Intrusion Response for Zero-day Multi-stage Attacks

Overview

Summary

Current large-scale Distributed Denial of Service (DDoS) mitigation techniques center around dropping traffic at the edge routers of a network. Traffic is dropped based on its source IP or destination IP. Blocking malicious traffic based on the source IP is ideal because the remaining legitimate traffic is still routed normally. However, if a large botnet is used or if the attacker can spoof IPs, source-based blocking becomes infeasible. If the malicious traffic cannot be blocked by the source IP, the edge routers may drop traffic based on the destination IP, saving the rest of the network but completing the denial of service. This research aims to present a mission-critical, protected service on multiple random IPv6 addresses. Using DNSCurve, the addresses remain secret and are disclosed only to authenticated clients. Each client or group of clients resolves the service to a unique, random IPv6 address. If a malicious attacker compromises a legitimate client or sniffs a legitimate client’s traffic and discovers the address of the protected service, a DDoS attack may be launched against the service. However, since each legitimate client or group of clients uses a unique IP to connect to the service, malicious traffic to that single IP may be dropped without denying service to the other legitimate clients. Existing clients can be used unmodified – only the IPv6 randomization needs to be added to the service host’s network.
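The mechanism described above, as an added example that is not part of the project's code: the service draws per-client addresses at random from a /64, the authenticated DNSCurve lookup is stood in for by a dictionary that answers only enrolled clients, and an edge-router view drops by destination so that blocking one abused address leaves every other client's address reachable. The prefix 2001:db8:1234:5678::/64, the client names and the reassign step for an affected legitimate client are assumptions made for the illustration.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field

# Constructed documentation prefix; a deployment would use the service host's own /64.
SERVICE_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def random_address(prefix: ipaddress.IPv6Network = SERVICE_PREFIX) -> ipaddress.IPv6Address:
    """Pick a uniformly random interface identifier inside the service's prefix."""
    host_bits = 128 - prefix.prefixlen
    offset = secrets.randbelow(1 << host_bits)
    return prefix[offset]  # network address plus random host part


@dataclass
class RandomizedService:
    # client (or client group) -> the private address disclosed only to that client
    assignments: dict = field(default_factory=dict)
    # destination addresses the edge routers are currently dropping
    blocked: set = field(default_factory=set)

    def enroll(self, client_id: str) -> ipaddress.IPv6Address:
        """Give a client a fresh address that no other client shares."""
        if client_id in self.assignments:
            return self.assignments[client_id]
        in_use = set(self.assignments.values())
        addr = random_address()
        while addr in in_use:  # 64-bit host space, so this loop practically never repeats
            addr = random_address()
        self.assignments[client_id] = addr
        return addr

    def resolve(self, client_id: str) -> ipaddress.IPv6Address:
        """Stand-in for the authenticated DNSCurve lookup: unknown clients get no answer."""
        if client_id not in self.assignments:
            raise PermissionError(f"{client_id} is not an authenticated client")
        return self.assignments[client_id]

    def is_reachable(self, dst: ipaddress.IPv6Address) -> bool:
        """Edge-router view: forward unless the destination is on the drop list."""
        return dst in SERVICE_PREFIX and dst not in self.blocked

    def block_destination(self, dst: ipaddress.IPv6Address) -> list:
        """Drop all traffic to one abused address; return the clients that lose it."""
        self.blocked.add(dst)
        return [c for c, a in self.assignments.items() if a == dst]

    def reassign(self, client_id: str) -> ipaddress.IPv6Address:
        """Assumed follow-up step: move an affected legitimate client to a new address."""
        self.assignments.pop(client_id, None)
        return self.enroll(client_id)


def simulate_compromise() -> dict:
    """Three clients, one of whose address leaks and is then flooded and blocked."""
    svc = RandomizedService()
    for client in ("alice", "bob", "carol"):
        svc.enroll(client)
    leaked = svc.resolve("alice")            # address learned from a compromised client
    lost = svc.block_destination(leaked)     # edge routers drop only that destination
    still_served = [c for c in svc.assignments if svc.is_reachable(svc.resolve(c))]
    return {"blocked": str(leaked), "lost_service": lost, "still_served": still_served}


if __name__ == "__main__":
    print(simulate_compromise())
```

The point of the simulation is the last line of `simulate_compromise`: after the drop, the clients that resolved the service to other addresses are unaffected, which is exactly what destination-based blocking cannot offer when every client shares one address.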

Students

  • Jevin Sweval, jevin AT purdue DOT edu
  • Gasper Modelo Howard, gmodeloh AT purdue DOT edu
Last modified: March 16, 2015