EIP - Preventing DDoS with Ephemeral IP Identifiers Cryptographically Generated
This addresses the growing issue of DDoS attacks for internet users and networks, offering a novel approach that could enhance security without mandatory strong authentication, though it appears incremental as it builds on existing Map/Encap methods.
The paper tackles the problem of preventing network-level DDoS attacks by proposing an endpoint addressing scheme using ephemeral IP identifiers that are cryptographically generated and context-bound, enabling defenses without third parties through self-signed certificates and challenge-based protocols.
Nowadays, denial of service (DoS) attacks represent a significant fraction of all attacks that take place in the Internet and their intensity is always growing. The main DoS attack methods consist of flooding their victims with bogus packets, queries or replies, so as to prevent them from fulfilling their roles. Preventing DoS attacks at network level would be simpler if end-to-end strong authentication in any packet exchange was mandatory. However, it is also likely that its mandatory adoption would introduce more harm than benefits. In this paper we present an end-point addressing scheme and a set of security procedures which satisfy most of network level DoS prevention requirements. Instead of being known by public stable IP addresses, hosts use ephemeral IP Identifiers cryptographically generated and bound to its usage context. Self-signed certificates and challenge-based protocols allow, without the need of any third parties, the implementation of defenses against DoS attacks. Communication in the open Internet while using these special IP addresses is supported by the so-called Map/Encap approaches, which in our point of view will be sooner or later required for the future Internet.