APPROVAL SHEET Title of Thesis: Spread Identity: A New Dynamic Address Remapping Mechanism for Anonymity and DDoS Defense Name of Candidate: Bhushan Ekanth Sonawane Master of Science, 2010 Thesis and Abstract Approved: ___________________ Dhananjay Phatak Associate Professor Department of Computer Science and Electrical Engineering ___________________ Alan T. Sherman Associate Professor Department of Computer Science and Electrical Engineering Date Approved: ________________ Curriculum Vitae Name: Bhushan Eknath Sonawane. Permanent Address: 1114, Courtney road, Baltimore, MD-21227. Degree and date to be conferred: MS in Computer Science, August 2010. Date of Birth: May 9, 1985. Place of Birth: Dhule, Maharashtra, India. Secondary education: Jai Hind Junior College, Dhule, Maharashtra. Collegiate institutions attended: University of Maryland Baltimore County, MS Computer Science, 2010. University of Pune, BE Computer Engineering, 2006. Major: Computer Science. Professional Publications: Alan T. Sherman, Dhananjay Phatak, Bhushan Sonawane, Vivek Relan, "Location Authentication through Power Line Communication: Design, Protocol, and Analysis of a New Out-of-Band Strategy" in Proceedings of the 14th IEEE International Symposium on Power Line Communications and its Applications, March 2010. Professional positions held: July 2006 — July 2008. Senior Member of Technical Staff, Airtight Networks, Pune. ABSTRACT Title of Thesis: Spread Identity: A New Dynamic Address Remapping Mechanism for Anonymity and DDoS Defense. Bhushan Eknath Sonawane, MS-Computer Science, 2010. Directed By: Dhananjay Phatak, Associate Professor, Department of Computer Science and Electrical Engineering. Alan T. Sherman, Associate Professor, Department of Computer Science and Electrical Engineering. We present and experimentally evaluate spread identity — a new dynamic network address remapping mechanism for Internet connections that provides anonymity and DDoS defense. For each session between a source and destination host, the trusted source gateway dynamically and randomly assigns an IP address for the source from the pool of all routable IP addresses within the source organization. Similarly, in response to a name resolution query from the source gateway, the trusted authoritative DNS server for the destination host dynamically and randomly assigns an IP address for the destination from the pool of all routable IP addresses within the destination organization. Moreover, different hosts can share the same IP address when communicating with distinct peers. Each gateway creates a NAT entry, valid for the communication session, based on the dynamic assignment by its organization. An eavesdropper listening to packets flowing through the Internet between the source and destination gateways learns only the source and destination domains; the eavesdropper cannot see the actual complete IP addresses of the source and destination hosts. In addition, spread identity enhances DDoS defense capabilities by facilitating filtering of packets based on destination address. Whereas a traditional IP source address can be spoofed, with spread identity the destination address cannot be spoofed. Therefore, using multiple IP addresses for the same destination enables simple and powerful DDoS protections that block attackers without necessarily blocking legitimate users. Our ns-2 simulations demonstrate that file transfer success rates for our spread identity DDoS protection mechanism are similar to those of filter- and capability-based approaches, with lower file transfer times than for filter-based approaches. Deploying spread identity requires changes to organizational gateways but not to Internet routers. Another cost is increased DNS traffic, but unlike overlay- based DDoS defense approaches, spread identity does not increase overall communication network latency. A partial form of spread identity implemented only at the destination facilitates destination-based filtering without providing sender anonymity. Spread Identity: A New Dynamic Address Remapping Mechanism for Anonymity and DDoS Defense. By Bhushan Eknath Sonawane Thesis submitted to the Faculty of the Graduate School of the University of Maryland, Baltimore County, in partial fulfillment of the requirements for the degree of MS Computer Science 2010 © Copyright by Bhushan Eknath Sonawane 2010 Dedicated to my family. ii Acknowledgements I would like to express my sincere gratitude to my advisor Dr. Dhananjay Phatak. I thank him for the constant support and guidance, and for his continued belief in me throughout this thesis work. I also want to thank my co-adviser, Dr. Alan T. Sherman, for all his valuable suggestions. During the course of my research, he has been a great source of inspiration, motivation, and support. I would like to thank Dr. Chintan Patel for graciously agreeing to be on my thesis committee. I want to thank Vivek Relan for all the help he has given me during this thesis work. Thanks to my parents for their never-ending endurance with me during the tough times. I am grateful to my friends Varish, Tejas, and Tushar for being supportive throughout my stay at UMBC. iii Table of Contents Acknowledgements ...................................................................................................... iii List of Figures .............................................................................................................. vi 1. INTRODUCTION .................................................................................................... 1 2. OVERVIEW OF SPREAD IDENTITY ................................................................... 5 3. SPREAD IDENTITY ARCHITECTURE .............................................................. 11 3.1 Components ...................................................................................................... 11 3.2 Assumptions ...................................................................................................... 12 3.3 Protocols ........................................................................................................... 12 3.4 Design and Performance Issues ........................................................................ 16 4. RELATED WORK ................................................................................................. 20 4.1 DDoS Defense .................................................................................................. 20 4.1.1 Overlay Approaches................................................................................... 20 4.1.2 Filter-Based Approaches ............................................................................ 22 4.1.3 Capability-Based Approaches .................................................................... 23 4.2 Anonymity ........................................................................................................ 24 4.3 Other Related Work .......................................................................................... 26 5. ADVANTAGES OF SPREAD IDENTITY ........................................................... 27 5.1 DDoS ................................................................................................................ 27 5.1.1 Threat Model and Assumptions ................................................................. 27 5.1.2 Bandwidth clogging attacks ....................................................................... 28 5.1.3 Attacks against the Spread Identity Architecture....................................... 29 5.1.4 Flash crowds .............................................................................................. 30 iv 5.2 Anonymity ........................................................................................................ 31 5.2.1 Threat model and Assumptions ................................................................. 31 5.2.2 Overview of anonymity using Spread Identity .......................................... 31 5.2.4 Security analysis of Spread Identity anonymity. ....................................... 33 5.3 Spread Identity implemented only at destination side (Fail-Safe mechanisms) 34 5.3.1 Anonymity ................................................................................................. 34 5.3.2 DDoS prevention ....................................................................................... 35 6. EXPERIMENTAL EVALUATION ....................................................................... 36 6.1 Purpose .............................................................................................................. 36 6.2 Method .............................................................................................................. 36 6.3 Results and Analysis ......................................................................................... 39 7. DISCUSSION ......................................................................................................... 42 7.1 DNS caching timeout and size of NAT table at destination spread identity gateways. ................................................................................................................. 42 7.2 Other type of strategic DDoS attack against Spread Identity architecture for the Internet. ................................................................................................................... 43 7.3 Open Problems .................................................................................................. 43 8. CONCLUSION ......................................................................................................