6th European Conference - Academic Conferences
6th European Conference - Academic Conferences
6th European Conference - Academic Conferences
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Stephen Groat et al.<br />
symmetric keys established through a handshake process between a trusted sender and receiver<br />
enclave. This technique adds additional overhead due to repetition of the handshake process. A<br />
dynamic addressing technique must minimize overhead to be feasible for implementation. We analyze<br />
the factors that contribute to creating an effective dynamic addressing technique with the goal of<br />
determining the most efficient approach.<br />
4. Analysis of dynamic address factors<br />
There are three factors that contribute to an attacker’s ability to detect a target host on a subnet. The<br />
first factor is the number of dynamic bits in the address, which affects the size of the subnet. In a<br />
small address space, it is trivial for an attacker to check each address. The second factor is how often<br />
a target host’s address changes. If the address remains static, an attacker has as much time as<br />
necessary to locate the host. The third factor is the density of the address space, or the number of<br />
other hosts on an IP subnet. If an attacker does not know the target host’s address on a subnet,<br />
multiple other addresses will make identifying the target more difficult.<br />
For the purpose of our analysis, we investigate an attacker actively scanning an IP subnet with<br />
unicast addresses to identify a single targeted host. There are other methods an attacker can use to<br />
detect target hosts on a network. One such technique is a broadcast ping, allowed by IPv4. Many<br />
gateway devices block broadcast pings. Another method is to passively scan a subnet with a packet<br />
sniffer. This method has scope limitations as the attacker must have a presence on the same subnet<br />
as the target host. A unicast scan is more likely since there are multiple methods of scans that avoid<br />
common security measures implemented on networks.<br />
4.1 Size of address<br />
The larger the address space, the more time it takes an attacker, on average, to locate the target<br />
address on an IP subnet. Table 1 illustrates this by comparing subnets of various sizes. In the table,<br />
we use the three most common Internet Protocol version 4 (IPv4) classful address blocks as<br />
examples. We also compare the typical subnet size used in IPv6. Scanning an entire class C address<br />
space is trivial and can be accomplished in less than a minute while scanning an entire IPv6 subnet is<br />
currently infeasible.<br />
Table 1: Comparison of addresses of various sizes, the scan time is based on a sequential scan with<br />
a 150 millisecond average round trip time for a single packet (GLORIAD 2010)<br />
Address Type Address Size (bits) Address Size (hosts) Scan Time<br />
IPv4 Class C Subnet 8 256 38 sec<br />
IPv4 Class B Subnet 16 65,536 3 hrs<br />
IPv4 Class A Subnet 24 16,777,200 29 days<br />
IPv6 Subnet 64 1.845·10 19<br />
8.77·10 10 yrs<br />
So far we have mentioned the time it takes an attacker to scan the various address types in Table 1,<br />
however, this is the time it takes an attacker to scan the entire address space. The expected amount<br />
of time to locate a host is much less due to a paradox known as the birthday attack (Schneier 1996).<br />
According to the birthday attack, an attacker can expect to locate a target host in attempts where<br />
m is the number of bits in the address. What this means is that an attacker can expect to locate a host<br />
on a class C subnet in 2.4 seconds, a class B subnet in 38 seconds, and a class A subnet in 10<br />
minutes. A host on an IPv6 subnet can still expect to escape detection for over 73,500 years. No IPv4<br />
host that is not defending against active scanning can have any expectation of remaining hidden for a<br />
reasonable amount of time.<br />
4.2 Frequency of address change<br />
The more frequently an address changes, the more difficult it is, on average, for an attacker to<br />
successfully locate and target a specific address. This is particularly true if the address changes more<br />
rapidly than an attacker can scan the subnet. As mentioned in Section 4.1, a larger address space<br />
takes longer to scan. It follows that addresses on a larger subnet need to change less frequently. To<br />
understand the relationship between changing and non-changing addresses, we analyze the number<br />
of attempts it takes an attacker to locate a static address on a subnet. Since the address is static, the<br />
probability of an attacker guessing the address increases with each subsequent guess. This<br />
86