Review of Preventive Security Mechanisms for Neighbour Discovery Protocol

Anbar, Mohammed; Abdullah, Rosni; Saad, Redhwan M. A.; Hasbullah, Iznan H.

doi:10.1166/asl.2017.10272

Cited by 12 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…IPv6 NDP allows nodes to detect neighbours on a similar LAN and let their existence be known to their neighbours. NDP also has important processes, such as AR, DAD and NUD [8].…”

Section: Neighbour Discovery Protocolmentioning

confidence: 99%

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

2020

Self Cite

View full text Add to dashboard Cite

Protocol version 6 (IPv6) host communicating with other neighbouring hosts. Two NDP messages are used during AR and DAD to communicate with one another in the same IPv6 link-local network, namely Neighbour Solicitation (NS) and Neighbour Advertisement (NA) messages. However, NDP messages have non-secure designs and lack verification mechanisms for authenticating whether incoming messages originate from a legitimate or illegitimate node. Therefore, any node in the same link can manipulate NS or NA messages and then launch a Denial-of-Service (DoS) attack. Techniques proposed to secure AR and DAD include Secure NDP (SeND) and Trust-NDP (Trust-ND); however, these techniques either entail high processing time and bandwidth consumption or are vulnerable to DoS attacks because of their designs. Therefore, to secure AR and DAD, this study aims to introduce a prevention technique called Match-Prevention, which secures target IP addresses and exchange messages (i.e. NS and NA). The processing time, bandwidth consumption and DoS prevention success rate of Match-Prevention in different scenarios are evaluated, and its performance is compared with those of existing techniques, including Standard-Process (i.e., Standard-AR and Standard-DAD), SeND and Trust-ND. Results show that Match-Prevention requires less processing time during AR and DAD processes and less bandwidth consumption compared with other existing techniques. In terms of DoS prevention success rate, the experiments show that Standard-Process and Trust-ND are unable to secure AR and DAD from DoS attacks, whilst SeND is vulnerable to flooding attacks. By contrast, Match-Prevention allows IPv6 nodes to verify the incoming message, discard the fake message before further processing and prevent a DoS attack during AR and DAD in an IPv6 link-local network.

show abstract

“…IPv6 NDP allows nodes to detect neighbours on a similar LAN and let their existence be known to their neighbours. NDP also has important processes, such as AR, DAD and NUD [8].…”

Section: Neighbour Discovery Protocolmentioning

confidence: 99%

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…Attackers can interrupt and negatively affect verification by sending bogus reply messages when a new host starts DAD. Researches [8], [16], [18] emphasized that DAD is vulnerably exposed to DoS attacks.…”

Section: Denial Of Service Attack On Duplicate Address Detection (Dosmentioning

confidence: 99%

“…SeND aims at preventing NS and NA spoofing, NUD failure, DAD DoS and NDP DoS attacks [20]. However, previous studies [8], [11], [20] highlighted the deficiencies of SeND for NDP in IPv6 link-local network. In general, security options (i.e., CGA and RSA) are limited.…”

Section: Related Workmentioning

confidence: 99%

“…According to previous scholarly studies [5], [6] it is proven that the local network’s communication neighboring hosts are not totally reliable because they are more likely to act as attackers. Researchers [7], [8] investigated dangers and weaknesses of neighboring discovery. The attackers can take advantage of vulnerabilities in the neighboring discovery to launch a DoS attack.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DAD-match; Security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network

2019

Self Cite

View full text Add to dashboard Cite

An efficiently unlimited address space is provided by Internet Protocol version 6 (IPv6). It aims to accommodate thousands of hundreds of unique devices on a similar link. This can be achieved through the Duplicate Address Detection (DAD) process. It is considered one of the core IPv6 network’s functions. It is implemented to make sure that IP addresses do not conflict with each other on the same link. However, IPv6 design’s functions are exposed to security threats like the DAD process, which is vulnerable to Denial of Service (DoS) attack. Such a threat prevents the host from configuring its IP address by responding to each Neighbor Solicitation (NS) through fake Neighbor Advertisement (NA). Various mechanisms have been proposed to secure the IPv6 DAD procedure. The proposed mechanisms, however, suffer from complexity, high processing time, and the consumption of more resources. The experiments-based findings revealed that all the existing mechanisms had failed to secure the IPv6 DAD process. Therefore, DAD-match security technique is proposed in this study to efficiently secure the DAD process consuming less processing time. DAD-match is built based on SHA-3 to hide the exchange tentative IP among hosts throughout the process of DAD in an IPv6 link-local network. The obtained experimental results demonstrated that the DAD-match security technique achieved less processing time compared with the existing mechanisms as it can resist a range of different threats like collision and brute-force attacks. The findings concluded that the DAD-match technique effectively prevents the DoS attack during the DAD process. The DAD-match technique is implemented on a small area IPv6 network; hence, the author future work is to implement and test the DAD-match technique on a large area IPv6 network.

show abstract

“…Trust vulnerability in NDP messages allows DoS attacks to be performed by exploiting the functions of NDP protocol [31]. For example, the flooding of Neighbor Solicitation (NS) messages (ICMPv6 message type value 135) and Neighbour Advertisement (NA) messages (ICMPv6 message type value 136) would eventually consume a portion of the victim's resources or may cause a complete stoppage of its services while it tries to respond to the malicious messages [32]. In the same fashion, Router Solicitation (RS) messages (ICMPv6 message type value 133) and Router Advertisement (RA) messages (ICMPv6 message type value 134) flooding and malformed RA prefix advertisements can cause traffic interruption and routing storms.…”

Section: Introductionmentioning

confidence: 99%

ICMPv6-Based DoS and DDoS Attacks Detection Using Machine Learning Techniques, Open Challenges, and Blockchain Applicability: A Review

2020

Self Cite

View full text Add to dashboard Cite

Although the launch of Internet Protocol version six (IPv6) addressed the issue of IPv4's address depletion, but also mandated the use of Internet Control Message Protocol version six (ICMPv6) messages in newly introduced features such as the Neighbor Discovery Protocol (NDP). This has exacerbated existing network attacks including ICMPv6-based Denial of Service (DoS) attacks and its variant form Distributed Denial of Service (DDoS) attack. Intrusion Detection Systems (IDS) aimed at tackling security issues raised by ICMPv6-based DoS and DDoS attacks have been reviewed by researchers and a general classification of existing IDSs was proposed as anomaly-based and signature-based. However, it is incredibly hard to see the overall picture of IDSs based on Machine Learning (ML) techniques with such a classification, as there is a lack of a more detailed view of the ML approach, classifiers, feature selection techniques, datasets, and different evaluation metrics. Nevertheless, recent developments in this relatively new field have not been covered such as ML-based IDSs using flow-based traffic representation. Therefore, this paper specifically reviews and classifies IDSs based on ML techniques to detect ICMPv6-based DoS and DDoS attacks as single and hybrid classifiers. In addition, blockchain applicability in Collaborative IDS (CIDS) architecture based on the ensemble framework has been proposed as a solution to one of the open challenges for ICMPv6-based DoS and DDoS attacks detection problem. Moreover, this review also provides a classification of ICMPv6 vulnerabilities to DoS and DDoS attacks which would provide a reference resource for future researchers in this domain. To the best of the author's knowledge, this is the first review paper specifically focusing on IDSs based on ML techniques in this domain, as well as blockchain applicability as a possible research direction has been proposed to attract researcher's focus on building ensemble learning-based IDS models.

show abstract

Review of Preventive Security Mechanisms for Neighbour Discovery Protocol

Cited by 12 publications

References 0 publications

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

DAD-match; Security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network

ICMPv6-Based DoS and DDoS Attacks Detection Using Machine Learning Techniques, Open Challenges, and Blockchain Applicability: A Review

Contact Info

Product

Resources

About