EIP - Preventing DDoS with Ephemeral IP Identifiers Cryptographically Generated

Nowadays, denial of service (DoS) attacks represent a significant fraction of all attacks that take place in the Internet and their intensity is always growing. The main DoS attack methods consist of flooding their victims with bogus packets, queries or replies, so as to prevent them from fulfilling their roles. Preventing DoS attacks at network level would be simpler if end-to-end strong authentication in any packet exchange was mandatory. However, it is also likely that its mandatory adoption would introduce more harm than benefits. In this paper we present an end-point addressing scheme and a set of security procedures which satisfy most of network level DoS prevention requirements. Instead of being known by public stable IP addresses, hosts use ephemeral IP Identifiers cryptographically generated and bound to its usage context. Self-signed certificates and challenge-based protocols allow, without the need of any third parties, the implementation of defenses against DoS attacks. Communication in the open Internet while using these special IP addresses is supported by the so-called Map/Encap approaches, which in our point of view will be sooner or later required for the future Internet.

• Publication year

  2016

• Venue

  Unknown venue

• Publication date

  2016-12-21

• Fields of study

  Computer Science, Engineering

• Identifiers
  arXiv 1612.07065
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• TLS Client Puzzles Extension

  2016cited by this paper
• SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

  2015cited by this paper
• AmpPot: Monitoring and Defending Against Amplification DDoS Attacks

  2015cited by this paper
• Booters — An analysis of DDoS-as-a-service attacks

  2015cited by this paper
• and Technology

  2014cited by this paper
• Rate-limiting State

  2014influential reference
• Preventing DDoS attacks by identifier/locator separation

  2013cited by this paper
• A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks

  2013cited by this paper
• LISP-MN: Mobile Networking Through LISP

  2012cited by this paper
• Designing a Deployable Future Internet : the Locator / Identifier Separation Protocol ( LISP ) case

  2012cited by this paper
• Host Identity Protocol (HIP): Connectivity, Mobility, Multi-Homing, Security, and Privacy over IPv4 and IPv6 Networks

  2010influential reference
• Is it congestion or a DDoS attack?

  2009cited by this paper
• Portcullis: protecting connection setup from denial-of-capability attacks

  2007cited by this paper
• Weak Authentication: How to Authenticate Unknown Principals without Trusted Parties

  2002cited by this paper
• Rethinking The Design Of The Internet: The End-To-End Arguments Vs. The Brave New World

  2001influential reference
• Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing

  1998cited by this paper
• Akamai Technologies

  year unknowncited by this paper

• Lisp Mapping System as DoS Amplification Vector

  2021cites this paper