DNS query list and time window. RDAM offers better defense performance than the general network address shuffling method, whether it is for the repeatable scanning attack or the non-repeat scanning attack.

5.3.1 Flow table size.

In RDAM, each TCP/UDP session needs to establish two flow table entries in the software-defined switches in the path. Assume in RDAM, each internal host establishes on average w₁ sessions with other internal hosts per second, w₂ sessions with external hosts per second, and each session on average takes θ seconds to terminate. Then according to Little’s law in queuing theory, the mean length of the flow table is (w₁ + 2w₂)n^Iθ. Fig 9 shows the flow table lengths for various session establishment rates (w₁ and w₂/w₁) when n^I = 12000, θ = 10s.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 9. Flow table lengths for different session establishment rates.

https://doi.org/10.1371/journal.pone.0177111.g009

5.3.2 Operational delay.

We tested the operational delay caused by RDAM in our laboratory prototype. The software-defined switches and the controller were implemented in the X86 platform operating at 4 GHz using Intel's DPDK; the controller had two cores and 4 GB of memory; the switches had six cores and 8 GB of memory. All internal hosts, the DNS server, the DHCP server, and the security authentication server had two cores operating at 3.7 GHz and 4 GB of memory; the internal hosts ran the Win7 operating system, and the servers ran the Windows Server 2003 operating system. External hosts were generated through a server running Hyper-V with 32 cores operating at 3.9 GHz and 64 GB of memory; each external host had one core and 512 MB of memory running the Windows XP operating system. We tested 3 scenarios: scenarios with no flow table entry and 1 million flow table entries in the switches, and a scenario without RDAM, whereby hosts access each other using IP addresses through common switches. In each scenario, we measured the delay results of connections between internal hosts and connections of external hosts accessing public hosts, ran 100 trials respectively by using 25 internal hosts/external hosts visiting 4 public hosts. Table 1 shows the experimental results of the connection delay (the delay from the DNS request to establish a connection) and the transmission delay (the delay resulting from packet processing in software-defined switches after establishing the connection). From the results, we can see that the connection delay is unlikely to be noticed by users, and the transmission delay is negligible compared with the whole packet transmission process.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Operation delay with and without RDAM.

https://doi.org/10.1371/journal.pone.0177111.t001