Using Linux TCP connection repair for mid-session endpoint handover: a security enhancement use-case

Slice-based Network Control allows the delivery of different SLAs to heterogeneous services and the isolation of network flows, all within the same shared infrastructure. Industry 4.0 and the IoT are prime use-cases for Network Slicing and expose a large number of embedded systems that cannot run advanced anti-malware routines - this raises significant security concerns. An approach to defending against these issues is honeynets, isolated sandbox networks with decoy functions (honeypots) mimicking the real endpoints. However, steering an active TCP connection (i.e., the attack) to a different endpoint (i.e., the decoy) is still a significant challenge. This article proposes using the SDN controller to bootstrap a smooth handover of the active TCP session across endpoints. Our proposal's core is a purpose-built proxy function that will resume a live attack session with the decoy using the Linux Kernel's TCP-REPAIR features. Because we are effectively recreating the socket as if the connection was initially established with that new endpoint, all of the TCP state machine and control sequence inner-workings are still done seamlessly by the kernel's built-in routines and the higher-level abstractions that use them. The results show that our approach has a similar performance to a regular socket (latency and throughput), while the new management interfaces integrate nicely into the existing Network Slicing operations.