
Hybridizing Entropy Based Mechanism with Adaptive Threshold Algorithm to Detect RA Flooding Attack in IPv6 Networks

Syafiq Bin Ibrahim Shah, Mohammed Anbar, Ayman Al-Ani, and Ahmed K. Al-Ani

National Advanced IPv6 Centre, Universiti Sains Malaysia, Penang, Malaysia

syafiqibrahimshah@usm.my, anbar@nav6.usm.my, ayman@nav6.usm.my, and ahmedkhallel91@nav6.usm.my

Abstract. The implementation of the neighbor discovery protocol has introduced new security vulnerabilities to Internet protocol version 6 (IPv6) networks. One of the most common attacks attributed to the IPv6 network layer is the denial of service (DoS) router advertisement (RA) flooding attack. An attacker can flood massive amounts of RA packets to the IPv6 multicast address, which causes the hosts inside the link-local network to run out of central processing unit resources due to packet processing overhead. This research proposes a hybrid approach that combines an entropy-based technique with the adaptive threshold algorithm to detect the aforementioned attack. By dynamically adapting the threshold and choosing the right entropy feature, the proposed technique is able to detect various scenarios of the DoS RA flooding attack, including evasion techniques used by attackers. The proposed technique yields 98% detection accuracy in the experiment conducted.

Keywords: IPv6, NDP, DoS, Flooding Attack, Entropy, EWMA, RA, Adaptive
Threshold Algorithm, Network Security

1 Introduction

Internet service providers across the world are currently and severely constrained by the shortage of Internet protocol version 4 (IPv4) addresses. The exhaustion of Internet protocol (IP) addresses has served as the main motivation for the development and deployment of Internet protocol version 6 (IPv6) [1]. IPv6 provides new features, such as stateless address auto configuration (SLAAC), neighbor unreachability detection and duplicate address detection, and the capability to realise end-to-end connectivity without relying on a network address translation (NAT) infrastructure [2]. These features rely heavily on the newly introduced neighbor discovery protocol (NDP).
When a denial of service (DoS) attack is launched, an attacker typically attempts to consume the network bandwidth and central processing unit (CPU) resources of the target victim. This type of attack can be generated in an IPv6 network by simply flooding the link-local network with massive amounts of neighbor discovery (ND) packets. Furthermore, network congestion is bound to happen due to the massive bandwidth consumption in the network. IPv6 inherits the same foundation as IPv4, which means that the former has essentially adopted the latter's attributes and qualities, and even its shortcomings.

© Springer Nature Singapore Pte Ltd. 2019
R. Alfred et al. (eds.), Computational Science and Technology, Lecture Notes in Electrical Engineering 481, https://doi.org/10.1007/978-981-13-2622-6_31

1.1 Neighbor Discovery Protocol (NDP)

NDP operates on layer 2 of the IP stack, and it runs on top of Internet control message
protocol version 6 (ICMPv6) [3].

Table 1. Types of NDP messages

Type                         Function
Router Solicitation (RS)     Used by hosts for router discovery.
Router Advertisement (RA)    Used by routers to advertise addressing information.
Neighbor Solicitation (NS)   Used for DAD and NUD.
Neighbor Advertisement (NA)  Used by hosts for address resolution.
Redirect                     Used to redirect packets from one router to another.

NDP consists of five message types: router solicitation, router advertisement (RA),
neighbor solicitation, neighbor advertisement and redirect message. The hosts in an
IPv6 network communicate by exchanging these messages. Table 1 lists the types and
function of each message [4, 5].

1.2 Denial of Service Router Advertisement Flooding Attack


Routers share information with hosts residing in the same network segment by means of RA message exchange. An RA message contains information, such as the network prefix and routing information, that can be used by hosts. By default, the hosts in an IPv6 link-local network do not authenticate ingress or egress IPv6 RA messages. On this basis, a malicious router can spoof and imitate a link-local default gateway and then send crafted messages or flood packets to cause congestion. An attacker can flood the link-local network with crafted address prefix information and default route information. SLAAC is enabled by default, and thus the flooded bogus packets will force victims to continuously update their network information. This scenario will lead the victim to consume its CPU resources until the system ultimately becomes unresponsive [6].

1.3 Types of DoS RA Flooding Attack


A DoS RA flooding attack can be categorised into three types: a default attack, an
attack that utilises IPv6 extension headers and an attack involving the fragmentation
of packets into smaller pieces or fragments.

Fig. 1. Types of DoS RA Flooding Attack

The most common type of attack is the default attack, in which an attacker floods the network with bogus address prefixes and fake default route information. This type of attack can be detected by a network intrusion detection system, after which an RA guard that drops the malicious packets can be deployed [8], [9].
However, attackers have developed evasion techniques to bypass security validation by forging fake IPv6 extension headers. A security mechanism that only dissects and verifies the initial upper layer of the packet, instead of analysing the entire header chain, will fail to detect the hidden malicious content [7].
If a packet is too large to be sent through the network, then the source host will divide the packet into fragments by using fragment headers. In IPv6, the reassembly of these fragmented packets can only be performed at the destination host. Attackers have exploited this feature by fragmenting malicious packets into smaller chunks. Because the malicious packets cannot be reassembled into their full form at intermediate devices, the security mechanism will refrain from performing an analysis, thereby allowing the malicious packets to penetrate the system [8].

2 Related Work

NDP messages can be protected with an Internet protocol security (IPsec) authentication header (AH) to ensure the authenticity and integrity of information. The host can verify whether the received ND messages are valid and authorised depending on the set of AH security associations (SAs), a feature that is helpful in securing the stateless nature of NDP. However, SAs that are established with Internet key exchange version 2 require functional IP addresses, which results in bootstrapping problems. Hence, manual configuration must be performed to secure NDP with IPsec, but this process is tedious and the configuration is not scalable [10]. The experiments conducted by Xinyu, Ting and Yi [11] showed that IPsec is powerless if an attacker launches a DoS attack using a legitimate, non-spoofed IP address.
An RA guard, a mechanism to prevent the exploitation of RA messages, can be installed on managed switches; it only forwards RA packets received from a port that is known to be connected to an authorised router. In this way, malicious hosts can be prevented from launching DoS attacks [12]. However, although RA guards can effectively verify source legitimacy, attackers can still circumvent and evade this layer of protection either by forging fake extension headers or by forcing packet fragmentation [7]. Moreover, RA guards can only be installed on specific routers or managed switches, which hinders their portability and scalability.
Aleesa, Hassan and Kamal [13] proposed a detection system for DoS RA flooding by using a rule-based technique. A Web application was used as the attack target, and the application ran on a real IPv6 network that consisted of four routers and six machines. Two rules were defined to detect the RA flooding attack. The first rule is the one-way connection density ratio, while the second rule is the ratio of incoming to outgoing RA messages. The drawback of the method was the use of a static predefined threshold. In addition, the detection system was not validated against the improvised evasion techniques described above.
Oshima, Nakashima and Sueyoshi [14] proposed and evaluated an early packet flooding detection mechanism using window sizes of 50 packets for DDoS attacks and 500 packets for DoS attacks. Source IP and destination port number were used to calculate the entropy value, and the results were used to determine whether an intrusion had occurred. An accurate detection result was obtained, with a false-negative rate of only 5% during the evaluation phase.
Mousavi and St-Hilaire [15] evaluated the effectiveness of the entropy-based approach to detect DDoS in a software-defined networking environment. The entropy-based approach was selected due to its minimal resource usage and its effectiveness at measuring randomness. A window size of 50 packets was used for fast detection. The entropy of each window was calculated and compared with an experimentally determined threshold. When the entropy was lower than the threshold, an attack was detected. The detection mechanism was able to detect 96% of the attacks.

3 Detection Technique

Fig. 2. Detection Technique

Ingress packets from the network are captured by the traffic capture engine, after which the packets are stored as potential datasets. These datasets are then pre-processed and filtered to remove irrelevant and unwanted data from the sample. The goal is to reduce the traffic features to the relevant ones without negatively affecting classification, and thereby improve detection efficiency.
The incoming packets in the network are processed as follows. Only IPv6 packets are filtered in and processed, whereas all other IP packets are filtered out and dropped. The filtration process then keeps only the ICMPv6 packets. Finally, the system verifies whether the packet is an ICMPv6 RA message (type 134). Type 134 messages are saved as datasets for further computation.

Fig. 3. Packet filtering flowchart

Two essential variables are used to detect network intrusion in the entropy-based approach. The first variable is the sliding window size and the second is the threshold value. The sliding window size can be defined based on either a time period or a packet count. The entropy within the sliding window is calculated to measure randomness, an indication of anomalous behaviour. This research proposes a window size of 50 packets to gather statistics. The main reason for choosing 50 packets is the small window size: a list of 50 values can be calculated much faster than 500 values, so the intrusion can be detected much earlier because less computation is needed.
Entropy is a common method of network intrusion detection. In this research, entropy is selected mainly because it can measure randomness in the packets that are forwarded into a network. Furthermore, entropy incurs a relatively low computation overhead. The higher the randomness of the given information, the higher the entropy, and vice versa. When an attack occurs, the entropy value of the source IP address increases because the attacker spoofs its source IP address on each packet transmission. Hence, a continuously changing source IP is a strong indicator of a DoS RA flooding attack. The Mathematical Theory of Communication, a paper published by C. E. Shannon, defines entropy as:

$H(x) = -\sum_{i=1}^{n} p_i \log p_i$ (1)

The calculation function computes the entropy of the source IP addresses of the RA messages every 50 packets. A suitable threshold value is therefore important in accurately detecting a flooding attack. Ideally, the threshold value should be updated adaptively according to the network traffic condition to perform a much more accurate detection. The adaptive threshold algorithm, a simple algorithm to detect anomalies based on threshold violations over a given interval, computes the threshold as:

$X_n = (\alpha + 1) \cdot \mu_{n-1}$ (2)

In accordance with network traffic changes, the threshold is set adaptively based on the mean value of recent traffic measurements [16]. This research applies the exponentially weighted moving average (EWMA) to calculate the mean entropy value, as in Equation (3):

$\mu_n = \lambda \cdot \mu_{n-1} + (1 - \lambda) \cdot X_n$ (3)

Similar to the entropy computation, the mean value of entropy is calculated on each sliding window by using EWMA. The threshold calculation function computes and sets the adaptive threshold based on the most recently calculated mean value. Then, the output of the entropy calculation function is compared with the adaptive threshold value.

If the entropy value of the source IP address exceeds the threshold value three times consecutively, then a DoS RA flooding attack is likely happening and an alarm is triggered. Once an alarm is triggered, the threshold value is levelled off (held constant) until the entropy value falls below the threshold value. The reason for this behaviour is to reduce the number of false negative detections: otherwise the attack traffic itself would raise the mean and lift the threshold above the attack entropy.
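As an added example (not the paper's own code), the following Python implements the pipeline of Section 3: the packet filter of Fig. 3, per-window Shannon entropy of RA source addresses, the EWMA mean of Eq. (3), the adaptive threshold of Eq. (2), the three-consecutive-exceedance alarm and the levelled-off threshold during an alarm. The values of λ and α, the packet dictionaries and the traffic trace are assumptions, since the paper does not give them.

```python
import math
from collections import Counter

WINDOW = 50        # packets per sliding window, as in the paper
LAMBDA = 0.9       # EWMA weight on history (assumed; the paper gives no value)
ALPHA = 0.5        # adaptive-threshold margin (assumed; the paper gives no value)
CONSECUTIVE = 3    # windows above threshold before an alarm is raised

def entropy(addresses):
    """Shannon entropy, Eq. (1), of the source addresses in one window."""
    n = len(addresses)
    return -sum(c / n * math.log2(c / n) for c in Counter(addresses).values())

class RAFloodDetector:
    def __init__(self, lam=LAMBDA, alpha=ALPHA, window=WINDOW):
        self.lam, self.alpha, self.window = lam, alpha, window
        self.buf = []       # source addresses of the window being filled
        self.mu = None      # EWMA mean entropy, mu_{n-1} when a window is judged
        self.exceed = 0     # consecutive windows above threshold
        self.alarm = False
        self.log = []       # (window_no, entropy, threshold, alarm)

    def feed(self, pkt):
        """pkt: dict with 'version', 'icmpv6_type', 'src' (constructed stand-in for
        a captured packet). Returns the alarm state once a window completes."""
        # Fig. 3 filter chain: IPv6 -> ICMPv6 -> type 134 (Router Advertisement)
        if pkt.get("version") != 6 or pkt.get("icmpv6_type") != 134:
            return False
        self.buf.append(pkt["src"])
        if len(self.buf) < self.window:
            return False
        h, self.buf = entropy(self.buf), []
        return self._judge(h)

    def _judge(self, h):
        no = len(self.log) + 1
        if self.mu is None:                     # first window only seeds the mean
            self.mu = h
            self.log.append((no, round(h, 3), None, False))
            return False
        threshold = (self.alpha + 1) * self.mu  # Eq. (2): X_n = (alpha + 1) * mu_{n-1}
        if h > threshold:
            self.exceed += 1
        else:
            self.exceed, self.alarm = 0, False  # entropy fell below threshold: release
        if self.exceed >= CONSECUTIVE:
            self.alarm = True
        if not self.alarm:                      # mean levelled off while alarm is active,
            self.mu = self.lam * self.mu + (1 - self.lam) * h   # Eq. (3) otherwise
        self.log.append((no, round(h, 3), round(threshold, 3), self.alarm))
        return self.alarm

def ra(src):
    return {"version": 6, "icmpv6_type": 134, "src": src}

def demo():
    """Constructed trace: 500 legitimate RAs from two routers (45:5 per window),
    one stray IPv4 packet, then 200 RAs each with a different spoofed source."""
    det = RAFloodDetector()
    for i in range(500):
        det.feed(ra("fe80::1" if i % 10 else "fe80::2"))
    det.feed({"version": 4, "src": "192.0.2.1"})      # dropped by the filter
    for i in range(200):
        det.feed(ra(f"fe80::bad:{i:x}"))
    return det
```

Running `demo()` shows the alarm raised on the third attack window (window 13) and the threshold staying constant on window 14 while the alarm is active.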

4 Discussion

In this research, detection accuracy is the metric used to evaluate the effectiveness of the technique. Detection accuracy reflects the capability of an IDS detection engine to accurately determine alerts and generate corresponding alarms in the event of network intrusions. The number of false alarms produced by the system and the percentage of detection are the main indicators of IDS performance.

$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \times 100$ (4)

Table 2. Definition of abbreviations for accuracy calculation

Abbreviation  Description
TP            True Positive; anomalous events correctly detected as anomalous.
TN            True Negative; normal events correctly recorded as normal.
FP            False Positive; normal events detected as anomalous.
FN            False Negative; anomalous events recorded as normal.

Four scenarios are considered and taken as baselines to evaluate the accuracy of the proposed hybrid detection technique. The first scenario involves an attack in the default mode. The second scenario involves an attacker using the extension header to evade the RA guard. The third scenario involves an attack that fragments its packets to avoid detection. The last scenario involves normal IPv6 traffic.
The detection technique is evaluated for each type of dataset (low-, medium- and high-rate generated packet traffic datasets) and repeated three times to ensure maximal robustness. The results are averaged to obtain the precise accuracy and ensure consistency.

Table 3. Results using scenario 1 datasets

Run  Number of RA Packets  FP  FN  TP   TN  Accuracy
1    1451                  0   0   30   10  100%
2    3572                  0   1   68   16  98.8%
3    7981                  0   1   102  2   99%

$\frac{100 + 98.8 + 99}{3} = 99.26\%$ (5)

The three runs have yielded an average detection accuracy of 99.26%. The results
prove that the detection technique can accurately detect DoS RA flooding attacks, i.e.
the attacker floods the link-local network with bogus prefix address and fake router
information.

Table 4. Results using scenario 2 datasets

Run  Number of RA Packets  FP  FN  TP   TN  Accuracy
1    2186                  0   2   48   37  97.7%
2    3322                  0   1   64   11  98.6%
3    7343                  0   2   141  11  98.7%

$\frac{97.7 + 98.6 + 98.7}{3} = 98.3\%$ (6)

The result of 98.3% shows that the detection technique can accurately detect DoS RA flooding attacks in which the attacker floods the link-local network with bogus address prefixes and fake router information that sit below an additional layer of extension headers (Hop-by-Hop) to evade security devices, such as RA guards.

Table 5. Results using scenario 3 datasets

Run  Number of RA Packets  FP  FN  TP   TN  Accuracy
1    1591                  0   0   140  17  100%
2    2939                  0   0   326  1   100%
3    4720                  0   0   481  12  100%

$\frac{100 + 100 + 100}{3} = 100\%$ (7)

The result is 100%, which clearly shows that the detection technique can detect DoS RA flooding attacks in which the attacker floods the link-local network with fragmented RA packets to evade security devices, such as RA guards.

Table 6. Results using scenario 4 datasets

Run  Number of RA Packets  FP  FN  TP  TN   Accuracy
1    2856                  0   0   0   127  100%
2    2856                  0   0   0   127  100%
3    2856                  0   0   0   127  100%

$\frac{100 + 100 + 100}{3} = 100\%$ (8)

The result is 100%, which clearly proves that the solution does not trigger any false
alarm in normal IPv6 traffic conditions.

5 Conclusion and Future Direction

The experimental results prove the capability of the proposed technique to detect RA DoS flooding attacks in IPv6 link-local networks. The effectiveness of the detection technique is evaluated on datasets that have been generated in real time in controlled environments. The results further show that the detection accuracy is high at 98%.
The proposed detection technique can be extended to several promising avenues and directions, such as building frameworks to detect NDP flooding attacks in IPv6 link-local networks. Apart from RA DoS flooding, the other types of NDP flooding attacks that may benefit from this research are RS, NS, NA, redirect and MLD flooding attacks. Such directions may be helpful in overcoming the limited range of attacks that can be detected by the proposed technique in this research: the proposed hybrid detection technique can only detect the RA DoS flooding attack in an IPv6 link-local network. In future work, the proposed detection technique may be extended to detect other types of NDP flooding attack. The datasets may also be expanded by including more attack scenarios to cover all NDP flooding types.

References
1. Al-Ani, A.K., Anbar, M., Manickam, S., Al-Ani, A., Leau, Y.-B.: Proposed DAD-match Mechanism for Securing Duplicate Address Detection Process in IPv6 Link-Local Network Based on Symmetric-Key Algorithm. In: International Conference on Computational Science and Technology. pp. 108–118 (2017)
2. Graziani, R.: IPv6 fundamentals: a straightforward approach to understanding IPv6. Pearson Education (2012)
3. Al-Ani, A.K., Anbar, M., Manickam, S., Al-Ani, A., Leau, Y.-B.: Proposed DAD-match Security Technique based on Hash Function to Secure Duplicate Address Detection in IPv6 Link-local Network. In: Proceedings of the 2017 International Conference on Information Technology. pp. 175–179 (2017)
4. Anbar, M., Abdullah, R., Saad, R., Hasbullah, I.H.: Review of Preventive Security Mechanisms for Neighbour Discovery Protocol. Adv. Sci. Lett. 23, 11306–11310 (2017)
5. Anbar, M., Abdullah, R., Al-Tamimi, B.N., Hussain, A.: A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks. Cognit. Comput. 1–14 (2017)
6. Elejla, O.E., Belaton, B., Anbar, M., Alnajjar, A.: Intrusion detection systems of ICMPv6-based DDoS attacks. Neural Comput. Appl. 1–12 (2016)
7. Gont, F.: Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard). RFC 7113 (2014)
8. Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., Mohacsi, J.: IPv6 Router Advertisement Guard. RFC 6105 (2011)
9. Anbar, M., Abdullah, R., Al-Tamimi, B.N., Hussain, A.: A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks. Cognit. Comput. (2017)
10. Arkko, J., Aura, T., Kempf, J., Mäntylä, V.-M., Nikander, P., Roe, M.: Securing IPv6 neighbor and router discovery. In: Proceedings of the 1st ACM workshop on Wireless security. pp. 77–86 (2002)
11. Yang, X., Ma, T., Shi, Y.: Typical DoS/DDoS threats under IPv6. In: Computing in the Global Information Technology, 2007. ICCGI 2007. International Multi-Conference on. p. 55 (2007)
12. Chown, T., Venaas, S.: Rogue IPv6 Router Advertisement Problem Statement. RFC 6104 (2011)
13. Aleesa, A.M., Hassan, R., Kamal, S.U.M.: A rule-based technique to detect router advertisement flooding attack against biobizz web application. Adv. Sci. Lett. 22, 1887–1891 (2016)
14. Oshima, S., Hirakawa, A., Nakashima, T., Sueyoshi, T.: DoS/DDoS detection scheme using statistical method based on the destination port number. In: Intelligent Information Hiding and Multimedia Signal Processing, 2009. IIH-MSP '09. Fifth International Conference on. pp. 206–209 (2009)
15. Mousavi, S.M., St-Hilaire, M.: Early detection of DDoS attacks against SDN controllers. In: Computing, Networking and Communications (ICNC), 2015 International Conference on. pp. 77–81 (2015)
16. Cisar, P., Cisar, S.M.: EWMA statistic in adaptive threshold algorithm. In: Intelligent Engineering Systems, 2007. INES 2007. 11th International Conference on. pp. 51–54 (2007)
