Spread Identity: A Dynamic Identity Remapping Paradigm to Enable Moving Target [Def | Off]enses
Inspired by the success of spread-spectrum techniques at the physical layer, we have developed the Spread Identity (SI) paradigm for higher layers [1,2] and demonstrated its effectiveness on the Internet [3].
SI leverages the full potential of dynamic indirection via double NATing at trusted perimeter gateways, where all the externally routable IP addresses assigned to an organization are pooled and then dynamically assigned to incoming and outgoing flows, or parts thereof. The addresses can be changed in real time at any level of granularity: at one extreme, IP addresses can be statically bound to internal hosts as is done today; at the other extreme, each packet within a flow can be assigned different source and destination addresses from their respective pools. Static assignment of IP addresses to hosts makes them easy targets for DDoS attacks, probes and other abuses, and filtering on source addresses does not mitigate DDoS attacks or probes, since source addresses can be spoofed. SI deliberately spreads the identity of a potential victim across multiple IP addresses by dynamically returning different addresses from its pool in response to DNS queries, depending on state (e.g. the residual capacity of the victim, its load, or whether it is under attack). Suspected hosts are returned one small set of addresses, whereas legitimate traffic is mapped onto a different set. The victim, together with most of its legitimate traffic, can then be protected by filtering flows to the destination addresses doled out to the suspected hosts.
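The following is an added toy model of the mechanism the abstract describes, not code from the paper or its authors. It assumes a single internal host fronted by a pool of six documentation-prefix addresses (RFC 5737), a hypothetical operator-supplied `mark_suspect` state input standing in for the capacity/load/attack signals the paper mentions, and a one-address "sink" subset for suspected resolvers; the resolver and client addresses in `simulate` are constructed for the scenario.

```python
import ipaddress

# Constructed example: an organization's pool of externally routable addresses
# (RFC 5737 documentation prefix), all fronting one internal host via double NAT.
POOL = [str(ip) for ip in ipaddress.ip_network("203.0.113.0/29").hosts()]  # .1 to .6
INTERNAL_HOST = "10.0.0.5"


class SpreadIdentityGateway:
    """Toy model of an SI perimeter gateway: DNS-driven identity spreading plus
    destination-address filtering behind a double NAT (added example)."""

    def __init__(self, pool, internal_host, sink_size=1):
        # Split the pool into a small "sink" subset handed to suspected hosts
        # and the remaining addresses handed to hosts believed legitimate.
        self.sink_set = pool[:sink_size]
        self.legit_set = pool[sink_size:]
        # Double-NAT table: every external address maps to the same internal
        # host, so the victim's identity is spread across the whole pool.
        self.dnat = {ext: internal_host for ext in pool}
        self.suspects = set()          # resolver IPs flagged by the operator's state logic
        self.filtered = set()          # external addresses currently being dropped
        self._cursor = {"sink": 0, "legit": 0}  # per-subset round-robin positions

    def mark_suspect(self, resolver_ip):
        # Hypothetical state input (reputation, query rate, residual capacity...).
        self.suspects.add(resolver_ip)

    def _next(self, name, subset):
        # Hand out a different address from the subset on every query.
        addr = subset[self._cursor[name] % len(subset)]
        self._cursor[name] += 1
        return addr

    def dns_answer(self, resolver_ip):
        # Suspected resolvers learn only sink addresses; others learn legit ones.
        if resolver_ip in self.suspects:
            return self._next("sink", self.sink_set)
        return self._next("legit", self.legit_set)

    def under_attack(self):
        # Start filtering flows to the addresses doled out to suspects; the
        # internal host keeps serving legitimate traffic on the other addresses.
        self.filtered |= set(self.sink_set)

    def recover(self):
        self.filtered.clear()

    def forward(self, dst_ip):
        # Inbound decision keyed on the destination address, which the gateway
        # controls, rather than on the spoofable source. Returns the internal
        # host the packet is translated to, or None if it is dropped.
        if dst_ip in self.filtered:
            return None
        return self.dnat.get(dst_ip)


def simulate():
    """Constructed scenario: one legit client, one flagged attacker, then an attack."""
    gw = SpreadIdentityGateway(POOL, INTERNAL_HOST)
    gw.mark_suspect("192.0.2.99")                      # constructed attacker resolver
    legit_seen = {gw.dns_answer("198.51.100.10") for _ in range(10)}
    attack_seen = {gw.dns_answer("192.0.2.99") for _ in range(10)}
    gw.under_attack()
    # Packets toward each learned address; their (spoofable) sources are irrelevant.
    legit_delivered = sum(gw.forward(a) == INTERNAL_HOST for a in legit_seen)
    attack_delivered = sum(gw.forward(a) == INTERNAL_HOST for a in attack_seen)
    return {
        "legit_addrs": sorted(legit_seen),
        "attack_addrs": sorted(attack_seen),
        "legit_delivered": legit_delivered,
        "attack_delivered": attack_delivered,
    }


if __name__ == "__main__":
    print(simulate())
```

The design point is that the filter key is the destination address, an identifier the defender chose and handed out, so the attacker's ability to spoof sources buys nothing; the cost is that any legitimate client that happened to be classified as suspect loses service along with the attacker, which is why the sink subset is kept small relative to the pool.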