NetHide: Secure and Practical Network Topology Obfuscation

Authors: Roland Meier, Petar Tsankov, Vincent Lenders, Laurent Vanbever, and Martin Vechev
Proceedings of the 27th USENIX Security Symposium

Abstract

Simple path tracing tools such as traceroute allow malicious users to infer network topologies remotely and use that knowledge to craft advanced denial-of-service (DoS) attacks such as Link-Flooding Attacks (LFAs). Yet, despite the risk, most network operators still allow path tracing as it is an essential network debugging tool.

In this paper, we present NetHide, a network topology obfuscation framework that mitigates LFAs while preserving the practicality of path tracing tools. The key idea behind NetHide is to formulate network obfuscation as a multi-objective optimization problem that allows for a flexible tradeoff between security (encoded as hard constraints) and usability (encoded as soft constraints). While solving this problem exactly is hard, we show that NetHide can obfuscate topologies at scale by only considering a subset of the candidate solutions and without reducing obfuscation quality. In practice, NetHide obfuscates the topology by intercepting and modifying path tracing probes directly in the data plane. We show that this process can be done at line-rate, in a stateless fashion, by leveraging the latest generation of programmable network devices.

We fully implemented NetHide and evaluated it on realistic topologies. Our results show that NetHide is able to obfuscate large topologies (> 150 nodes) while preserving near-perfect debugging capabilities. In particular, we show that operators can still precisely trace back > 90 % of link failures despite obfuscation.

People

Dr. Roland Meier
PhD student
2017—2022

BibTeX

@INPROCEEDINGS{meier2018nethide,
	isbn = {978-1-931971-46-1},
	year = {2018-08},
	booktitle = {Proceedings of the 27th USENIX Security Symposium},
	type = {Conference Paper},
	author = {Meier, Roland and Tsankov, Petar and Lenders, Vincent and Vanbever, Laurent and Vechev, Martin},
	language = {en},
	address = {Berkeley, CA},
	publisher = {USENIX Association},
	title = {NetHide: Secure and Practical Network Topology Obfuscation},
	pages = {693--709},
	note = {27th USENIX Security Symposium (USENIX Security 2018); Conference Location: Baltimore, MD, USA; Conference Date: August 15-17, 2018}
}

Research Collection: 20.500.11850/367431