Chhoyhopper: A Moving Target Defense with IPv6. Rizvi, A. & Heidemann, J. Poster abstract and poster at Annual Computer Security Applications Conference, December, 2021.
Services on the public Internet are frequently scanned, then subject to brute-force and denial-of-service attacks. We would like to run such services stealthily, available to friends but hidden from adversaries. In this work, we propose a moving target defense named "Chhoyhopper" that utilizes the vast IPv6 address space to conceal publicly available services. The client and server hop to different IPv6 addresses in a pattern based on a shared, pre-distributed secret and the time of day. By hopping over a /64 prefix, services cannot be found by active scanners, and passively observed information is useless after two minutes. We demonstrate our system with the two important applications—SSH and HTTPS.
@Misc{Rizvi21a,
        author =     "{ASM} Rizvi and John Heidemann",
        title =      "Chhoyhopper: A Moving Target Defense with {IPv6}",
        howpublished = "Poster abstract and poster at " # " Annual Computer Security Applications Conference",
        month =      dec,
        year =       2021,
	sortdate = 		"2021-12-07", 
	project = "ant, sabres",
	jsubject = "network_security",
        jlocation =   "johnh: pafile",
        keywords =   "moving target, chhoyhopper, ipv6, ssh",
	blogurl = "https://ant.isi.edu/blog/?p=1819",
	url =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi21a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi21a.pdf",
	otherpdfurl = "https://ant.isi.edu/~rizvi/acsac-2021/chhoyhopper-abstract-and-poster.pdf",
	abstract = "Services on the public Internet are frequently scanned, then subject
to brute-force and denial-of-service attacks. We would like to run
such services stealthily, available to friends but hidden from adversaries. In this work, we propose a moving target defense named
``Chhoyhopper'' that utilizes the vast IPv6 address space to conceal
publicly available services. The client and server hop to different
IPv6 addresses in a pattern based on a shared, pre-distributed secret
and the time of day. By hopping over a /64 prefix, services cannot
be found by active scanners, and passively observed information
is useless after two minutes. We demonstrate our system with the
two important applications—SSH and HTTPS.",
}
