
Publication


Featured researches published by Mohammed Anbar.


IETE Technical Review | 2017

ICMPv6-Based DoS and DDoS Attacks and Defense Mechanisms: Review

Omar E. Elejla; Mohammed Anbar; Bahari Belaton

ABSTRACT The number of internet users and devices that are in need for more IP addresses to be assigned to them is rapidly increasing. A new protocol named IPv6 was developed in 1998 to overcome the addressing issue and to improve network communications in general. IPv6 is an improved protocol compared to IPv4 in terms of security since it provides built-in security mechanisms, such as IPSec. In addition, it brought new functionalities, such as Neighbour Discovery Protocol (NDP) procedure, which depends on Internet Control Message Protocol version 6 (ICMPv6) protocol messages. However, IPv6 inherited a number of attacks from IPv4 in addition to new attacks it brought within its new features. One of the most common attacks is the Denial of Service (DoS) attack due to its ease of being launched in different ways. A more serious DoS attack can be launched from many hosts called Distributed Denial of Service (DDoS). DoS and DDoS attacks are thorny and a grave problem of today's internet, resulting in economic damages for organizations and individuals. Therefore, this paper is created to study the properties of DoS and DDoS attacks against IPv6 networks using ICMPv6 messages. Additionally, it analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks. Moreover, it explains the existing tools that might be used for performing these attacks.


IETE Technical Review | 2016

An Intelligent ICMPv6 DDoS Flooding-Attack Detection Framework (v6IIDS) using Back-Propagation Neural Network

Redhwan M. A. Saad; Mohammed Anbar; Selvakumar Manickam; Esraa Alomari

ABSTRACT IPv6 was designed to solve the issue of adopting IPv4 addresses by presenting a large number of address spaces. Currently, many networking devices consider IPv6 as a supportive IPv6-enabled device that includes routers, notebooks, personal computers, and mobile phones. Security has increasingly become a significant issue in exploiting networks and obtaining the benefits of IPv6. One of the important protocols in IPv6 implementation that is used for neighbor and router discovery is ICMPv6. However, this protocol can be used by attackers to deny network services through ICMPv6 DDoS flooding attacks that decrease the network performance. To solve this problem, this study proposes an intelligent ICMPv6 DDoS flooding-attack detection framework using back-propagation neural network (v6IIDS) in IPv6 networks. This study also explores and analyzes the detection accuracy of the proposed v6IIDS framework. The effectiveness of the v6IIDS framework is demonstrated by using real data-sets obtained from an NAv6 laboratory. The data-set traffic is based on a test-bed environment created on the basis of certain parameters used as inputs to generate a new data-set. The results prove that the proposed framework is capable of detecting ICMPv6 DDoS flood attacks with a detection accuracy rate of 98.3%.


International Conference on Advanced Communication Technology | 2014

Design, deployment and use of HTTP-based botnet (HBB) testbed

Esraa Alomari; Selvakumar Manickam; B. B. Gupta; Parminder Singh; Mohammed Anbar

Botnet is one of the most widespread and serious malware which occur frequently in today's cyber attacks. A botnet is a group of Internet-connected computer programs communicating with other similar programs in order to perform various attacks. HTTP-based botnet is most dangerous botnet among all the different botnets available today. In botnets detection, in particular, behavioural-based approaches suffer from the unavailability of the benchmark datasets and this leads to lack of precise results evaluation of botnet detection systems, comparison, and deployment which originates from the deficiency of adequate datasets. Most of the datasets in the botnet field are from local environment and cannot be used in the large scale due to privacy problems and do not reflect common trends, and also lack some statistical features. To the best of our knowledge, there is not any benchmark dataset available which is infected by HTTP-based botnet (HBB) for performing Distributed Denial of Service (DDoS) attacks against Web servers by using HTTP-GET flooding method. In addition, there is no Web access log infected by botnet is available for researchers. Therefore, in this paper, a complete test-bed will be illustrated in order to implement a real time HTTP-based botnet for performing variety of DDoS attacks against Web servers by using HTTP-GET flooding method. In addition to this, Web access log with http bot traces are also generated. These real time datasets and Web access logs can be useful to study the behaviour of HTTP-based botnet as well as to evaluate different solutions proposed to detect HTTP-based botnet by various researchers.


Neural Computing and Applications | 2018

Intrusion Detection Systems of ICMPv6-based DDoS attacks

Omar E. Elejla; Bahari Belaton; Mohammed Anbar; Ahmad Y Alnajjar

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are thorny and a grave problem of today’s Internet, resulting in economic damages for organizations and individuals. DoS and DDoS attacks that are using Internet Control Message Protocol version six (ICMPv6) messages are the most common attacks against the Internet Protocol version six (IPv6). They are common because of the necessary inclusion of the ICMPv6 protocol in any IPv6 network to work properly. Intrusion Detection Systems (IDSs) of the Internet Protocol version four (IPv4) can run in an IPv6 environment, but they are unable to solve its security problems such as ICMPv6-based DDoS attacks due to the new characteristics of IPv6, such as Neighbour Discovery Protocol and auto-configuration addresses. Therefore, a number of IDSs have been either exclusively proposed to detect IPv6 attacks or extended from existing IPv4 IDSs to support IPv6. This paper reviews and classifies the detection mechanisms of the existing IDSs which are either proposed or extended to tackle ICMPv6-based DDoS attacks. To the best of the authors’ knowledge, it is the first review paper that explains and clarifies the problems of ICMPv6-based DDoS attacks and that classifies and criticizes the existing detection.


Archive | 2016

Review of Security Vulnerabilities in the IPv6 Neighbor Discovery Protocol

Mohammed Anbar; Rosni Abdullah; Redhwan M. A. Saad; Esraa Alomari; Samer Alsaleem

Internet Protocol version 6 (IPv6) contains a new protocol, Neighbor Discovery Protocol (NDP), that replaces Address Resolution Protocol (ARP) in Internet Protocol version 4 (IPv4), router discovery, and redirect. If implemented without any security mechanism, NDP contains vulnerabilities. Using spoofed Media Access Control (MAC) addresses in an NDP message, a malicious host can launch Denial-of-Service or Man-in-the-Middle attacks. IPv6 depends heavily on NDP, which appears in the network in the form of ICMPv6. If ICMP is disabled or dropped from the network, IPv6 does not operate, in contrast to IPv4. The importance of the NDP protocol in the IPv6 network is that it catches attackers’ attention on NDP vulnerabilities that they can exploit. This paper describes and reviews some of the fundamental attacks on NDP, prevention mechanisms, and current detection mechanisms for NDP-based attacks.


Cognitive Computation | 2018

A Machine Learning Approach to Detect Router Advertisement Flooding Attacks in Next-Generation IPv6 Networks

Mohammed Anbar; Rosni Abdullah; Bassam Naji Al-Tamimi; Amir Hussain

Router advertisement (RA) flooding attack aims to exhaust all node resources, such as CPU and memory, attached to routers on the same link. A biologically inspired machine learning-based approach is proposed in this study to detect RA flooding attacks. The proposed technique exploits information gain ratio (IGR) and principal component analysis (PCA) for feature selection and a support vector machine (SVM)-based predictor model, which can also detect input traffic anomaly. A real benchmark dataset obtained from National Advanced IPv6 Center of Excellence laboratory is used to evaluate the proposed technique. The evaluation process is conducted with two experiments. The first experiment investigates the effect of IGR and PCA feature selection methods to identify the most contributed features for the SVM training model. The second experiment evaluates the capability of SVM to detect RA flooding attacks. The results show that the proposed technique demonstrates excellent detection accuracy and is thus an effective choice for detecting RA flooding attacks. The main contribution of this study is identification of a set of new features that are related to RA flooding attack by utilizing IGR and PCA algorithms. The proposed technique in this paper can effectively detect the presence of RA flooding attack in IPv6 network.


Computer and Information Technology | 2017

Internet of Things (IoT) communication protocols: Review

Shadi Al-Sarawi; Mohammed Anbar; Kamal Alieyan; Mahmood Alzubaidi

Internet of Things (IoT) consists of smart devices that communicate with each other. It enables these devices to collect and exchange data. Besides, IoT has now a wide range of life applications such as industry, transportation, logistics, healthcare, smart environment, as well as personal, social gaming robot, and city information. Smart devices can have wired or wireless connection. As far as the wireless IoT is the main concern, many different wireless communication technologies and protocols can be used to connect the smart device such as Internet Protocol Version 6 (IPv6) over Low power Wireless Personal Area Networks (6LoWPAN), ZigBee, Bluetooth Low Energy (BLE), Z-Wave and Near Field Communication (NFC). They are short range standard network protocols, while SigFox and Cellular are Low Power Wide Area Network (LPWAN) standard protocols. This paper will be an attempt to review different communication protocols in IoT. In addition, it will compare between commonly IoT communication protocols, with an emphasis on the main features and behaviors of various metrics of power consumption security spreading data rate, and other features. This comparison aims at presenting guidelines for the researchers to be able to select the right protocol for different applications.


Scientific Research and Essays | 2012

Malware detection based on evolving clustering method for classification

Altyeb Altaher; Ammar Almomani; Mohammed Anbar; Sureswaran Ramadass

Malware is a computer program that can replicate itself and cause potential damage in data files. The high speed of the computers and networks increased the virus spread. To avoid the virus infection and the data loss, it is important to use an efficient and effective method for virus detection. This paper proposes an approach for malware detection based on the evolving clustering method. The proposed approach effectively combined the information gain method as a feature selector with the evolving clustering method as evolving learning classifier. Based on the experimental results, the proposed malware detection approach proved its capability to detect the malware by decreasing the false positive rate to 1% while increasing the level of accuracy to 99%.


Journal of Computer Science | 2014

A REVIEW OF PEER-TO-PEER BOTNET DETECTION TECHNIQUES

Mohammed Jamil Elhalabi; Selvakumar Manickam; Loai Bani Melhim; Mohammed Anbar; Huda Alhalabi

In recent years, Peer-to-Peer technology has an extensive use. Botnets have exploited this technology efficiently and introduced the P2P botnet, which uses P2P network for remote control of its bots and become one of the most significant threats to computer networks. They are used to make DDOS attacks, generate spam, click fraud and steal sensitive information. Compared with traditional botnets, P2P botnets are harder to be defended and hijacked. In this study we discuss various P2P botnet detection approaches and evaluate their effectiveness. We identify the advantages and shortcomings of each of the discussed techniques. This can guide the researchers to a better understanding of P2P botnets and easier for them developing more sufficient detection techniques. Our evaluation shows that each technique has its own advantages and limitations. Two or more detection techniques might be used together, in order to have a robust P2P botnet detection.


International Journal of Computer Mathematics | 2012

Statistical cross-relation approach for detecting TCP and UDP random and sequential network scanning SCANS

Mohammed Anbar; Ahmed Manasrah; Selvakumar Manickam

Network scanning is considered to be the first step taken by attackers trying to gain access to a targeted network. System and network administrators find it useful if they are able to identify the targets scanned by network attackers. Resources and services can be further protected by patching or installing security measures, such as a firewall, an intrusion detection system, or some alternative computer system. This paper presents a statistical ‘cross-relation’ approach for detecting network scanning and identifying its targets. Our approach is based on using TCP RST packets for detecting TCP sequential scanning and ICMP type 3 (port unreachable) packets for detecting UDP sequential scanning. TCP or UDP random scanning is confirmed when there is a ‘cross-relation’ between an ICMP type 3, code 1 (host unreachable) and the TCP RST counts per source IP address and between an ICMP type 3, code 3 (port unreachable) and an ICMP type 3, code 1 (host unreachable). We tested the proposed approach with the DARPA 1998 data set and confirmed that our method was more effective in detecting TCP and UDP scanning than the existing approaches, and it also provided better detection accuracy.

Collaboration

Top Co-Authors

Ahmed K. Al-Ani (Universiti Sains Malaysia)

Omar E. Elejla (Universiti Sains Malaysia)

Bahari Belaton (Universiti Sains Malaysia)

Rosni Abdullah (Universiti Sains Malaysia)

Ayman Al-Ani (Universiti Sains Malaysia)

Alhamza Munther (Universiti Malaysia Perlis)

Samer Alsaleem (Universiti Sains Malaysia)