Performance evaluation of defence mechanisms against ICMPv6 router advertisement flood attacks

Abstract

The Internet Protocol version 6 (IPv6) was developed to replace the Internet Protocol version 4 (IPv4). IPv6 provides many improvements over IPv4. However, there are major problems with new features introduced in IPv6, which are susceptible to threats such as Denial of Service (DoS) attacks. In a DoS attack, malicious network traffic is sent to the victim node to prevent it from gaining access to network resources. DoS attacks on internal IPv6 networks are among the security concerns of many organisations.

The Neighbour Discovery Protocol (NDP) was introduced in IPv6. NDP processes use the Internet Control Message Protocol for IPv6 (ICMPv6). For example, the NDP Stateless Address Autoconfiguration process uses ICMPv6 Router Advertisement messages (Router Advertisements). Router Advertisements enable computers on an IPv6 network to generate IPv6 addresses for themselves. Router Advertisements can be misused to launch a link-local IPv6 DoS attacks called Router Advertisement flood attacks.

The purpose of this research was to evaluate existing defence mechanisms against three types of Router Advertisement flood attacks. ACL, ACL Fragments, ACL Undetermined- transport, Disable Router Discovery, RA Guard, Validate Source MAC and VLAN were the defence mechanisms that were evaluated. A testbed was deployed and experiments were conducted by measuring the TCP throughput, TCP round-trip time (RTT) and CPU utilisation using the latest Windows and Linux operating systems namely Windows 8.1 and Debian 7.5.0. Data was gathered before and during attacks as well as after the defence mechanisms were used. ACL and ACL Undetermined-transport were the most effective defences and Disable Router Discovery, RA Guard and Validate Source MAC were the least effective defences. Overall, the performance of Debian 7.5.0 was better than Windows 8.1.