Abstract

With the increasing awareness of privacy protection, Virtual Private Networks (VPNs) are widely used to build a more secure communication tunnel. However, a class of traffic hijacking attacks known as blind in/on-path attacks seriously threatens the security of VPNs. Inspired by Moving Target Defense (MTD), the Moving VPN architecture (MVPN) is designed to defend against such attacks. MVPN uses multiple nodes to encrypt and decrypt traffic, which enhances reliability, and a consistency judgment algorithm over those nodes gives MVPN the ability to detect attacks. Based on the judgment result and a state update strategy, the MVPN state is changed dynamically to achieve active defense. In addition, this paper designs a multichannel packet classification mechanism and an availability assurance strategy, which together ensure the security and availability of the system while reducing the performance loss introduced by the defense strategy. Simulation verifies that the MVPN architecture reduces the success rate of blind in/on-path attacks by five orders of magnitude. We also implemented and deployed MVPN on the fast-forwarding framework of the Data Plane Development Kit (DPDK). Experiments in a real environment likewise show that the MVPN system effectively prevents attackers from carrying out blind in/on-path attacks.
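The abstract names two mechanisms, a consistency judgment over redundant decryption nodes and a state update driven by its result, without describing them. The following is an added toy illustration of how such a defensive loop can fit together; it is not the paper's algorithm or code. It assumes that the same encrypted packet is processed by several nodes, that an injected packet reaching only one node's path shows up as a mismatch in the decrypted outputs, and that a repeated mismatch rotates the dissenting node out of the active set. All names (`MVPNState`, `judge_consistency`, `update_state`, the strike limit) and the sample rounds are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class MVPNState:
    """Assumed, simplified MVPN state: which nodes decrypt, which stand by."""
    active: tuple        # ids of nodes currently decrypting traffic
    spare: tuple         # ids of standby nodes that can replace a suspect one
    epoch: int = 0       # incremented on every state change
    strikes: int = 0     # consecutive inconsistent judgments


def judge_consistency(outputs):
    """Majority vote over per-node decrypted payloads.

    outputs: {node_id: decrypted_bytes}
    Returns (consistent, agreed_payload_or_None, dissenting_node_ids).
    A payload is only 'agreed' when it holds a strict majority, so a 1:1
    tie (two nodes, two different outputs) yields no agreed payload.
    """
    counts = Counter(outputs.values())
    payload, votes = counts.most_common(1)[0]
    dissent = sorted(node for node, out in outputs.items() if out != payload)
    agreed = payload if votes * 2 > len(outputs) else None
    return (not dissent, agreed, dissent)


def update_state(state, dissent, strike_limit=2):
    """Assumed state update strategy: tolerate one transient mismatch, but
    after `strike_limit` consecutive mismatches swap the dissenting nodes
    for spares and advance the epoch (the 'moving' part of the defense)."""
    if not dissent:
        state.strikes = 0
        return state
    state.strikes += 1
    if state.strikes < strike_limit:
        return state
    remaining = tuple(n for n in state.active if n not in dissent)
    spare = list(state.spare)
    while len(remaining) < len(state.active) and spare:
        remaining += (spare.pop(0),)
    state.active, state.spare = remaining, tuple(spare)
    state.epoch += 1
    state.strikes = 0
    return state


def simulate(rounds, state):
    """Feed one round of per-node outputs at a time; only active nodes vote.
    Returns a log of (consistent, agreed, dissent, epoch) per round."""
    log = []
    for outputs in rounds:
        votes = {n: outputs[n] for n in state.active if n in outputs}
        consistent, agreed, dissent = judge_consistency(votes)
        update_state(state, dissent)
        log.append((consistent, agreed, tuple(dissent), state.epoch))
    return log


# Constructed sample: three active nodes, two spares. In rounds 2 and 3 a
# forged packet reaches only node n2's path, so n2 disagrees with the others.
CONSTRUCTED_ROUNDS = [
    {"n1": b"GET /", "n2": b"GET /", "n3": b"GET /"},   # all agree
    {"n1": b"GET /", "n2": b"RST!!", "n3": b"GET /"},   # first mismatch
    {"n1": b"GET /", "n2": b"RST!!", "n3": b"GET /"},   # second: rotate n2 out
    {"n1": b"GET /", "n3": b"GET /", "n4": b"GET /"},   # new active set agrees
]


def run_demo():
    state = MVPNState(active=("n1", "n2", "n3"), spare=("n4", "n5"))
    log = simulate(CONSTRUCTED_ROUNDS, state)
    return log, state


if __name__ == "__main__":
    for i, entry in enumerate(run_demo()[0], 1):
        print(f"round {i}: consistent={entry[0]} dissent={entry[2]} epoch={entry[3]}")
```

The point of the illustration is defensive: a single disagreeing replica is enough to detect a unilateral injection, and rotating the node set on repeated disagreement changes the target an attacker would have to reach, which is the MTD intuition the abstract describes.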
