EIP - Preventing DDoS with Ephemeral IP Identifiers Cryptographically Generated
Ricardo Paula Martins, José Legatheaux Martins, Henrique João, Domingos

TL;DR
This paper proposes a novel endpoint addressing scheme using cryptographically generated ephemeral IP identifiers to prevent DDoS attacks, enhancing security without relying on third-party authorities.
Contribution
It introduces a new cryptographic IP identifier scheme and security procedures that enable DDoS prevention without mandatory end-to-end authentication or third-party trust.
Findings
Hosts use ephemeral, cryptographically generated IPs
Self-signed certificates enable attack defenses
Map/Encap approaches support open Internet communication
Abstract
Nowadays, denial of service (DoS) attacks represent a significant fraction of all attacks that take place on the Internet, and their intensity is always growing. The main DoS attack methods consist of flooding their victims with bogus packets, queries or replies, so as to prevent them from fulfilling their roles. Preventing DoS attacks at network level would be simpler if end-to-end strong authentication in any packet exchange was mandatory. However, it is also likely that its mandatory adoption would introduce more harm than benefits. In this paper we present an end-point addressing scheme and a set of security procedures which satisfy most network-level DoS prevention requirements. Instead of being known by public stable IP addresses, hosts use ephemeral IP Identifiers cryptographically generated and bound to their usage context. Self-signed certificates and challenge-based protocols…
Taxonomy
Topics: Network Security and Intrusion Detection · IPv6, Mobility, Handover, Networks, Security · Internet Traffic Analysis and Secure E-voting
