Chhoyhopper: A Moving Target Defense with IPv6. Rizvi, A. & Heidemann, J. In Proceedings of the IEEE Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), pages to appear, San Diego, California, USA, April, 2022. IEEE.
Chhoyhopper: A Moving Target Defense with IPv6 [link]Paper  doi  abstract   bibtex   
Services on the public Internet are frequently scanned, then subject to brute-force password attempts and Denial-of-Service (DoS) attacks. We would like to run such services stealthily, where they are available to friends but hidden from adversaries. In this work, we propose a discovery-resistant moving target defense named ``Chhoyhopper'' that utilizes the vast IPv6 address space to conceal publicly available services. The client meets the server at an IPv6 address that changes in a pattern based on a shared, pre-distributed secret and the time of day. By hopping over a /64 prefix, services cannot be found by active scanners, and passively observed information is useless after two minutes. We demonstrate our system with the two important applications—SSH and HTTPS, and make our system publicly available.
@InProceedings{Rizvi22b,
        author =        "{A S M} Rizvi and John Heidemann",
        title =         "Chhoyhopper: A Moving Target Defense with {IPv6}",
        booktitle =     "Proceedings of the " # "{IEEE} Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb)",
        year =          2022,
	sortdate = 		"2022-04-24", 
	project = "ant, ddidd, paaddos, sabres",
	jsubject = "network_security",
        pages =      "to appear",
        month =      apr,
        address =    "San Diego, California, USA",
        publisher =  "IEEE",
        jlocation =   "johnh: pafile",
        keywords =   "chhoyhopper, moving target defense, ipv6, https, tls, ssh",
        doi =        "https://dx.doi.org/10.14722/madweb.2022.23004",
	blogurl = "https://ant.isi.edu/blog/?p=1845",
	url =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi22b.pdf",
	abstract = "Services on the public Internet are frequently scanned, then subject
to brute-force password attempts and Denial-of-Service (DoS) attacks.
We would like to run such services stealthily, where they are
available to friends but hidden from adversaries.  In this work, we
propose a discovery-resistant moving target defense named
``Chhoyhopper'' that utilizes the vast IPv6 address space to conceal
publicly available services.  The client meets the server at an IPv6
address that changes in a pattern based on a shared, pre-distributed
secret and the time of day.  By hopping over a /64 prefix, services
cannot be found by active scanners, and passively observed information
is useless after two minutes.  We demonstrate our system with the two
important applications---SSH and HTTPS, and make our system publicly
available.",
}

Downloads: 0