ABSTRACT
The immense address space available with the new 128-bit addressing scheme enables mechanisms like Moving Target Defense for IPv6 networks. Moving Target IPv6 Defense (MT6D) promises security by letting nodes hop to new addresses that are cryptographically computed between the involved nodes without disrupting ongoing conversations. After implementing MT6D as a testbed for a previous research project, we asked ourselves whether it is worth looking at the old addresses that MT6D nodes give up and purge in the process. We explored whether activity on these relinquished addresses holds any vital clues for verifying and reinforcing the security of MT6D networks. During the analysis, we realized the need for a method that ensures the resiliency of the scheme in addition to uncovering any attacks that are underway. In this paper, we discuss a novel solution that comprises learning the addresses being relinquished by MT6D nodes, acquiring these addresses, performing traffic enumeration on them, and visualizing the results. With this solution in place, we can become cognizant of a trailing attacker following an MT6D node along its address changes, and uncover any suspicious traffic hitting the MT6D nodes.
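The traffic-enumeration step described above can be illustrated with a short sketch. This is an added example, not code from the paper or the MT6D project: it separates a source that follows a node across consecutive relinquished addresses from one-off stray traffic. The data layout, the `min_hops` threshold, the verdict names and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv6Address

# Constructed sample data (documentation prefix 2001:db8::/32), not from the paper.
# Addresses one MT6D node has given up, in hop order: (address, time relinquished).
RELINQUISHED = [
    ("2001:db8:1::a1f3", 100),
    ("2001:db8:1::77c2", 110),
    ("2001:db8:1::0e9b", 120),
    ("2001:db8:1::c410", 130),
]
# Packets seen by a listener that acquired those addresses: (time, src, dst).
OBSERVED = [
    (103, "2001:db8:bad::5", "2001:db8:1::a1f3"),
    (112, "2001:db8:bad::5", "2001:db8:1::77c2"),
    (115, "2001:db8:99::8", "2001:db8:1::a1f3"),
    (124, "2001:db8:bad::5", "2001:db8:1::e9b"),   # same address as ::0e9b
    (90, "2001:db8:42::1", "2001:db8:1::c410"),    # node still owned it: ignored
]

def classify_sources(relinquished, observed, min_hops=3):
    """Return {src: "trailing" | "stray"} for traffic on relinquished addresses."""
    # Normalise textual forms so ::0e9b and ::e9b compare equal.
    hop_of = {IPv6Address(a): (i, t) for i, (a, t) in enumerate(relinquished)}
    first_seen = defaultdict(dict)  # src -> {hop index: first contact time}
    for ts, src, dst in sorted(observed):
        hop = hop_of.get(IPv6Address(dst))
        if hop is None or ts < hop[1]:
            continue  # not a relinquished address, or not yet relinquished
        first_seen[IPv6Address(src)].setdefault(hop[0], ts)
    verdicts = {}
    for src, hops in first_seen.items():
        ordered = sorted(hops)
        times = [hops[i] for i in ordered]
        run = best = 1  # longest run of consecutive hop indexes touched
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        # Trailing: contacts follow the hop order and span min_hops hops in a row.
        trailing = best >= min_hops and times == sorted(times)
        verdicts[str(src)] = "trailing" if trailing else "stray"
    return verdicts

if __name__ == "__main__":
    print(classify_sources(RELINQUISHED, OBSERVED))
```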
Index Terms
- Attention: moving target defense networks, how well are you moving?