Using MTD and SDN-based Honeypots to Defend DDoS Attacks in IoT

Xupeng Luo, Qiao Yan, Mingde Wang, Wenyao Huang
College of Computer Science and Software Engineering, Shenzhen University, Shenzhen, China
[email protected], [email protected], [email protected], [email protected]

Abstract—With the rapid development of the Internet of Things (IoT), distributed denial of service (DDoS) attacks have become an important security threat to the IoT. Characteristics of IoT devices, such as their large numbers and simple functions, make it easy for IoT devices or servers to be attacked and turned into botnets for launching DDoS attacks. In this paper, we use software-defined networking (SDN) to develop a moving target defense (MTD) architecture that increases uncertainty for the attacker through an ever-changing attack surface. In addition, we deploy SDN-based honeypots that mimic IoT devices, luring attackers and malware. Finally, experimental results show that the combination of MTD and SDN-based honeypots can effectively hide network assets from scanners and defend against DDoS attacks in IoT.

Index Terms—SDN, honeypot, DDoS attack, IoT security, MTD

I. INTRODUCTION

IoT technology is the future of economic development, social progress and technological innovation, and relates to the secure utilization of national physical infrastructure. On the one hand, the IoT, as all-encompassing communication in a ubiquitous network, is used to realize the combination of human society and the physical world on the basis of Internet development, and makes the management of production and life more refined and dynamic. On the other hand, many network security problems carry over from the Internet to the IoT, such as confidentiality, integrity and availability, and can have more serious consequences like power outages, financial paralysis, social disruption and even a threat to national security. Therefore, security has been a chief obstacle to IoT development.

Because most IoT devices lack computation and communication capabilities, they are very easy to attack and to turn into botnets for launching DDoS attacks [1]. For example, on 21 October 2016 multiple major DDoS attacks on the DNS services of the DNS service provider Dyn were carried out using Bashlite and Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high-profile websites such as GitHub, Twitter, Reddit, Netflix and many others [2]. The peak attack size of different IoT botnets is shown in Fig. 1.

Fig. 1. Peak attack size of different IoT botnets.

In this paper we propose using MTD and SDN-based honeypots for defending against DDoS attacks in IoT. MTD is the concept of dynamically changing the configuration and behavior of the network in order to increase uncertainty and apparent complexity for attackers, reduce their window of opportunity and increase the costs of their probing and attack efforts [3]. Several features of SDN, such as the ability to program the network, the logical centralization of network control and the global network view [4], are helpful for developing and managing random host mutation efficiently and flexibly. Applying this technique mutates the IP addresses of IoT devices/servers and defines the forwarding behavior, so they can actively defend against scanning-based attacks. Furthermore, based on SDN, we deploy honeypots that mimic weak IoT devices, lure attackers into taking the bait, and finally capture them.

The rest of the paper is organized as follows. We first briefly summarize related work on defending against DDoS attacks in the IoT environment. Then we propose an active DDoS attack defense method for IoT using MTD and SDN-based honeypots.

978-1-7281-1973-1/19/$31.00 ©2019 IEEE

Authorized licensed use limited to: University of Wollongong. Downloaded on May 30,2020 at 19:40:21 UTC from IEEE Xplore. Restrictions apply.
Experimental results are given to show the effectiveness of the defense against DDoS attacks. Finally, we conclude the paper.

II. RELATED WORK

A honeypot is a computer security mechanism used to detect, deflect, or counteract attacks, and it has obtained positive results in defending against DDoS attacks on the Internet. In [5], the authors present a DDoS detection technique with a virtual roaming honeypot and an ant colony optimisation technique. The virtual roaming honeypot uses a hop-by-hop back propagation mechanism to identify different intruders and record attack information. To trace the track of intruders, the ant colony optimisation analyzes the density of the pheromone over the records. With the rapid development of IoT, DDoS attacks have become an important security threat to the IoT. The authors in [1] propose a novel honeypot called IoTPOT which mimics IoT devices, monitors IoT threats and captures Telnet-based intrusions. They further analyze threats and propose IoTBOX, which runs captured malware, and point out that there are at least five DDoS malware families and eight different types of botnet architectures targeting IoT devices. More and more researchers have paid attention to honeypots and other techniques for defending against DoS/DDoS attacks in IoT. Anirudh et al. [6] propose a honeypot model for mitigating DoS attacks launched on IoT devices. This model isolates abnormal requests in the honeypot and stores related information about the attacker as a log by utilizing an intrusion detection system (IDS).

Based on the software-defined anything paradigm, Da Yin et al. [7] present a software-defined Internet of Things (SD-IoT) framework and algorithm to detect and mitigate DDoS attacks. The proposed framework consists of SD-IoT controllers, SD-IoT switches integrated with an IoT gateway, and terminal IoT devices. They propose an algorithm that calculates the cosine similarity of the vectors of the packet-in rate at the ports of the SD-IoT boundary switches and then determines whether a DDoS attack has occurred, finds the real DDoS attacker and blocks the DDoS attack at the source. To defend against DDoS attacks in the Industrial Internet of Things (IIoT), the authors of [8] introduce a multi-level DDoS mitigation framework for IIoT. The edge computing level serves to connect an IIoT device to the network and secure the IIoT device, the fog computing level provides low latency and high quality of service, and the cloud computing level uses intelligent computing algorithms to detect DDoS attacks. Abdulaziz et al. [9] propose a prevention technique to enhance the cyber security of IoT devices and networks against DDoS attacks based on the basic structure and functions of existing IDS.

III. PROPOSED METHOD

A number of IoT devices have poor security and potential vulnerabilities, which makes them attractive targets for malicious attackers, and their owners may not even know they have been infected. To improve the security of IoT, an active defense method combining MTD and SDN-based honeypots is proposed, as shown in Fig. 2. Our proposed method consists of two defense mechanisms: (1) MTD, frequently changing the IP addresses of IoT devices/servers unpredictably and at a high rate, to make it harder for attackers to discover active hosts in the target network, and (2) SDN-based honeypots, imitating IoT devices to accommodate and capture the attackers' activities, achieving detection and mitigation during the attacks.

Fig. 2. Overview of the proposed DDoS defense framework for IoT. (Figure not reproduced; its components are Attackers, Controller, Gateway, Switch, SDN-based Honeypots, IoT Devices, IoT Servers and IP Address Pool.)

A. MTD

The MTD architecture is designed and implemented using a RYU application, the RYU controller and Open vSwitch in a Mininet network, as shown in Fig. 3. This architecture realizes random IP address mutation after a random interval time. We keep the real IP addresses of IoT devices/servers (called rIP) unchanged, and map random short-lived virtual IP addresses (called vIP) to them at random interval times. The IP address pool is a range of static IP addresses that will be assigned to IoT devices/servers as vIPs. Each rIP is associated with a random vIP in each interval. The lifetime of a virtual IP address is short and random, providing high unpredictability and a high mutation rate, to maximize the defense against attackers' probing of the active hosts and network topology and to increase the deterrence of attack planning. MTD performs the following tasks: (1) establishes a large number of consecutive IP addresses and binds them to the IP address pool, (2) randomizes the interval time using a random timer, (3) generates an IP address mutation event every interval, and (4) maps each rIP to a random vIP from the IP address pool and handles active connections by installing flows in Open vSwitch with the required address mutation actions.

B. SDN-based Honeypot

Most IoT devices have a single function and poor security, so it is difficult to detect cyber attacks relying only on the IoT gateway and the limited computing capability of IoT devices. The Mirai malware, its variants and other IoT malware have caused huge damage to the IoT, giving a wake-up call to the industry to better secure IoT devices. Through an analysis of Mirai
malware, we know that SSH-based and Telnet-based attacks are the main ways of infection. When an IoT device is infected and becomes a bot, it will infect other IoT devices. And the SYN flood attack is the main form of DDoS attack. So, we first consider setting up several SDN-based honeypots (traps) to imitate various IoT devices, and let them lure attackers and malware with vulnerabilities such as weak passwords, open ports, etc. These honeypots can detect and mitigate SSH-based and Telnet-based attacks. When the SDN-based honeypots regularly receive a large number of login requests from the same IP address, enough times, the RYU controller will install a relevant flow in Open vSwitch to drop packets from this suspicious IP address and put it in the blacklist of the IoT gateway. Secondly, a few SDN-based honeypots mimic IoT servers to defend against suspected DDoS attacks by analyzing the traffic mirror of the IoT servers. Fig. 4 shows the architecture of SDN-based honeypots.

Fig. 3. The architecture of MTD. (Figure not reproduced; it shows the Host, Switch and Controller, the Random Timer and Random IP Addresses Mutation application, PacketIn/PacketOut messages between Switch and Controller, and the rewriting of src/dst addresses between rIP and vIP at the Switch.)

Fig. 4. The architecture of SDN-based honeypots. (Figure not reproduced; its components are Attackers, Botnet, Gateway, Switch, Controller, SDN-based Honeypots, IoT Devices and IoT Servers.)

IV. EXPERIMENTAL RESULTS

Cyber attacks often begin with a scan, which attackers use to find active hosts and their exploitable vulnerabilities on the targeted network. There are many scan tools, the most familiar being Nmap, Zmap and Masscan. In order to show the effectiveness of MTD against scanning-based attacks, we run Nmap, Zmap and Masscan against our MTD architecture, which consists of 100 IoT devices. We then compare the three scan tools' results and find that no real IP addresses and only a few of the initial virtual IP addresses are discovered by scanning, since the virtual IP addresses soon go out of date, as shown in Fig. 5.

Fig. 5. Scan results with and without MTD. (Bar chart not reproduced; y-axis: number of scanned IoT devices, 0 to 120; groups: without MTD and with MTD; series: Nmap, Zmap, Masscan.)

For our experiments with SDN-based honeypots, the Mirai malware is implemented as the attacker to launch SSH-based and Telnet-based attacks, and 20 IoT devices with default passwords are the targets. We use SDN to deploy honeypots running Cowrie, which is a medium-interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker. SDN combined with honeypots provides a flexible defense mechanism. Fig. 6 shows the effectiveness of different numbers of SDN-based honeypots against SSH-based attacks (the result is the same for Telnet-based attacks). As expected, IoT devices cannot observe bots, so all of them will be infected without SDN and honeypots. The number of bots gradually reduces as the number of SDN-based honeypots increases. Mirai connects to and controls 20 bots to launch SYN flood attacks on the IoT servers. We set the packet count to 10000 and the data size to 120. The SDN-based honeypots analyze the traffic mirror of the IoT servers; when the ratio of the number of SYN datagrams to the number of TCP datagrams from the same IP address reaches the threshold 0.6, the counter value is incremented by one. This IP address is suspect and will be blocked after the counter value reaches 5. By comparing different values of the threshold and counter, we found that the settings above lead to higher accuracy. We check the availability of the IoT server by having a normal IoT device TCP-ping the IoT server. Finally, Fig. 7 shows the TCP connection delay between the IoT device and the IoT server during the SYN flood attack, comparing the cases with and without SDN-based honeypots. Experimental results indicate that our proposed SDN-based honeypot methodology can effectively decrease the SYN flooding.
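The mutation cycle of Section III-A and the scan experiment above, as an added Python simulation written for this page (it is not the authors' RYU application): real addresses stay fixed, each is bound to a short-lived virtual address from the pool, a random timer rebinds them, and the switch rewrites src rIP to vIP on egress and dst vIP to rIP on ingress. The pool range, the timer bounds, the grace rule for active connections, the scanner model and the figures in `demo` are assumptions.

```python
"""Simulation of the random IP address mutation of Section III-A.

Added illustration written for this page, not the authors' RYU application.
Real addresses (rIP) never change; each is bound to a short-lived virtual
address (vIP) from the IP address pool, a random timer triggers the mutation
event that rebinds them, and the switch rewrites src rIP -> vIP on egress and
dst vIP -> rIP on ingress.  Pool range, timer bounds, the grace rule for active
connections and the scanner model are assumptions.
"""
import ipaddress
import random


class MtdController:
    def __init__(self, real_ips, pool, min_interval, max_interval, seed=None):
        if len(pool) < len(real_ips):
            raise ValueError("IP address pool must be larger than the host set")
        self.real_ips = list(real_ips)    # rIP of the IoT devices/servers, kept unchanged
        self.pool = list(pool)            # task (1): consecutive addresses bound to the pool
        self.min_interval = min_interval  # task (2): bounds of the random timer (assumed)
        self.max_interval = max_interval
        self.rng = random.Random(seed)
        self.active = set()               # rIPs with an active connection (assumed bookkeeping)
        self.now = 0.0
        self.r2v = {}                     # rIP -> vIP: the egress rewrite flows
        self.v2r = {}                     # vIP -> rIP: the ingress rewrite flows
        self.mutations = 0
        self.mutate()

    def mutate(self):
        """Tasks (3) and (4): one mutation event rebinds every rIP to a fresh
        random vIP, installs the rewrite flows and re-arms the random timer."""
        old_r2v = self.r2v
        vips = self.rng.sample(self.pool, len(self.real_ips))
        self.r2v = dict(zip(self.real_ips, vips))
        self.v2r = {v: r for r, v in self.r2v.items()}
        # Assumed policy for active connections: the host keeps its previous vIP
        # reachable for one more interval, unless that vIP went to another host.
        for r, v in old_r2v.items():
            if r in self.active and v not in self.v2r:
                self.v2r[v] = r
        self.next_mutation = self.now + self.rng.uniform(self.min_interval, self.max_interval)
        self.mutations += 1

    def tick(self, seconds):
        """Advance the clock and fire the mutation event when the timer expires."""
        self.now += seconds
        while self.now >= self.next_mutation:
            self.mutate()

    def egress(self, pkt):
        """Flow action for traffic leaving a protected host: src rIP -> src vIP."""
        return {**pkt, "src": self.r2v[pkt["src"]]}

    def ingress(self, pkt):
        """Flow action for traffic entering: dst vIP -> dst rIP.  A destination
        that is not currently bound (including every rIP) matches no flow: drop."""
        rip = self.v2r.get(pkt["dst"])
        return None if rip is None else {**pkt, "dst": rip}


def scan(ctrl, targets, probe_cost):
    """Scanner model: probe each target once in order, spending probe_cost
    seconds per probe while the MTD clock runs.  Returns the responders."""
    found = []
    for addr in targets:
        if ctrl.ingress({"src": "203.0.113.9", "dst": addr}) is not None:
            found.append(addr)
        ctrl.tick(probe_cost)
    return found


def still_live(ctrl, found):
    """How many of the scanner's findings still reach a host right now."""
    return sum(1 for addr in found if addr in ctrl.v2r)


def demo(seed=7):
    """100 devices behind a 254-address pool, scanned at 100 probes/s (assumed figures)."""
    real_ips = [str(ip) for ip in ipaddress.ip_network("10.10.0.0/24").hosts()][:100]
    pool = [str(ip) for ip in ipaddress.ip_network("10.20.0.0/24").hosts()]
    ctrl = MtdController(real_ips, pool, 0.5, 1.5, seed=seed)
    found = scan(ctrl, real_ips + pool, probe_cost=0.01)   # mutations fire during the scan
    ctrl.mutate()                                           # and once more before the attacker acts
    return {"found": len(found),
            "real_exposed": sum(1 for a in found if a in real_ips),
            "still_live": still_live(ctrl, found),
            "mutations": ctrl.mutations}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the scan summary: no rIP ever answers, because the ingress flows only match currently bound vIPs, and most of the vIPs the scanner did record are stale by the time it finishes, which is the effect Fig. 5 reports.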

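The SYN-ratio rule used in the honeypot experiment, as an added Python example written for this page rather than the authors' RYU/Cowrie code: per source address, the mirrored TCP segments are counted per window, the counter is bumped whenever SYN/TCP reaches the threshold (0.6 in the paper), and the address is dropped and blacklisted once the counter reaches the limit (5 in the paper). The one-second window, the counter that never decays, the flag strings and the trace are assumptions or constructed; `run` also accepts other threshold and counter values so the accuracy trade-off the text mentions can be tried.

```python
"""SYN-ratio detector of the honeypot experiment in Section IV.

Added example written for this page, not the authors' RYU/Cowrie code.  The
honeypot watches a traffic mirror of the IoT servers.  For each source address
it counts TCP segments and SYN segments; whenever SYN/TCP reaches the
threshold (0.6 in the paper) a counter is bumped, and once the counter reaches
its limit (5 in the paper) the controller drops that source and blacklists it
at the gateway.  The one-second evaluation window, the counter that never
decays, the flag strings and the trace are assumptions/constructed.
"""
from collections import defaultdict

SYN_RATIO_THRESHOLD = 0.6   # from the paper
COUNTER_LIMIT = 5           # from the paper
WINDOW_SECONDS = 1.0        # assumed: the ratio is evaluated once per window per source


class SynFloodDetector:
    def __init__(self, threshold=SYN_RATIO_THRESHOLD, limit=COUNTER_LIMIT, window=WINDOW_SECONDS):
        self.threshold, self.limit, self.window = threshold, limit, window
        self.window_start = None
        self.tcp = defaultdict(int)      # TCP segments per source in the current window
        self.syn = defaultdict(int)      # SYN-only segments per source in the current window
        self.counter = defaultdict(int)  # times a source reached the threshold
        self.blacklist = set()           # sources the switch now drops
        self.actions = []                # ("drop", src, time) controller decisions

    def observe(self, t, src, flags):
        """Feed one mirrored TCP segment: time in seconds, source IP, TCP flags."""
        if self.window_start is None:
            self.window_start = t
        while t - self.window_start >= self.window:      # close every window that elapsed
            self._close_window(self.window_start + self.window)
            self.window_start += self.window
        if src in self.blacklist:
            return                                        # dropped at the switch, never reaches the server
        self.tcp[src] += 1
        if "S" in flags and "A" not in flags:             # a SYN that is not a SYN-ACK
            self.syn[src] += 1

    def _close_window(self, end_t):
        """Apply the threshold/counter rule to every source seen in the window."""
        for src, n in self.tcp.items():
            if self.syn[src] / n >= self.threshold:
                self.counter[src] += 1
                if self.counter[src] >= self.limit and src not in self.blacklist:
                    self.blacklist.add(src)               # RYU: drop flow in OVS + gateway blacklist
                    self.actions.append(("drop", src, end_t))
        self.tcp.clear()
        self.syn.clear()

    def flush(self):
        """Evaluate the last, possibly partial, window."""
        if self.window_start is not None:
            self._close_window(self.window_start + self.window)


def constructed_trace(seconds=8):
    """Constructed mirror of a server's inbound TCP traffic (not captured data):
    one benign IoT device doing a handshake plus data each second, and one bot
    sending 30 bare SYNs per second that never complete."""
    trace = []
    for sec in range(seconds):
        for k, flags in enumerate(["S", "A", "PA", "PA", "PA", "PA"]):
            trace.append((sec + 0.05 * k, "10.10.0.3", flags))
        for k in range(30):
            trace.append((sec + k / 30.0, "10.10.0.7", "S"))
    return sorted(trace)


def run(trace, threshold=SYN_RATIO_THRESHOLD, limit=COUNTER_LIMIT):
    """Replay a trace; returns the detector and when each source was cut off."""
    det = SynFloodDetector(threshold, limit)
    for t, src, flags in trace:
        det.observe(t, src, flags)
    det.flush()
    return det, {src: t for _, src, t in det.actions}


if __name__ == "__main__":
    det, blocked_at = run(constructed_trace())
    print("blacklist:", sorted(det.blacklist), "blocked at:", blocked_at)
```

With the paper's settings the flooding source is cut off when its fifth consecutive window closes, while the benign device (one SYN per six segments) never trips the rule; lowering the threshold to 0.1 blacklists the benign device as well, which is the kind of false positive the threshold/counter comparison in the text is meant to avoid.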
Fig. 6. Number of bots in IoT changes over time. (Line chart not reproduced; x-axis: time (s), 0 to 90; y-axis: bots, 0 to 25; one series per number of SDN-based honeypots deployed.)

Fig. 7. TCP connection time delay. (Line chart not reproduced; x-axis: time (s), 0 to 50; y-axis: time delay (s), 0 to 2.5; series: with and without SDN-based honeypots.)

V. CONCLUSION

In this paper, we presented how SDN can be useful for MTD and honeypots, especially for defending against DDoS attacks in IoT. Specifically, we first presented the use of SDN to develop an MTD architecture that defends against scanning-based attacks at an early phase by randomly mutating the IP addresses of IoT devices, which increases the uncertainty of the attack surface. After this phase, we proposed a DDoS attack mitigation method using SDN-based honeypots which mimic IoT devices/servers to improve their security. Experimental results indicated that our proposed MTD and SDN-based honeypot methodology can effectively detect and mitigate scanning-based, SSH-based, Telnet-based and SYN flood attacks. In future work, we plan to study the effect of MTD and SDN-based honeypots combined with other techniques against other attack models.

REFERENCES

[1] M. P. P. Yin, S. Suzuki, K. Yoshioka, T. Matsumoto, T. Kasama, and C. Rossow, "IoTPOT: A novel honeypot for revealing current IoT threats," Journal of Information Processing, vol. 24, no. 3, pp. 522–533, 2016.
[2] K. Angrishi, "Turning Internet of Things (IoT) into Internet of Vulnerabilities (IoV): IoT botnets," arXiv, vol. abs/1702.03681, 2017.
[3] J. Steinberger, B. Kuhnert, C. Dietz, L. Ball, A. Sperotto, H. Baier, A. Pras, and G. Dreo, "DDoS defense using MTD and SDN," in NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1–9, April 2018.
[4] L. Cui, F. R. Yu, and Q. Yan, "When big data meets software-defined networking: SDN for big data and big data for SDN," IEEE Network, vol. 30, pp. 58–65, January 2016.
[5] R. Selvaraj, V. M. Kuthadi, and T. Marwala, "Ant-based distributed denial of service detection technique using roaming virtual honeypots," IET Communications, vol. 10, no. 8, pp. 929–935, 2016.
[6] M. Anirudh, S. A. Thileeban, and D. J. Nallathambi, "Use of honeypots for mitigating DoS attacks targeted on IoT networks," in 2017 International Conference on Computer, Communication and Signal Processing (ICCCSP), pp. 1–4, Jan 2017.
[7] D. Yin, L. Zhang, and K. Yang, "A DDoS attack detection and mitigation with software-defined Internet of Things framework," IEEE Access, vol. 6, pp. 24694–24705, 2018.
[8] Q. Yan, W. Huang, X. Luo, Q. Gong, and F. R. Yu, "A multi-level DDoS mitigation framework for the industrial Internet of Things," IEEE Communications Magazine, vol. 56, pp. 30–36, Feb 2018.
[9] A. Aldaej, "Enhancing cyber security in modern Internet of Things (IoT) using intrusion prevention algorithm for IoT (IPAI)," IEEE Access, pp. 1–1, 2019.

