Publications (4)
Conference Paper: Host based IDS for NDP related attacks: NS and NA Spoofing
ABSTRACT: To accommodate more hosts in the network, IP Version 6 (IPv6) is used. It also allows flexibility in allocating addresses and efficient routing for internet traffic using Stateless Autoconfiguration method (SLAAC) and Neighbor Discovery Protocol (NDP). Although efficient, NDP and SLAAC represent a significant security risk in IPv6. IPSec, which is mandated by the IPv6 specifications for security, is not suited to easily secure IPv6 messages because of the need to manually configure the IPSec keys. Without IPSec protection, IPv6 messages can be easily spoofed. In this paper we propose a host-based IDS using an active detection technique for IPv6 (NDP). In this scheme we verify any change made in the host cache using either data tables (passive) or by sending active probes in real time. The scheme is successfully validated in a test bed with various attack scenarios and the results show the effectiveness of the proposed technique.
ABSTRACT: Internet Protocol version 6 (IPv6) uses Network Discovery Protocol (NDP) to find the Media Access Control (MAC) address to communicate with hosts in a LAN. Like its predecessor, Address Resolution Protocol (ARP) in IPv4, NDP is stateless and lacks authentication by default. The traditional spoofing attacks for exploiting the IP to MAC resolution using ARP in IPv4 are also relevant in NDP. By using spoofed MAC addresses, a malicious host can also launch Denial-of-Service (DoS), Man-in-the-Middle (MiTM) attacks, etc. in an IPv6 network. Although there are various detection/prevention mechanisms available for IPv4, many of them are not yet implemented in IPv6 as the protocol is relatively new and slowly coming into use. A few mechanisms have been proposed for detection/prevention of these attacks in IPv6, but they are either non-scalable or computationally expensive, or require management of cryptographic keys or a change in the protocol itself. In this paper, we propose an active detection mechanism for NDP based attacks in IPv6 networks to overcome these problems. Experimental results illustrate the efficacy and performance of the scheme.
Conference Paper: Detection of NDP based attacks using MLD
ABSTRACT: Neighbor Discovery Protocol (NDP) is one of the core protocols in IPv6 networks. It provides facilities like Stateless Address Autoconfiguration (SLAAC), Neighbor Unreachability Detection (NUD), address resolution (similar to ARP in IPv4), etc. Due to the lack of authorization in NDP messages, many attacks like Neighbor Solicitation (NS) spoofing, Neighbor Advertisement (NA) spoofing, Man-in-the-Middle (MiTM), Denial-of-Service (DoS), etc. are possible. The attack detection mechanism proposed in this paper is based on two different schemes: a passive monitoring scheme and an active detection mechanism using probing. In the proposed scheme, we build the state of the network using Multicast Listener Discovery (MLD) queries and validate captured packets against this state. This allows us to detect attacks almost instantaneously and reduce the network traffic induced by the IDS compared to the Active Probing scheme, while retaining its high detection rate.
ABSTRACT: The function of Address Resolution Protocol (ARP) is critical in local area networking as well as for routing Internet traffic across gateways. ARP, being a stateless protocol, is prone to various attacks such as ARP spoofing, ARP flooding and ARP poisoning. This work discusses an efficient, scalable implementation of an Intrusion Detection System (IDS) with active detection, to detect ARP spoofing, flooding and related attacks like Man-in-the-Middle (MiTM) and Denial-of-Service (DoS), etc.
Indian Institute of Technology Guwahati
Gauhāti, Assam, India
- Department of Computer Science and Engineering