After reviewing the existing controllers and their capabilities, the Floodlight controller was chosen to simulate the laboratory platform. This controller is written in Java and is responsible for maintaining all network rules and instructing the underlying infrastructure on how to handle traffic. The controller also exposes functional interfaces such as a REST API, which makes it easier to program against the product. Mininet has been used to simulate the desired topology of switches, bots, and the main server. Mininet hosts are Linux-based, and the switches used also support OpenFlow, which gives high flexibility in SDN. Mininet is used to create the hosts; it is a lightweight and efficient way of creating these nodes, but it does not allow virtual machines that run independently of each other, and host configurations are not preserved when the hosts are shut down. Mininet can also connect directly to the controller through its dedicated connection. Next, a script was developed in Python 3 to carry out a DDoS attack that targets websites and sends fake traffic to the servers. As soon as the script receives the target port number and packet rate for the website, it starts the attack. In this method, the links carrying the attack packets undergo route mutation so that attackers cannot identify the real topology of the network for a possible denial-of-service attack, while the defender can still record the attacker's information through forensics. Finally, the strategy presented in the moving target defense section must be implemented. Implementing the presented method and checking the results shows that the delay of normal packets is reduced and fewer resources are used compared to earlier methods.
3.1 Moving Target Defense Strategy
The second part of the research method is the selection and modification of moving target defense strategies. In this research, the idea of the moving target defense approach is taken from the classic "Shell Game", which dates back at least to ancient Greece. By extending this idea, a new type of network defense can be reached that defends the network without regard to its vulnerabilities or its hardware and software facilities. A careful examination of the model presented in [2] shows that no attention has been paid to the bandwidth or overhead of the systems. By changing the type of strategies used in overlay networks and replacing random algorithms with measurement-based methods, network defenses can be strengthened. By taking the overhead of the virtual machines involved into account, the packet can be mutated on the freest virtual machine. In this way, a larger amount of traffic can be checked in less time, which reduces delay and increases the efficiency of the system. After the packet passes through the firewall and enters the database (watch list), the desired packet information is stored, and a decision about the packet is made according to the number of times it has passed through the controller. If the number of packet views exceeds the specified limit, the packet is disconnected; otherwise, if it is below the limit, it is passed to the moving target defense section. In this section, decisions are made according to the overhead of the virtual shadow host (VSH). In other words, if the measured bandwidth of the VSH is below the allowed limit, the packet is mutated and re-enters the network through the tricked networks. If the measured bandwidth is within the normal range, the packet first enters the tricked networks and is examined by forensic mechanisms [25].
Additionally, if the packet does not contain any suspicious items, it continues on its route normally and enters the main website or server; if suspicious items are found, the packet is discarded.
3.2 Final implementation
The changes made to the moving target defense strategy section are described by the two pseudo-codes in this section. The pseudo-code fixes the outline of these two defense algorithms before they are executed.
The first algorithm is the most important part of the moving target defense strategy. It selects the moving target defense strategy for packets that reach the strategy selection section after passing through the firewall. Next, a decision is made according to the network resources: in this pseudo-code the strategy is selected on the basis of bandwidth and the closed route is determined. If the bandwidth exceeds the limit set by the user, the packet enters the virtual functions of the network. Otherwise, the route mutation strategy is applied: the packet undergoes a route mutation and the route database is updated.
In Fig. 3, the packet entry section is shown as pseudo-code; this algorithm runs until the packet is delivered to the strategy selection section. It specifies the items that need to be stored in the watch list, such as srcIP and dstIP, and defines the reaction based on the number of packets that have passed. In this pseudo-code, variables such as switchID, srcIP, dstIP, protocol, and maxUsage are read from the packet, and according to the maxUsage value (maximum number of views) a decision is made to admit the packet or delete it.
If route mutation occurs, the values of srcIP, dstIP, protocol, and MTDStrategy are sent to the router to perform the mutation. The triggeredUpdate value is also incremented and the new value is recorded in the database.
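As an added illustration (not the paper's own pseudo-code or Fig. 3), the following Python 3 sketch implements the two algorithms described in Sections 3.1 and 3.2 together: the watch-list counter that drops a flow once it has been seen more than maxUsage times, and the strategy selection that mutates the packet over the freest virtual shadow host (VSH) or, when even the freest VSH is above the user-set bandwidth limit, hands it to the virtual network functions for forensics. The Packet and MTDController names, the per-mutation bandwidth cost, the Mbit/s load figures and the traffic sample are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:  # fields the watch list stores, per Fig. 3 (constructed class)
    switch_id: str
    src_ip: str
    dst_ip: str
    protocol: str


@dataclass
class MTDController:
    max_usage: int            # maxUsage: views allowed before the flow is dropped
    bw_limit: int             # user-set VSH bandwidth limit (assumed Mbit/s)
    vsh_load: dict            # VSH name -> current bandwidth use (constructed)
    mutation_cost: int = 15   # assumed load a mutated flow adds to its VSH
    watch_list: dict = field(default_factory=lambda: defaultdict(int))
    route_db: dict = field(default_factory=dict)
    triggered_update: int = 0

    def handle(self, pkt: Packet) -> str:
        """Packet entry (Fig. 3): count views, drop above maxUsage, else select."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.protocol)
        self.watch_list[key] += 1
        if self.watch_list[key] > self.max_usage:
            return "drop"                       # seen too often: disconnect
        return self.select_strategy(pkt, key)

    def select_strategy(self, pkt: Packet, key) -> str:
        """Strategy selection: freest VSH decides mutation vs. forensics."""
        vsh = min(self.vsh_load, key=self.vsh_load.get)   # freest VSH
        if self.vsh_load[vsh] > self.bw_limit:
            return "vnf"     # over the limit: tricked network + forensics
        self.triggered_update += 1              # triggeredUpdate, then DB
        self.route_db[key] = {"switch": pkt.switch_id, "via": vsh,
                              "MTDStrategy": "route_mutation",
                              "triggeredUpdate": self.triggered_update}
        self.vsh_load[vsh] += self.mutation_cost
        return f"mutate:{vsh}"


def simulate():
    """Constructed traffic: one bot flow repeated, one normal flow."""
    ctl = MTDController(max_usage=3, bw_limit=50,
                        vsh_load={"vsh1": 20, "vsh2": 40})
    bot = Packet("s1", "10.0.0.9", "10.0.0.100", "tcp")
    normal = Packet("s1", "10.0.0.2", "10.0.0.100", "tcp")
    traffic = [bot] * 4 + [normal, bot, normal]
    return ctl, [ctl.handle(p) for p in traffic]
```

The bot flow is mutated three times, after which its fourth and fifth views are dropped; the normal flow is first mutated and then, once both VSHs have exceeded the limit, diverted to the forensic path instead.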