Abstract
IPv6 has been proposed as a basic Internet protocol for realizing a ubiquitous computing service. An IPv6 LAN may suffer from a Neighbor Discovery-Denial of Service (ND-DoS) attack, which results in network congestion on the victim IPv6 LAN by making a great number of Neighbor Discovery protocol messages generated. A ND-DoS attacker may use a fake source IP address to hide his/her identity, which makes it more difficult to handle the attack. In this paper, we propose an IP checking and packet marking scheme, which is applied to an IPv6 access router. The proposed scheme can effectively protect IPv6 LAN from ND-DoS attack employing fake source IP by providing the packets suspected to use fake source and/or destination IP addresses with a poor QoS.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Altug, R.O., Akinlar, C.: Unique Subnet Auto-configuration in IPv6 Networks. In: Parr, G., Malone, D., Ó Foghlú, M. (eds.) IPOM 2006. LNCS, vol. 4268, pp. 108–119. Springer, Heidelberg (2006)
DeNardis, L.: Questioning IPv6 Security. Business Communications Review Magazine, 51–53 (2006)
Templeton, S.J., Levitt, K.E.: Detecting Spoofed Packets. In: Proc. Of DISCEX 2003, pp. 164–175 (2003)
Ferguson, P., Senie, D.: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. IETF, RFC 2827 (2000)
Geng, X., Whinston, A.B.: Defeating Distributed Denial of Service Attacks. IT Professional 2(4), 36–41 (2000)
Nikander, P., Kempf, J., Nordmark, E.: IPv6 Neighbor Discovery (ND) Trust Models and Threats. IETF, RFC 3756 (2004)
Mutaf, P., Castelluccia, C.: Compact Neighbor Discovery: a Bandwidth Defense through Bandwidth Optimization. In: Proc. of INFOCOM 2005, pp. 2711–2719 (2005)
Narten, T., Nordmark, E., Simpson, W.: Neighbor Discovery for IP Version 6 (IPv6). IETF, RFC 2461 (1998)
Tseng, Y., Jiang, J., Lee, J.: Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network. In: Proc. of ICPP Workshops, pp. 375–383 (2003)
Leckie, C., Kotagiri, R.: A Probabilistic Approach to Detecting Network Scans. In: Proc. NOMS 2002, pp. 359–372 (2002)
Schechter, S., Jung, J., Berger, A.W.: Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 59–81. Springer, Heidelberg (2004)
Arkko, J., Kempf, J., Zill, B., Nikander, P.: SEcure Neighbor Discovery (SEND). IETF, RFC 3971 (2005)
Arkko, J., Aura, T., et al.: Securing IPv6 Neighbor and Router Discovery. In: Proc. of the 3rd ACM workshop on Wireless security, pp. 77–86 (2002)
Cisco Systems: Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks. White paper (2000), http://www.cisco.com/warp/.../newsflash.html
Bradner, S., Paxson, V.: IANA Allocation Guidelines For Value. In: the Internet Protocol and Related Headers. IETF, RFC 2780 (2000)
Grossman, D.: New Terminology and Clarifications for Diffserv. IETF, RFC 3260 (2002)
UCB/LBNL/VINT: ns Notes and Documentation, http://www.isi.edu/nsnam/ns
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
An, G., Kim, K. (2008). Real-Time IP Checking and Packet Marking for Preventing ND-DoS Attack Employing Fake Source IP in IPv6 LAN. In: Rong, C., Jaatun, M.G., Sandnes, F.E., Yang, L.T., Ma, J. (eds) Autonomic and Trusted Computing. ATC 2008. Lecture Notes in Computer Science, vol 5060. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-69295-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-540-69295-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69294-2
Online ISBN: 978-3-540-69295-9
eBook Packages: Computer ScienceComputer Science (R0)