ABSTRACT
With the increase in the number of hosts on the Internet, there is also a rise in the demand for IP address space. To cater to this issue, IP version 6 (IPv6) succeeded IPv4. Compared to the 32 bit IP address space of IPv4, an IP address in IPv6 is composed of 128 bits. In IPv4, when a host wants to communicate with another host in a LAN, it needs to know the MAC address of the target host, which was possible through the Address Resolution Protocol (ARP). As ARP is stateless and lacks authorization of its messages, many attacks like request spoofing, response spoofing, Man-in-the-Middle (MiTM), Denial-of-Service (DoS) etc. are possible. IPv6 uses the Network Discovery Protocol (NDP) to find the MAC address. NDP is also stateless and lacks authentication of its messages by default, so NDP also suffers from many attacks similar to those on ARP, namely neighbor solicitation spoofing, neighbor advertisement spoofing, router solicitation spoofing, router advertisement spoofing, neighbor unreachability detection attack etc. Although there are various attack detection and prevention mechanisms available for ARP attacks, they are not yet implemented for NDP (IPv6). In this paper we propose an attack detection mechanism for neighbor solicitation spoofing and neighbor advertisement spoofing.

Keywords
IPv6 Security, Network Discovery Protocol, Neighbor spoofing, Attack detection

1. INTRODUCTION
With the rapid growth of the Internet, demand for more space in the Internet Protocol (IP) address range arose. In the traditional IP Version 4 (IPv4), an IP address comprises 32 bits, thereby supporting an address space of O(2^32). IP version 6 (IPv6), where the IP address is composed of 128 bits, succeeded IPv4, primarily to solve the address scarcity problem. This expansion, apart from allowing many more devices and users on the Internet, also provides many extra features like flexibility in allocating addresses, efficiency in routing traffic [16] etc.

IPv6 uses two addressing schemes, one for local communication on the link (called the link local address) and the other for communication outside the link (called the global address). The IPv6 subnet size has been standardized by fixing the size of the host identifier at 64 bits, to facilitate an automatic mechanism for generating the host identifier from the MAC address. The link local address is 128 bits long and is generated as follows. The lower order 64 bits of the link local address are obtained by inserting a fixed value of 0xFFFE (comprising 16 bits) in the middle (i.e., 25th to 41st position) of the 48 bit MAC address of the host and changing the 7th bit of the MAC from 0 to 1; these 64 bits are called the interface identifier. The higher order 64 bits of the link local address are a fixed value of 0xFF80:0000:0000:0000. The link local address identifies a host on the link and can be used to communicate with other hosts within the link. The lower order 64 bits of the global address of a host are the same as the lower order 64 bits of its link local address. The higher order 64 bits are obtained from an incoming Router Advertisement (which is a message in IPv6, to be elaborated later).

When a host wants to communicate with another host, it needs to know the MAC address of the target host. In IPv4, ARP (Address Resolution Protocol) is used for finding the MAC address given the IP address. As ARP is stateless and lacks authorization of its messages, many attacks like Man-in-the-Middle (MiTM), Denial-of-Service (DoS) etc. begin with the exploitation of this essential protocol of IPv4 [9]. There are a number of passive solutions proposed in the literature to detect, mitigate and prevent such attacks, namely static IP-MAC assignment [10], use of hardware [12] and software to monitor changes in IP-MAC pairs [5, 4, 7], signature-based intrusion detection systems [1] etc. The main drawbacks of these passive schemes are lack of dynamism, poor scalability and false alarms. Attempts to eliminate such drawbacks have been made in some active techniques for detecting ARP attacks [15, 9, 17], where the IDS actively sends probe packets to hosts in the LAN in addition to its observations (like changes of IP-MAC pairs). Details of ARP attack detection techniques and the issues therein can be found in [9].

IPv6 uses the Network Discovery Protocol (NDP) to find the MAC address. The traditional attacks exploiting ARP are also relevant to NDP, as it is also stateless and lacks authentication of its messages by default. Neighbor solicitation spoofing, neighbor advertisement spoofing, router solicitation spoofing, router advertisement spoofing, neighbor unreachability detection attack etc. are some examples of NDP related attacks. Although there are various attack detection and prevention mechanisms available for ARP attacks (in IPv4, discussed above), they are not yet implemented for NDP (IPv6), as the protocol is relatively new and slowly coming into use. A few mechanisms have been proposed for detection / prevention of these attacks, but they are either computationally expensive, require management of cryptographic keys, or involve changes in NDP itself. In this paper we propose an attack detection mechanism for two IPv6 NDP related attacks, namely neighbor solicitation spoofing and neighbor advertisement spoofing. These spoofing attacks may lead to other attacks, namely Man in the middle (MiTM) and Denial of Service (DoS), which are also detected by the proposed scheme.
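As an added illustration of the interface identifier construction described in the introduction (example code written for this edit, not from the paper), the following Python derives the lower 64 bits from a MAC address, joins them to a /64 prefix, and reverses the mapping. It uses the link-local prefix fe80::/64 defined in RFC 4291 as its default; the MAC and prefix values it is exercised with are constructed. The last function goes one step beyond the paper's text: it cross-checks a claimed source address against the link-layer source MAC, which is only possible for SLAAC-derived addresses that still embed the MAC.

```python
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = "fe80::"   # higher-order 64 bits of every link-local address (RFC 4291)


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC: the 16-bit constant
    0xFFFE is inserted between the OUI and the NIC half, and the universal/local
    bit (the 0x02 bit of the first octet) is inverted, so a manufacturer-assigned
    MAC has that bit changed from 0 to 1 exactly as the introduction describes."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(mac: str, prefix: str = LINK_LOCAL_PREFIX) -> str:
    """Join a /64 prefix with the identifier derived from mac. With the default
    prefix this is the link-local address; a global address keeps the same lower
    64 bits under the prefix learnt from a Router Advertisement."""
    net = ipaddress.IPv6Network(f"{prefix}/64", strict=False)
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def iid_to_mac(address: str) -> Optional[str]:
    """Recover the MAC from a SLAAC address, or None when the lower 64 bits do not
    carry the 0xFFFE marker (privacy extensions, static or DHCPv6 addresses)."""
    low = ipaddress.IPv6Address(address).packed[8:]
    if low[3:5] != b"\xff\xfe":
        return None
    raw = bytes([low[0] ^ 0x02]) + low[1:3] + low[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def mac_consistent_with_address(mac: str, address: str) -> bool:
    """Cross-check of a claimed source IPv6/MAC pair (an addition beyond the paper's
    malformed test): for a SLAAC address the MAC embedded in the identifier must
    equal the link-layer source MAC. Addresses without the marker cannot be checked."""
    embedded = iid_to_mac(address)
    return embedded is not None and embedded == mac.lower().replace("-", ":")
```

For the constructed MAC 00:1a:2b:3c:4d:5e the identifier is 021a:2bff:fe3c:4d5e and the link-local address fe80::21a:2bff:fe3c:4d5e; a host using privacy or static addresses yields None from iid_to_mac, so the consistency check returns False for it rather than raising a false alarm.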
Neighbor Discovery Protocol Monitor (NDPmon) [14]: It is a tool that observes NS/NA packets in the local network to see if there are changes in IP-MAC pairings; on detection of changes it notifies the administrator by writing to the syslog. The problem with this approach is that if the first packet sent already has a spoofed MAC address, then the whole system fails. Further, any genuine change in an IP-MAC pair will be discarded.

So, from the review, it may be stated that an NDP attack prevention/detection scheme needs to have the following features:

• Should not modify the standard NDP or violate the layering architecture of the network

• Should not require patching or installation of extra software on all systems

In this paper we propose a mechanism (i.e., an Intrusion Detection System (IDS)) for detecting two NDP related attacks, namely NS spoofing and NA spoofing. The technique involves installation of the IDS on just one system in the network and does not require changes in the standard NDP protocol. Further, the IDS also detects MiTM and DoS attacks generated by NA/NS spoofing.

4. PROPOSED SCHEME

This section focuses on the proposed Intrusion Detection System (IDS) for detecting NS/NA spoofing attacks.

4.1 Assumptions
The proposed model relies on the following assumptions regarding the IPv6 LAN.

1. All nodes are IPv6 configured using the Stateless Address Autoconfiguration (SLAAC) mechanism or have been assigned a static IP. The router has a static IPv6 address and sends out the various network parameters required by hosts on the network for autoconfiguration.

2. Genuine non-compromised nodes on the link which are expected to reply to a Neighbor Solicitation message (either unicast or multicast) must do so within a specific time interval Treq.

3. The IDS is a trusted machine with a static IP-MAC binding. It has two network interfaces dedicated to their respective purposes; one is responsible for collecting network data in the LAN through port mirroring and the other is used exclusively for handling NS/RS or NA/RA probe requests/replies.

1. Neighbor Solicitation Table (NST):
Purpose: Whenever a neighbor solicitation message is sent, it is recorded in the solicitation table NST.
Components (Rows): NST_IPS, source IP of the solicitation message; NST_MACS, source MAC of the solicitation message; NST_IPD, destination IP of the solicitation message; and timestamp NST_τ.

2. Neighbor Advertisement table (NAT):
Purpose: This table records neighbor advertisement messages sent by nodes in the network.
Components: NAT_IPS, source IP of the advertisement message; NAT_MACS, source MAC of the advertisement message; NAT_IPD, destination IP of the advertisement message; NAT_MACD, destination MAC of the advertisement message; and timestamp NAT_τ.

3. Probe table (PRB):
Purpose: For the verification of an IP-MAC pair, our IDS sends out a Neighbor Solicitation probe packet and its response (a neighbor advertisement) is verified. This process is initiated to inspect suspicious Neighbor Solicitation and advertisement messages. The probe table stores information about the probe packets sent out by the IDS.
Components: PRB_IP, the IP address for which the verification message is sent; PRB_MAC, the MAC address for which the verification message is sent.

4. Authenticated bindings table (AUTH):
Purpose: This table records IP-MAC bindings which have been found to be authentic by the verification mechanism of the IDS.
Components: AUTH_IP and AUTH_MAC, the IP-MAC pair verified to be genuine.

5. Log table (LOG):
Purpose: Whenever a spoofing is detected, the parameters are recorded here along with the timestamp.
Components: LOG_IPS, source IP of the advertisement message; LOG_MACS, source MAC of the advertisement message; LOG_IPD, destination IP of the advertisement message; LOG_MACD, destination MAC of the advertisement message; and timestamp LOG_τ.

6. Unsolicited advertisement table (USAT):
Purpose: This table stores information about the number of neighbor advertisements sent by a node within a specified time interval δ for which no neighbor solicitation exists. Malicious neighbor solicitation messages (those which are neither in the Log table nor in the Authenticated table) are also stored in this table.
Components:
USAT_IPD, destination IP of the advertisement message, and timestamp USAT_τ.

Although NAs are normally sent in response to NSs, there are exceptions. For example, NAs are unsolicited when sent in order to propagate new information like a change in a node's MAC or IP address, or at the time a node joins a network. Such NAs are handled separately and are not included in the Unsolicited Advertisement table.

4.3 Algorithm and detection modules
The proposed scheme is based on two main modules, NS-Handler() and NA-Handler(). These are elaborated in Algorithm 1 and Algorithm 2, respectively. Algorithm 1 handles Neighbor Solicitation (NS) messages and Algorithm 2 deals with Neighbor Advertisement (NA) messages. The flow chart in Figure 1 illustrates the basic working of Algorithm 1.

Algorithm 1:
For any NS packet (NSP) it first checks whether the packet is malformed, i.e., whether there are any changes in the immutable fields of the packet header or inconsistent MAC addresses in the ICMPv6 header and the IPv6 header. A status flag is set accordingly to reflect this inconsistency and the algorithm terminates there. The algorithm also skips packets originating from the IDS, as we assume the IP-MAC pairing of the IDS is already verified. In all other cases, the NS request is added to the Solicitation table and further processing of the packet is done as per the algorithm.

Next the NS packet (NSP) is searched for in the Authenticated bindings table (AUTH). If a match is found, the packet has a genuine IP-MAC pair which is already recorded in the Authenticated bindings table. In case of a mismatch in the MAC address, the packet is spoofed with an incorrect MAC address and hence the status flag is set to spoofed. The details of this spoofed packet are recorded in the Log table. If neither of the above cases occurs, the packet is sent to the verification module, which sends out probe packets to verify the genuineness of the packet.

Algorithm 1 NS handler algorithm.
Input: NSP - Neighbor Solicitation packet, τ: time when this packet was received.
Output: status of the packet.

if NSP is malformed then
    status ← malformed
else if NSP_IPS = IP(IDS) and NSP_MACS = MAC(IDS) then
    Exit
else if NSP_IPS == :: (unspecified address) then
    status ← unspecified
    Exit
else
    Add NSP_IPS, NSP_MACS, NSP_IPD and τ to the Solicitation table (NST)
    if NSP_IPS is found in an AUTH table (i.e., at least one of the AUTH tables present in the window has this entry) then
        if NSP_MACS also matches then
            status ← genuine
        else
            status ← spoofed
            Add NSP_IPS, NSP_MACS, NSP_IPD, NULL, τ to Log table
        end if
    else
        VERIFY_IP-MAC(NSP, τ)
    end if
end if

Algorithm 2:
Algorithm 2 is the NA handler. The flow chart in Figure 2 illustrates the basic working of Algorithm 2. As before, for any NA message the algorithm first checks whether the packet is malformed; if so, the packet is discarded and a status flag is set accordingly. Otherwise the packet details are recorded in the Neighbor Advertisement table (NAT). Next our algorithm checks whether this packet is in response to some NS probe sent by the VERIFY_IP-MAC() module of the IDS. This can be identified by the fact that for such packets NAP_IPD == IP(IDS) and there exists a probe message entry corresponding to that packet in the probe table (PRB). For such packets, this algorithm terminates.

If none of the above cases holds, then the advertisement packet is checked for a corresponding neighbor solicitation (NS) in the solicitation table (NST). If a corresponding match is found, then this packet is searched for in the Authenticated bindings table (AUTH). If an entry corresponding to this packet is found, then the advertisement packet has a genuine IP-MAC binding. In case of a mismatch in the MAC address, i.e., NA_MACS ≠ AUTH_MACS[i] (for some i ∈ N), the packet is marked spoofed and recorded in the log table LOG. If the advertisement packet's entry is not available in any Authenticated table, then an NS probe is sent by the VERIFY_IP-MAC() module. If there is no NS packet entry in the Solicitation table (NST) for the received advertisement packet, then this advertisement packet is an unsolicited advertisement packet. Note that this means there is no corresponding NS packet in the NST table, though it is possible that the solicited flag in the ICMPv6 header of the packet was set to 1 by the attacker. In this case the UNSOLICITED_ADVT_HANDLER() module is called by the algorithm with the destination IP NA_IPD and the timestamp τ as parameters. An entry is also created in the Log table LOG for this packet.

Algorithm 2 NA handler algorithm.
Input: NAP - Neighbor advertisement packet, τ: time when this packet was received.
Output: Status of the packet.

if NAP is malformed then
    status ← malformed
else
    Add NAP_IPS, NAP_MACS, NAP_IPD and τ to the advertisement table (NAT)
    if NAP_IPD == IP(IDS) & NAP_IPS is present in some probe table (i.e., this packet is in response to some probe packet sent by the IDS) then
        Exit
    else
        if NAP_IPS == NSP_IPD for some NSP present in the NST table (i.e., this NAP is in response to a neighbor solicitation sent by some host) then
            if NAP_IPS is found in some authenticated table then
                if NAP_MACS also matches then
                    status ← genuine
                else
                    status ← spoofed
                    Add NAP_IPS, NAP_MACS, NAP_IPD, NAP_MACD, τ to Log table
                end if
            else
                VERIFY_IP-MAC(NAP, τ)
            end if
        else
            Add NAP_IPS, NAP_MACS, NAP_IPD, NAP_MACD, τ to Log table
            UNSOLICITED_ADVT_HANDLER(NAP_IPD, τ)
        end if
    end if
end if

The main modules discussed in Algorithm 1 and Algorithm 2 are assisted by sub-modules, namely VERIFY_IP-MAC(), RESPONSE_ANALYSER() and UNSOLICITED_ADVT_HANDLER(). Now we discuss these modules in detail.
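The following Python is an added, in-memory model of Algorithm 1, Algorithm 2, the VERIFY_IP-MAC() probe step, RESPONSE_ANALYSER() and the LOG′ MiTM test that appears later in this section; it is not the paper's C++/MySQL implementation. The tables are plain lists and dicts, hosts are named IP_A/MAC_A and so on, and the packet sequence is constructed to follow the paper's worked example (A is genuine, attacker D claims C's address towards A), extended with a reverse spoof so the MiTM test fires. The values of Treq and T_MiTM, the behaviour of unsolicited advertisements (the paper does not print UNSOLICITED_ADVT_HANDLER()) and the point at which the MiTM test runs are assumptions.

```python
from dataclasses import dataclass, field

T_REQ = 1.0    # Treq: window in which genuine hosts answer a probe NS (assumed value)
T_MITM = 10.0  # T_MiTM: window in which two reverse spoofs count as a MiTM (assumed value)
IDS_IP, IDS_MAC = "IP_E", "MAC_E"  # the IDS (node E) has a static, trusted binding

@dataclass
class Pkt:
    ips: str             # source IP
    macs: str            # source MAC
    ipd: str             # destination IP
    macd: str            # destination MAC ("MAC_?" when an NS is asking for it)
    t: float             # tau, time of reception
    malformed: bool = False

@dataclass
class Ids:
    nst: list = field(default_factory=list)    # NST: (IPS, MACS, IPD, tau)
    nat: list = field(default_factory=list)    # NAT: (IPS, MACS, IPD, MACD, tau)
    prb: list = field(default_factory=list)    # PRB: (IP, MAC) pairs under verification
    auth: dict = field(default_factory=dict)   # AUTH: IP -> MAC verified as genuine
    log: list = field(default_factory=list)    # LOG: (IPS, MACS, IPD, MACD, tau, reason)
    probes: list = field(default_factory=list) # NS probes the IDS would inject

    def verify_ip_mac(self, p):
        """VERIFY_IP-MAC(): record the claimed pair in PRB and probe p.ips with an NS."""
        self.prb.append((p.ips, p.macs))
        self.probes.append(Pkt(IDS_IP, IDS_MAC, p.ips, "MAC_?", p.t))
        return "probing"

    def check_against_auth(self, p, macd=None):
        """AUTH lookup shared by both algorithms: genuine, spoofed (logged) or probe."""
        if p.ips not in self.auth:
            return self.verify_ip_mac(p)
        if self.auth[p.ips] == p.macs:
            return "genuine"
        self.log.append((p.ips, p.macs, p.ipd, macd, p.t, "spoofed"))
        return "spoofed"

    def ns_handler(self, p):
        """Algorithm 1: classify a Neighbor Solicitation."""
        if p.malformed:
            return "malformed"
        if p.ips == IDS_IP and p.macs == IDS_MAC:
            return "exit"          # the IDS's own packets are trusted
        if p.ips == "::":
            return "unspecified"   # unspecified source (e.g. DAD) is not checked
        self.nst.append((p.ips, p.macs, p.ipd, p.t))
        return self.check_against_auth(p)       # NS log entries carry MACD = NULL

    def na_handler(self, p):
        """Algorithm 2: classify a Neighbor Advertisement."""
        if p.malformed:
            return "malformed"
        self.nat.append((p.ips, p.macs, p.ipd, p.macd, p.t))
        if p.ipd == IDS_IP and any(ip == p.ips for ip, _ in self.prb):
            return "probe-response"  # answer to our probe; RESPONSE_ANALYSER() judges it
        if any(ipd == p.ips for _, _, ipd, _ in self.nst):   # solicited by some host
            return self.check_against_auth(p, p.macd)
        # Unsolicited: logged, then UNSOLICITED_ADVT_HANDLER(). That module is not
        # printed in the paper; assumed here to fall back on the same AUTH lookup / probe.
        self.log.append((p.ips, p.macs, p.ipd, p.macd, p.t, "unsolicited"))
        return self.check_against_auth(p, p.macd)

    def response_analyser(self, p, t_probe):
        """RESPONSE_ANALYSER(): one MAC answering the probe for p.ips within Treq means
        the binding is genuine; more than one means a spoofing attempt against p.ips."""
        macs = {m for ips, m, ipd, _, t in self.nat
                if ips == p.ips and ipd == IDS_IP and t_probe <= t <= t_probe + T_REQ}
        self.prb = [e for e in self.prb if e[0] != p.ips]    # probe is answered
        if len(macs) == 1:
            self.auth[p.ips] = macs.pop()
            return "genuine"
        if len(macs) > 1:
            self.log.append((p.ips, p.macs, p.ipd, p.macd, p.t, "spoofed"))
            return "spoofed"
        return "no-response"

    def mitm_check(self, p):
        """The LOG' test: the same MAC logged for the reverse direction within T_MiTM."""
        for ips, macs, ipd, _, t, _ in self.log:
            if macs == p.macs and p.t - t < T_MITM and ips == p.ipd and ipd == p.ips:
                return p.macs  # MiTM; the attacker is this MAC
        return None

def run_walkthrough():
    """Constructed sequence: A is genuine; D claims C's IP towards A, then A's towards C."""
    ids, v = Ids(), {}
    p1 = Pkt("IP_A", "MAC_A", "IP_B", "MAC_B", 1.0)
    v[1] = ids.na_handler(p1)                                          # unsolicited: probe A
    v[3] = ids.na_handler(Pkt("IP_A", "MAC_A", IDS_IP, IDS_MAC, 1.2))  # A answers the probe
    v["A"] = ids.response_analyser(p1, 1.0)                            # only A: genuine
    p4 = Pkt("IP_C", "MAC_D", "IP_A", "MAC_A", 2.0)                    # D claims IP_C
    v[4] = ids.na_handler(p4)                                          # unsolicited: probe C
    v[6] = ids.na_handler(Pkt("IP_C", "MAC_D", IDS_IP, IDS_MAC, 2.1))  # D answers
    v[7] = ids.na_handler(Pkt("IP_C", "MAC_C", IDS_IP, IDS_MAC, 2.2))  # real C answers too
    v["C"] = ids.response_analyser(p4, 2.0)                            # two MACs: spoofed
    p8 = Pkt("IP_A", "MAC_D", "IP_C", "MAC_?", 3.0)                    # NS: D now claims IP_A
    v[8] = ids.ns_handler(p8)                                          # AUTH has MAC_A: spoofed
    v["mitm"] = ids.mitm_check(p8)                                     # reverse spoof by MAC_D
    return v, ids
```

run_walkthrough() returns the per-packet verdicts together with the final table state: AUTH ends up holding only IP_A → MAC_A, the probe for IP_C draws two answers and is judged spoofed, and the later solicitation in which MAC_D claims IP_A is paired with the earlier IP_C → IP_A spoof by the same MAC, so the MiTM test names MAC_D. The probe cost the experimental section reports is also visible: each spoofed packet costs the IDS one NS probe and draws two NA replies.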
[Figure 1: flow chart of Algorithm 1 (NS handler): is NSP malformed? (STATUS = malformed, exit); is the source IP-MAC the same as that of the IDS? (exit); is the source IP present in AUTH?; does the corresponding MAC also match? (STATUS = genuine); otherwise Verify_IP-MAC() and exit.]

[Figure 2: flow chart of Algorithm 2 (NA handler): is NAP malformed? (STATUS = malformed, exit); is the destination IP-MAC the same as that of the IDS? (exit); is the source IP present in AUTH?; does the corresponding MAC also match? (STATUS = genuine); is the source IP present in the Log table and the corresponding MAC the same as in the Log table? (STATUS = spoofed, add packet details to Log table); otherwise Verify_IP-MAC() and exit.]

[Figure 3: packet sequence of the worked example: packet 2, PSOL for IP(A), MAC(?); packet 3, PADV IP(A), MAC(A); packet 5, PSOL for IP(C), MAC(?); with legend.]
LOG′ := LOG entries corresponding to MACS with (τ − LOG_τ) < T_MiTM
if LOG′_IPS == IPD && LOG′_IPD == IPS for some log entry in LOG′ then
    status ← MiTM and the attacker is MACS
end if

Table 1: Neighbor Solicitation Table
Pac. no.   IPsrc   MACsrc   IPdst   τ
−          −       −        −       −

Table 2: Neighbor Advertisement Table
Pac. no.   IPsrc   MACsrc   IPdst   MACdst   τ
1          IP A    MAC A    IP B    MAC B    τ1
3          IP A    MAC A    IP E    MAC E    τ2
4          IP C    MAC D    IP A    MAC A    τ3
6          IP C    MAC D    IP E    MAC E    τ4
7          IP C    MAC C    IP E    MAC E    τ5

Table 3: Probe table
Pac. no.   IP      MAC
2          IP A    MAC A
5          IP C    MAC D

• Packet 1: Node A sends a neighbor advertisement to host B. The Advertisement table (NAT) is updated with a new entry corresponding to this packet.

• Packet 2: Since there is no entry for packet 1 in any Authenticated bindings table, E sends an NS probe packet (packet 2) to verify the source MAC address claimed by packet 1, and a corresponding entry is added to the probe table PRB.

• Packet 3: After the probe packet is sent, the RESPONSE_ANALYSER() module is called. This module waits for Treq and collects the responses obtained within this time interval. Only A will respond and hence packet 1 is inferred to be genuine. The AUTH table is updated with an entry for the IP-MAC pair of node A.

Spoofed advertisement packet sent by attacker D to victim A:

• Packet 4: Attacker D sends out a spoofed packet having the IP(C)-MAC(D) binding to node A. This is recorded in the Advertisement table NAT.

• Packet 5: Packet 4 is detected by the IDS (E) and since there is no entry in any Authenticated bindings table, a corresponding probe packet is sent to verify its identity. The Probe table is accordingly updated with an IP(C)-MAC(D) entry. After sending the probe packet, the RESPONSE_ANALYSER() module is executed.

• Packets 6, 7: In response to the probe solicitation sent by the IDS, the attacker will respond with a neighbor advertisement having IP(B)-MAC(D) so as to present its original spoofed advertisement packet as genuine, while host C replies with its genuine IP(C)-MAC(C)
packet. Now these advertisements will be received within Treq and recorded by the IDS in the advertisement table NAT. The RESPONSE_ANALYSER() module analyses the NAT table and concludes that there is an attempt at spoofing against the IP of C, since there are two different MAC addresses corresponding to the same IP (that of C).

The entries in the Neighbor Solicitation Table, Neighbor Advertisement Table, Probe table and Authenticated bindings table for the packet sequence used in the above example are shown in Table 1 through Table 4.

5. EXPERIMENTAL RESULTS
The test bed created for our experiments consists of 6 machines running different operating systems. We name the machines with letters ranging from A to F. Machines A-E are running the following OSs: Windows XP, Ubuntu (as router), Windows 7, Backtrack 5, Fedora 14 and Windows 3003, respectively. Machine D with Backtrack 5 acts as the attacker machine and machine E is set up as the IDS. These machines are connected in a LAN with a Cisco Catalyst 3560 G series switch [11] with port mirroring enabled for system E. The algorithms mentioned in Section 4 are implemented in C++ and the tables in MySQL. The IDS has two preemptive modules, namely the packet grabber and the packet injector. The packet grabber sniffs the packets from the network, filters NDP packets and invokes either Algorithm 1 or Algorithm 2 depending upon whether the packet is an NS or an NA.

Figures 4 and 5 show the amount of NDP traffic generated in the experiments in two cases. The first case is normal operation in the absence of the IDS. The second case is when the IDS is running and no attacks are generated in the network. We notice that the extra traffic generated is slightly high in the initialization phase and then goes down to become negligible. Once genuine IP-MAC pairs are identified (by probing) they are stored in the Authenticated bindings table. Following that, no probes are required to be sent for any NDP solicitation/advertisement from these IP-MAC pairs. In case of attack, a little extra traffic is generated by our IDS for the probes. With each spoofed NS/NA packet, our IDS sends a probe request and expects at least two replies (one from the normal host and the other from the attacker), thereby adding only three NDP packets for each spoofed packet.

[Figure 4: NDP traffic at Normal Condition. NDP packet count (0 to 35) against time in seconds (1 to 97) for the two series "Normal without IDS" and "Normal with IDS".]

[Figure 5: NDP traffic at Attack condition. NDP packet count (0 to 35) against time in seconds (1 to 97).]

6. CONCLUSION
In this paper we presented a technique for detecting neighbor solicitation spoofing and advertisement spoofing attacks in IPv6 NDP. Further, the scheme also detects MiTM and DoS attacks generated by NA/NS spoofing. The scheme uses an active probing mechanism. As the active probes are nothing but NS messages, the scheme does not require any change in NDP. Further, being a software based approach, it does not require any additional hardware to operate. Also, as the software is installed in a centralized location, other hosts do not require any patching or installation.

At present the scheme can only detect NS spoofing, NA spoofing, MiTM and DoS attacks. There are several other attacks possible on NDP, namely malicious router attack, neighbor unreachability detection attack, duplicate address detection attack etc. The authors are currently extending the scheme proposed in this paper to handle these attacks.

7. REFERENCES
[1] Cristina L. Abad and Rafael I. Bonilla. An analysis on the schemes for detecting and preventing ARP cache poisoning attacks. In International Conference on Distributed Computing Systems Workshops, pages 60–67. IEEE, 2007.
[2] J. Arkko (Ed.), J. Kempf, B. Zill, and P. Nikander. Cryptographically generated addresses (CGA). RFC 3972, Internet Engineering Task Force, March 2005.
[3] J. Arkko (Ed.), J. Kempf, B. Zill, and P. Nikander. SEcure Neighbor Discovery (SEND). RFC 3971, Internet Engineering Task Force, March 2005.
[4] arpdefender. http://www.arpdefender.com.
[5] arpwatch. http://www.arpalert.org.
[6] T. Aura. Neighbor discovery for IP version 6 (IPv6). RFC 2461, Internet Engineering Task Force, December 1998.
[7] Colasoft Capsa. http://www.colasoft.com.
[8] A. Conta, S. Deering, and M. Gupta. Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. RFC 4443, Internet Engineering Task Force, March 2006.
[9] N. Hubbali, S. Biswas, S. Roopa, R. Ratti, and S. Nandi. LAN attack detection using discrete event systems. ISA Transactions, 50(1):119–130, 2010.
[10] Charles M. Kozierok. TCP/IP Guide. No Starch Press, 1st edition, October 2005.
[11] Cisco Systems Pvt. Ltd. Cisco 3560 Catalyst switches reference manual.
[12] Cisco Systems Pvt. Ltd. Cisco 6500 Catalyst switches reference manual.
[13] T. Narten, E. Nordmark, and W. Simpson. Security features in IPv6. Whitepaper, SANS Institute, 2002.
[14] NDPmon. http://ndpmon.sourceforge.net.
[15] V. Ramachandran and S. Nandi. Detecting ARP spoofing: An active technique. In International Conference on Information Systems Security, LNCS 3803, pages 239–250, 2005.
[16] Microsoft TechNet. IPv6 features.
[17] Zouheir Trabelsi and Khaled Shuaib. Man in the middle intrusion detection. In Globecom, pages 1–6. IEEE, 2006.