Denial of Service Attack over Secure Neighbor Discovery (SeND)

Amjed Sid Ahmed, Rosilah Hassan, Nor Effendy Othman

Abstract


IPv6, the Internet Protocol suite version 6, uses a Neighbor Discovery Protocol (NDP). NDP mainly replaces router discovery and the Address Resolution Protocol (ARP) and thereafter redirects the functions used in IPv4 i.e. the Internet Protocol suite version 4. The NDP system is a stateless protocol since it does not need the dynamic host’s configuration protocol server to enable the various IPv6 nodes for determining the connected hosts along with the IPv6 network routers. To add layers of protection to NDP, the SeND (Secure Neighbor Discovery) extension was developed, which provides router authorization, proof of address ownership, and message protection for the protocol. SeND employs CGAs (Cryptographically Generated Addresses) and X.509 certificates. Despite its many advantages, deploying SeND is not easy, and it is still vulnerable to certain DoS (Denial-of-Service) attacks. The components of SeND and its responses to NDP threats are further elaborated in this paper. In addition, an overview of the implementation of SeND, its limitations, existing vulnerabilities, and current deployment challenges are also presented.  Furthermore, to test the performance of SeND under a DoS attack, a test bed was implemented and the results discussed. 


Keywords


DoS; IPv6; NDP; SLAAC

Full Text:

PDF

References


G. Song and Z. Ji, “Novel Duplicate Address Detection with Hash Function,” Plos One, vol. 11, no. 3, 2016.

S. U. Rehman and S. Manickam, “Novel Mechanism to Prevent Denial of Service (DoS) Attacks in IPv6 Duplicate Address Detection Process,” International Journal of Security and Its Applications, vol. 10, no. 4, pp. 143–154, 2016.

M. Anbar, R. Abdullah, R. M. A. Saad, E. Alomari, and S. Alsaleem, “Review of Security Vulnerabilities in the IPv6 Neighbor Discovery Protocol,” Lecture Notes in Electrical Engineering Information Science and Applications (ICISA) 2016, pp. 603–612, 2016.

T. Zhang and Z. Wang, “Research on IPv6 Neighbor Discovery Protocol (NDP) security,” 2016 2nd IEEE International Conference on Computer and Communications (ICCC), 2016.

Ahmed, A. S., Ismail, N. H. A., Hassan, R., and Othman, N. E, “Balancing performance and security for IPv6 neighbor discovery”. International Journal of Applied Engineering Research, 10(19), 40191-40196, 2015.

A. S. Ahmed, R. Hassan, and N. E. Othman, “Improving security for IPv6 neighbor discovery,” 2015 International Conference on Electrical Engineering and Informatics (ICEEI), 2015.

Ahmed, Amjed Sid Ahmed Mohamed Sid, Rosilah Hassan, and Nor Effendy Othman. "IPv6 Neighbor Discovery Protocol Specifications, Threats and Countermeasures: A Survey."IEEE Access 5 (2017): 18187-18210.

S. Praptodiyono, I. H. Hasbullah, M. Anbar, R. K. Murugesan, and A. Osman, “Improvement of Address Resolution Security in IPv6 Local Network using Trust-ND,” TELKOMNIKA Indonesian Journal of Electrical Engineering, vol. 13, no. 1, Jan. 2015.

F. Najjar, M. M. Kadhum, and H. El-Taj, “Detecting Neighbor Discovery Protocol-Based Flooding Attack Using Machine Learning Techniques,” Lecture Notes in Electrical Engineering Advances in Machine Learning and Signal Processing, pp. 129–139, 2016.

Y. Lu, M. Wang, and P. Huang, “An SDN-Based Authentication Mechanism for Securing Neighbor Discovery Protocol in IPv6,” Security and Communication Networks, vol. 2017, pp. 1–9, 2017.

I. H. Hasbullah, M. M. Kadhum, Y.-W. Chong, K. Alieyan, A. Osman, and S., “Timestamp utilization in Trust-ND mechanism for securing Neighbor Discovery Protocol,” 2016 14th Annual Conference on Privacy, Security and Trust (PST), 2016.

R. M. A. Saad, M. Anbar, and S. Manickam, “Rule-based detection technique for ICMPv6 anomalous behaviour,” Neural Computing and Applications, 2017.

A. S. Ahmed, R. Hassan, and N. E. Othman, “Security threats for IPv6 transition strategies: A review,” 2014 4th International Conference on Engineering Technology and Technopreneuship (ICE2T), 2014.

O. E. Elejla, M. Anbar, and B. Belaton, “ICMPv6-Based DoS and DDoS Attacks and Defense Mechanisms: Review,” IETE Technical Review, pp. 1–18, Feb. 2016.

Ahmed, Amjed Sid, Rosilah Hassan, and Nor Effendy Othman. "Securing IPv6 Link Local Communication Using IPSec: Obstacles and Challenges." Advanced Science Letters 23, no. 11 (2017): 11124-11128.

R. M. A. Saad, M. Anbar, S. Manickam, and E. Alomari, “An Intelligent ICMPv6 DDoS Flooding-Attack Detection Framework (v6IIDS) using Back-Propagation Neural Network,” IETE Technical Review, vol. 33, no. 3, pp. 244–255, 2015.

O. E. Elejla, B. Belaton, M. Anbar, and A. Alnajjar, “Intrusion Detection Systems of ICMPv6-based DDoS attacks,” Neural Computing and Applications, 2016.

Ahmed, Amjed Sid, Rosilah Hassan, and Nor Effendy Othman. "Secure neighbor discovery (SeND): Attacks and challenges." In Electrical Engineering and Informatics (ICEEI), 6th International Conference on, pp. 1-6. IEEE, 2017.

J. L. Shah, “A novel approach for securing IPv6 link local communication,” Information Security Journal: A Global Perspective, vol. 25, no. 1-3, pp. 136–150, Apr. 2016.

P. Sumathi, S. Patel, and P., “Secure Neighbor Discovery (SEND) Protocol challenges and approaches,” 2016 10th International Conference on Intelligent Systems and Control (ISCO), 2016.

Alsadeh, Ahmad, Hosnieh Rafiee, and Christoph Meinel, "Cryptographically Generated Addresses (CGAs): Possible attacks and proposed mitigation approaches," Computer and Information Technology (CIT), 2012 IEEE 12th International Conference on. IEEE, 2012.




DOI: http://dx.doi.org/10.18517/ijaseit.8.5.6427

Refbacks

  • There are currently no refbacks.



Published by INSIGHT - Indonesian Society for Knowledge and Human Development