DAD-match; Security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network

Al-Ani, Ahmed; Anbar, Mohammed; Manickam, Selvakumar

doi:10.1371/journal.pone.0214518

Cited by 18 publications

(9 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, there hasn't been much discussion about how to apply diligent checking operations in actual applications. As a result, following the previous successful applications of the Match-prevention technique for preventing DAD by Al-Ani et al [7] and the DAD-match technique by Al-Ani et al [16] for securing DAD, and motivated by the works of [1][2][3][4][5], this paper presents an Initial Neighbor Inspection approach to DAD operation by establishing an initial round of verification of the nodes on the same link before a broadcast request on the existence.…”

Section: Related Workmentioning

confidence: 81%

A New Concept of Duplicate Address Detection Processes in IPv6 Link-Local Network

2022

View full text Add to dashboard Cite

The Neighbor Discovery Protocol (NDP) enables nodes on the same IPv6 link to advertise their existence to their neighbors and learn about their neighbors’ existences in an IPv6 link-local network. Duplicate Address Detection (DAD) on NDP is used to determine whether or not an address requested by a node is already in use by another node. The Neighbor Solicitation (NS) and Neighbor Advertisement (NA) operations are associated to DAD checks in order to ensure that each interface within the transmission session is unique. Unfortunately, NS and NA operations have a significant disadvantage in that they are based on insecure architectures and lack verification procedures for determining whether incoming messages originate from a valid or illegitimate node. This will eventually allow any node in the same link to be manipulated during NS and NA message transmission sessions. Despite some attempts to secure the entire NDP operations, they still suffer from computing resources requirement for their operations. As a result, this study proposes an Initial Neighbor Inspection (INI) on DAD operation. The proposed techniques allow for an initial round of verification of the nodes on the same link before a broadcast request on the existence of neighbors, which is followed by another round of learning about neighbors’ existences. Conclusively, using this idea, as a simple verification will indicate the presence of neighbors, we may restrict solicitation and advertising to only those who are eligible. This means that the computational processing time for NS and NA on DAD operations would not rise.

show abstract

Section: Related Workmentioning

confidence: 81%

A New Concept of Duplicate Address Detection Processes in IPv6 Link-Local Network

2022

View full text Add to dashboard Cite

show abstract

“…Still, they involve complex cryptographic techniques unsuitable for resource-constrained environments. Authentication-based schemes 52,61,62 require an additional authentication system to authorize the participation of various components in the DAD process, which is tedious and violates the SLAAC standard. Detection and defense mechanisms 46,55,58,60,[64][65][66][67] use intelligent techniques to identify and take defensive actions against malicious nodes, but they require additional development and implementation and cannot prevent all attacks.…”

Section: Dad Solutions To Mitigate Dos Attacksmentioning

confidence: 99%

IPv6 addressing with hidden duplicate address detection to mitigate denial of service attacks in the internet of drone

Kumar,

Pragya

2024

Concurrency and Computation

View full text Add to dashboard Cite

SummaryThe fusion of drones with the Internet, termed the Internet of Drones (IoD), resembles the Internet of Things (IoT) paradigm. In IoD, drones necessitate unique identifiers similar to IPv6 addresses. This paper presents a novel approach for securing the duplicate address detection (DAD) process in the IoD environment. This paper focuses on addressing the security challenges posed by malicious drones in the DAD process. The proposed solution introduces a hidden DAD (H‐DAD) process, to mitigate attacks on the DAD process. In this scheme, drones transmit a transformed portion of their interface identifier (IID) while concealing the full IID, thus thwarting potential disruptions by malicious entities. We evaluated the effectiveness of the H‐DAD scheme through experimental analysis using Python with SimPy, comparing it with the Improved DAD, Secure DAD, and Standard DAD schemes. Our results demonstrate a notable improvement, with the Hidden DAD scheme achieving a 100% address success rate under attack. Moreover, it exhibits approximately 5% and 12% lower overhead and energy consumption, respectively, compared to the other schemes.

show abstract

“…Al-Ani et al [22] proposed an alternative DAD method to address the DoS attack during the DAD process in the IPv6 network. DAD-match have introduced two new NDP message types known as NS-match and NA-match.…”

Section: Related Workmentioning

confidence: 99%

“…Song and Ji [21] DAD-h i) vulnerable to hash collision attack because using MD5, ii) suffers from Dos attack, and iii) only implemented for neighbor discovery, not for RD. Al-Ani et al [22] DAD-match i) suffers from pre-image attack; ii) has lower hash power, and iii) only implemented for neighbor discovery not for RD. Praptodiyono et al [23] Trust-ND i) the hash collision attack can be used against the SHA-1 hashing algorithm, ii) unreliable generation of trust value, iii) vulnerable to DoS attack, and iv) complex processing overhead.…”

mentioning

confidence: 99%

Proposed security mechanism for preventing fake router advertisement attack in IPv6 link-local network

Al-Shareeda

Manickam

Saare

et al. 2022

IJEECS

View full text Add to dashboard Cite

The design of router discovery (RD) is a trust mechanism to confirm the legitimacy of the host and router. Fake router advertisement (RA) attacks have been made possible by this RD protocol design defect. Studies show that the standard RD protocol is vulnerable to a fake RA attack where the host will be denied a valid gateway. To cope with this problem, several prevention techniques have been proposed in the past to secure the RD process. Nevertheless, these methods have a significant temporal complexity as well as other flaws, including the bootstrapping issue and hash collision attacks. Thus, the SecMac-secure router discovery (SecMac-SRD) technique, which requires reduced processing time and may thwart fake RA assaults, is proposed in this study as an improved secure RD mechanism. SecMac-SRD is built based on a UMAC hashing algorithm with ElGamal public key distribution cryptosystem that hides the RD message exchange in the IPv6 link-local network. Based on the obtained expected results display that the SecMac-SRD mechanism achieved less processing time compared to the existing secure RD mechanism and can resist fake RA attacks. The outcome of the expected results clearly proves that the SecMac-SRD mechanism effectively copes with the fake RA attacks during the RD process.

show abstract

DAD-match; Security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network

Cited by 18 publications

References 20 publications

A New Concept of Duplicate Address Detection Processes in IPv6 Link-Local Network

A New Concept of Duplicate Address Detection Processes in IPv6 Link-Local Network

IPv6 addressing with hidden duplicate address detection to mitigate denial of service attacks in the internet of drone

Proposed security mechanism for preventing fake router advertisement attack in IPv6 link-local network

Contact Info

Product

Resources

About