Detection and Defense Mechanisms on Duplicate Address Detection Process in IPv6 Link-Local Network: A Survey on Limitations and Requirements

Al-Ani, Ahmed; Anbar, Mohammed; Manickam, Selvakumar; Wey, Chong Yung; Leau, Yu‐Beng

doi:10.1007/s13369-018-3643-y

Cited by 14 publications

(14 citation statements)

References 67 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, these hosts are unable to join the IPv6 network and communicate with other hosts in the network. This type of attack is referred to as a DoS-on-DAD, which prevents hosts from configuring IP addresses in an IPv6 link-local network, as revealed in previous studies [15]. Figure 3 illustrates a DoS-on-DAD attack in an IPv6 link-local network.…”

Section: Duplicate Address Detection and Its Security Challengesmentioning

confidence: 91%

“…Therefore, INDPmon can also warn the network of NDP attacks because the majority of these attacks violate the protocol rules. Previous studies [10], [15] show that INDPmon can only identify NDP attacks that violate the fundamental protocols (i.e. protocol-rule-related violations).…”

Section: A Network Monitoring Techniquesmentioning

confidence: 99%

“…SeND aims to prevent NS and NA spoofing, NUD failure, DoS-on-AR and NDP DoS attacks [24]. However, previous studies [7], [10], [15] reveal that the security options of SeND, including CGA and RSA, hinder the implementation of this mechanism as an NDP extension in an IPv6 link-local network. Moreover, CGA cannot establish the identity of a legitimate host, thereby allowing attackers to capture the NDP messages, modify the CGA parameters and, eventually, exploit the target hosts.…”

Section: B Extend Ndp-header Techniquesmentioning

confidence: 99%

See 2 more Smart Citations

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

2020

Self Cite

View full text Add to dashboard Cite

Protocol version 6 (IPv6) host communicating with other neighbouring hosts. Two NDP messages are used during AR and DAD to communicate with one another in the same IPv6 link-local network, namely Neighbour Solicitation (NS) and Neighbour Advertisement (NA) messages. However, NDP messages have non-secure designs and lack verification mechanisms for authenticating whether incoming messages originate from a legitimate or illegitimate node. Therefore, any node in the same link can manipulate NS or NA messages and then launch a Denial-of-Service (DoS) attack. Techniques proposed to secure AR and DAD include Secure NDP (SeND) and Trust-NDP (Trust-ND); however, these techniques either entail high processing time and bandwidth consumption or are vulnerable to DoS attacks because of their designs. Therefore, to secure AR and DAD, this study aims to introduce a prevention technique called Match-Prevention, which secures target IP addresses and exchange messages (i.e. NS and NA). The processing time, bandwidth consumption and DoS prevention success rate of Match-Prevention in different scenarios are evaluated, and its performance is compared with those of existing techniques, including Standard-Process (i.e., Standard-AR and Standard-DAD), SeND and Trust-ND. Results show that Match-Prevention requires less processing time during AR and DAD processes and less bandwidth consumption compared with other existing techniques. In terms of DoS prevention success rate, the experiments show that Standard-Process and Trust-ND are unable to secure AR and DAD from DoS attacks, whilst SeND is vulnerable to flooding attacks. By contrast, Match-Prevention allows IPv6 nodes to verify the incoming message, discard the fake message before further processing and prevent a DoS attack during AR and DAD in an IPv6 link-local network.

show abstract

Section: Duplicate Address Detection and Its Security Challengesmentioning

confidence: 91%

Section: A Network Monitoring Techniquesmentioning

confidence: 99%

Section: B Extend Ndp-header Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…The OpenFlow network has three main components which are OpenFlow Controller, OpenFlow Switches and OpenFlow protocol as shown in Fig 6. In the OpenFlow network, the OpenFlow controller manages the entire network. The controller is considered the brain of the OpenFlow network [23]. The controller maintains network topology information, installs the instruction in all OpenFlow devices and monitors the network status network.…”

Section: Openflowmentioning

confidence: 99%

Mechanism to prevent the abuse of IPv6 fragmentation in OpenFlow networks

et al. 2020

Self Cite

View full text Add to dashboard Cite

OpenFlow makes a network highly flexible and fast-evolving by separating control and data planes. The control plane thus becomes responsive to changes in topology and load balancing requirements. OpenFlow also offers a new approach to handle security threats accurately and responsively. Therefore, it is used as an innovative firewall that acts as a first-hop security to protect networks against malicious users. However, the firewall provided by OpenFlow suffers from Internet protocol version 6 (IPv6) fragmentation, which can be used to bypass the OpenFlow firewall. The OpenFlow firewall cannot identify the message payload unless the switch implements IPv6 fragment reassembly. This study tests the IPv6 fragmented packets that can evade the OpenFlow firewall, and proposes a new mechanism to guard against attacks carried out by malicious users to exploit IPv6 fragmentation loophole in OpenFlow networks. The proposed mechanism is evaluated in a simulated environment by using six scenarios, and results exhibit that the proposed mechanism effectively fixes the loophole and successfully prevents the abuse of IPv6 fragmentation in OpenFlow networks.

show abstract

“…IPv4 was originally designed to provide IP addresses up to 4.29 billion [14]. Nevertheless, IP addresses provided by the IPv4 have already raised the issue of address depletion where the number of active internet users in 2019 exceeds 4.53 billion [15].…”

Section: Introductionmentioning

confidence: 99%

ICMPv6-Based DoS and DDoS Attacks Detection Using Machine Learning Techniques, Open Challenges, and Blockchain Applicability: A Review

2020

Self Cite

View full text Add to dashboard Cite

Although the launch of Internet Protocol version six (IPv6) addressed the issue of IPv4's address depletion, but also mandated the use of Internet Control Message Protocol version six (ICMPv6) messages in newly introduced features such as the Neighbor Discovery Protocol (NDP). This has exacerbated existing network attacks including ICMPv6-based Denial of Service (DoS) attacks and its variant form Distributed Denial of Service (DDoS) attack. Intrusion Detection Systems (IDS) aimed at tackling security issues raised by ICMPv6-based DoS and DDoS attacks have been reviewed by researchers and a general classification of existing IDSs was proposed as anomaly-based and signature-based. However, it is incredibly hard to see the overall picture of IDSs based on Machine Learning (ML) techniques with such a classification, as there is a lack of a more detailed view of the ML approach, classifiers, feature selection techniques, datasets, and different evaluation metrics. Nevertheless, recent developments in this relatively new field have not been covered such as ML-based IDSs using flow-based traffic representation. Therefore, this paper specifically reviews and classifies IDSs based on ML techniques to detect ICMPv6-based DoS and DDoS attacks as single and hybrid classifiers. In addition, blockchain applicability in Collaborative IDS (CIDS) architecture based on the ensemble framework has been proposed as a solution to one of the open challenges for ICMPv6-based DoS and DDoS attacks detection problem. Moreover, this review also provides a classification of ICMPv6 vulnerabilities to DoS and DDoS attacks which would provide a reference resource for future researchers in this domain. To the best of the author's knowledge, this is the first review paper specifically focusing on IDSs based on ML techniques in this domain, as well as blockchain applicability as a possible research direction has been proposed to attract researcher's focus on building ensemble learning-based IDS models.

show abstract

Detection and Defense Mechanisms on Duplicate Address Detection Process in IPv6 Link-Local Network: A Survey on Limitations and Requirements

Cited by 14 publications

References 67 publications

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

Mechanism to prevent the abuse of IPv6 fragmentation in OpenFlow networks

ICMPv6-Based DoS and DDoS Attacks Detection Using Machine Learning Techniques, Open Challenges, and Blockchain Applicability: A Review

Contact Info

Product

Resources

About