Chhoyhopper: A Moving Target Defense with IPv6
This addresses security for service operators on the public Internet by hiding services from adversaries, though it is incremental as it builds on existing moving target defense concepts with IPv6.
The paper tackles the problem of protecting public Internet services from scanning and attacks by proposing Chhoyhopper, a moving target defense that uses IPv6 address hopping based on shared secrets and time-of-day, making services undetectable to active scanners and rendering passive information useless after two minutes.
Services on the public Internet are frequently scanned, then subject to brute-force and denial-of-service attacks. We would like to run such services stealthily, available to friends but hidden from adversaries. In this work, we propose a moving target defense named "Chhoyhopper" that utilizes the vast IPv6 address space to conceal publicly available services. The client and server to hop to different IPv6 addresses in a pattern based on a shared, pre-distributed secret and the time-of-day. By hopping over a /64 prefix, services cannot be found by active scanners, and passively observed information is useless after two minutes. We demonstrate our system with SSH, and show that it can be extended to other applications.