
    Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery


    An Analysis of Selected IPv6 Network Attacks

    This master's thesis analyses and demonstrates selected IPv6 attacks: two Man-in-the-Middle attacks and one Denial of Service attack, namely Rogue Router Advertisement, Neighbor Cache Poisoning and Duplicate Address Detection DoS, respectively. In the first part the author presents the background information needed to understand the problem and then gives a detailed description of how these attacks are carried out in practice using publicly available tools. The second part of the thesis outlines ways of mitigating the presented attacks, analyses the implementation of some of those countermeasures on Cisco and H3C devices and discusses their applicability.

    A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks

    A router advertisement (RA) flooding attack aims to exhaust the resources, such as CPU and memory, of all nodes attached to routers on the same link. This study proposes a biologically inspired, machine-learning-based approach to detect RA flooding attacks. The proposed technique uses information gain ratio (IGR) and principal component analysis (PCA) for feature selection and a support vector machine (SVM)-based predictor model, which can also detect anomalies in the input traffic. A real benchmark dataset obtained from the National Advanced IPv6 Center of Excellence laboratory is used to evaluate the proposed technique. The evaluation consists of two experiments. The first investigates the effect of the IGR and PCA feature selection methods in identifying the features that contribute most to the SVM training model. The second evaluates the capability of the SVM to detect RA flooding attacks. The results show that the proposed technique achieves excellent detection accuracy and is thus an effective choice for detecting RA flooding attacks. The main contribution of this study is the identification of a set of new features related to RA flooding attacks, obtained using the IGR and PCA algorithms. The proposed technique can effectively detect the presence of an RA flooding attack in an IPv6 network.

    IPv4 to IPv6 transition: security challenges

    Integrated master's thesis. Informatics and Computing Engineering. Faculty of Engineering. University of Porto. 201

    Addressless: A New Internet Server Model to Prevent Network Scanning

    Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible; however, with recent advances in IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named the addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of a single IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client reaches the main server on a destination address that differs in each connection. In this way, the model isolates the main server, prevents network scanning, and minimizes exposure. Moreover, it provides a novel framework that supports flexible load balancing, high availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype, and experiments show that our model can prevent the main server from being scanned at a slight performance cost.

    Security analysis of computer networks based on modelling of attacks over the IPv6 protocol

    The security problem of the IPv6 network protocol is examined, and the main vulnerabilities of this protocol on Cisco and Aruba equipment are shown, together with their advantages and disadvantages. The aim of the study is to build a test laboratory, analyse the security level of the protocol on network equipment from two well-known vendors, and determine the security level of the network. A test network laboratory was emulated that makes it possible to carry out a series of attacks over IPv6, namely: reconnaissance in an IPv6 network, a Smurf attack, an extension-header stack, RA message spoofing, NA message spoofing, DHCPv6 server spoofing and tunnel intrusion. The test laboratory can be used by Cisco and Aruba developers to eliminate vulnerabilities in network equipment. It makes it possible to prevent attacks on the network by adding an intrusion detection system. During testing, vulnerabilities in the equipment of both vendors were found during IPv6 network reconnaissance, extension-header stacks and tunnel intrusion. Implementing standard security measures does not always prevent the attacks considered and, moreover, can interfere with the passage of client traffic, which significantly affects the quality of service for the network's end users. In the security level analysis, the network segments correspond to a medium security level. The explanatory note is 105 pages long and contains 34 illustrations, 26 tables and 6 appendices.

    NAT64/DNS64 in the Networks with DNSSEC

    The rising number of DNS-over-HTTPS capable resolvers and applications results in the higher use of third-party DNS resolvers by clients. Because of that, the currently most deployed method of NAT64 prefix detection, RFC 7050 [1], fails to detect the NAT64 prefix. As a result, clients using either the NAT64/DNS64 or the 464XLAT transition mechanism fail to detect the NAT64 prefix properly, making IPv4-only resources inaccessible. The aim of this thesis is to develop a new DNS-based detection method that works with third-party DNS resolvers and utilizes the added security of the DNS security extensions, DNSSEC. The thesis describes the currently standardized methods of NAT64 prefix detection, their underlying protocols, their limitations, and their interaction with other methods. The developed method uses the SRV record type to transmit the NAT64 prefix in the global DNS tree. Because the proposed method uses already standardized protocols and record types, it is easily deployable without any modification of the DNS server or the network infrastructure. Because the method distributes the prefix information through the global DNS tree, it can utilize the security provided by DNSSEC and therefore shows better security characteristics than previous methods. This thesis forms the basis for a standardization effort in the IETF.

    Adaptive Response System for Distributed Denial-of-Service Attacks

    The continued prevalence and severe damaging effects of Distributed Denial of Service (DDoS) attacks in today's Internet raise growing security concerns and call for an immediate response to come up with better solutions to tackle DDoS attacks. Current DDoS prevention mechanisms are usually inflexible, and determined attackers with knowledge of these mechanisms can work around them. Most existing detection and response mechanisms are standalone systems which do not rely on adaptive updates to mitigate attacks. As different responses vary in their "leniency" in treating detected attack traffic, there is a need for an Adaptive Response System. We designed and implemented our DDoS Adaptive ResponsE (DARE) System, a distributed DDoS mitigation system capable of executing appropriate detection and mitigation responses automatically and adaptively according to the attacks. It supports easy integration of both signature-based and anomaly-based detection modules. Additionally, the design of DARE's individual components takes into consideration the strengths and weaknesses of existing defence mechanisms, and the characteristics and possible future mutations of DDoS attacks. These components consist of an Enhanced TCP SYN Attack Detector and Bloom-based Filter, a DDoS Flooding Attack Detector and Flow Identifier, and a Non Intrusive IP Traceback mechanism. The components work together interactively to adapt the detections and responses in accordance with the attack types. Experiments conducted on DARE show that attack detection and mitigation are successfully completed within seconds, with about 60% to 86% of the attack traffic being dropped, while availability for legitimate and new legitimate requests is maintained. DARE is able to detect and trigger appropriate responses in accordance with the attacks being launched with high accuracy, effectiveness and efficiency.
    We also designed and implemented a Traffic Redirection Attack Protection System (TRAPS), a stand-alone DDoS attack detection and mitigation system for IPv6 networks. In TRAPS, the victim under attack verifies the authenticity of the source by performing virtual relocations to differentiate the legitimate traffic from the attack traffic. TRAPS requires minimal deployment effort and does not require modifications to the Internet infrastructure because it builds on the Mobile IPv6 protocol. Experiments to test the feasibility of TRAPS were carried out in a testbed environment to verify that it would work with the existing Mobile IPv6 implementation. It was observed that the operations of each module were functioning correctly and that TRAPS was able to successfully mitigate an attack launched with spoofed source IP addresses.

    Tragedy of the routing table: An analysis of collective action amongst Internet network operators

    S.M. thesis. This thesis analyzes and discusses the effectiveness of social efforts to achieve collective action amongst Internet network operators in order to manage the growth of the Internet routing table. The size and rate of growth of the Internet routing table is an acknowledged challenge impeding the scalability of our BGP interdomain routing architecture. While most of the work towards a solution to this problem has focused on architectural improvements, an effort launched in the 1990s called the CIDR Report attempts to incentivize route aggregation using social forces and norms in the Internet operator community. This thesis analyzes the behavior of Internet network operators in response to the CIDR Report from 1997 to 2011 to determine whether the Report was effective in achieving this goal. While it is difficult to causally attribute aggregation behavior to appearance on the CIDR Report, there is a trend for networks to improve their prefix aggregation following an appearance on the CIDR Report compared to untreated networks. This suggests that the CIDR Report did affect network aggregation behavior, although the routing table continued to grow. This aggregation improvement is most prevalent early in the study period and becomes less apparent as time goes on. Potential causes of the apparent change in efficacy of the Report are discussed and examined using Ostrom's Common Pool Resource framework. The thesis then concludes with a discussion of options for mitigating routing table growth, including the continued use of community forces to better manage the Internet routing table.

    Analysis, design and experimental evaluation of connectivity management in heterogeneous wireless environments

    International Mention in the doctoral degree. The future of network communications is mobile, as many more users demand ubiquitous connectivity. Wireless has become the primary access technology, or even the only one, leading to an explosion in traffic demand. This challenges network providers to manage and configure new requirements without increasing costs by the same amount. In addition to the growth in the use of mobile devices, there is a need to operate different access technologies simultaneously. Likewise, the great diversity of applications and the capabilities of mobile terminals make it possible for us to live in a hyper-connected world and offer new scenarios. This heterogeneity poses great challenges that need to be addressed to offer better performance and a seamless experience to the final user. We need to orchestrate solutions that increase flexibility and enable interoperability. Connectivity management is handled from different angles. In the network stack, mobility is more easily handled by IP mobility protocols, since IP is the common layer between the different access technologies and the diversity of applications. From the end-user perspective, the connection manager is in charge of handling connectivity issues in mobile devices, but it is an unstandardized entity, so its performance is heavily implementation-dependent. In this thesis we explore connectivity management from different angles. We study mobility protocols, as they are part of our proposed solutions. In most cases we include an experimental evaluation of performance with 3G and IEEE 802.11 as the main technologies. We consider heterogeneous scenarios with several access technologies, where mobile devices also have several network interfaces. We evaluate how connectivity is handled as well as its influence on a handover. Based on the analysis of real traces from a cellular network, we confirm the suitability of more efficient mobility management.
    Moreover, we propose and evaluate three different solutions for providing mobility support in three different heterogeneous scenarios. We perform an experimental evaluation of a vehicular route optimization for network mobility, reporting on the challenges and lessons learned in such a complicated networking environment. We propose an architecture for supporting mobility and enhancing handover in a passive optical network deployment. In addition, we design and deploy a mechanism for mobility management based on software-defined networking. Official Doctoral Programme in Telematic Engineering. Chair: Arturo Azcorra Saloña. Secretary: Ramón Agüero Calvo. Member: Daniel Nunes Coruj