Real-Time IP Checking and Packet Marking for Preventing ND-DoS Attack Employing Fake Source IP in IPv6 LAN

Authors:
Gaeil An;Kiyoung Kim
Affiliations:
Network Security Research Division, Electronics and Telecommunications Research Institute (ETRI), Daejon, Korea 305-350;Network Security Research Division, Electronics and Telecommunications Research Institute (ETRI), Daejon, Korea 305-350
Venue:
ATC '08 Proceedings of the 5th international conference on Autonomic and Trusted Computing
Year:
2008

Citing 3
Cited 0

Securing IPv6 neighbor and router discovery

WiSE '02 Proceedings of the 1st ACM workshop on Wireless security
Defeating Distributed Denial of Service Attacks

IT Professional
Unique subnet auto-configuration in IPv6 networks

IPOM'06 Proceedings of the 6th IEEE international conference on IP Operations and Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

IPv6 has been proposed as a basic Internet protocol for realizing a ubiquitous computing service. An IPv6 LAN may suffer from a Neighbor Discovery-Denial of Service (ND-DoS) attack, which results in network congestion on the victim IPv6 LAN by making a great number of Neighbor Discovery protocol messages generated. A ND-DoS attacker may use a fake source IP address to hide his/her identity, which makes it more difficult to handle the attack. In this paper, we propose an IP checking and packet marking scheme, which is applied to an IPv6 access router. The proposed scheme can effectively protect IPv6 LAN from ND-DoS attack employing fake source IP by providing the packets suspected to use fake source and/or destination IP addresses with a poor QoS.