A study on path behavior characteristics of IPv6 based reflector attacks
Date Issued
01-12-2011
Author(s)
Meenakshi, S. P.
Raghavan, S. V.
Bhaskar, S. M.
Abstract
IPv6 communication protocol vulnerabilities are common security threats in Next Generation Networks. Distributed Denial of Service (DDoS) attacks generated by exploiting these vulnerabilities have a performance impact on both the victim and other hosts sharing the communication path. Hence, to protect the computational and bandwidth resources of the shared path, the anomalies caused by these attacks are to be detected and the attack traffic should be filtered out in the network elements. Where flow state maintenance is not deployed in the network elements, the bandwidth characterization of the attack traffic is essential for deploying the filtering rules in the equipment. In this work we have considered the network bandwidth characterization of a highly critical DDoS attack in the network: the distributed reflector attack through spoofed IPv6 flows. The generated spoofed IPv6 traffic from the attacker (slaves), the reflector attack traffic caused by the responses from the reflector and the victim, and the end-to-end path bandwidth characteristics of these flows over a 6to4 tunnel are reported in terms of flow rates and per-flow packet count. The flow rate pattern of the spoofed flows is modeled at the attacker side using inter-departure time and packet size. The impact of the network scale factor on the flow rate pattern over the path is studied and reported. We have also quantified the reflector attack flow rate in the presence of the scale factor and multiple spoofed flow sources. © 2011 IEEE.