ChamaleoNet: Programmable Passive Probe for Enhanced Visibility on Erroneous Traffic

TL;DR

ChamaleoNet is a programmable SDN-based system that enhances network visibility by selectively capturing erroneous traffic, aiding in security and management without compromising privacy.

Contribution

It introduces a scalable, privacy-aware passive probing system that isolates erroneous packets using SDN, and integrates with deception techniques like honeypots.

Findings

Reduces traffic to the controller by 96% using in-hardware filtering.

Effectively detects misconfigured and infected hosts.

Provides enhanced visibility into external attacker scans.

Abstract

Traffic visibility remains a key component for management and security operations. Observing unsolicited and erroneous traffic, such as unanswered traffic or errors, is fundamental to detect misconfiguration, temporary failures or attacks. ChamaleoNet transforms any production network into a transparent monitor to let administrators collect unsolicited and erroneous traffic directed to hosts, whether offline or active, hosting a server or a client, protected by a firewall, or unused addresses. ChamaleoNet is programmed to ignore well-formed traffic and collect only erroneous packets, including those generated by misconfigured or infected internal hosts, and those sent by external actors which scan for services. Engineering such a system poses several challenges, from scalability to privacy. Leveraging the SDN paradigm, ChamaleoNet processes the traffic flowing through a campus/corporate network and focuses on erroneous packets only, lowering the pressure on the collection system while respecting privacy regulations by design. ChamaleoNet enables the seamless integration with active deceptive systems like honeypots that can impersonate unused hosts/ports/services and engage with senders. The SDN in-hardware filtering reduces the traffic to the controller by 96%, resulting in a scalable solution, which we offer as open source. Simple analytics unveil internal misconfigured and infected hosts, identify temporary failures, and enhance visibility on external radiation produced by attackers looking for vulnerable services.