6th European Conference - Academic Conferences
Stephen Groat et al.
Sections 4 and 5 analyze the different factors which affect the security of a dynamic address and how
these factors affect each other. Section 6 uses statistical simulation results to validate our security
analysis of dynamic addressing factors. In Section 7, we discuss specific security advantages offered
by dynamic addresses. Future work planned to demonstrate a dynamic addressing approach is
discussed in Section 8 and we conclude in Section 9.
2. Problem<br />
Static addresses are necessary to allow users to repeatedly find resources. Without providing a
notification of an address change, users must have a single, static identifier to locate resources. For
example, IP addresses, whether static or dynamic, are often connected with Domain Name System
(DNS) names. DNS names are updated with the current IP address to facilitate location of resources
on the Internet with an easily recognizable value. Without a static value connected to networked
resources, whether DNS names or IP addresses, users would be unable to find the resources. Even
Dynamic Host Configuration Protocol (DHCP) leased addresses, which are widely assumed to be
dynamic, rarely change.
While static addressing is critical to assist users in finding resources, static addresses allow malicious
users to easily locate targets for attack. For example, DNS names and IP addresses are publicly
available static addresses. These vectors allow attackers to easily conduct scans to locate target
hosts. Once a target is located, the attacker can focus on the target found and assume that the
target’s static identifier will not change. An attacker is able to make this assumption since identifier
changes would interrupt service for valid users. To ensure the reliability and security of service, critical
services must deploy some sort of moving target defense that changes static identifiers while allowing
continuity of service for trusted users.
3. Related work<br />
The need for an anonymous network address to maintain security and privacy has been explored.
Reiter and Rubin (1999) developed a scheme, called Crowds, to maintain IP address anonymity from
web sites. The protocol uses other computers surfing the web to funnel web requests through. The
effect is to create a crowd of users browsing web servers to hide web requests. Johnson et al. (2007)
identified the need to anonymize addresses and built a trust model into Tor networks called Nymble.
Nymble hides clients' IP addresses from servers. Shields et al. (2000) created another anonymity
protocol named Hordes. Hordes’ focus is on creating a secure system that does not decrease network
performance. All of these approaches focus on hiding the publicly available addresses by using
complex support networks. We analyze the vectors that static addresses create for tracking and attack
and recommend anonymizing the host address, which none of these three protocols addresses.
Koukis et al. (2006) use web site signatures and fingerprinting to determine host addresses in
anonymized IP logs. This method is ineffective for tracking dynamic hosts, further demonstrating the
potential security and privacy advantages of dynamic addresses.
A number of researchers have focused on the potential dangers resulting from network address
tracking in the Internet Protocol version 6 (IPv6). Dunlop et al. (2011) identified the dangers posed by
auto-configured addresses in IPv6 and presented a taxonomy of methods to obscure addresses.
Narten, Draves, and Krishnan (2007) also identified a privacy concern with IPv6 addresses and
proposed a potential solution called privacy extensions. Privacy extensions can create new addresses
for users each time they connect to a subnet. Bagnulo and Arkko (2006) also proposed a solution
aimed at protecting IPv6 addresses. Their approach, called Cryptographically Generated Addresses
(CGAs), uses a self-generated public key to obscure an address for each subnet. Neither privacy
extensions nor CGAs dynamically obscure addresses, and addresses remain the same until the user
terminates the session. Even though the addresses are obscured, they typically remain static long
enough for a malicious third party to gather information about the user.
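The tracking concern behind these proposals, as an added example that is not from the paper: a SLAAC interface identifier derived from the MAC (modified EUI-64, RFC 4291) is identical on every subnet, while a per-subnet random identifier does not link across subnets but still stays fixed for the session. The MAC, prefixes and helper names are constructed, and the random identifier is a stand-in for the privacy-extension generation procedure, which the page does not detail.

```python
import ipaddress
import secrets

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) built from a 48-bit MAC."""
    b = bytearray(int(part, 16) for part in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def temporary_iid() -> int:
    """Random 64-bit identifier (stand-in for a privacy-extension temporary IID)."""
    return secrets.randbits(64)

def address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def linkable(observed) -> bool:
    """True when addresses seen on several subnets share one interface identifier."""
    iids = {int(a) & (2**64 - 1) for a in observed}
    return len(observed) > 1 and len(iids) == 1

# Constructed sample data: documentation prefixes and a made-up MAC.
MAC = "00:1a:2b:3c:4d:5e"
SUBNETS = ["2001:db8:a::/64", "2001:db8:b::/64", "2001:db8:c::/64"]

def roam_eui64():
    return [address(p, eui64_iid(MAC)) for p in SUBNETS]

def roam_temporary():
    # One new identifier per subnet attachment, reused for the whole session there.
    return [address(p, temporary_iid()) for p in SUBNETS]

if __name__ == "__main__":
    for label, seen in (("EUI-64", roam_eui64()), ("temporary", roam_temporary())):
        print(label, "linkable across subnets:", linkable(seen))
        for a in seen:
            print("   ", a)
```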
While we have discovered no other academic work considering the security and privacy effects of
addressing, two patents attempt to utilize dynamic addressing for security. A technique by Sheymov
(2010) is designed with the goal of dynamic obscuration. Sheymov's objective behind dynamic
obscuration is to provide intrusion protection from certain classes of network attacks. While
Sheymov’s method uses dynamic addressing, it relies on an Intrusion Detection System to trigger
address changes. We analyze consistent dynamic address changes that require no additional
systems to support. Fink et al. (2006) also propose a technique for dynamically obscuring host
addresses called Adaptive Self-Synchronized Dynamic Address Translation (ASD). ASD uses