A Proactive Approach to Detect IoT Based Flooding Attacks by Using Software Defined Networks and Manufacturer Usage Descriptions

Document
Description

The advent of the Internet of Things (IoT) and its increasing appearances in

Small Office/Home Office (SOHO) networks pose a unique issue to the availability

and health of the Internet at large.

The advent of the Internet of Things (IoT) and its increasing appearances in

Small Office/Home Office (SOHO) networks pose a unique issue to the availability

and health of the Internet at large. Many of these devices are shipped insecurely, with

poor default user and password credentials and oftentimes the general consumer does

not have the technical knowledge of how they may secure their devices and networks.

The many vulnerabilities of the IoT coupled with the immense number of existing

devices provide opportunities for malicious actors to compromise such devices and

use them in large scale distributed denial of service attacks, preventing legitimate

users from using services and degrading the health of the Internet in general.

This thesis presents an approach that leverages the benefits of an Internet Engineering

Task Force (IETF) proposed standard named Manufacturer Usage Descriptions,

that is used in conjunction with the concept of Software Defined Networks

(SDN) in order to detect malicious traffic generated from IoT devices suspected of

being utilized in coordinated flooding attacks. The approach then works towards

the ability to detect these attacks at their sources through periodic monitoring of

preemptively permitted flow rules and determining which of the flows within the permitted

set are misbehaving by using an acceptable traffic range using Exponentially

Weighted Moving Averages (EWMA).