Effective control of abnormal neighbor discovery congestion on IPv6 local area network

  • Authors: Gaeil An; Jaehoon Nah

  • Affiliations: Network Security Research Division, Electronics and Telecommunications Research Institute (ETRI), Daejon, Korea (both authors)

  • Venue: UIC'06 Proceedings of the Third International Conference on Ubiquitous Intelligence and Computing
  • Year: 2006

Abstract

The Neighbor Discovery (ND) protocol is very important in ubiquitous networks because it provides IP auto-configuration and address resolution. However, a malicious user can make the access router of a local area network (LAN) generate useless ND protocol messages by sending it abnormal data packets with fictitious destination IP addresses. If a malicious user sends the access router an enormous volume of abnormal traffic, this may result in network congestion and degrade quality of service (QoS) not only for ND-requested normal traffic, but also for ND-free normal traffic. In this paper, we propose a scheme that effectively controls ND congestion by rate-limiting the ND protocol messages generated by abnormal data packets. In our scheme, when an access router receives an ND-requested packet, it checks whether the destination IP address of the packet actually exists on the target LAN. If it does, the router sends out the ND message for the packet using good QoS in the packet forwarding service. Otherwise, it uses bad QoS. To learn the topology of the target LAN, the router monitors all traffic from the target LAN. Through simulation, we show that our scheme can guarantee not only the QoS of ND-requested data traffic, but also the QoS of ND-free data traffic, irrespective of the attack strength.
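
The classification step the abstract describes, as an added sketch that is not the authors' code or simulator. The class and function names, the token bucket used to model "bad QoS", the `2001:db8:1::/64` prefix and all traffic are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

class NDController:
    """Access-router sketch: ND-requested packets are classed by whether the
    destination was ever seen as a source on the target LAN."""

    def __init__(self, lan_prefix, rate, burst):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.seen_on_lan = set()     # topology learned by monitoring LAN traffic
        self.neighbor_cache = set()  # resolved addresses: traffic is ND-free
        self.rate, self.burst, self.tokens = rate, burst, burst

    def observe_from_lan(self, src):
        addr = ipaddress.ip_address(src)
        if addr in self.lan:         # ignore sources outside the LAN prefix
            self.seen_on_lan.add(addr)

    def tick(self):
        # Assumed token bucket that budgets low-priority solicitations.
        self.tokens = min(self.burst, self.tokens + self.rate)

    def handle(self, dst):
        addr = ipaddress.ip_address(dst)
        if addr in self.neighbor_cache:
            return "forward"                 # ND-free packet
        if addr in self.seen_on_lan:
            self.neighbor_cache.add(addr)    # assumes the host answers the NS
            return "ns_good_qos"
        if self.tokens >= 1:                 # unknown destination: bad QoS
            self.tokens -= 1
            return "ns_bad_qos"
        return "ns_suppressed"

def simulate(attack_per_tick, ticks=10, rate=2, burst=5):
    r = NDController("2001:db8:1::/64", rate, burst)
    hosts = [f"2001:db8:1::{i:x}" for i in range(1, 4)]   # constructed hosts
    for h in hosts:
        r.observe_from_lan(h)
    stats = Counter()
    bogus = 0x1000
    for _ in range(ticks):
        r.tick()
        for _ in range(attack_per_tick):     # fictitious destinations
            bogus += 1
            stats[r.handle(f"2001:db8:1::{bogus:x}")] += 1
        for h in hosts:                      # normal traffic arrives last
            stats[r.handle(h)] += 1
    return stats
```

Comparing `simulate(0)` with `simulate(1000)` shows the normal-traffic counters unchanged while low-priority solicitations stay within the bucket's budget.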