TY - JOUR
T1 - Edge Security for SIP-enabled IoT Devices with P4
AU - Febro, Aldo
AU - Xiao, Hannan
AU - Spring, William Joseph
AU - Christianson, Bruce
N1 - © 2021 Elsevier B.V. All rights reserved. This is the accepted manuscript version of an article which has been published in final form at https://doi.org/10.1016/j.comnet.2021.108698
PY - 2022/2/11
Y1 - 2022/2/11
AB - The exponential growth of IoT devices poses security concerns, in part because they provide a fertile breeding ground for botnets. For example, the Mirai botnet infected almost 65,000 devices in its first 20 hours. With the prevalence of Session Initiation Protocol (SIP) phones and devices on the networks today, the attacker could easily target and recruit these IoT devices as bots. Conventional network security measures do not provide adequate attack prevention, detection, and mitigation for these widely distributed IoT devices. This paper presents microVNF, a Virtualized Network Function (VNF) that leverages the programmable data plane feature on the edge switch. Based on knowledge gained from the Mirai botnet incident and following the defense-in-depth principle, microVNF protects IoT devices against SIP DDoS attacks in two stages: before and after infection. Prior to infection, it protects against SIP scanning, enumeration, and dictionary attacks. After infection, microVNF blocks botnet registration attempts to the command-and-control (CNC) server, thereby preventing the botnet from receiving commands sent from the CNC server, and detects and mitigates botnet SIP DDoS attacks. We conducted six experiments that involved using popular attack tools against microVNF, and it successfully performed deep-packet inspection of unencrypted SIP packets so as to track anomalies from a typical SIP state-machine. In this use case, besides providing physical connectivity to the IoT devices, the edge switch containing microVNF also provides the first line of defense in stopping malicious packets from propagating upstream to the core network. In addition to securing SIP, the microVNF approach can be adapted to other text-based, application-layer protocols such as HTTP and SMTP. MicroVNF leverages the native capability of programmable data planes without depending on external devices, thereby making this approach practical for securing edge-computing environments against application-layer attacks.
KW - SIP, DDoS, Dictionary attack, IoT, P4, VNF, SIPVicious, Edge Computing
U2 - 10.1016/j.comnet.2021.108698
DO - 10.1016/j.comnet.2021.108698
M3 - Article
SN - 1389-1286
VL - 203
JO - Computer Networks
JF - Computer Networks
M1 - 108698
ER -