
Spread identity: A new dynamic address remapping mechanism for anonymity and DDoS defense

Posted on: 2011-07-16
Degree: M.S
Type: Thesis
University: University of Maryland, Baltimore County
Candidate: Sonawane, Bhushan Eknath
Full Text: PDF
GTID: 2448390002966352
Subject: Computer Science
Abstract/Summary:
We present and experimentally evaluate spread identity---a new dynamic network address remapping mechanism for Internet connections that provides anonymity and DDoS defense. For each session between a source and destination host, the trusted source gateway dynamically and randomly assigns an IP address for the source from the pool of all routable IP addresses within the source organization. Similarly, in response to a name resolution query from the source gateway, the trusted authoritative DNS server for the destination host dynamically and randomly assigns an IP address for the destination from the pool of all routable IP addresses within the destination organization. Moreover, different hosts can share the same IP address when communicating with distinct peers. Each gateway creates a NAT entry, valid for the communication session, based on the dynamic assignment by its organization. An eavesdropper listening to packets flowing through the Internet between the source and destination gateways learns only the source and destination domains; the eavesdropper cannot see the actual complete IP addresses of the source and destination hosts. In addition, spread identity enhances DDoS defense capabilities by facilitating filtering of packets based on destination address. Whereas a traditional IP source address can be spoofed, with spread identity the destination address cannot be spoofed. Therefore, using multiple IP addresses for the same destination enables simple and powerful DDoS protections that block attackers without necessarily blocking legitimate users. Our ns-2 simulations demonstrate that file transfer success rates for our spread identity DDoS protection mechanism are similar to those of filter- and capability-based approaches, with lower file transfer times than for filter-based approaches. Deploying spread identity requires changes to organizational gateways but not to Internet routers. Another cost is increased DNS traffic, but unlike overlay-based DDoS defense approaches, spread identity does not increase overall communication network latency. A partial form of spread identity implemented only at the destination facilitates destination-based filtering without providing sender anonymity.
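The mechanism the abstract describes, as an added toy model written for this page (it is not the thesis's ns-2 code): each gateway holds a pool of routable addresses and a per-session NAT table keyed by (external address, peer address), the destination's authoritative DNS hands out a fresh random destination address per query, a passive observer between the gateways learns only which organization each address belongs to, and the destination gateway filters on the destination address being flooded while other sessions to the same host continue. The prefixes 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24, the hostnames, the internal addresses, and the simplification that the DNS server installs the NAT entry directly at its own gateway are all assumptions made for the example.

```python
"""Constructed toy model of spread identity (not the thesis's code)."""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # addresses as seen on the inter-gateway Internet path
    dst: str


class SpreadIdentityGateway:
    """Trusted organizational gateway: owns the pool of routable addresses
    and a per-session NAT table keyed by (external address, peer address)."""

    def __init__(self, routable_prefix, rng):
        self.network = ipaddress.ip_network(routable_prefix)
        self.pool = [str(ip) for ip in self.network.hosts()]
        self.rng = rng
        self.nat = {}         # (external, peer) -> internal host address
        self.blocked = set()  # external addresses currently filtered

    def pick(self, peer=None):
        """Random routable address for a new session. Unused addresses are
        preferred; once all are busy, an address already serving another
        host is reused, because the peer address disambiguates the session."""
        in_use = {ext for ext, _ in self.nat}
        candidates = [ip for ip in self.pool if ip not in in_use]
        if not candidates:
            candidates = [ip for ip in self.pool if (ip, peer) not in self.nat]
        return self.rng.choice(candidates)

    def bind(self, external, peer, internal):
        self.nat[(external, peer)] = internal   # NAT entry valid for the session

    def assign(self, internal, peer):
        external = self.pick(peer)
        self.bind(external, peer, internal)
        return external

    def block_destination(self, external):
        """Filter on the destination address under attack: a sender cannot
        spoof the address its packets are delivered to."""
        self.blocked.add(external)

    def deliver(self, pkt):
        """Inbound: drop filtered destinations, otherwise translate to the
        internal host bound to this (destination, source) pair."""
        if pkt.dst in self.blocked:
            return None
        return self.nat.get((pkt.dst, pkt.src))


class SpreadIdentityDNS:
    """Authoritative DNS of the destination org: every answer is a random
    routable address, bound at the destination gateway to the querier."""

    def __init__(self, gateway, zone):
        self.gateway, self.zone = gateway, zone   # zone: name -> internal host

    def resolve(self, name, querier_external):
        return self.gateway.assign(self.zone[name], querier_external)


def open_session(src_gw, src_internal, dns, name):
    """Source gateway picks the source's session address, the destination's
    DNS binds a destination address to it, then the source side binds too."""
    src_ext = src_gw.pick()
    dst_ext = dns.resolve(name, src_ext)
    src_gw.bind(src_ext, dst_ext, src_internal)
    return src_ext, dst_ext


def eavesdropper_view(pkt, orgs):
    """What a passive observer between the gateways learns: only the
    organization (domain) owning each address, never the internal host."""
    def owner(addr):
        return next((d for d, net in orgs.items()
                     if ipaddress.ip_address(addr) in net), "unknown")
    return owner(pkt.src), owner(pkt.dst)


def simulate(seed=7):
    """Legitimate session plus a flood aimed at a separately resolved
    destination address; filtering that address leaves the session intact."""
    rng = random.Random(seed)
    src_gw = SpreadIdentityGateway("198.51.100.0/24", rng)   # assumed source org
    dst_gw = SpreadIdentityGateway("203.0.113.0/24", rng)    # assumed destination org
    dns = SpreadIdentityDNS(dst_gw, {"www.example.test": "192.168.1.10"})
    orgs = {"source.test": src_gw.network, "example.test": dst_gw.network}
    legit_src, legit_dst = open_session(src_gw, "10.0.0.5", dns, "www.example.test")
    # Assumed attacker host 192.0.2.13 resolves the same name on its own and
    # receives a different destination address; only that address is filtered.
    attack_dst = dns.resolve("www.example.test", "192.0.2.13")
    dst_gw.block_destination(attack_dst)
    return {
        "eavesdropper": eavesdropper_view(Packet(legit_src, legit_dst), orgs),
        "legit_delivered": dst_gw.deliver(Packet(legit_src, legit_dst)),
        "reply_delivered": src_gw.deliver(Packet(legit_dst, legit_src)),
        "attack_delivered": dst_gw.deliver(Packet("192.0.2.13", attack_dst)),
        "legit_dst": legit_dst, "attack_dst": attack_dst,
    }


def sharing_demo():
    """Three hosts behind a /30 (two routable addresses) talking to three
    distinct peers: one external address is shared, and the NAT table still
    delivers each inbound packet to the right host via the peer address."""
    gw = SpreadIdentityGateway("192.0.2.0/30", random.Random(1))
    ext = [gw.assign(f"10.0.0.{i}", peer=f"203.0.113.{i}") for i in (1, 2, 3)]
    delivered = [gw.deliver(Packet(f"203.0.113.{i}", ext[i - 1])) for i in (1, 2, 3)]
    return ext, delivered


if __name__ == "__main__":
    print(simulate())
    print(sharing_demo())
```

Because the filter key is the destination address that the DNS server handed to the flooding client, the gateway drops the flood without touching the legitimate session, whose destination address was issued separately; the same structure also shows the partial, destination-only deployment the abstract mentions, since `eavesdropper_view` would still name the source host if the source gateway did not remap.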
Keywords/Search Tags:Spread identity, Address, Anonymity, New dynamic, Ddos defense, Destination, Routable IP, Source