Stephen Groat
Virginia Tech
Publication
Featured research published by Stephen Groat.
military communications conference | 2011
Matthew Dunlop; Stephen Groat; William Urbanski; Randy C. Marchany; Joseph G. Tront
The Internet Protocol version 6 (IPv6) brings with it a seemingly endless supply of network addresses. It does not, however, solve many of the vulnerabilities that existed in Internet Protocol version 4 (IPv4). In fact, privacy-related crimes in IPv6 are made easier due to the way IPv6 addresses are formed. We developed a Moving Target IPv6 Defense (MT6D) that leverages the immense address space of IPv6. The two goals of MT6D are maintaining user privacy and protecting against targeted network attacks. These goals are achieved by repeatedly rotating the addresses of both the sender and receiver. Address rotation occurs, regardless of the state of ongoing sessions, to prevent an attacker from discovering the identities of the two communicating hosts. Rotating addresses mid-session prevents an attacker from even determining that the same two hosts are communicating. The continuously changing addresses also force an attacker to repeatedly reacquire the target node before he or she can launch a successful network attack. Our proof of concept demonstrates the feasibility of MT6D and its ability to seamlessly bind new IPv6 addresses. We also demonstrate MT6D's ability to rotate addresses mid-session without dropping or renegotiating sessions. Since MT6D operates at the network layer of the protocol stack, it provides a powerful moving target solution that is both platform and application independent.
international conference on internet monitoring and protection | 2010
Matthew Dunlop; Stephen Groat; David Shelly
Phishing attacks continue to plague users as attackers develop new ways to fool users into submitting personal information to fraudulent sites. Many schemes claim to protect against phishing sites. Unfortunately, most do not protect against zero-day phishing sites. Those schemes that do allege to provide zero-day protection often incorrectly label both phishing and legitimate sites. We propose a scheme that protects against zero-day phishing attacks with high accuracy. Our approach captures an image of a page, uses optical character recognition to convert the image to text, then leverages the Google PageRank algorithm to help render a decision on the validity of the site. After testing our tool on 100 legitimate sites and 100 phishing sites, we accurately reported 100% of legitimate sites and 98% of phishing sites.
ieee pes innovative smart grid technologies conference | 2012
Stephen Groat; Matthew Dunlop; William Urbanski; Randy C. Marchany; Joseph G. Tront
As advanced Internet Protocol (IP)-based communication systems are proposed for the Smart Grid, security solutions must be developed which address not only the security of the communications, but also the security of the communicating systems. To support the large number of hosts required for the Smart Grid on an IP network, the new Internet Protocol version 6 (IPv6) must be leveraged. Unfortunately, IPv6 inherits the majority of Internet Protocol version 4 (IPv4) vulnerabilities as well as adds new address-based exploits. The embedded systems necessary for Smart Grid deployments using IP communications will be especially vulnerable to attacks due to their limited system resources. A moving target defense not only secures the communications between peers, but also prevents the peers from being located for attack. Implementing security at the network layer mitigates most IP-specific exploits and allows for solutions to be integrated with minimal impact to existing Smart Grid systems, thus reducing costs and increasing reliability. By using a network layer moving target defense, hosts cannot be located for exploitation and secure connectivity is maintained with trusted peers. A robust Smart Grid network must be capable of proactive defense so that components are not consumed with defending incoming attacks. A solution which implements a proactive network layer defense called the Moving Target IPv6 Defense (MT6D) is offered as a potential solution for secure Smart Grid communications.
cyber security and information intelligence research workshop | 2010
Stephen Groat; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront
Current implementations of the Internet Protocol version 6 (IPv6) use a static value determined from the Media Access Control (MAC) address as the host portion, or interface identifier (IID), of the IPv6 address. Some implementations create the IID using the MAC unobscured, while others compute a one-time hash value involving the MAC. As a result of this deterministic address assignment, the IID of the address is the same, regardless of the network the node accesses. This IID assignment provides interested parties (whether malicious or not) with the ability to easily track a node's physical location using simple tools such as ping and traceroute. Additionally, a static IID provides a means to correlate network traffic with a specific user. This is accomplished through a combination of filtering of the static IID and traffic analysis. The serious breaches in privacy caused by a static IID should be addressed before deployment of IPv6 becomes widespread.
architectures for networking and communications systems | 2013
Owen Hardman; Stephen Groat; Randy C. Marchany; Joseph G. Tront
Complex defenses, such as moving target defenses, exist to help protect against threats. While these new forms of defense offer increased security, they are resource intensive and cannot be run on many new classes of network connected mobile systems. To provide security for these systems, a highly efficient defense must be used. Moving Target Defense for IPv6 (MT6D) is a network layer moving target defense that was originally designed using Python for portability to a variety of system architectures. Optimizing a moving target defense (MTD) for a specific system architecture increases performance to allow for these new defenses to be deployed in resource constrained environments. By transitioning from Python to C, and by using system specific networking features, MT6D can be successfully deployed to resource constrained network systems.
hawaii international conference on system sciences | 2011
Stephen Groat; Matthew Dunlop; Randy C. Marchany; Joseph G. Tront
Due to a large address space, Internet Protocol version 6 (IPv6) uses stateless address autoconfiguration to assign network addresses to hosts. This unmanaged technique creates a static value derived from the Media Access Control (MAC) address of a network interface as the host portion, or interface identifier (IID). Static IID assignment provides third parties (whether malicious or not) with the ability to track a node's physical location, correlate network traffic with a specific user, and collect details about a node's operating system. Using our live production IPv6 network, we demonstrate not only the feasibility of IID monitoring, but also the ease with which an attacker can accomplish it. We then highlight some possible nefarious applications where IPv6 address tracking and analysis could assist the cyber criminal. In order to prevent this privacy breach, we offer solutions that disassociate the IPv6 address from its user.
cyber security and information intelligence research workshop | 2013
Reese Moore; Stephen Groat; Randy C. Marchany; Joseph G. Tront
As systems and networks begin to transition to the Internet Protocol version 6 (IPv6), the immense address space available in the new protocol allows for devices to maintain multiple addresses and to change addresses frequently. These new capabilities encourage network layer moving target defenses in IPv6. Yet, common transport layer protocols, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), create sockets that are bound to a single IP address and that require significant amounts of system and network overhead per session, discouraging their use for communication over multiple addresses. Stream Control Transmission Protocol (SCTP) is a transport layer protocol that allows for network sockets to use multiple IP addresses, referred to as multihoming. SCTP was tested with the Moving Target Defense for IPv6 (MT6D), a network layer moving target defense that was originally designed using UDP to dynamically change IPv6 addresses while maintaining sessions. By switching from UDP to SCTP, MT6D will improve performance and show the capability of multi-homed transport layer protocols, such as SCTP, in moving target defenses.
2013 1st International Workshop on the Engineering of Mobile-Enabled Systems (MOBS) | 2013
Stephen Groat; Reese Moore; Randy C. Marchany; Joseph G. Tront
As computing becomes mobile and systems enable connectivity through mobile applications, the characteristics of the network communication of these systems change due to the instability of mobile nodes on networks. Mobile devices logically move by changing addresses throughout the course of their communication in the system. These mobile nodes acquire characteristics of a moving target defense, in which nodes change addresses to avoid detection and attack. Yet, as mobile nodes change addresses, the critical points in the system that applications are set to communicate with, such as servers, cloud services, and peer registration servers, remain static and become easily identifiable. Mobile-enabled systems are beginning to model heterogeneous moving target networks, in which some nodes move while others remain static. Heterogeneous moving target networks expose relationships and dependencies between nodes, helping an attacker easily identify the static, critical nodes within a mobile-enabled system. Homogeneous moving target networks, in which all nodes change addresses, mask the critical points within the system, blending the mobile nodes with the critical, static nodes, and provide additional security for the static nodes. By applying a moving target defense to all nodes within a mobile-enabled system, the critical points can be masked and additional security can be provided.
ieee symposium on security and privacy | 2012
Matthew Dunlop; Stephen Groat; William Urbanski; Randy C. Marchany; Joseph G. Tront
Archive | 2011
Stephen Groat; Matthew Dunlop; William Urbanski; Randolph Marchany; Joseph G. Tront