Spread Identity: A new dynamic address remapping mechanism for anonymity and DDoS defense

We present and experimentally evaluate Spread Identity (SI)—a new dynamic network address remapping mechanism that provides anonymity and DDoS defense capabilities for Internet communications. For each session between a source and destination host, the trusted source gateway dynamically and randomly assigns an IP address for the source host from the pool of all routable IP addresses allocated to the source organization (by the IANA). Similarly, in response to a name resolution query from the source gateway, the trusted authoritative DNS server (i.e., the ADNS) for the destination organization dynamically assigns an IP address for the destination host from the pool of all routable IP addresses allocated to the destination organization. These assignments depend upon the state of the server (including load, residual capacity, time of day) and policy. Different hosts can share the same IP address when communicating with distinct peers. Each gateway creates a NAT entry, valid for the communication session, based on the dynamic assignment by its organization. An eavesdropper listening to packets flowing through the Internet between the source and destination gateways learns only the source and destination domains; the eavesdropper cannot see the actual complete IP addresses of the source and destination hosts. In addition, SI enhances DDoS defense capabilities by enabling packet filtering based on destination addresses. With multiple IP addresses for the same destination, filtering based on destination addresses can block attackers without necessarily blocking legitimate users. Deploying SI requires changes to organizational gateways and, possibly, to the edgerouters that interface with organizational gateways; but network mechanisms farther upstream, including the core routers in the Internet remain unchanged. Likewise, the installed base of operating systems running individual hosts in the internal network, together with the end-user application suites they support, remain untouched; thereby illustrating that the SI mechanisms are backward compatible, incrementally deployable, and robustly scalable. A naïve implementation of SI can increase the DNS traffic; however, when SI is implemented at both the source and the destination ends, it is possible for SI to reduce DNS traffic. Ns-2 simulations and experiments on the DeterLab test bed corroborate the main hypotheses and demonstrate advantages of the SI paradigm. Ns-2 simulations demonstrate that file transfer success rates for our SI DDoS protection mechanism are similar to those of filter-based and capability-based approaches, with lower file transfer times than those for filter-based approaches. DeterLab trials demonstrate that SI consumes similar resources (connection establishment time, network address translation table size, packet forwarding rate, and memory) to those of a typical single NAT system; but with higher name resolution times. 1 Sherman was supported in part by the Department of Defense under IASP Grants H98230-09-1-0404, H98230-10-1-0359, and H98230-11-1-0473.