
Addressless: A new internet server model to prevent network scanning

Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible; however, with recent advances in IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model n...


Bibliographic Details
Main authors: Hao, Shanshan, Liu, Renjie, Weng, Zhe, Chang, Deliang, Bao, Congxiao, Li, Xing
Format: Online Article Text
Language: English
Published: Public Library of Science 2021
Subjects:
Online access: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7853473/
https://www.ncbi.nlm.nih.gov/pubmed/33529188
http://dx.doi.org/10.1371/journal.pone.0246293
_version_ 1783645968255680512
author Hao, Shanshan
Liu, Renjie
Weng, Zhe
Chang, Deliang
Bao, Congxiao
Li, Xing
author_facet Hao, Shanshan
Liu, Renjie
Weng, Zhe
Chang, Deliang
Bao, Congxiao
Li, Xing
author_sort Hao, Shanshan
collection PubMed
description Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible; however, with recent advances in IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of an IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client can access the main server on a destination address that is different in each connection. In this way, the model provides isolation to the main server, prevents network scanning, and minimizes exposure. Moreover, it provides a novel framework that supports flexible load balancing, high availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype, and experiments show that our model can prevent the main server from being scanned at a slight performance cost.
format Online
Article
Text
id pubmed-7853473
institution National Center for Biotechnology Information
language English
publishDate 2021
publisher Public Library of Science
record_format MEDLINE/PubMed
spelling pubmed-78534732021-02-09 Addressless: A new internet server model to prevent network scanning Hao, Shanshan Liu, Renjie Weng, Zhe Chang, Deliang Bao, Congxiao Li, Xing PLoS One Research Article Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible; however, with recent advances in IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of an IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client can access the main server on a destination address that is different in each connection. In this way, the model provides isolation to the main server, prevents network scanning, and minimizes exposure. Moreover, it provides a novel framework that supports flexible load balancing, high availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype, and experiments show that our model can prevent the main server from being scanned at a slight performance cost. Public Library of Science 2021-02-02 /pmc/articles/PMC7853473/ /pubmed/33529188 http://dx.doi.org/10.1371/journal.pone.0246293 Text en © 2021 Hao et al http://creativecommons.org/licenses/by/4.0/ This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
spellingShingle Research Article
Hao, Shanshan
Liu, Renjie
Weng, Zhe
Chang, Deliang
Bao, Congxiao
Li, Xing
Addressless: A new internet server model to prevent network scanning
title Addressless: A new internet server model to prevent network scanning
title_full Addressless: A new internet server model to prevent network scanning
title_fullStr Addressless: A new internet server model to prevent network scanning
title_full_unstemmed Addressless: A new internet server model to prevent network scanning
title_short Addressless: A new internet server model to prevent network scanning
title_sort addressless: a new internet server model to prevent network scanning
topic Research Article
url https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7853473/
https://www.ncbi.nlm.nih.gov/pubmed/33529188
http://dx.doi.org/10.1371/journal.pone.0246293