‘IPv6 Address Cookies’

Summary

‘It has long been known to researchers that address spoofing on the Internet is a serious problem. While a great deal of effort has been put into finding theoretical and practical solutions, spoofed attacks are still globally endemic. They represent a simple nuisance to many, but a business-halting bane to others. Enter IPv6. IPv6 is the next generation of the Internet protocol designed to alleviate the existing global address shortage and improve the scalability and extensibility of the aging IPv4 protocol. This new protocol provides an enormous 128-bit address space, which should provide enough addresses for several decades, if not centuries, of Internet expansion. In this paper, we propose methods which utilize the large IPv6 address space to mitigate spoofed attacks.’

Credit:

‘The information has been provided by Tim.
The original article can be found at: http://www.sentinelchicken.com/research/tdm-ms-thesis/’


Details

‘Enter IPv6. IPv6 is the next generation of the Internet protocol designed to alleviate the existing global address shortage and improve the scalability and extensibility of the aging IPv4 protocol. This new protocol provides a huge 128-bit address space which should provide enough addresses for a great deal of Internet expansion. Individual Internet users can easily obtain their own 80-bit block of addresses if they currently have a single IPv4 address. This means it will be possible for any user to effectively hide a system in such an address space without ever being found. That is, if no DNS records point to them, and they don't respond to broadcast requests, it would be effectively impossible to find a host through brute force probes.

To put this into perspective, let us suppose an attacker can scan addresses of a network at 2^32 (more than four billion) packets/second (which is probably a stretch for today's fastest routers [45]). It would take on average 2^47 seconds (or 4.5 million years) to find a single live address in a range of 2^80 addresses. For this reason, the only way to find systems that do not pick an obvious IPv6 address would be to query some name resolution service (such as the DNS). In this paper, we propose methods which utilize the large IPv6 address space to mitigate spoofed attacks by forcing clients to always use the DNS prior to submitting service requests.

The remainder of this chapter contains the problem statement and some definitions of commonly used terms. Chapter 2 describes and classifies the popular types of attacks used on the current IPv4 Internet. Chapter 3 explores the impact IPv6 will have on scanning and spoofing attacks. Chapter 4 gives an overview of the novel system proposed for combating spoofed attacks in IPv6. Chapter 5 provides analysis of attacks against the proposed system, as well as how it can be used to mitigate current attacks. Chapter 6 proposes some solutions for the engineering challenges faced with implementing the system and describes a prototype software implementation used in testing. Chapter 7 describes experiments performed with the prototype software implementation, and provides results of these tests. Finally, chapter 8 offers some concluding remarks.

Problem Statement:
Spoofed denial of service attacks have plagued the Internet for a number of years, and show no signs of abating. Research into mitigation techniques has apparently not led to a financially viable solution, and new attacks have been discovered in the wild without being widely anticipated. With the advent of a new Internet protocol, the world stands in a unique position to get ahead of this criminal activity by fundamentally changing the way the Internet works and being prepared for the attacks to come. Whether by intention or chance, the vastly increased Internet address space in IPv6 has done so. We seek to use this fundamental shift in resource availability to develop a novel, lower cost solution to mitigating spoofed attacks.’

To read more please visit: http://www.sentinelchicken.com/research/tdm-ms-thesis/
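The excerpt above only states the goal (make clients resolve a name before they can reach a service, and use the address space itself to carry something a spoofer cannot guess). The following is an added illustration written for this page, not code from the thesis and not necessarily the thesis's own construction: it assumes the server owns a /64 so that the 64-bit interface identifier is free, derives that identifier as a truncated HMAC over the querying client's /64 and a time epoch, hands it out in the AAAA answer, and has a filter in front of the server accept only packets whose destination identifier matches a cookie minted for the packet's source. The prefix, secret and timestamps are constructed values.

```python
"""Illustrative IPv6 'address cookie' scheme (added example, not the thesis's code).

Assumptions (not taken from the page): the server owns a /64, the DNS
responder and the packet filter share SECRET, cookies are keyed to the
client's /64 and to a 5-minute epoch, and the previous epoch is still
honoured to tolerate clock skew and answers cached briefly by resolvers.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

SERVER_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")   # constructed documentation prefix
EPOCH_SECONDS = 300                                          # cookie lifetime (assumed)
SECRET = b"example-shared-secret-not-for-production"         # constructed shared secret
IID_MASK = (1 << 64) - 1


def client_key(src: str) -> bytes:
    """Key the cookie to the client's /64, so a host changing its
    privacy-extension address inside one subnet keeps working."""
    net = ipaddress.IPv6Network((src, 64), strict=False)
    return net.network_address.packed


def current_epoch(now: Optional[float] = None) -> int:
    return int((time.time() if now is None else now) // EPOCH_SECONDS)


def cookie(src: str, epoch: int, secret: bytes = SECRET) -> bytes:
    """64-bit cookie = HMAC-SHA256(secret, client /64 || epoch), truncated."""
    msg = client_key(src) + epoch.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def resolve(src: str, now: Optional[float] = None) -> str:
    """What the authoritative DNS answers (AAAA) for a query from `src`:
    the server /64 with a per-client, per-epoch cookie as interface ID."""
    iid = int.from_bytes(cookie(src, current_epoch(now)), "big")
    return str(ipaddress.IPv6Address(int(SERVER_PREFIX.network_address) | iid))


def accept(src: str, dst: str, now: Optional[float] = None) -> bool:
    """Packet filter in front of the server: accept a packet only if its
    destination's interface ID is a cookie minted for this source in the
    current or previous epoch. A spoofed source therefore also has to
    guess 64 bits, which is the property the excerpt is after."""
    d = ipaddress.IPv6Address(dst)
    if d not in SERVER_PREFIX:
        return False
    iid = (int(d) & IID_MASK).to_bytes(8, "big")
    ep = current_epoch(now)
    return any(hmac.compare_digest(cookie(src, e), iid) for e in (ep, ep - 1))


def demo() -> dict:
    """Exercise the legitimate path and the failure modes with fixed times."""
    t = 1_700_000_000.0                       # constructed timestamp
    real = "2001:db8:aaaa:1::10"              # constructed client address
    spoofer = "2001:db8:bbbb:9::1"            # constructed attacker address
    addr = resolve(real, t)
    return {
        "legit": accept(real, addr, t),
        # attacker reuses the real client's cookie address under its own source
        "spoofed_source": accept(spoofer, addr, t),
        # attacker sends to a low, guessable address inside the server /64
        "guessed_address": accept(real, str(SERVER_PREFIX.network_address + 1), t),
        # cookie from two epochs ago is no longer honoured
        "expired": accept(real, addr, t + 2 * EPOCH_SECONDS),
        # cookie from the previous epoch still is
        "skew": accept(real, addr, t + EPOCH_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

What the example does not solve, and what a practitioner should keep in mind: an attacker who can both spoof the client's source and observe the DNS answer (on-path, or inside the same /64) still gets a valid destination; the cookie only denies the blind spoofer. Keying to the /64 rather than the full /128 is a trade-off between privacy-extension churn and the size of the population that shares a cookie.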

Categories: Reviews