Novel Mechanism to Prevent Denial of Service (DoS) Attacks in IPv6 Duplicate Address Detection Process

Abstract

Most IPv6 security issues are still the same as IPv4; IPv6 has its own unique design characteristics that have additional impact to system and network security, as well as the potential impact on policies and procedures. Address autoconfiguration is a key feature of the IPv6 protocol stack that allow hosts to generate own addresses using a confluence of information from other hosts and information from router advertisement. Duplicate Address Detection (DAD) is a process that is part of address autoconfiguration that is used to check if the addresses generated has already been configured. Nevertheless, the design of DAD process is vulnerable to Denial of Service (DoS) attack leaving hosts unconfigured. For example, any host can reply to Neighbor Solicitations (NS) for a temporary address, causing the other host to consider it as a duplicate and eventually reject the address. Various mechanisms such as SeND and SAVI has been introduced to address such attacks, but these techniques were not very effective as there were still possibilities of DoS attacks to be carried out. As such, a new mechanism is needed to more effectively prevent DoS attacks on DAD process. In this paper, we present a detailed design and development of a novel mechanism that can address the shortfalls of existing prevention techniques.