Spotlight: Shining a Light on Pivot Attacks Using In-network Computing
DOI: 10.1145/3709373
Publication Date: 2025-03-06T17:15:54Z
AUTHORS (3)
ABSTRACT
Pivoting remains an economical and practical penetration method as it allows a malevolent actor to obtain access to a private network through compromised devices. There are various tools both on the web and native to many operating systems, making pivoting simple to execute, even with limited system access. Preventing these attacks is traditionally performed with detection software running on end hosts or with perimeter devices, e.g., firewalls. However, not all end-host devices are under administrator control, and attackers can work around defences by using SSH tunnels or obscuring their IP addresses. Rather than relying on middleboxes or end hosts, we leverage a programmable data plane for both its unique vantage point and its traffic-processing capabilities. Our system makes no assumptions about the underlying traffic and requires no cooperation from end hosts. We showcase Spotlight, a P4-based system that reliably intercepts pivoting attacks while raising only a small number of alarms. We develop a prototype system and demonstrate its effectiveness against various attacks on real-world traces.