Detection and Prevention of DDoS Attack over Wireless IPv6 Network

Abstract

「分散式阻斷攻擊」Distributed Denial of Service(DDoS)攻擊，是現今IPv4網路具有嚴重性的威脅。新一代IPv6網路由於其有龐大住址空間以及IPSec機制，因此TPv6網路比傳統IPv4網路具有更高的安全性，但IPv6網路上仍無法免除DDoS攻擊。在邁向Wireless及3G的時代，IPv6扮演著重要的角色，而安全性也是必須被重視的一個環節。為了瞭解無線IPv6網路上的安全性問題，本文提出並分析Wireless IPv6 Network 上的DDoS攻擊，同時我們以Signature-Based Detection技術進行偵測，並提出Auto-Response Algonthm 實作Inline TPS。就我們所知，現有文獻中尚無詳細記載DDoS 在無線IPv6網路上的攻擊分析與偵測文件，本文特別針對Wireless IPv6 Home Network，進行DDoS攻擊的偵測與防禦。我們以tunnel broker為基礎實作出 W6SGW(Wireless IPv6-enabling Security Gateway)，並規劃Scenario-Based Testing進行DDoS 攻擊測試，且利用W6SGW來偵測並加以阻擋此攻擊。實驗結果顯示W6SGW可正確無誤地偵測4to6 DDoS攻擊。

Although many proposals of detection and prevention technologies for DDoS (Distributed Denial of Service) attack, it is still the major threat in IPv4 network. Due to providing larger address space and ipsec, IPv6 network is believed to be more secure than IPv4 network. However, IPv6 network still suffer from DDoS attack. In the era of the 3G and Wireless network, IPv6 plays an important role and then the security of IPv6 is important issue should be studied. In this paper, we present the security analysis of DDoS attack in the Wireless IPv6 Network and implement an integrated Security Gateway W6SGW(Wireless IPv6 enabled Security Gateway).\nOur W6SGW is designed with an IPv6 active inline IPS engine, which is based on signature-based detection and auto-response algorithm. We also employ tunnel broker mechanism to implement the W6SGW (Wireless IPv6-enabling Security Gateway). To test the effectiveness of our W6SGW, we conduct scenario-based testing based on 4to6 DDoS attack over Wireless IPv6 Home Network. Our primary results show that 4to6 DDoS attack can be correctly detected and prevented by our W6SGW. To our knowledge, this is the first literature to discuss the detection and prevention of DDoS attack in Wireless IPv6 Network.