{"title":"An efficient CGA algorithm against DoS attack on Duplicate Address Detection process","authors":"Cui Zhang, Jinbo Xiong, Qiong Wu","doi":"10.1109/WCNCW.2016.7552745","DOIUrl":null,"url":null,"abstract":"Neighbor Discovery Protocol (NDP) is significant in mobile network, which enables mobile node randomly access to foreign network by Stateless Link Address Autoconfiguration (SLAAC). However, the NDP initially offers no protection mechanism and is prone to address spoofing and Denial of Service (DoS). Secure Neighbor Discovery Protocol (SeNDP) is proposed to solve these NDP threats. Recently there are many solutions presented in SeNDP which relies on special IPv6 addresses named Cryptographically Generated Address (CGA). But there is little work to defend DoS attack on Duplicate Address Detection (DAD). In our paper, we focus on the problems of CGA and propose a novel time-based monitoring DoS attack. The conventional DoS defense mechanisms are realized by monitoring the packet rating and observing connection delay to analyze various DoS attack. Hence, we adopt a delay as an indication to distinct the DoS attack. We set a timer to control the address generation for monitoring abnormal attack to protect each address configuration. In addition, we adopt SHA-224 hash function instead of SHA-1 to improve the security of address generation. Considering the computation overhead, we decrease the hash matching factor from 16 bits to 8 bits. We develop our scheme using the Network Simulator (NS2) and the OpenSSL library. Finally, experiment results prove our scheme can provide more efficient IP generation. Compared with the CGA algorithm in SeNDP, our time consumption decreases to 10%. 
From the view of defense attack, our scheme can control DoS attack.","PeriodicalId":436094,"journal":{"name":"2016 IEEE Wireless Communications and Networking Conference Workshops (WCNCW)","volume":"31 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE Wireless Communications and Networking Conference Workshops (WCNCW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WCNCW.2016.7552745","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 2
Abstract
The Neighbor Discovery Protocol (NDP) is significant in mobile networks: it enables a mobile node to randomly access a foreign network through Stateless Link Address Autoconfiguration (SLAAC). However, NDP initially offers no protection mechanism and is prone to address spoofing and Denial of Service (DoS). The Secure Neighbor Discovery Protocol (SeNDP) was proposed to solve these NDP threats. Recently, many solutions have been presented for SeNDP, which relies on special IPv6 addresses called Cryptographically Generated Addresses (CGA). But there is little work on defending against DoS attacks on Duplicate Address Detection (DAD). In this paper, we focus on the problems of CGA and propose novel time-based monitoring of DoS attacks. Conventional DoS defense mechanisms work by monitoring the packet rate and observing connection delay to analyze various DoS attacks. Hence, we adopt delay as an indicator to distinguish a DoS attack. We set a timer to control address generation, so as to monitor for abnormal attacks and protect each address configuration. In addition, we adopt the SHA-224 hash function instead of SHA-1 to improve the security of address generation. Considering the computation overhead, we decrease the hash matching factor from 16 bits to 8 bits. We develop our scheme using the Network Simulator (NS2) and the OpenSSL library. Finally, experimental results prove that our scheme can provide more efficient IP generation. Compared with the CGA algorithm in SeNDP, our time consumption decreases to 10%. From the perspective of attack defense, our scheme can control DoS attacks.