Slashdot Mirror


Security Through Varying IPs

alanjstr writes "Reuters is reporting that an ex-CIA director and ex-KGB man have come together and developed a new way of 'hiding' internet communications. It does this by IP hopping: 'The Invicta system uses special cards to link protected computers to a central control unit. It lets clients decide how often they wish to vary IP addresses and specify which applications may be accessed on their network.'" I've always wondered if there could be a way through software to do this. Of course, a centralized server would need to route which would be a major bandwidth bottleneck.

11 of 127 comments

  1. Re:Security through Vapor? by ajs · · Score: 3
    I hear the toll of the bell:
    Even if every company wanted a billion IP addresses, that wouldn't be a big deal in a 128bit address space
    I didn't think I'd have to do the math on /. , but here goes:

    Company X has 100 applications that require a VPN (say, 100 data feed vendors). So, they do the usual IP address math that big companies do (round up to the nearest obscene order of magnitude). So, a billion addresses per application is roughly 32 bits.

    Now, I need about 100 of those, but clearly growth is a concern, so let's say I need about 8 bits worth.

    Ok, so before that company even gets off the ground, before they even start deploying IPv6 on their servers, desktops, etc., they're using 256 COMPANIES worth of standard IPv6 allocation. If every company does this (and of course, this is a conservative example), we're talking about a gold-rush on IPv6 addresses that would exhaust the non-reserved addresses trivially in the first 5 years.

    Let's not be hasty, though, let's assume that we can multiplex these puppies. So, one device might be able to handle multiple servers and clients and rotate the IPs correctly using one IP space. Cool, so for each server-side device IBM buys, only one company's worth of v6 allocation need be used. That should give us another couple of years of life on the namespace.

    All things considered, this is a very bad idea. Rotating through 20 addresses to confuse the issue can add some difficulty for crackers, but using "billions" of addresses will add you to my "rude Internet citizens" list.
  2. Security through Vapor? by ajs · · Score: 5
    This sounds very suspicious to me.... Problems as I see it:
    1. Your clients must all use this technology. This is fine for building a VPN, but it does nothing for building services which must be announced to the public.
    2. The quote: "The number of IP addresses drawn on may be in the billions thanks to an artificial increase in cyberspace, Sheymov said," makes me wonder. Are they referring to IPv6 or to private addresses? If we're talking IPv6, then I'm very concerned because I don't want to see every company on the planet sucking up billions of addresses per application. That would make the increase to 128 bits pointless. If they're talking about private addresses, you still have to map to an external address at some point, and that's your weak link.
    3. Since when do we expect the former head of the CIA to sell security solutions without back doors?
    4. On the other hand, since when do we expect the former head of the CIA to have a technical clue when endorsing products?
    Color me skeptical....

  3. Working with MS networking.... by Dr. Blue · · Score: 3

    Yeah, I can see how great this would work with Windows: "You have worked for 2 seconds so I am changing your IP address. Windows must be restarted in order for this change to take effect. Restart now?" :-)

  4. security through obscurity by joq · · Score: 4


    All this sounds like is a time based routing mechanism nothing more, and I don't really see how changing the IP address is going to save a misconfigured machine. For one, somewhere down the line the address is going to delegate out, so if say someone is browsing via 10.10.1.16 and they're browsing say something on my server and my logs show:

    198.81.129.14 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"

    Then about one second later

    198.81.129.193 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"

    Now this is typically another visitor or whatever, but if the connections were repetitive enough with the same browser fingerprint coming through I can probably correlate them both together by their netblocks depending on who owned the block. So unless they plan on purchasing completely obsolete netblocks like say 198.81.129.0-255 then 198.83.0.0-255 then how do they expect to stay obscured from view? Keep in mind that there are hardly any complete netblocks to purchase in that fashion (class As close to impossible), so what are they really planning on doing?

    Now if they partnered with ISPs to snag dhcp addresses not being used from a wide variety of places, say Earthlink here, MomandPopISP there, then it'd be a plus for them; however, simple traceroutes and block lookups can give you their information (who owns the block etc).

    All it sounds like is a sort of a dhcp-round-robin-routing set up which is not going to save them still; if someone is really intent on getting access to their networks, they'd run out of address ranges before their scheme would work.

    Now on the spook/snoop side of things... I say TMTOWTPGPSAM! (There's More Than One Way To Sign PGP Sign A Message) to keep info from eyes other than the intended recipient.
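
    The correlation joq describes above (same browser fingerprint and referrer, source addresses from one netblock, hits a second apart) written out as a defender's log check. This is an added example, not code from any commenter or from the product under discussion; the log format, the timestamps, the time window and the extra addresses are constructed for illustration (the two 198.81.129.x addresses are the ones quoted in the comment).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <ip> "<referrer>" "<user agent>"".
# The first two IPs come from the comment above; the rest are made up.
LOG_LINES = [
    '2001-06-20T10:00:00 198.81.129.14 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"',
    '2001-06-20T10:00:01 198.81.129.193 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"',
    '2001-06-20T10:00:02 198.81.129.77 "http://www.antioffline.com/cia-soviet/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"',
    # a separate visitor in a different /24 with the same browser: must not be merged
    '2001-06-20T10:00:03 192.0.2.10 "http://www.antioffline.com/" "Mozilla/4.0 (compatible; MSIE 5.5;Windows NT 5.0)"',
    # same block, different fingerprint, half an hour later: must not be merged
    '2001-06-20T10:30:00 198.81.129.14 "http://www.antioffline.com/cia-soviet/" "Lynx/2.8.3"',
]

LINE_RE = re.compile(r'^(\S+) (\d+\.\d+\.\d+\.\d+) "([^"]*)" "([^"]*)"$')


def parse(line):
    """Return (timestamp, ip, referrer, user_agent) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, ref, ua = m.groups()
    return datetime.fromisoformat(ts), ip, ref, ua


def netblock(ip, prefix=24):
    """Collapse an IPv4 address to its enclosing /prefix network, e.g. 198.81.129.0/24."""
    return str(ipaddress.ip_network(f'{ip}/{prefix}', strict=False))


def correlate(lines, window=timedelta(seconds=5), prefix=24):
    """Group hits by (netblock, user agent, referrer) and report the groups in which
    more than one distinct source IP appears within `window` of each other.
    Returns {(netblock, ua, referrer): [sorted ips]} for the suspicious groups."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip junk lines instead of aborting the whole scan
        ts, ip, ref, ua = rec
        groups[(netblock(ip, prefix), ua, ref)].append((ts, ip))
    findings = {}
    for key, hits in groups.items():
        hits.sort()
        ips = sorted({ip for _, ip in hits})
        if len(ips) > 1 and hits[-1][0] - hits[0][0] <= window:
            findings[key] = ips
    return findings
```

    Widening `prefix` (say to 16) and `window` shows how quickly the hops become one session again once the addresses still share an owner, which is the point joq is making.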

  5. The more things change... by isomeme · · Score: 4
    Sounds like the IP analog for radio Frequency Hopping Spread Spectrum (FHSS). Which, by the way, was invented and patented as a radio security technique during WWII by movie star Hedy Lamarr and her pianist. A movie star geek girl? I was definitely born in the wrong generation...

    --
    When all you have is a hammer, everything looks like a skull.
  6. Just another step in the ladder by SlashGeek · · Score: 3
    It's a step, but let's face it. If somebody, especially the gov't really wants to see what you are up to, they'll find a way.

    Of course, a centralized server would need to route which would be a major bandwidth bottleneck.

    And, of course, a centralized server could also be very easily tapped by a Carnivore-like device.

    I guess it could scare off a few skript kiddies though.

    --
    I assume full responsibility for my actions, except the ones that are someone else's fault.

  7. Re:IP V6 Sooner than Later by SlashGeek · · Score: 4
    Read the article!!! The author clearly stated that things like encryption and firewalls were like "building fences around known locations" which makes them "sitting ducks for a determined hacker." The idea behind IP hopping is that they don't even know where you are to begin with. Like spread spectrum radio waves, you first have to lock into the variation, which in this case could be completely random, then deal with the "fences". It adds another layer, and a pretty damn good one.

    --
    I assume full responsibility for my actions, except the ones that are someone else's fault.

  8. This is a great concept... by SomeoneGotMyNick · · Score: 3

    It should be worth making a few more episodes of The Lone Gunmen to exploit it.

  9. Re:Very cool idea.... by hillct · · Score: 4

    Maybe, but isn't this just a variant on 'security through obscurity'?

    I'd have to say that this is a not-so-classic example, and in fact a neat idea, but when it comes down to it it's still securing a system through making it difficult to find.

    It's admittedly a neat technology, but is it really secure?

    --
    CTH
    Got Lists? | Top 95 Star Wars Line
  10. Ahh, I get it... by Shoten · · Score: 3
    Ok, let's see if I get this right...

    They keep moving around so many times a second that the bad guys can't find them. If a bad guy manages to ping an address that's a target, by the time he even types the "n" in "nmap" it's another address.

    But the GOOD traffic can find them? How the hell does this thing know the difference? It sounds like they came up with a great way to hide a computer (especially if they end up trying to pretend to be someone else's IP range in the process), but they totally ignore the fundamental problem: how to tell good traffic from bad without a human having to examine it. This has to be some of the worst snake oil I have ever seen.

    --
    For your security, this post has been encrypted with ROT-13, twice.
  11. Not really a shield by ZaneMcAuley · · Score: 4

    More like a moving target :) Duck shoot ne1 :)

    --
    What's wrong with this picture? http://www.revoh.org:1234/whatswrong