Denial of Service Attack in IPv6 Duplicate Address Detection Process: An Impact Analysis on IPv6 Address Auto-configuration Mechanism

IPv6 was designed to replace the existing Internet Protocol, IPv4. The main advantage of IPv6 over IPv4 is its vastly larger address space. In addition, various improvements were brought to IPv6 to address the drawbacks of IPv4. Nevertheless, as with any new technology, IPv6 suffers from various security vulnerabilities. One of the vulnerabilities discovered allows a Denial of Service attack using the Duplicate Address Detection mechanism. In order to study and analyse this attack, an IPv6 security testbed was designed and implemented. This paper presents our experience with the deployment and operation of the testbed, and a discussion of the outcome and data gathered from carrying out a DoS attack in this testbed.

Keywords—Duplicate Address Detection; Denial of Service; IPv6; Address autoconfiguration; Security; Internet Protocol


I. INTRODUCTION
Internet protocol version 6 (IPv6) [1] was introduced not only to overcome the limitations of the existing Internet protocol version 4 (IPv4) [2] but also to be future oriented in view of the rapid growth of Internet technologies. Thus, IPv6 is also known as the next generation Internet protocol. The Internet Engineering Task Force (IETF) defined this new Internet protocol in December 1998. In addition to providing a large address space, IPv6 introduced new features such as a simpler header format, mobility functions, extension headers and address autoconfiguration [1].
One of the main features of the IPv6 protocol is address autoconfiguration [3], which means that IPv6 hosts can obtain an IP address automatically. Autoconfiguration therefore simplifies address assignment among IPv6 hosts in link local communication, as hosts can generate addresses without any intervention. Even though it has eased IP address assignment, improper configuration can raise serious security issues. Studies [4][5][6] have shown that the autoconfiguration mechanism is susceptible to security threats such as denial of service (DoS) attacks during the address autoconfiguration process. This paper focuses on the impact analysis of a denial of service (DoS) attack [7] on the duplicate address detection (DAD) [6] process during address autoconfiguration in an IPv6 link local network, and its consequences. The rest of the paper is organized as follows.
Section II describes the concept of the denial of service (DoS) attack and its classification. Section III explains the address autoconfiguration process in an IPv6 link local network, including the duplicate address detection (DAD) process and denial of service attack attempts during the DAD process, in respective subsections. Section IV presents the design and implementation of the testbed setup for the DoS-on-DAD attack. Section V presents the outcome obtained from the experimental setup. Finally, Section VI concludes this article with future work.

II. DENIAL OF SERVICE ATTACK AND ITS CLASSIFICATION
A denial of service (DoS) attack is one of the major security threats to IPv4 and IPv6 networks [7]. In a DoS attack, a victim host is denied service by exhausting its resources and disrupting its communication with neighboring hosts on the same link. The targeted device is unable to process such a large amount of network traffic and becomes unavailable or out of service. When a DoS attack is launched from many networks or systems, it is known as a Distributed Denial of Service (DDoS) attack [7,8]. In order to perform a DDoS attack, an attacker uses various resources, such as network nodes and Internet services distributed around the globe, collectively considered a botnet. These botnets are then used to launch the DDoS attack against the targeted victim. Denial of Service (DoS) attacks in IPv6 networks can be broadly classified into two main categories based on the level attacked: application level and network level. Network level DoS attacks can be further subdivided into gateway (router) level and local link level. Figure 1 depicts the taxonomy of DoS attacks in IPv6 networks.

A. Denial of service attacks on IPv6 network
During address autoconfiguration in an IPv6 link local network, Internet control message protocol version 6 (ICMPv6) [9] message types are used by hosts to communicate with neighboring hosts within the local link. However, studies [10,11] have shown that ICMPv6 messages are vulnerable to denial of service (DoS) attacks, especially during the duplicate address detection (DAD) process while a host attempts to configure its self-generated interface identifier (IID).
An attacker can therefore take advantage of this and fabricate ICMPv6 messages. The attacker can then exploit these forged messages to mount denial of service (DoS) attacks in a number of ways: by spoofing the messages, in a Man-in-the-Middle form, or simply by sending excessive numbers of bogus ICMPv6 packets to the target host on the local link. Thus, an attacker can prevent IPv6 hosts from obtaining their interface identifier (IID).

III. ADDRESS AUTOCONFIGURATION IN IPV6 LINK LOCAL NETWORK
In an IPv6 link local network, an IPv6 host communicates with its neighboring hosts using five types of ICMPv6 messages, also known as Neighbor Discovery Protocol (NDP) [12] messages, which are as follows:
- Router Solicitation (RS), message type 133, is sent by IPv6 hosts to discover the presence of neighboring router(s) on the local link.
- Router Advertisement (RA), message type 134, is sent by router(s) in reply to an RS message, or periodically as unsolicited RA messages.
- Neighbor Solicitation (NS), message type 135, is sent by IPv6 nodes to resolve an IPv6 address to its link-layer address (MAC address), to verify the reachability of an IPv6 node, or to perform duplicate address detection.
- Neighbor Advertisement (NA), message type 135, is sent by IPv6 nodes in response to an NS message or to advertise a link-layer address change.
- Redirect, message type 137, is sent by routers in IPv6 link local communication to advertise a better route for a destination.
Neighbor discovery [12], as the name suggests, allows hosts in IPv6 networks to find the presence and link local addresses of other hosts on the same link. It also provides other functionality such as address resolution, neighbor unreachability detection, router discovery, a redirect method for routers to inform IPv6 hosts about the most appropriate router available on the same link, and duplicate address detection on the same link.

A. IPv6 Address Autoconfiguration Process
When a new host joins an IPv6 local link network, it goes through a number of operations to configure its own interface identifier (IID). As the IPv6 host connects to the local link network, it sends a Router Solicitation (RS) message to the link local router to obtain the network prefix information. In response, the link local router replies with a Router Advertisement (RA) message carrying the network prefix. Once the host has obtained the network prefix, it can generate its interface identifier (IID) [3].
Afterwards, the host combines the subnet prefix with the IID to form a complete 128-bit IPv6 address, which is enough for hosts to communicate within the same link [3]. Finally, the autoconfiguration process verifies the uniqueness of the address on the link by performing the Duplicate Address Detection process [6], discussed in Subsection B. Figure 2 depicts the address autoconfiguration process of a new host in an IPv6 link local network.

B. Duplicate Address Detection Process
Duplicate address detection is a mechanism ensuring that all IPv6 hosts have unique IP addresses by verifying their uniqueness on the same link. Every host must execute the DAD process before assigning an address to an interface [6]. When a host generates a new IP address, after generating an interface identifier it ascertains that no other neighboring host on the same link already possesses that generated address, so as to avoid an IP address conflict.
The DAD process is performed by multicasting Neighbor Solicitation (NS) messages to all neighboring hosts within the same link. These NS messages carry the tentative IP address that the host has generated and would like to assign to its interface. If the tentative address is already assigned to another neighboring host on the same link, that neighboring host sends a Neighbor Advertisement (NA) in reply, and the new host generates a new tentative address. If the new host receives no response to its NS messages from the neighboring nodes, this indicates that the newly generated address is unique and no other neighboring host is using it. The host can then use the generated address as its preferred address [6]. Figure 3 illustrates the DAD process.
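The autoconfiguration and DAD steps of Subsections A and B, worked through in Python as an added example (this code is not part of the paper and is not the authors' testbed software). It derives a modified EUI-64 IID from a constructed MAC address, combines it with a /64 prefix, computes the solicited-node multicast group that the DAD probe is sent to, and simulates the exchange: the new host multicasts an NS with the unspecified source address, an existing owner of the target replies with an NA, and the new host either keeps the address as preferred or retries with a fresh random IID. The `Link`, `run_dad` and `NdpMessage` names, the sample MAC and the retry-with-random-IID policy are the example's own assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class NdpMessage:
    """Minimal model of a Neighbor Discovery message (only the fields DAD uses)."""
    kind: str      # "NS" (ICMPv6 type 135) or "NA" (ICMPv6 type 136)
    src: str       # IPv6 source address
    dst: str       # IPv6 destination address
    target: str    # Target Address field


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC: insert ff:fe in the
    middle and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def autoconfigure(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 for link local, or one learned from an RA)
    with the EUI-64 IID to form the 128-bit tentative address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with an EUI-64 IID needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Solicited-node multicast group ff02::1:ffXX:XXXX built from the low 24 bits."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + addr.packed[-3:])


class Link:
    """One link: maps each assigned (preferred) address to the host that owns it."""

    def __init__(self):
        self.assigned = {}

    def dad_probe(self, tentative):
        """Deliver one DAD Neighbor Solicitation. The source is the unspecified
        address (::) because the sender has no address yet; a host that already
        owns the target answers with a Neighbor Advertisement to all-nodes (ff02::1)."""
        ns = NdpMessage("NS", "::", str(solicited_node(tentative)), str(tentative))
        replies = []
        if str(tentative) in self.assigned:
            replies.append(NdpMessage("NA", str(tentative), "ff02::1", str(tentative)))
        return ns, replies


def run_dad(link, host, tentative, max_attempts=3, rng=random):
    """Run DAD for `host`: no reply makes the address preferred; an NA makes the host
    pick a fresh random IID (assumed retry policy) and probe again."""
    for _ in range(max_attempts):
        _ns, replies = link.dad_probe(tentative)
        if not replies:
            link.assigned[str(tentative)] = host
            return tentative
        new_iid = bytes(rng.getrandbits(8) for _ in range(8))
        tentative = ipaddress.IPv6Address(tentative.packed[:8] + new_iid)
    return None  # every attempt was answered: DAD failed, no address configured


if __name__ == "__main__":
    link = Link()
    a = autoconfigure("fe80::/64", "00:1c:42:2b:60:5a")  # constructed MAC
    print("Host A configured", run_dad(link, "A", a))
    # Host B with a cloned MAC collides on its first probe and retries with a random IID.
    print("Host B configured", run_dad(link, "B", a))
```

Running the block shows Host A obtaining fe80::21c:42ff:fe2b:605a unchallenged, while Host B, whose first probe is answered, ends up with a different address under the same /64 prefix.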

C. Denial of Service Attack on DAD Process
During the DAD operation, an attacker can deceive a victim host that is attempting to verify the uniqueness of its address in IPv6 link local communication by claiming that specific address and responding to every detection message. As a result, the victim host may be unable to configure its IP address; this type of attack is known as a DoS on DAD attack. During this attack, the attacker responds to every duplicate address detection attempt made by a newly joining host in IPv6 link local communication. As long as the attacker keeps claiming addresses, the other host(s) on the same link will never be able to configure an IP address [6]. Figure 4 illustrates the DoS on DAD attack.
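A defender's view of the attack pattern described in this subsection, as an added example that is not part of the paper or of the THC toolkit: in a capture, the signature of a DoS on DAD attack is a single link-layer address that answers DAD probes (Neighbor Solicitations sent from ::) for many different tentative addresses in quick succession, which a legitimate host never does because it only defends the addresses it owns. The Python below runs that heuristic over a constructed sample of NS/NA records of the kind a Wireshark export could provide; the `NdpRecord` and `find_dad_responders` names, the constructed MAC and IPv6 values, and the thresholds (`max_targets`, `window`, `reply_timeout`) are all assumptions of the example, not values from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NdpRecord:
    """One captured Neighbor Discovery message (fields a capture export would carry)."""
    ts: float        # capture time in seconds
    src_mac: str     # link-layer source
    src_ip: str      # IPv6 source ("::" for a DAD probe)
    kind: str        # "NS" (ICMPv6 type 135) or "NA" (ICMPv6 type 136)
    target: str      # Target Address field


def find_dad_responders(records, max_targets=2, window=10.0, reply_timeout=1.0):
    """Return {src_mac: [targets]} for link-layer addresses that answer DAD probes for
    more than `max_targets` distinct tentative addresses within `window` seconds.
    Thresholds are assumed values; tune them to the link's normal churn."""
    pending = {}                   # tentative target -> time of its DAD NS
    answered = defaultdict(dict)   # src_mac -> {target: time of the NA that defended it}
    for r in sorted(records, key=lambda rec: rec.ts):
        if r.kind == "NS" and r.src_ip == "::":
            pending[r.target] = r.ts
        elif (r.kind == "NA" and r.target in pending
              and r.ts - pending[r.target] <= reply_timeout):
            answered[r.src_mac][r.target] = r.ts
    suspects = {}
    for mac, by_target in answered.items():
        times = sorted(by_target.values())
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window > max_targets:
                suspects[mac] = sorted(by_target)
                break
    return suspects


# Constructed sample capture: two new hosts each probe twice, and one link-layer
# address answers every probe; a genuine owner defends a single colliding address.
SAMPLE = [
    NdpRecord(0.0, "00:1c:42:2b:60:5a", "::", "NS", "fe80::21c:42ff:fe2b:605a"),
    NdpRecord(0.1, "00:0c:29:aa:bb:cc", "fe80::21c:42ff:fe2b:605a", "NA", "fe80::21c:42ff:fe2b:605a"),
    NdpRecord(1.5, "00:1c:42:2b:60:5a", "::", "NS", "fe80::8d1:7c2e:91aa:4f03"),
    NdpRecord(1.6, "00:0c:29:aa:bb:cc", "fe80::8d1:7c2e:91aa:4f03", "NA", "fe80::8d1:7c2e:91aa:4f03"),
    NdpRecord(3.0, "08:00:27:13:37:01", "::", "NS", "fe80::a00:27ff:fe13:3701"),
    NdpRecord(3.1, "00:0c:29:aa:bb:cc", "fe80::a00:27ff:fe13:3701", "NA", "fe80::a00:27ff:fe13:3701"),
    NdpRecord(4.5, "08:00:27:13:37:01", "::", "NS", "fe80::c4f2:1d00:5b6e:2a19"),
    NdpRecord(4.6, "00:0c:29:aa:bb:cc", "fe80::c4f2:1d00:5b6e:2a19", "NA", "fe80::c4f2:1d00:5b6e:2a19"),
    # A real duplicate: the existing owner of one address defends it once.
    NdpRecord(5.9, "0a:00:27:00:00:05", "::", "NS", "fe80::250:56ff:fe11:2233"),
    NdpRecord(6.0, "00:50:56:11:22:33", "fe80::250:56ff:fe11:2233", "NA", "fe80::250:56ff:fe11:2233"),
    # An NA with no recent matching probe (e.g. an address change): ignored.
    NdpRecord(20.0, "00:0c:29:aa:bb:cc", "fe80::1", "NA", "fe80::1"),
]


def alerts(records=SAMPLE):
    """Suspected DoS-on-DAD responders in the sample capture."""
    return find_dad_responders(records)


if __name__ == "__main__":
    for mac, targets in alerts().items():
        print(f"{mac} defended {len(targets)} tentative addresses: {targets}")
```

Only the address that answered four different probes is reported; the host that defended its own address once stays below the threshold. In practice the same logic can be fed from a capture filtered on ICMPv6 types 135 and 136, and the reported MAC can be traced to a switch port.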

A. Assumptions
In order to design and implement the proposed testbed, the following assumptions have been made so that the experiments can be conducted successfully:
- The IPv6 local network comprises at least one gateway router, an Ethernet switch, a new host, existing hosts and an attacker host.
- IPv6 addresses in the local network are obtained through the SLAAC mechanism instead of from a DHCPv6 server.
- The number of attacker hosts in the IPv6 local network is less than the number of legitimate hosts.
Based on these assumptions, the hardware and software specifications required for the testbed setup environment are presented in Tables I and II, respectively.
The hardware and software specifications have been selected based on their availability and support for the IPv6 environment at the NAv6 research institute, so as to conduct the experiment successfully. The testbed setup environment comprises hosts (Host A, Host B, Host C and Host D) running Windows as well as Linux operating systems, so that the experiment can be run on both platforms to analyse the impact of the DoS-on-DAD attack, as the design and implementation of the IPv6 stack in these operating systems differ slightly [13]. The Hackers Choice (THC) IPv6 attacking toolkit [14] provides a set of tools that enable the user to explore weaknesses in existing IPv6 implementations. One of these tools, called dos-new-ip6, can be used to run the DoS attack on the DAD process in an IPv6 local link network. Kali is a Linux-based open source system with built-in support for the THC-IPv6 attacking toolkit; therefore, Kali has been used as the attacker PC to exploit the testbed setup environment.
In order to monitor and capture the network traffic, the Wireshark [15,16] network analyser tool has been used to analyse the captured traffic. A Cisco C7200 router has been used as the gateway router for the network, and a Cisco Catalyst 2960 Fast Ethernet switch has been used to connect all the hosts in the IPv6 link local network. Figure 5 depicts the testbed setup environment.

B. Scenario Based Testbed Setup
Based on the deployed IPv6 testbed setup environment, two experimental scenarios have been conducted: a Normal Scenario and an Attacking Scenario.
- Normal Scenario: In the normal scenario, the default DAD process during address autoconfiguration in IPv6 link local communication has been analysed by capturing the ICMPv6 message types RS, RA, NS and NA in the Wireshark network analyser tool, as shown in Figure 6. In order to investigate the DAD process on various platforms, the address autoconfiguration process has been performed on hosts with different operating systems, namely Windows (Win7, Win Vista) and Linux (Ubuntu, Fedora), on the deployed IPv6 testbed setup. After a successful DAD process, the hosts are able to configure their preferred IPv6 link local addresses. Figure 7 depicts a Windows host after configuring its IPv6 link local address, and Figure 8 shows that a Linux based host has configured its link local address after a successful DAD process.
- Attacking Scenario: In the attacking scenario, a DoS-on-DAD attack attempt during address autoconfiguration in IPv6 link local communication has been examined by capturing the ICMPv6 message types RS, RA, NS and NA in the Wireshark network analyser tool, as shown in Figure 9. In order to test this scenario, Kali has been used as the attacker PC to run the DoS on DAD attack with the help of the THC-IPv6 attacking toolkit during the address autoconfiguration process in the IPv6 link local network. During the attack, it has been observed that the Windows-based hosts, Host A and Host B, are unable to configure IPv6 link local addresses, as depicted in Figure 10. Likewise, the Linux hosts, Host C and Host D, are able to generate a tentative IP address but fail to complete the DAD process. Owing to the DAD process failure, the hosts are unable to verify the uniqueness of the generated (tentative) IP address. Since only a preferred IP address obtained after a successful DAD process allows a host to communicate with other neighboring hosts within the same link, the new hosts cannot communicate with the existing hosts in the IPv6 link local network, as shown in Figure 11.

V. TESTBED OUTCOME
In this study, the dos-new-ip6 attacking tool was used to examine the impact of a DoS attack during the DAD process on Windows and Linux based hosts in the deployed IPv6 testbed setup environment, as depicted in Figure 12. The attacker prevents the IPv6 hosts from obtaining preferred IP addresses by causing DAD process failure; as a result, the new hosts are unable to communicate with their neighboring hosts on the same link. Figures 14 and 15 depict the outcome of the experiment conducted on the Windows and Linux OS platforms respectively.

VI. CONCLUSION AND FUTURE WORK
The purpose of this paper was to analyse the impact of the DoS on DAD attack and its outcome. To this end, an IPv6 testbed has been designed and implemented to carry out the attack on multiple OS platforms. The testbed outcome has shown that during a DoS-on-DAD attack IPv6 hosts are unable to obtain IPv6 addresses because the DAD process fails. Existing mechanisms and approaches address this issue to some extent but have drawbacks in terms of efficiency and complexity. Thus, a more effective security mechanism is required to secure the DAD process during address autoconfiguration in IPv6 link local networks. Our future work will therefore be to propose a security mechanism which ensures a secure DAD process during address autoconfiguration in IPv6 link local communication by preventing denial of service (DoS) attacks with reduced overhead.

Figure and table captions (figures and tables not reproduced):
Fig. 4. Denial of service attack on DAD process
Fig. 6. ICMPv6 packets traffic analysis
Fig. 8. Snapshot of Linux host address autoconfiguration
Fig. 10. Host unable to configure IPv6 link local address
Fig. 11. Snapshot of DAD process failure
Fig. 13. Snapshot of DoS-on-DAD attack
TABLE I. Details on hardware required for the experiments
TABLE II. Details on software required for the experiments