Guangjia Song,Zhenzhou Ji

DOI: https://doi.org/10.1201/b19779-113

2016-01-01

Abstract:Duplicate Address Detection (DAD) is an important component of the address resolution protocols, which determines whether an Internet Protocol (IP) address can be used. In the traditional DAD process, critical information is broadcast through the network. This is a vulnerability that malicious nodes can exploit to mount attacks, resulting in failure to configure IP addresses. To resolve the issue, a new DAD process with variable-length prefix, DAD-vP, was proposed. With DAD-vP, prefix is used to indicate a specific range rather than the entire destination address being tested. This significantly increases the difficulty of mounting an attack. Simulation results show that when under attack, address configuration using the DAD-vP process has a much higher success rate compared to that using the traditional DAD process.

Peng Kuang,Ying Liu,Lin He

DOI: https://doi.org/10.1109/icc40277.2020.9149310

2020-01-01

Abstract:Duplicate Address Detection (DAD) is an essential part of the Neighbor Discovery Protocol (NDP), which determines whether the IPv6 address of a node conflicts with those of other nodes. Due to the lack of verification of NDP messages, DAD is vulnerable to DoS attacks. Existing solutions suffer from high complexity, need to modify the NDP, or have a single point of failure. To solve the above problems, we propose P4DAD, a secure DAD mechanism described by P4. By creating and maintaining binding entries between IPv6 address and link-layer property of host, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modifications to the NDP or host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD can prevent DoS attacks on DAD successfully with negligible overhead, and has satisfactory scalability.

Lin He,Peng Kuang,Ying Liu,Gang Ren,Jiahai Yang

DOI: https://doi.org/10.1016/j.comnet.2021.108323

IF: 5.493

2021-10-01

Computer Networks

Abstract:Duplicate Address Detection (DAD) is one of the functions of the Neighbor Discovery Protocol (NDP), which determines whether the IPv6 address of a node conflicts with those of other nodes. However, due to the lack of verification of NDP messages, DAD is vulnerable to Denial of Service (DoS) attacks. Existing solutions suffer from high complexity and low security, need to modify the NDP, or have a single point of failure, which renders them infeasible to be deployed.To solve the above problems, we propose P4DAD, which is a secure DAD mechanism based on P4. By creating and maintaining a binding entry between an IPv6 address and a link-layer property of a host's network attachment, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modification to the NDP or host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD can prevent DoS attacks on DAD successfully with negligible overhead and has satisfactory scalability.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Song Guangjia,Ji Zhenzhou

DOI: https://doi.org/10.1109/imccc.2015.150

2015-01-01

Abstract:Given the lack of authentication mechanisms, the address resolution protocols (ARPs) (address resolution protocol, neighbor discovery protocol, and so on) are vulnerable to attack, such as man in the middle and denial of service among others. Therefore, the safety problem of the address resolution (AR) has been significantly given focus, and, in this paper, two problems related to AR have been investigated. First, the indecisiveness of the AR is proven. Therefore, all decision methods adopted to ensure the AR are imperfect, second, the equivalence between the AR and the duplicate address detection (DAD) process is proven. Thus, the AR and the DAD process can be replaced by each other, and can even be completed by the same process which will significantly simplify the design and implementation of the address resolution protocol.

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Song Guangjia,Ji Zhenzhou,Wang Hui

DOI: https://doi.org/10.3969/j.issn.1000-0801.2014.04.008

2014-01-01

Abstract:In stateless address auto configuration, node needs to carry out duplicate address detection before using a new IP address. In the detection process, once a malicious node claims that the resolve IP address is occupied, the node's address configuration will fail. For this case, WAY（who are you）mechanism as a defensive approach was proposed. WAY mechanism uses reverse address confirmation, self-declaration and WAY-table inspection to filter the spoofing packets, which make attackers' cost increase and cannot carry out secondary attack. The experiments show that WAY mechanism can effectively compensate the security flaws of neighbor discovery protocol, significantly increase the success rate of stateless address auto configuration.

Adamu Abubakar Ibrahim,Rawad Abdulkhaleq Abdulmolla Abdulghafor,Sharyar Wani

DOI: https://doi.org/10.11113/ijic.v12n2.368

2022-11-20

International Journal of Innovative Computing

Abstract:The Neighbor Discovery Protocol (NDP) enables nodes on the same IPv6 link to advertise their existence to their neighbors and learn about their neighbors’ existences in an IPv6 link-local network. Duplicate Address Detection (DAD) on NDP is used to determine whether or not an address requested by a node is already in use by another node. The Neighbor Solicitation (NS) and Neighbor Advertisement (NA) operations are associated to DAD checks in order to ensure that each interface within the transmission session is unique. Unfortunately, NS and NA operations have a significant disadvantage in that they are based on insecure architectures and lack verification procedures for determining whether incoming messages originate from a valid or illegitimate node. This will eventually allow any node in the same link to be manipulated during NS and NA message transmission sessions. Despite some attempts to secure the entire NDP operations, they still suffer from computing resources requirement for their operations. As a result, this study proposes an Initial Neighbor Inspection (INI) on DAD operation. The proposed techniques allow for an initial round of verification of the nodes on the same link before a broadcast request on the existence of neighbors, which is followed by another round of learning about neighbors’ existences. Conclusively, using this idea, as a simple verification will indicate the presence of neighbors, we may restrict solicitation and advertising to only those who are eligible. This means that the computational processing time for NS and NA on DAD operations would not rise.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Guangjia SONG,Zhenzhou JI

DOI: https://doi.org/10.3969/j.issn.2095-2163.2015.02.008

2015-01-01

Abstract:Given the lack of authentication mechanisms, the address resolution protocols ( ARPs) ( address resolution pro-tocol, neighbor discovery protocol, and so on) are vulnerable to attack, such as man in the middle and denial of service a-mong others. Therefore, the safety problem of the address resolution ( AR) has been significantly given focus, and, in this paper, two problems related to AR have been investigated. First, the indecisiveness of the AR is proven. Therefore, all de-cision methods adopted to ensure the AR are imperfect;second, the equivalence between the AR and the duplicate address detection ( DAD) process is proven. Thus, the AR and the DAD process can be replaced by each other, and can even be completed by the same process which will significantly simplify the design and implementation of the ARPs.

Guang Yao,Jun Bi,Sen Wang,Yueran Zhang,Yitian Li

DOI: https://doi.org/10.1109/LCN.2010.5735746

2010-01-01

Abstract:In IPv6 network, before configuring any address, a node must perform Duplicate Address Detection (DAD) to ensure the address is unique on link. However, original DAD is unreliable and vulnerable. In this article, a pull model DAD is designed, which achieves improvements both in reliability and security through changing the solicitation model. Comparing with SEcure Neighbor Discovery (SEND), this proposal has advantage in lightweight overhead and flexibility of address generation. Through evaluation, it is found to be feasible and cost effective.

Ahmed K. Al-Ani,Mohammed Anbar,Selvakumar Manickam,Chong Yung Wey,Yu-Beng Leau,Ayman Al-Ani

DOI: https://doi.org/10.1007/s13369-018-3643-y

IF: 2.807

2018-12-07

Arabian Journal for Science and Engineering

Abstract:The deployment of Internet Protocol Version 6 (IPv6) has progressed at a rapid pace. IPv6 has introduced new features and capabilities that is not available in IPv4. However, new security risks and challenges emerge with any new technology. Similarly, Duplicate Address Detection (DAD), part of Neighbor Discovery Protocol in IPv6 protocol, is subject to security threats such as denial-of-service attacks. This paper presents a comprehensive review on detection and defense mechanisms for DAD on fixed network. The strengths and weaknesses of each mechanism to Secure-DAD process are discussed from the perspective of implementation and processing time. Finally, challenges and future directions are presented along with feature requirements for the new security mechanism to secure DAD procedure in an IPv6 link-local network.

multidisciplinary sciences

GUAN Jun,CHEN Jian,CHEN Jiong,PAN Xue-zeng

2006-01-01

Abstract:In Hierarchical Mobile IPv6(HMIPv6) protocol,the Duplicate Address Detection(DAD) operations for the On-link Care-of Address(LCoA) and Regional Care-of Address(RCoA) greatly impair the mobile node's inner-MAP and inter-MAP handover performance.The HMIPv6 protocol based on care-of address pool which introduced LCoA pool and RCoA pool into HMIPv6 was proposed,care-of addresses were got from the pools directly,and therefore the DAD operations for the LCoA and RCoA were avoided.The experiment results show that the proposed protocol greatly reduces the handover latency.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Guangjia Song,Zhenzhou Ji

2015-01-01

Abstract:Address resolution is an important component of network communication. It determines the correspondence relationship between the IP and MAC of the host. Given the public destination of address resolutions, existing address resolution protocols are vulnerable to deception attacks, such as man-in-the-middle or DoS. Thus, a new security protocol called seek secret man (SSM) is proposed to address this drawback. Further, we utilize the SSM protocol as prototype and design a secure address resolution process called AR-SSM. This technique uses encryption technology to hide the destination of the address resolution, thereby preventing an attacker from launching a pointed attack. The experimental and comparison results show that in the presence of malicious nodes, the address cache pollution rate of AR-SSM is far lower than that of the traditional address resolution process.

Dalia Nashat,Sabah M. Morsy

DOI: https://doi.org/10.1109/ACCESS.2022.3172329

IF: 3.9

IEEE Access

Abstract:Nowadays, cyber-attack is a severe criminal violation, and it is one of the most active fields of research. Man-in-the-middle attack (MITM) is a type of cyber-attack in which an unauthorized third party secretly accesses the communication between two hosts in the same network to read=modify the transferred data between them. ARP spoofing-based MITM attack exploits ARP protocol weakness where the attacker associates its MAC address with the IP address of an intended legitimate host. Although there are many defense approaches for ARP spoofing based-MITM attacks, these methods are uncompleted or have a performance overhead since they modify the original ARP protocol. Also, some of these approaches depend on the centralized server which leads to a single point of failure. This paper presents a detection scheme for ARP spoofing-based MITM attack called D-ARP which is compatible with the original ARP protocol. The main idea of D-ARP is to send an ARP packet signed with a key in parallel with the original ARP packets to make a correlation between requests and replies. Each host records the signed ARP packets whether it is a request or a reply in a log file. Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address. For more reliability, D-ARP uses the DHCP server and the Nmap feature to detect the MAC addresses of MITM attackers. Moreover, this scheme also offers a module for Admin to create a trusted list of hosts. The experimental results show that D-ARP is very effective to detect and prevent ARP spoofing with zero false positives and zero false negative probabilities without any modifications in the original ARP protocol.

Computer Science

Gyanendra Kumar,Pragya

DOI: https://doi.org/10.1002/cpe.8131

2024-05-01

Concurrency and Computation Practice and Experience

Abstract:Summary The fusion of drones with the Internet, termed the Internet of Drones (IoD), resembles the Internet of Things (IoT) paradigm. In IoD, drones necessitate unique identifiers similar to IPv6 addresses. This paper presents a novel approach for securing the duplicate address detection (DAD) process in the IoD environment. This paper focuses on addressing the security challenges posed by malicious drones in the DAD process. The proposed solution introduces a hidden DAD (H‐DAD) process, to mitigate attacks on the DAD process. In this scheme, drones transmit a transformed portion of their interface identifier (IID) while concealing the full IID, thus thwarting potential disruptions by malicious entities. We evaluated the effectiveness of the H‐DAD scheme through experimental analysis using Python with SimPy, comparing it with the Improved DAD, Secure DAD, and Standard DAD schemes. Our results demonstrate a notable improvement, with the Hidden DAD scheme achieving a 100% address success rate under attack. Moreover, it exhibits approximately 5% and 12% lower overhead and energy consumption, respectively, compared to the other schemes.

computer science, theory & methods, software engineering

Guangjia Song,Zhenzhou Ji,Wang Hui

DOI: https://doi.org/10.14257/ijfgcn.2015.8.4.19

2015-01-01

International Journal of Future Generation Communication and Networking

Abstract:Address resolution is an important process in network communications. The primary function of address resolution is to determine the correspondence of a target network address to a physical address. The traditional address resolution process assumes that all the nodes on a network are honest and credible, and these nodes directly broadcast the resolution target address on the network. This process enables malicious nodes to easily mount attacks. We propose a reverse address resolution process with variable length prefix (called Re-AR) that obviates such attacks. According to the revelation principle, a node's <IP, MAC> mapping can be viewed as a private type in the address resolution process. In our proposed process, after a node receives an address resolution request broadcast, it unicasts the private type to a positive resolve node that assigns the communication to the correct node according to a predetermined mechanism. Based on simulation results, when the destination address is hidden in the broadcast packets, malicious nodes cannot easily conduct spoofing attacks according to the destination addresses. This phenomenon effectively prevents spoofing and significantly reduces the pollution rate of address cache tables.

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1109/dcabes.2012.71

2012-01-01

Abstract:Owing to its great need for mapping an IP address to the corresponding MAC address over an Ethernet topology, Address Resolution Protocol (ARP) has been, and still is, capable of accomplishing this task efficiently. At the same time, it suffers from some security shortcomings, because of the malicious hosts have the possibility of poisoning the ARP cache for another host on the same LAN. In this paper, by gratuitous ARP request packets, we propose a solution to the problem of ARP poisoning. Our suggested mechanism which is named a Gratuitous Decision Packet System (GDPS) seeks to achieve two main goals: (1) Detection of suspicious ARP packets, by implementing a real-time analyzing for received ARP packets. (2) The distinction between a legitimate and malicious host through sending a modified request packet of the gratuitous ARP packets. Furthermore, the experiments show that the presented design has the efficiency and accuracy, as well as it does not require any additional software or hardware.

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Guang-jia Song,Zhen-zhou Ji

DOI: https://doi.org/10.1631/fitee.1500382

IF: 2.526

2016-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Address-resolution protocol (ARP) is an important protocol of data link layers that aims to obtain the corresponding relationship between Internet Protocol (IP) and Media Access Control (MAC) addresses. Traditional ARPs (address-resolution and neighbor-discovery protocols) do not consider the existence of malicious nodes, which reveals destination addresses in the resolution process. Thus, these traditional protocols allow malicious nodes to easily carry out attacks, such as man-in-the-middle attack and denial-of-service attack. To overcome these weaknesses, we propose an anonymous-address-resolution (AS-AR) protocol. AS-AR does not publicize the destination address in the address-resolution process and hides the IP and MAC addresses of the source node. The malicious node cannot obtain the addresses of the destination and the node which initiates the address resolution; thus, it cannot attack. Analyses and experiments show that AS-AR has a higher security level than existing security methods, such as secure-neighbor discovery.