Optimized Duplicate Address Detection for the Prevention of Denial-of-Service Attacks in IPv6 Network

Abstract

In constrained IoT networks, Stateless Address Autoconfiguration (SLAAC) utilizes the Duplicate Address Detection (DAD) protocol to ensure the uniqueness of IPv6 addresses. However, the DAD employed in SLAAC is susceptible to various security vulnerabilities, including issues related to confidentiality, conflicting addresses, and spoofing attacks. Malicious nodes can exploit these weaknesses to perform Denial of Service (DoS) attacks by consistently claiming a tentative address, joining with conflicting address, or disclosing assigned address. Existing measures against DAD attacks have limitations, e.g. high computation, communication overhead, energy consumption, and major protocol modification. To address these challenges, this paper presents an innovative Optimized DAD (O-DAD) that is robust, scalable, and compliant with standard specifications. In O-DAD, the uniqueness of tentative IPv6 addresses is ensured in a way that neither new nor existing nodes have knowledge of each other's exact assigned addresses. O-DAD also hampers the ability of malicious nodes to spoof new/existing nodes. Experimental results demonstrate that the proposed solution effectively mitigates these attacks and exhibits superior performance in terms of Address Success Ratio (ASR), computational complexity, overhead, and energy consumption. When compared to Secure, Improved, and Standard DAD, the proposed scheme reduces overhead and energy by approximately 6%, 8%, and 15%, respectively.