1st International ICST Conference on Security and Privacy for Emerging Areas in Communication Networks

Research Article

Spread-Identity mechanisms for DOS resilience and Security.

  • @INPROCEEDINGS{10.1109/SECURECOMM.2005.54,
        author={D.S. Phatak},
        title={Spread-Identity mechanisms for DOS resilience and Security.},
        proceedings={1st International ICST Conference on Security and Privacy for Emerging Areas in Communication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2006},
        month={3},
        keywords={},
        doi={10.1109/SECURECOMM.2005.54}
    }
    
  • D.S. Phatak
    Year: 2006
    Spread-Identity mechanisms for DOS resilience and Security.
    SECURECOMM
    IEEE
    DOI: 10.1109/SECURECOMM.2005.54
D.S. Phatak (1)
  • 1: University of Maryland Baltimore County (UMBC)

Abstract

The explosive growth in wireless (and wired) networking technologies and services indicates that multiple means of network connectivity will become available in the near future. For example, stationary and mobile hosts currently support Internet access via wired LANs, wireless LANs/PANs (e.g., 802.11x, 802.15) or wide-area wireless cellular phone and data networks (such as GSM). In essence, heterogeneous multi-homing is now a necessity for all hosts (mobile or non-mobile). In order to tap the full potential of such heterogeneous multi-homing, we introduce the novel "Spread Identity (SI)" communications paradigm. Therein, the concept of multi-homing is extended to allow each interface to simultaneously assume multiple addresses and to dynamically acquire and release them as needed, which is tantamount to "spreading identity" at the network (IP) level and has fundamental implications for security. In this paper we show how the Spread Identity mechanisms can effectively (1) mitigate DDoS attacks by rate-limiting the number of name-resolution responses; (2) quickly detect and neutralize resource-overload DDoS attacks that cannot be prevented by rate-limiting; (3) enable surviving the remaining types of DDoS attacks by quenching the destination addresses they target (in essence, by changing the identity); and (4) prevent future attack flows by returning NULL addresses and re-directing the attackers against one another. We demonstrate that Spread Identity mechanisms can also be leveraged to bolster the security of single source-to-destination flows. SI mechanisms can attain the same level of security as a single link with Strong Security Infrastructure (SSI) at a lower cost (in terms of both the infrastructure required and the encryption effort needed). The fundamental concept of spreading identity revealed herein is more general and potentially applicable to other scenarios beyond Internet/electronic communications.