Chhoyhopper: A Moving Target Defense with IPv6. Rizvi, A. & Heidemann, J. Poster abstract and poster at Annual Computer Security Applications Conference, December, 2021.

Services on the public Internet are frequently scanned, then subject to brute-force and denial-of-service attacks. We would like to run such services stealthily, available to friends but hidden from adversaries. In this work, we propose a moving target defense named "Chhoyhopper" that utilizes the vast IPv6 address space to conceal publicly available services. The client and server hop to different IPv6 addresses in a pattern based on a shared, pre-distributed secret and the time of day. By hopping over a /64 prefix, services cannot be found by active scanners, and passively observed information is useless after two minutes. We demonstrate our system with the two important applications—SSH and HTTPS.

@Misc{Rizvi21a,
author = "{ASM} Rizvi and John Heidemann",
title = "Chhoyhopper: A Moving Target Defense with {IPv6}",
howpublished = "Poster abstract and poster at " # " Annual Computer Security Applications Conference",
month = dec,
year = 2021,
sortdate = "2021-12-07",
project = "ant, sabres",
jsubject = "network_security",
jlocation = "johnh: pafile",
keywords = "moving target, chhoyhopper, ipv6, ssh",
blogurl = "https://ant.isi.edu/blog/?p=1819",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi21a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi21a.pdf",
otherpdfurl = "https://ant.isi.edu/~rizvi/acsac-2021/chhoyhopper-abstract-and-poster.pdf",
abstract = "Services on the public Internet are frequently scanned, then subject
to brute-force and denial-of-service attacks. We would like to run
such services stealthily, available to friends but hidden from adversaries. In this work, we propose a moving target defense named
``Chhoyhopper'' that utilizes the vast IPv6 address space to conceal
publicly available services. The client and server hop to different
IPv6 addresses in a pattern based on a shared, pre-distributed secret
and the time of day. By hopping over a /64 prefix, services cannot
be found by active scanners, and passively observed information
is useless after two minutes. We demonstrate our system with the
two important applications—SSH and HTTPS.",
}