Lin He,Peng Kuang,Ying Liu,Gang Ren,Jiahai Yang

DOI: https://doi.org/10.1016/j.comnet.2021.108323

IF: 5.493

2021-10-01

Computer Networks

Abstract:Duplicate Address Detection (DAD) is one of the functions of the Neighbor Discovery Protocol (NDP), which determines whether the IPv6 address of a node conflicts with those of other nodes. However, due to the lack of verification of NDP messages, DAD is vulnerable to Denial of Service (DoS) attacks. Existing solutions suffer from high complexity and low security, need to modify the NDP, or have a single point of failure, which renders them infeasible to be deployed.To solve the above problems, we propose P4DAD, which is a secure DAD mechanism based on P4. By creating and maintaining a binding entry between an IPv6 address and a link-layer property of a host's network attachment, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modification to the NDP or host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD can prevent DoS attacks on DAD successfully with negligible overhead and has satisfactory scalability.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

GuangJia Song,ZhenZhou Ji

DOI: https://doi.org/10.1371/journal.pone.0151612

IF: 3.7

2016-01-01

PLoS ONE

Abstract:Duplicate address detection (DAD) is an important component of the address resolution protocol (ARP) and the neighbor discovery protocol (NDP). DAD determines whether an IP address is in conflict with other nodes. In traditional DAD, the target address to be detected is broadcast through the network, which provides convenience for malicious nodes to attack. A malicious node can send a spoofing reply to prevent the address configuration of a normal node, and thus, a denial-of-service attack is launched. This study proposes a hash method to hide the target address in DAD, which prevents an attack node from launching destination attacks. If the address of a normal node is identical to the detection address, then its hash value should be the same as the "Hash_64" field in the neighboring solicitation message. Consequently, DAD can be successfully completed. This process is called DAD-h. Simulation results indicate that address configuration using DAD-h has a considerably higher success rate when under attack compared with traditional DAD. Comparative analysis shows that DAD-h does not require third-party devices and considerable computing resources; it also provides a lightweight security resolution.

Adamu Abubakar Ibrahim,Rawad Abdulkhaleq Abdulmolla Abdulghafor,Sharyar Wani

DOI: https://doi.org/10.11113/ijic.v12n2.368

2022-11-20

International Journal of Innovative Computing

Abstract:The Neighbor Discovery Protocol (NDP) enables nodes on the same IPv6 link to advertise their existence to their neighbors and learn about their neighbors’ existences in an IPv6 link-local network. Duplicate Address Detection (DAD) on NDP is used to determine whether or not an address requested by a node is already in use by another node. The Neighbor Solicitation (NS) and Neighbor Advertisement (NA) operations are associated to DAD checks in order to ensure that each interface within the transmission session is unique. Unfortunately, NS and NA operations have a significant disadvantage in that they are based on insecure architectures and lack verification procedures for determining whether incoming messages originate from a valid or illegitimate node. This will eventually allow any node in the same link to be manipulated during NS and NA message transmission sessions. Despite some attempts to secure the entire NDP operations, they still suffer from computing resources requirement for their operations. As a result, this study proposes an Initial Neighbor Inspection (INI) on DAD operation. The proposed techniques allow for an initial round of verification of the nodes on the same link before a broadcast request on the existence of neighbors, which is followed by another round of learning about neighbors’ existences. Conclusively, using this idea, as a simple verification will indicate the presence of neighbors, we may restrict solicitation and advertising to only those who are eligible. This means that the computational processing time for NS and NA on DAD operations would not rise.

Guangjia Song,Zhenzhou Ji

DOI: https://doi.org/10.1201/b19779-113

2016-01-01

Abstract:Duplicate Address Detection (DAD) is an important component of the address resolution protocols, which determines whether an Internet Protocol (IP) address can be used. In the traditional DAD process, critical information is broadcast through the network. This is a vulnerability that malicious nodes can exploit to mount attacks, resulting in failure to configure IP addresses. To resolve the issue, a new DAD process with variable-length prefix, DAD-vP, was proposed. With DAD-vP, prefix is used to indicate a specific range rather than the entire destination address being tested. This significantly increases the difficulty of mounting an attack. Simulation results show that when under attack, address configuration using the DAD-vP process has a much higher success rate compared to that using the traditional DAD process.

Ahmed K. Al-Ani,Mohammed Anbar,Selvakumar Manickam,Chong Yung Wey,Yu-Beng Leau,Ayman Al-Ani

DOI: https://doi.org/10.1007/s13369-018-3643-y

IF: 2.807

2018-12-07

Arabian Journal for Science and Engineering

Abstract:The deployment of Internet Protocol Version 6 (IPv6) has progressed at a rapid pace. IPv6 has introduced new features and capabilities that is not available in IPv4. However, new security risks and challenges emerge with any new technology. Similarly, Duplicate Address Detection (DAD), part of Neighbor Discovery Protocol in IPv6 protocol, is subject to security threats such as denial-of-service attacks. This paper presents a comprehensive review on detection and defense mechanisms for DAD on fixed network. The strengths and weaknesses of each mechanism to Secure-DAD process are discussed from the perspective of implementation and processing time. Finally, challenges and future directions are presented along with feature requirements for the new security mechanism to secure DAD procedure in an IPv6 link-local network.

multidisciplinary sciences

Yubing Li,Wei Yang,Zhou,Qingyun Liu,Zhao Li,Shu Li

DOI: https://doi.org/10.1109/icc45855.2022.9839137

2022-01-01

Abstract:Internet Protocol Version 6 (IPv6) is expected for widespread deployment worldwide. Such rapid development of IPv6 may lead to safety problems. The main threats in IPv6 networks are denial of service (DoS) attacks and distributed DoS (DDoS) attacks. In addition to the similar threats in Internet Protocol Version 4 (IPv4), IPv6 has introduced new potential vulnerabilities, which are DoS and DDoS attacks based on Internet Control Message Protocol version 6 (ICMPv6). We divide such new attacks into two categories: pure flooding attacks and source address spoofing attacks. We propose P4-NSAF, a scheme to defend against the above two IPv6 DoS and DDoS attacks in the programmable data plane. P4-NSAF uses Count-Min Sketch to defend against flooding attacks and records information about IPv6 agents into match tables to prevent source address spoofing attacks. We implement a prototype of P4-NSAF with P4 and evaluate it in the programmable data plane. The result suggests that P4-NSAF can effectively protect IPv6 networks from DoS and DDoS attacks based on ICMPv6.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Guang Yao,Jun Bi,Sen Wang,Yueran Zhang,Yitian Li

DOI: https://doi.org/10.1109/LCN.2010.5735746

2010-01-01

Abstract:In IPv6 network, before configuring any address, a node must perform Duplicate Address Detection (DAD) to ensure the address is unique on link. However, original DAD is unreliable and vulnerable. In this article, a pull model DAD is designed, which achieves improvements both in reliability and security through changing the solicitation model. Comparing with SEcure Neighbor Discovery (SEND), this proposal has advantage in lightweight overhead and flexibility of address generation. Through evaluation, it is found to be feasible and cost effective.

Song Guangjia,Ji Zhenzhou,Wang Hui

DOI: https://doi.org/10.3969/j.issn.1000-0801.2014.04.008

2014-01-01

Abstract:In stateless address auto configuration, node needs to carry out duplicate address detection before using a new IP address. In the detection process, once a malicious node claims that the resolve IP address is occupied, the node's address configuration will fail. For this case, WAY（who are you）mechanism as a defensive approach was proposed. WAY mechanism uses reverse address confirmation, self-declaration and WAY-table inspection to filter the spoofing packets, which make attackers' cost increase and cannot carry out secondary attack. The experiments show that WAY mechanism can effectively compensate the security flaws of neighbor discovery protocol, significantly increase the success rate of stateless address auto configuration.

Gyanendra Kumar,Pragya

DOI: https://doi.org/10.1002/cpe.8131

2024-05-01

Concurrency and Computation Practice and Experience

Abstract:Summary The fusion of drones with the Internet, termed the Internet of Drones (IoD), resembles the Internet of Things (IoT) paradigm. In IoD, drones necessitate unique identifiers similar to IPv6 addresses. This paper presents a novel approach for securing the duplicate address detection (DAD) process in the IoD environment. This paper focuses on addressing the security challenges posed by malicious drones in the DAD process. The proposed solution introduces a hidden DAD (H‐DAD) process, to mitigate attacks on the DAD process. In this scheme, drones transmit a transformed portion of their interface identifier (IID) while concealing the full IID, thus thwarting potential disruptions by malicious entities. We evaluated the effectiveness of the H‐DAD scheme through experimental analysis using Python with SimPy, comparing it with the Improved DAD, Secure DAD, and Standard DAD schemes. Our results demonstrate a notable improvement, with the Hidden DAD scheme achieving a 100% address success rate under attack. Moreover, it exhibits approximately 5% and 12% lower overhead and energy consumption, respectively, compared to the other schemes.

computer science, theory & methods, software engineering

David Chunhu Li,Hsuan-Hao Tu,Li-Der Chou

DOI: https://doi.org/10.1016/j.compeleceng.2024.109307

IF: 4.152

2024-05-30

Computers & Electrical Engineering

Abstract:This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system's ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Wenchao Huang,Yan Xiong,Depin Chen

DOI: https://doi.org/10.1109/CSE.2009.87

2009-01-01

Abstract:Many approaches have been proposed to secure various ad hoc routing protocols. However, many attacks such as wormhole attacks, vertex cut attacks, and traffic-analysis based attacks are still not well addressed. In this paper, we propose a novel secure routing protocol DAAODV which is based on Ad-hoc On-demand Distance Vector routing (AODV). DAAODV takes full advantage of trusted computing technology, particularly the Direct Anonymous Attestation (DAA) and Property-based Attestation (PBA) protocols. DAAODV is an anonymous protocol without requirement of Trusted Third Party (TTP). Moreover, we propose an efficient signing and verification scheme to overcome the potential DoS attacks triggered by the low efficiency of DAA and PBA. In the simulation, the results show that DAAODV is still efficient in discovering secure routes compared with AODV protocol.

Shan Jing,Chuan Zhao,Wenxiu Zhang

DOI: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys60770.2023.00055

2023-12-17

Abstract:As Software Defined Networking (SDN) becomes increasingly prevalent, the risk of Distributed Denial of Service (DDoS) attacks targeting SDN also grows. Specifically, the SDN data plane, consisting of simple forwarding devices, is more susceptible to DDoS attacks launched by malicious actors. These attacks can impose tremendous load on the SDN, potentially leading to its complete collapse in severe cases. The traditional SDN architecture based on the OpenFlow Protocol falls short in meeting the requirements for programming the data plane. To address this challenge and improve the flexibility of SDN architectures, the Programming Protocol-Independent Packet Processors (P4) has emerged. However, existing solutions, primarily based on Statistical Learning, Machine Learning, and Deep Learning, require further enhancement in terms of accuracy, complexity, and latency. In this study, we utilize the P4 language to implement a programmable data plane and propose the P4-CACNN model for detecting and defending against DDoS attacks on the data plane. Firstly, we employ an appropriate attention mechanism to enhance the processing of incoming traffic. Subsequently, the data is fed into a discriminator consisting of a Convolutional Neural Network (CNN) to classify whether it constitutes attack traffic. Experimental results demonstrate that our proposed model achieves a remarkable 98.99% accuracy in detecting DDoS attacks on the SDN data plane, while maintaining low latency.

Computer Science,Engineering

Francesco Musumeci,Ali Can Fidanci,Francesco Paolucci,Filippo Cugini,Massimo Tornatore

DOI: https://doi.org/10.1007/s10922-021-09633-5

2021-11-02

Journal of Network and Systems Management

Abstract:Abstract Distributed Denial of Service (DDoS) attacks represent a major concern in modern Software Defined Networking (SDN), as SDN controllers are sensitive points of failures in the whole SDN architecture. Recently, research on DDoS attacks detection in SDN has focused on investigation of how to leverage data plane programmability, enabled by P4 language, to detect attacks directly in network switches, with marginal involvement of SDN controllers. In order to effectively address cybersecurity management in SDN architectures, we investigate the potential of Artificial Intelligence and Machine Learning (ML) algorithms to perform automated DDoS Attacks Detection ( DAD ), specifically focusing on Transmission Control Protocol SYN flood attacks . We compare two different DAD architectures, called Standalone and Correlated DAD , where traffic features collection and attack detection are performed locally at network switches or in a single entity (e.g., in SDN controller), respectively. We combine the capability of ML and P4-enabled data planes to implement real-time DAD . Illustrative numerical results show that, for all tested ML algorithms, accuracy, precision, recall and F1-score are above 98% in most cases, and classification time is in the order of few hundreds of $$\upmu \text {s}$$ μ s in the worst case. Considering real-time DAD implementation, significant latency reduction is obtained when features are extracted at the data plane by using P4 language. Graphic Abstract

computer science, information systems,telecommunications

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Gyanendra Kumar,Anil Gankotiya,Sur Singh Rawat,Balamurugan Balusamy,Shitharth Selvarajan

DOI: https://doi.org/10.1038/s41598-024-77035-z

IF: 4.6

2024-10-25

Scientific Reports

Abstract:With technology development, the growing self-communicating devices in IoT networks require specific naming and identification, mainly provided by IPv6 addresses. The IPv6 address in the IoT network is generated by using the stateless auto address configuration (SLAAC) mechanism, and its uniqueness is ensured by the DAD protocol. Recent research suggests that IPv6 deployment can be a risky decision due to the existing SLAAC-based addressing scheme and the DAD protocol being prone to reconnaissance and denial of service (DoS) attacks. This research paper proposes a new IPv6 generation scheme with an improved secure DAD mechanism to address these problems. The proposed addressing scheme generates IPv6 addresses by taking a hybrid approach based on vendor id of medium access control (MAC) address, physical location, and arbitrary random numbers, which mitigates reconnaissance attacks by malicious nodes. To prevent the DAD process from DoS attacks, hybrid values of interface identifier (IID) are multicast instead of actual values. The proposed scheme is evaluated under reconnaissance and DoS attacks in the presence of malicious nodes. The evaluation results demonstrate that the proposed method effectively mitigates reconnaissance and DoS attacks, outperforming the EUI-64 and SEUI-64 schemes in terms of address success rate (ASR), energy consumption, and communication overhead. Specifically, the proposed method significantly reduces the average probing rate for scanning the existence of an IPv6 address, with only a 1% probing rate compared to SEUI-64's 5% and EUI-64's 100%. Furthermore, the additional communication overhead introduced by the proposed method is less than 13% and 11% compared to EUI-64 and SEUI-64, respectively. Additionally, the energy consumption required to assign an IPv6 address using the proposed method is lower by 12% and 5% when compared to EUI-64 and SEUI-64, respectively. These findings highlight the effectiveness of the proposed method in enhancing security and optimizing resource utilization in IPv6 addressing.

multidisciplinary sciences

Jian-Ping WU,Dan LI,Jun BI,Ke XU,Xing LI,Jing ZHU

DOI: https://doi.org/10.11897/SP.J.1016.2016.01081

2016-01-01

Abstract:The Internet,which is constructed based on the TCP/IP structure,has been facing many challenges towards its scalability,efficiency,safety and flexibility.Most proposals today fail to solve these problems all together because they have not fully explored and exploited the multiple attributes of IP addresses.This paper proposes an address driven network architecture, called ADN.The core idea of ADN is solve the key problems faced by Internet,such as space scalability,smooth mobility,security and privacy,service quality,network virtualization,by innovative management and usage of IP addresses,with an extensive exploit of the multiple attributes of IP address,including the length attribute,logic attribute,topology attribute,time attribute,space attribute,ownership attribute,etc.The key technologies of ADN include validated IP address,two-dimensional routing,dynamical IP address,etc.The two-dimensional routing uses the source address as well as the destination address of an IP packet.On the premise of pure IP routing,two-dimensional routing is capable of realizing many complex routing strategies which most existing routing extensions cannot achieve without sacrificing its efficiency and manageability. The validated IP address and dynamical IP address verify the facticity and validity of the source address and destination address,respectively.They prevent the malicious users from launching attacks without being traced using source address forgery,or accessing other end-hosts in the Internet without authorization granted.

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1109/dcabes.2012.71

2012-01-01

Abstract:Owing to its great need for mapping an IP address to the corresponding MAC address over an Ethernet topology, Address Resolution Protocol (ARP) has been, and still is, capable of accomplishing this task efficiently. At the same time, it suffers from some security shortcomings, because of the malicious hosts have the possibility of poisoning the ARP cache for another host on the same LAN. In this paper, by gratuitous ARP request packets, we propose a solution to the problem of ARP poisoning. Our suggested mechanism which is named a Gratuitous Decision Packet System (GDPS) seeks to achieve two main goals: (1) Detection of suspicious ARP packets, by implementing a real-time analyzing for received ARP packets. (2) The distinction between a legitimate and malicious host through sending a modified request packet of the gratuitous ARP packets. Furthermore, the experiments show that the presented design has the efficiency and accuracy, as well as it does not require any additional software or hardware.

Song Guangjia,Ji Zhenzhou

DOI: https://doi.org/10.1109/imccc.2015.150

2015-01-01

Abstract:Given the lack of authentication mechanisms, the address resolution protocols (ARPs) (address resolution protocol, neighbor discovery protocol, and so on) are vulnerable to attack, such as man in the middle and denial of service among others. Therefore, the safety problem of the address resolution (AR) has been significantly given focus, and, in this paper, two problems related to AR have been investigated. First, the indecisiveness of the AR is proven. Therefore, all decision methods adopted to ensure the AR are imperfect, second, the equivalence between the AR and the duplicate address detection (DAD) process is proven. Thus, the AR and the DAD process can be replaced by each other, and can even be completed by the same process which will significantly simplify the design and implementation of the address resolution protocol.