Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

Address Resolution (AR) and Duplicate Address Detection (DAD) are considered the most important processes in the Neighbour Discovery Protocol (NDP); they run frequently on every Internet Protocol version 6 (IPv6) host that communicates with neighbouring hosts. Two NDP messages are exchanged during AR and DAD between nodes in the same IPv6 link-local network, namely Neighbour Solicitation (NS) and Neighbour Advertisement (NA) messages. However, NDP messages were not designed with security in mind and lack a verification mechanism for authenticating whether an incoming message originates from a legitimate or an illegitimate node. Therefore, any node on the same link can manipulate NS or NA messages and launch a Denial-of-Service (DoS) attack. Techniques proposed to secure AR and DAD include Secure NDP (SeND) and Trust-NDP (Trust-ND); however, these techniques either entail high processing time and bandwidth consumption or are vulnerable to DoS attacks because of their designs. Therefore, to secure AR and DAD, this study introduces a prevention technique called Match-Prevention, which secures the target IP addresses and the exchanged messages (i.e., NS and NA). The processing time, bandwidth consumption and DoS prevention success rate of Match-Prevention in different scenarios are evaluated, and its performance is compared with those of existing techniques, including Standard-Process (i.e., Standard-AR and Standard-DAD), SeND and Trust-ND. Results show that Match-Prevention requires less processing time during the AR and DAD processes and less bandwidth than the other existing techniques. In terms of DoS prevention success rate, the experiments show that Standard-Process and Trust-ND are unable to secure AR and DAD from DoS attacks, whilst SeND is vulnerable to flooding attacks. By contrast, Match-Prevention allows IPv6 nodes to verify an incoming message, discard a fake message before further processing and thus prevent a DoS attack during AR and DAD in an IPv6 link-local network.
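
The abstract's core observation is that a DAD Neighbour Solicitation (sent from the unspecified source address `::`) can be answered by any node on the link, and nothing in standard NDP lets the soliciting host tell a genuine owner's NA from a spoofed one. The following Python example is added here to illustrate that failure mode from the monitoring side; it is not the paper's Match-Prevention technique, and the trace, MAC addresses and threshold are constructed for the example. It pairs each NA with the DAD NS it answers and flags a responder that "owns" an implausible number of tentative addresses, which is the signature a DAD-DoS source leaves on the wire.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class NdpMsg:
    ts: float       # capture time in seconds
    kind: str       # "NS" (Neighbour Solicitation) or "NA" (Neighbour Advertisement)
    src_mac: str    # link-layer source of the frame
    src_ip: str     # "::" marks a DAD solicitation (unspecified source)
    target: str     # target IPv6 address carried in the NS/NA


# Constructed sample trace (hypothetical, not taken from the paper):
# three hosts run DAD for fe80::1..3 and one MAC (…:ff) answers every one of
# them; the last pair is an ordinary AR lookup answered by the real owner.
TRACE = [
    NdpMsg(0.00, "NS", "00:11:22:33:44:01", "::", "fe80::1"),
    NdpMsg(0.01, "NA", "00:11:22:33:44:ff", "fe80::1", "fe80::1"),
    NdpMsg(1.00, "NS", "00:11:22:33:44:02", "::", "fe80::2"),
    NdpMsg(1.01, "NA", "00:11:22:33:44:ff", "fe80::2", "fe80::2"),
    NdpMsg(2.00, "NS", "00:11:22:33:44:03", "::", "fe80::3"),
    NdpMsg(2.01, "NA", "00:11:22:33:44:ff", "fe80::3", "fe80::3"),
    NdpMsg(5.00, "NS", "00:11:22:33:44:04", "fe80::4", "fe80::9"),  # normal AR
    NdpMsg(5.01, "NA", "00:11:22:33:44:09", "fe80::9", "fe80::9"),  # legitimate owner
]


def dad_answers(trace, window=1.0):
    """Pair every NA with the most recent DAD NS for the same target address
    seen within `window` seconds. Returns a list of (responder_mac, target).
    NAs that answer ordinary AR solicitations are ignored."""
    pending = {}   # target address -> timestamp of the latest DAD NS
    answers = []
    for m in sorted(trace, key=lambda x: x.ts):
        if m.kind == "NS" and m.src_ip == "::":
            pending[m.target] = m.ts
        elif m.kind == "NA" and m.target in pending:
            if m.ts - pending[m.target] <= window:
                answers.append((m.src_mac, m.target))
    return answers


def suspicious_responders(trace, max_targets=1, window=1.0):
    """A legitimate node defends only the addresses it actually holds. A MAC
    that answers DAD for more than `max_targets` distinct tentative addresses
    is reported as a candidate DAD-DoS source, together with the addresses it
    claimed. The threshold is a constructed example value."""
    per_mac = defaultdict(set)
    for mac, target in dad_answers(trace, window):
        per_mac[mac].add(target)
    return {mac: sorted(t) for mac, t in per_mac.items() if len(t) > max_targets}


if __name__ == "__main__":
    for mac, claimed in suspicious_responders(TRACE).items():
        print(f"{mac} answered DAD for {len(claimed)} targets: {', '.join(claimed)}")
```

The heuristic deliberately does nothing for a node answering DAD for a single address, which is exactly what a genuine owner does; it only reacts to the pattern the abstract describes, one link node vetoing every tentative address it sees. A host that legitimately holds several addresses (privacy addresses, multiple prefixes) will also answer more than one DAD NS, so in practice the threshold should be raised or the claimed addresses correlated with earlier traffic from that MAC before acting on an alert.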
