Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense
Article type: Research Article
Authors: Phatak, Dhananjay | Sherman, Alan T.* | Joshi, Nikhil | Sonawane, Bhushan | Relan, Vivek G. | Dawalbhakta, Amol
Affiliations: Cyber Defense Lab, Department of CSEE, University of Maryland, Baltimore, MD, USA
Correspondence: [*] Corresponding author: Alan T. Sherman, Cyber Defense Lab, Department of CSEE, University of Maryland, Baltimore County (UMBC), 1000 Hilltop Circle, Baltimore, MD 21250, USA. E-mail: [email protected]
Abstract: We present and experimentally evaluate Spread Identity (SI) – a new dynamic network address remapping mechanism that provides anonymity and DDoS defense capabilities for Internet communications. For each session between a source and destination host, the trusted source gateway dynamically and randomly assigns an IP address for the source host from the pool of all routable IP addresses allocated to the source organization. Similarly, in response to a name resolution query from the source gateway, the trusted authoritative DNS server for the destination organization dynamically assigns an IP address for the destination host from the pool of all routable IP addresses allocated to the destination organization. These assignments depend upon the state of the server (including load, residual capacity, time of day) and policy. Different hosts can share the same IP address when communicating with distinct peers. Each gateway creates a NAT entry, valid for the communication session, based on the dynamic assignment by its organization. An eavesdropper listening to packets flowing through the Internet between the source and destination gateways learns only the source and destination domains; the eavesdropper cannot see the actual complete IP addresses of the source and destination hosts. In addition, SI enhances DDoS defense capabilities by enabling packet filtering based on destination addresses. With multiple IP addresses for the same destination, filtering based on destination addresses can block attackers without necessarily blocking legitimate users. Deploying SI requires changes to organizational gateways and, possibly, to the edge-routers that interface with organizational gateways; but network mechanisms farther upstream, including the core routers in the Internet, remain unchanged. Likewise, the installed base of operating systems running individual hosts in the internal network, together with the end-user application suites they support, remains untouched.
SI mechanisms are backward compatible, incrementally deployable, and robustly scalable. A naïve implementation of SI can increase the DNS traffic; however, when SI is implemented at both the source and the destination ends, it is possible for SI to reduce DNS traffic. Ns-2 simulations and experiments on the DeterLab test bed corroborate the main hypotheses and demonstrate advantages of the SI paradigm. Ns-2 simulations demonstrate that file transfer success rates for our SI DDoS protection mechanism are similar to those of filter- and capability-based approaches, with lower file transfer times than for filter-based approaches. DeterLab trials demonstrate that SI consumes similar resources (connection establishment time, network address translation table size, packet forwarding rate and memory) to those of a typical single NAT system, though with higher name resolution times.
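As an added illustration of the gateway behaviour the abstract describes (example code, not the authors' implementation): one SI gateway keeps a per-session NAT table keyed by (pool address, peer), so two internal hosts can share a pool address when their peers differ, and the destination side can filter one pool address handed to an attacker while a legitimate client on another pool address is still served. The least-loaded selection policy, the `SIGateway` class and all addresses are assumptions standing in for the paper's state- and policy-dependent assignment.

```python
# Added example, not the paper's code; addresses below are constructed sample values.
import ipaddress

class SIGateway:
    """Per-session SI address remapping over an organization's routable pool.
    nat maps (external, peer) -> internal host, so two internal hosts may share
    one external address as long as their peers differ."""
    def __init__(self, pool_cidr):
        self.pool = [str(a) for a in ipaddress.ip_network(pool_cidr).hosts()]
        self.nat = {}
        self.blocked = set()  # pool addresses currently filtered (DDoS defense)

    def open_session(self, internal_host, peer):
        """Assign a pool address for this (host, peer) session and install its NAT entry.
        Policy (an assumption standing in for the paper's state-dependent choice):
        least-loaded unblocked pool address, ties broken by lowest address."""
        def load(ext):
            return sum(1 for (e, _) in self.nat if e == ext)
        candidates = [a for a in self.pool if a not in self.blocked]
        if not candidates:
            raise RuntimeError("no unfiltered pool address left")
        ext = min(candidates, key=lambda a: (load(a), ipaddress.ip_address(a)))
        self.nat[(ext, peer)] = internal_host
        return ext

    def outbound(self, internal_host, peer):
        """Rewrite the source address of a packet from internal_host to peer."""
        for (ext, p), host in self.nat.items():
            if host == internal_host and p == peer:
                return {"src": ext, "dst": peer}
        return None  # no session yet: open_session() first

    def inbound(self, src, dst):
        """Reverse translation; None if dst is filtered or no session matches."""
        if dst in self.blocked:
            return None
        return self.nat.get((dst, src))

    def filter_destination(self, ext):
        """DDoS response: drop everything addressed to one pool address."""
        self.blocked.add(ext)

def ddos_demo():
    """Destination side: each client session gets its own pool address (constructed
    values); filtering the attacker's address leaves the legitimate client served."""
    gw = SIGateway("203.0.113.0/30")  # pool is .1 and .2
    legit = gw.open_session("10.0.0.5", "198.51.100.10")  # server <-> legit client
    attacker = gw.open_session("10.0.0.5", "192.0.2.66")  # same server <-> attacker
    gw.filter_destination(attacker)
    return gw.inbound("198.51.100.10", legit), gw.inbound("192.0.2.66", attacker)
```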
Keywords: Address-hopping, address pooling, anonymity, applied cryptography, Distributed Denial of Service (DDoS) attacks, Domain Name Server (DNS), Internet Protocol (IP), Network Address Translation (NAT), network security, spread identity, statistical address multiplexing
DOI: 10.3233/JCS-2012-0463
Journal: Journal of Computer Security, vol. 21, no. 2, pp. 233-281, 2013