OpenMTD

Abstract

Moving Target Defense (MTD) represents a way of defending networked systems on different levels. It mainly focuses on shifting the different surfaces of the protected environment. Existing approaches studied on network-level are Port Hopping (PH), which shifts ports, and Network Address Shuffling (NAS), which steadily alters the network addresses of hosts. As a result, the formerly static attack surface now behaves dynamically whilst the relationship of ports to services and network addresses to hosts can be changed. Most MTD approaches have only been evaluated theoretically and comparisons are still lacking. Hence, based on existing results, it is not possible to contrast implementations like PH and NAS in terms of security and network performance. Finally, implementation details are usually not shared publicly. To mitigate these shortcomings, we developed a hybrid platform that evaluates such techniques and reimplemented PH and NAS with additional features such as connection tracker with fingerprinting service and a honeypot module, which is helpful to bypass attackers attempts. We created a common software platform to integrate approaches using the same gateway components and providing graphic network usability. The environment, named OpenMTD, has been open-sourced and works in a modular fashion allowing for easy extensions and future developments. We show that common attacks, starting with a reconnaissance phase were not able to successfully reach vulnerable hosts that are part of the OpenMTD-protected network. A new worm has been developed to spread across the network and the propagation paths showed that OpenMTD can lay the ground for extending protection mechanisms against self-propagating threats.